v0.43.1

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.1/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.1/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.1/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.1/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Fixing CVE by @rohitagg2020 in #691

Full Changelog: v0.43.0...v0.43.1

📂 Files Checksum

578b81cedbba68057fbd5b917a337fb34c8ed7406931839efc01608668aa9bd0  ./imgpkg-darwin-amd64
649eda706a172b520307c2189ee04bdc0d2b255b9b076482873ddaa2120afc18  ./imgpkg-windows-amd64.exe
7cd1ecf4b394770ccfedc38f3b4f97a1a3d49447fa0bfe1e28a4f99751597ddf  ./imgpkg-linux-arm64
9cfd34a67048dd71498d2075969592f7db181e639848239c47a47426ebbb03be  ./imgpkg-darwin-arm64
d36ccfcc54143d2475cf09b0247c88bccf24a7aeb062bd9bb8cab7cb58135fcf  ./imgpkg-linux-amd64

v0.43.0

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.0/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.0/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.43.0/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Get image layer from Primary Location in #660 by @rcmadhankumar
• Limit session IDs to a non-negative, pseudo-random int32 in #664 by @mamachanko
• Introduction of the copy API in #668 by @joaopapereira

Full Changelog: v0.42.0...v0.43.0

📂 Files Checksum

02a7e3fd0142c1053c14a87084820c1940f34c7372c16d883ef54091a37ac30d  ./imgpkg-darwin-amd64
099627a79b7edf9ba99321f4dc4e43404bc83c42930864c9db650070e65cfb5a  ./imgpkg-linux-arm64
2a0c2adb6edf0d67a0677c6dcf036c34d1f26af2858cacd9d114669829cc4848  ./imgpkg-darwin-arm64
4f87f219012e48b917d7aaf8b0ee71729f2572fc1a3deb7483bd8744fe2e1a06  ./imgpkg-linux-amd64
c07608dd4c1b534aaebe5aaf3993ae1a6e0af44691f06d4cd035836c868084c6  ./imgpkg-windows-amd64.exe

v0.42.2

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.2/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.2/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.2/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.2/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Bump golang to 1.22.4 #672 by @rohitagg2020

Full Changelog: v0.42.1...v0.42.2

📂 Files Checksum

493f0931964e800aab255fe32256d044369c997537e7fdc8fcc93ac978c5462e  ./imgpkg-linux-arm64
59f0af401217f3dc36163c31e093b5bdceeaf9397576e894b591a014480b9c1b  ./imgpkg-darwin-amd64
bea6e08f5f6bf8b2a7f31486c41b34715e5dd6e4319e15968e25cd570daf5446  ./imgpkg-linux-amd64
cae062487d5c16d52f6ec70b455b6e53202e021928c061568d4e976ff7ad1a19  ./imgpkg-windows-amd64.exe
cf10c7cb2ef202e1f4fb1f334e350c760690c21883c79f8485c488ff9007aca2  ./imgpkg-darwin-arm64

v0.42.3

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.3/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.3/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.3/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.3/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Bump go version to 1.22.5 #695 by @devanshuVmware

Full Changelog: v0.42.2...v0.42.3

📂 Files Checksum

0cb732863d7e9fa263a232f89ff162886d0c88d585ea27f2f51526f531b4707d  ./imgpkg-linux-arm64
9429779c0ffdbf295e4aa10591184bab1ab3f2145153205532ad080ea3135566  ./imgpkg-linux-amd64
b0382798d3045f3641f3f5c0f28ba57fb378fed8a6a1fc2d8991883ce8384a3a  ./imgpkg-windows-amd64.exe
b96ad7f72a2b6cdc59f508cf606bb280f70b81f1a5024840d4cc8fcd9f63fdca  ./imgpkg-darwin-arm64
ce21316a0345219b19186b9bf40947f4c19aaa50b18ed775717b80512b0b4476  ./imgpkg-darwin-amd64

v0.42.1

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Describe reaches out to original registry to get information on layer incorrectly #659

Full Changelog: v0.42.0...v0.42.1

📂 Files Checksum

6a437f95f8cf0d1295c4165ce60ecf3f4dfe722a497bce8f1b8005a671551df8  ./imgpkg-darwin-arm64
76a2d5a1cc6b5917fea35c9cf7383fc742ade39f2d51f1485a25bd4a8aa58970  ./imgpkg-darwin-amd64
78ed95d612a927abc344df8cadd052610637566b98594252db3bc03ff2713d83  ./imgpkg-linux-arm64
de1816b01fcc1d602013b4b851975a46b6544ae45c001f0c2d15e1c2d4ebc420  ./imgpkg-windows-amd64.exe
fc4e0bc2e238b2ffaff8f04fba0844de0d1e5ef7dd870a4d01896361b5b5510b  ./imgpkg-linux-amd64

v0.42.0

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.42.0/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• When 2 images with same SHA are reference by 2 nested bundles by @joaopapereira in #638
• Added flag --layers to enable/disable functionality of showing each layers of image by @kumaritanushree in #639
• Collect description information for images from correct registry by @joaopapereira in #637
• Update Copyright Headers by @prashantrewar in #647
• [chore] bump docker deps to v25.0.5 by @grokspawn in #648
• Bump go version to 1.22.2 by @sethiyash in #651

🔈 Callouts

• @prashantrewar made their first contribution in #647
• @grokspawn made their first contribution in #648

Full Changelog: v0.41.0...v0.42.0

📂 Files Checksum

0bb6235af28abafc3458e30fbbd49e040aaa2189c4c39212a3c7a5a57ea83754  ./imgpkg-linux-amd64
3efc3081538273e924152c978911b0331b9b397cc72e587803c51b5f06f6636a  ./imgpkg-darwin-arm64
89272b9b14512787154eef4fa1ba2132afd4cac1840af757efb8ca9f09fe4711  ./imgpkg-windows-amd64.exe
bbe4c9a3eae83df55b267506a3e6b22d94a7b4ed642f94797779e2b0ba647373  ./imgpkg-darwin-amd64
fc7ad7465730297085e4c7deefc47e2e56713be957971935008460a9bc709a0a  ./imgpkg-linux-arm64

v0.41.1

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.1/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.1/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.1/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.1/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

Changelog

• 287c735 When 2 images with same SHA are reference by 2 nested bundles (#638)

✨ What's new

• When 2 images with same SHA are reference by 2 nested bundles by @joaopapereira in #638

Full Changelog: v0.41.0...v0.41.1

📂 Files Checksum

50d63ad2b4735858112a55e3a2baf9af8568e459e79537f7aa04baf60b291797  ./imgpkg-darwin-amd64
004551cec931a3633c0bb380e113f9c700796deab240a514201c2ec6f0a6fc4e  ./imgpkg-darwin-arm64
e6291309be274d8137116bba06824af763e22110d48e9cc45aca0d3135420966  ./imgpkg-linux-amd64
1fc1c933cc235ef13dedf701075b36fea9c5da425783bec18452ccfb5332cac9  ./imgpkg-linux-arm64
35553c5790ae289d9c964c8954ebed47c55d189a279fc4c5baa28d58f3a24157  ./imgpkg-windows-amd64.exe

v0.41.0

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.0/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.0/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.41.0/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

✨ What's new

• Some layers in some images do not have a DiffID, and imgpkg was not able to process them #464
• Images that contained OS filesystem could not be pulled due to symlinks and other file types #441
• Updated dependencies

Full Changelog: v0.40.0...v0.41.0

📂 Files Checksum

036dc61fe3fa4157aea62cf9284e3c8d7b4f878becbbac21629d043bef1e9171  ./imgpkg-windows-amd64.exe
1822aef7b14f97da0e1d12946362a773863e601c57d943a886ba86f71fcc6777  ./imgpkg-darwin-amd64
2b1bc6ecd757a099b788474a0bf81748c69b5745443a351db0558fd3fcd431df  ./imgpkg-linux-arm64
50eb0ff74447c2d46ab9152794ae11076233390f9a7747a9056985a8de072be0  ./imgpkg-linux-amd64
8553577a8db76e9aee7963ba2c6bc88c5f5dab04286c51e05291ab87dc8d7290  ./imgpkg-darwin-arm64

v0.40.2

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.2/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.2/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.2/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.2/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Upgrade golang version to 1.22.5 in v0.40.x by @devanshuVmware in #696

Full Changelog: v0.40.1...v0.40.2

📂 Files Checksum

4e3022f96b557b265b056997d19c9662b7ce23315d3ffc97eec829836adb27a4  ./imgpkg-windows-amd64.exe
b8d128c3d8f588c71e2866f959bceb9761988bcb5a948d271731952fd204343d  ./imgpkg-darwin-arm64
d80fd7134b8dff0afe12aef7124099e1d4dfd043aa88d4da8fa93710e255f667  ./imgpkg-linux-arm64
dd2567580256f511af2e2f272c8550c94c5b5763ac5b0e9296c26328cb2fbc1d  ./imgpkg-linux-amd64
fbe3a0f4eb2dfef33eb563226016500809df02eccbb57f596ad2f30a151d6968  ./imgpkg-darwin-amd64

v0.40.1

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.1/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.1/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.1/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.40.1/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Bump go version to 1.21.9 in v0.40.x by @sethiyash in #653

Full Changelog: v0.40.0...v0.40.1

📂 Files Checksum

1eccbea8d3eaaaca681a1337ab9ce29c58e6f3cab87665684fde174bc9f49657  ./imgpkg-windows-amd64.exe
5787a7e3ebfb6d67592918c5f5ed0a6d797009d6faf3eae99528b50ba45e4eae  ./imgpkg-darwin-arm64
7b4461e6a37d2f62055120e317dd30485eefebcf8c91d8abd4d0d4f55e2d9842  ./imgpkg-darwin-amd64
94f4db59db55448e6ff000426d1a6fa592f491a1fcbdfb7d71bcb4854128ab32  ./imgpkg-linux-amd64
ccc2f144c76c409f7c9470ebacb7903a5b576b9b8b561010734620d48971d897  ./imgpkg-linux-arm64