Skip to content

Releases: sigstore/sigstore-go

v0.6.2

10 Sep 19:06
0726854
Compare
Choose a tag to compare

This is a minor release to enable better error handling in the gh CLI.

What's Changed

  • Use sentinel errors bundle validation in validateBundle func by @malancas in #291

Full Changelog: v0.6.1...v0.6.2

v0.6.1

04 Sep 20:06
01e70e8
Compare
Choose a tag to compare

What's Changed

v0.6.1 resolves a security advisory for a denial of service. See GHSA-cq38-jh5f-37mq for more information.

  • Add fuzz tests for bundle, tlog and verify packages by @AdamKorcz in #272
  • Add the ability to contruct TrustRoot from targets by @bkabrda in #247
  • add oss-fuzz build script by @AdamKorcz in #278
  • Fix proof of key possession generation by @adityasaky in #283
  • Add additional validation for nil elements in Bundles by @codysoyland in #285
  • Add hard limits for number of TSA entries, Tlog entries, and attestation subjects/digests by @codysoyland in #286

Full Changelog: v0.6.0...v0.6.1

v0.6.0

16 Aug 14:02
3f8dbc4
Compare
Choose a tag to compare

As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes.

Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.

Breaking Changes

  • In pkg/bundle/bundle.go
    • ProtobufBundle is now Bundle
    • NewProtobufBundle is now NewBundle
  • In pkg/bundle/signature_content.go
    • Use Statement() type was from github.com/in-toto/in-toto-golang/in_toto now comes from github.com/in-toto/attestation/go/v1

What's Changed

Full Changelog: v0.5.1...v0.6.0

v0.5.1

24 Jul 18:12
2b6fc6d
Compare
Choose a tag to compare

See release v0.5.0 for a list of breaking changes in v0.5.0.

This minor release is to correct the spelling of the new helper function in pkg/verify/certificate_identity.go, now called NewIssuerMatcher().

v0.5.0

24 Jul 17:44
17ad99b
Compare
Choose a tag to compare

We are continuing to work down items as we move towards a v1.0.0 release. As noted in the v0.4.0 release this includes some minor interface changes as we clean things up and get feedback from people using sigstore-go in different contexts.

Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.

Breaking Changes

  • In pkg/bundle/verification_content.go:

    • For bundle.Certificate and bundle.PublicKey, HasCertificate() is now called GetCertificate(); only returns *x509.Certificate instead of (x509.Certificate, bool)
  • In pkg/verify/certificate.go:

    • Change NewShortCertificateIdentity() arguments
      • Was: func NewShortCertificateIdentity(issuer, sanValue, sanType, sanRegex string)
      • Now: func NewShortCertificateIdentity(issuer, issuerRegex, sanValue, sanRegex string)
    • Change in NewSANMatcher() arguments
      • Was: func NewSANMatcher(sanValue string, sanType string, regexpStr string)
      • Now: func NewSANMatcher(sanValue string, regexpStr string)
    • Change in NewCertificateIdentity() arguments
      • Was: NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions)
      • Now: NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, issuerMatcher IssuerMatcher, extensions certificate.Extensions)
        • func NewIssuserMatcher(issuerValue, regexpStr string) (IssuerMatcher, error) can help you create IssuerMatcher
  • In pkg/verify/signed_entity.go:

    • WithoutAnyObserverTimestampsInsecure() is now WithoutAnyObserverTimestampsUnsafe()

What's Changed

Full Changelog: v0.4.0...v0.5.0

v0.4.0

10 Jun 18:38
c60e743
Compare
Choose a tag to compare

What's Changed

In addition to various improvements in functionality, documentation, and testing, v0.4.0 includes signing support as well as the verification and signing API moving from unstable to beta. There may be minor interface changes between now a v1.0.0.

  • Add mediatype string builder to bundle package by @puerco in #154
  • chore: fix undefined media type error in OCI verification example by @vishal-chdhry in #163
  • Use observer timestamp for comparison against certificate chain validity period by @codysoyland in #180
  • Add clarifying comments around TUF caching options by @haydentherapper in #173
  • Fix verification example by @cmurphy in #194
  • Update README and documentation for signing support by @steiza in #203
  • Add unit tests for SCT verification by @cmurphy in #204

New Contributors

Full Changelog: v0.3.0...v0.4.0

v0.3.0

11 Apr 15:15
998ff47
Compare
Choose a tag to compare

What's Changed

v0.3.0 includes support for the Sigstore Bundle v0.3. It also includes some improved interface method naming and several bug fixes and dependency updates.

Full Changelog: v0.2.0...v0.3.0

v0.2.0

13 Feb 16:06
4e750e1
Compare
Choose a tag to compare

What's Changed

v0.2.0 includes an updated TUF client. This also updates verification to require specifying both the certificate issuer and SAN.

  • Bundle verification should require specifying expected certificate issuer and SAN by @steiza in #82
  • Update verification example by @haydentherapper in #84
  • Update TUF client to support options and add LiveTrustedRoot by @codysoyland in #41

Full Changelog: v0.1.0...v0.2.0

v0.1.0

25 Jan 21:11
2e5477d
Compare
Choose a tag to compare

Changelog

Initial release of sigstore/sigstore-go

See the README for instructions
on supported features and how to use the library.