Releases: sigstore/sigstore-go
v0.6.2
v0.6.1
What's Changed
v0.6.1 resolves a security advisory for a denial of service. See GHSA-cq38-jh5f-37mq for more information.
- Add fuzz tests for bundle, tlog and verify packages by @AdamKorcz in #272
- Add the ability to construct TrustRoot from targets by @bkabrda in #247
- add oss-fuzz build script by @AdamKorcz in #278
- Fix proof of key possession generation by @adityasaky in #283
- Add additional validation for nil elements in Bundles by @codysoyland in #285
- Add hard limits for number of TSA entries, Tlog entries, and attestation subjects/digests by @codysoyland in #286
Full Changelog: v0.6.0...v0.6.1
v0.6.0
As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes.
Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.
Breaking Changes
- In pkg/bundle/bundle.go:
  - ProtobufBundle is now Bundle
  - NewProtobufBundle is now NewBundle
- In pkg/bundle/signature_content.go:
  - Use Statement(): its type was from github.com/in-toto/in-toto-golang/in_toto and now comes from github.com/in-toto/attestation/go/v1
What's Changed
- feat: add support for additional transparency log key types by @vishal-chdhry in #197
- feat: use GetLogEntryByIndex to query rekor by @vishal-chdhry in #188
- feat: add validation of required fields in the bundle by @vishal-chdhry in #189
- Rename ProtobufBundle to Bundle by @codysoyland in #251
- Fix verify DSSE bundles (after signing) by @steiza in #258
- Fix crash with missing checkpoint by @haydentherapper in #260
- Add file pattern to CODEOWNERS by @codysoyland in #269
- Use example.com and remove trademark from tests by @codysoyland in #267
- Add deprecation message for ProtobufBundle by @codysoyland in #271
- Switch in-toto library to github.com/in-toto/attestation by @codysoyland in #274
Full Changelog: v0.5.1...v0.6.0
v0.5.1
See release v0.5.0 for a list of breaking changes in v0.5.0.
This minor release corrects the spelling of the new helper function in pkg/verify/certificate_identity.go, now called NewIssuerMatcher().
v0.5.0
We are continuing to work down items as we move towards a v1.0.0 release. As noted in the v0.4.0 release this includes some minor interface changes as we clean things up and get feedback from people using sigstore-go in different contexts.
Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.
Breaking Changes
- In pkg/bundle/verification_content.go:
  - For bundle.Certificate and bundle.PublicKey, HasCertificate() is now called GetCertificate(); it only returns *x509.Certificate instead of (x509.Certificate, bool)
- In pkg/verify/certificate.go:
  - Change NewShortCertificateIdentity() arguments
    - Was: func NewShortCertificateIdentity(issuer, sanValue, sanType, sanRegex string)
    - Now: func NewShortCertificateIdentity(issuer, issuerRegex, sanValue, sanRegex string)
  - Change NewSANMatcher() arguments
    - Was: func NewSANMatcher(sanValue string, sanType string, regexpStr string)
    - Now: func NewSANMatcher(sanValue string, regexpStr string)
  - Change NewCertificateIdentity() arguments
    - Was: NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions)
    - Now: NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, issuerMatcher IssuerMatcher, extensions certificate.Extensions)
    - func NewIssuserMatcher(issuerValue, regexpStr string) (IssuerMatcher, error) can help you create an IssuerMatcher
- In pkg/verify/signed_entity.go:
  - WithoutAnyObserverTimestampsInsecure() is now WithoutAnyObserverTimestampsUnsafe()
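As an added illustration of the matcher shape behind the new NewSANMatcher, NewIssuserMatcher and NewCertificateIdentity signatures above (this is example code, not sigstore-go's own implementation): each matcher takes an exact value and/or a regular expression, and an identity now pairs an issuer matcher with a SAN matcher. The stand-alone Go program below models that with only the standard library regexp package. It assumes the two knobs are ANDed, as the library's matchers do, and it shows why a SAN regular expression should be anchored. The type and function names (certSummary, valueOrRegexMatcher, identity, exampleIdentity, lookalikePasses) and every sample issuer and SAN value are made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// certSummary is a constructed stand-in for the issuer and Subject Alternative
// Name a verifier reads out of a Fulcio-issued certificate; not a sigstore-go type.
type certSummary struct {
	Issuer string
	SAN    string
}

// valueOrRegexMatcher models the two knobs the v0.5.0 constructors take: an exact
// value and/or a regexp. Assumption: both are ANDed, so an empty matcher accepts anything.
type valueOrRegexMatcher struct {
	value string
	re    *regexp.Regexp
}

func newMatcher(value, regexpStr string) (valueOrRegexMatcher, error) {
	m := valueOrRegexMatcher{value: value}
	if regexpStr != "" {
		re, err := regexp.Compile(regexpStr)
		if err != nil {
			return valueOrRegexMatcher{}, err
		}
		m.re = re
	}
	return m, nil
}

func (m valueOrRegexMatcher) matches(s string) bool {
	if m.value != "" && s != m.value {
		return false
	}
	if m.re != nil && !m.re.MatchString(s) {
		return false
	}
	return true
}

// identity pairs the two matchers the way NewCertificateIdentity does after
// v0.5.0: the issuer is its own matcher rather than a bare string.
type identity struct {
	san    valueOrRegexMatcher
	issuer valueOrRegexMatcher
}

func (id identity) verify(c certSummary) bool {
	return id.issuer.matches(c.Issuer) && id.san.matches(c.SAN)
}

// Constructed sample values; none come from a real deployment.
const (
	sampleIssuer = "https://oidc.example.com"
	// Anchored: the whole SAN must be this workflow at a semver tag.
	anchoredSAN = `^https://example\.com/org/repo/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$`
	// Unanchored: any SAN merely containing the substring is accepted.
	unanchoredSAN = `example\.com/org/repo/`
	goodSAN       = "https://example.com/org/repo/.github/workflows/release.yml@refs/tags/v1.2.3"
	// A different repository whose path happens to contain the expected substring.
	lookalikeSAN = "https://example.com/other/example.com/org/repo/.github/workflows/release.yml@refs/tags/v1.2.3"
)

// exampleIdentity is what a verifier should require: exact issuer, anchored SAN regexp.
func exampleIdentity() (identity, error) {
	san, err := newMatcher("", anchoredSAN)
	if err != nil {
		return identity{}, err
	}
	issuer, err := newMatcher(sampleIssuer, "")
	if err != nil {
		return identity{}, err
	}
	return identity{san: san, issuer: issuer}, nil
}

// lookalikePasses reports whether a SAN matcher built from regexpStr accepts
// lookalikeSAN: true for the unanchored pattern, false for the anchored one.
func lookalikePasses(regexpStr string) (bool, error) {
	m, err := newMatcher("", regexpStr)
	if err != nil {
		return false, err
	}
	return m.matches(lookalikeSAN), nil
}

func main() {
	id, err := exampleIdentity()
	if err != nil {
		panic(err)
	}
	fmt.Println("good cert:", id.verify(certSummary{Issuer: sampleIssuer, SAN: goodSAN}))
	fmt.Println("wrong issuer:", id.verify(certSummary{Issuer: "https://other-idp.example.com", SAN: goodSAN}))
	fmt.Println("lookalike SAN, anchored regexp:", id.verify(certSummary{Issuer: sampleIssuer, SAN: lookalikeSAN}))
	ok, _ := lookalikePasses(unanchoredSAN)
	fmt.Println("lookalike SAN, unanchored regexp:", ok)
}
```

The point of the split signatures is that every identity check now names both who issued the certificate and which subject it was issued to, each as an exact value or a pattern; when you reach for the pattern form, anchor it, because an unanchored SAN regexp accepts any identity that merely contains the expected path as a substring.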
What's Changed
- Simplify HasCertificate interface method by @cmurphy in #209
- Make config function name consistent by @cmurphy in #208
- Add unit tests for bundle package by @cmurphy in #217
- Improve error message when verifying certificate identity by @codysoyland in #218
- Add user agent to online Rekor requests and TUF requests. by @steiza in #216
- Dsse one sig by @kommendorkapten in #226
- Fix ProtobufBundle.MinVersion by @codysoyland in #228
- Add Policy WithKey() for verifying content you know is signed with a key by @steiza in #235
- Updates for SAN parsing by @cmurphy in #229
- Add the ability to specify certificate identity via a regular expression by @steiza in #236
Full Changelog: v0.4.0...v0.5.0
v0.4.0
What's Changed
In addition to various improvements in functionality, documentation, and testing, v0.4.0 includes signing support as well as the verification and signing API moving from unstable to beta. There may be minor interface changes between now and v1.0.0.
- Add mediatype string builder to bundle package by @puerco in #154
- chore: fix undefined media type error in OCI verification example by @vishal-chdhry in #163
- Use observer timestamp for comparison against certificate chain validity period by @codysoyland in #180
- Add clarifying comments around TUF caching options by @haydentherapper in #173
- Fix verification example by @cmurphy in #194
- Update README and documentation for signing support by @steiza in #203
- Add unit tests for SCT verification by @cmurphy in #204
New Contributors
- @puerco made their first contribution in #154
- @vishal-chdhry made their first contribution in #163
- @cmurphy made their first contribution in #194
Full Changelog: v0.3.0...v0.4.0
v0.3.0
What's Changed
v0.3.0 includes support for the Sigstore Bundle v0.3. It also includes some improved interface method naming and several bug fixes and dependency updates.
- Bundle v0.3 support by @steiza in #101
- Improve method naming in TrustedMaterial interface by @codysoyland in #114
- Fix Windows embedded file path bug by @malancas in #103
- Added a flag to disable ct log verification by @kommendorkapten in #135
- Update embedded root to latest by @haydentherapper in #144
Full Changelog: v0.2.0...v0.3.0
v0.2.0
What's Changed
v0.2.0 includes an updated TUF client. This also updates verification to require specifying both the certificate issuer and SAN.
- Bundle verification should require specifying expected certificate issuer and SAN by @steiza in #82
- Update verification example by @haydentherapper in #84
- Update TUF client to support options and add LiveTrustedRoot by @codysoyland in #41
Full Changelog: v0.1.0...v0.2.0