Releases: tektoncd/chains

Tekton Chains release v0.14.0

20 Dec 16:46
7897fa4

-Docs @ v0.14.0
-Examples @ v0.14.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.14.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

Features

  • Generalize format loading. (#603)
  • Record invocation.configSource section in slsa provenance (#554)

Fixes

  • Convert times to UTC (#631)
  • test/test_utils: Use kind instead of full GVK for tkn commands. (#648)

Misc

  • Add lcarva, chuangw6 to global approvers. (#619)
  • Added GHA to run go vet and go fmt checks. (#644)
  • Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#643)
  • Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#639)
  • Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 (#638)
  • Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.7 (#637)
  • Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 (#635)
  • Bump cloud.google.com/go/compute/metadata from 0.2.1 to 0.2.2 (#634)
  • Bump go.uber.org/zap from 1.23.0 to 1.24.0 (#633)
  • Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 (#628)
  • Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#627)
  • Bump github.com/tektoncd/pipeline from 0.41.0 to 0.42.0 (#626)
  • Bump github.com/google/addlicense from 1.0.0 to 1.1.0 (#624)
  • Bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 (#623)
  • Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#622)
  • Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 (#621)
  • Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#620)
  • Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#618)
  • Bump github.com/sigstore/cosign from 1.12.1 to 1.13.1 (#617)
  • Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 (#616)
  • Bump scaffolding release, use newer pipelines. (#614)
  • Bump github.com/tektoncd/pipeline from 0.40.1 to 0.41.0 (#606)
  • Bump gocloud.dev, knative.dev/pkg, k8s.io dependencies. (#605)
  • Bump gocloud.dev/docstore/mongodocstore from 0.26.0 to 0.27.0 (#584)
  • Bump gocloud.dev/pubsub/kafkapubsub from 0.26.0 to 0.27.0 (#583)

Docs

  • Add spiffe-csi driver support to authentication part (#604)
  • Update README.md (#611)

Thanks

Thanks to these contributors who contributed to v0.14.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.13.0

08 Nov 15:56
516e492

-Docs @ v0.13.0
-Examples @ v0.13.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml
REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# Verify images in manifest (tekton.pub can be found in the chains repo)
cosign manifest verify release.yaml --key=tekton.pub

Changes

Features

  • 🎁 Added support for PipelineRun attestations (#436, #568, #573, #564, #598, #599, #601) 🎉 🎉 🎉
  • 🎁 Allow reading the pull secret from the podTemplate (#579)
  • 🎁 Add feature to extract structured signable targets and store them in subjects and materials in intoto provenance (#491)

Fixes

  • 🐛 Stop reconciliation on unrecoverable error (#607)

Misc

  • 🧹 Removed usage of Tekton Pipelines v1alpha for everything but PipelineResources (#538)
  • 🧹 Removed tekton-provenance storage option (#590) (this was already partially deprecated in v0.8.0; this removes the lagging config options).

Docs

  • 📖 getting rid of 'pipelien' (#526)
  • 📖 Add the OpenSSF badge to the main README (#580)
  • 📖 fix: pubusub to pubsub in storage backend support of experimental features (#582)

Thanks

Thanks to these contributors who contributed to v0.13.0!

Extra shout-out for awesome release notes:

v0.12.0

31 Aug 19:33

🎉 v0.12.0 🎉

-Docs @ v0.12.0
-Examples @ v0.12.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf

Obtain the attestation:

REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml
REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.12.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

Features

  • ✨ Grafeas storage for non-image artifacts (#531)
    Support other artifact types for grafeas backend storage i.e. maven
  • ✨ Make grafeas notehint configurable and change the BuildType field #495
    Add storage.grafeas.notehint field in configmap that allows the note hint field in the grafeas attestation note to be customizable.

Fixes

  • Fix param value ordering in materials #527
  • Fix for issue #515: this PR ensures that only those signers that are specified as signers for any artifact are initialized. #519
  • Fix the default value for builder.id in the config doc (#498)

Misc

  • Bump to use scaffolding v0.4.3. (#518)
  • Pin to scaffolding v0.4.2, test with k8s 1.22, 1.23, and 1.24. (#513)
  • Pinning sigstore/scaffolding/actions/setup version (#512)
  • Use industry standard names for payloadType field (#509)
  • Fix typo in v0.3.0-build-chains-taskrun.yaml. (#505)

Docs

  • 📖 Add pull_request_template.md. (#511)
  • 📖 Clarify documentation for (#510)
  • Add more supported GCP KMS key ref formats in config doc (#506)

Thanks

Thanks to these contributors who contributed to v0.12.0!

v0.11.0

26 Jul 18:25

🎉 v0.11.0 🎉

-Docs @ v0.11.0
-Examples @ v0.11.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9

Obtain the attestation:

REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml
REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.11.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

Features

  • Add Intoto Signable Target support in Chains using strings in results. (#465)

Misc

  • Switch to Grafeas v1 API in grafeas storage (#453)

Thanks

Thanks to these contributors who contributed to v0.11.0!

Extra shout-out for awesome release notes:

v0.10.0

28 Jun 22:19
7894a22

🎉 v0.10.0 🎉

-Docs @ v0.10.0
-Examples @ v0.10.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7

Obtain the attestation:

REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml
REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.10.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done
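
The image check from the verification steps on this page, as an added example in Python (not part of the Tekton Chains release notes or tooling). It accepts the Attestation field in both forms used here, plain JSON for newer releases and base64 for v0.10.0 and earlier, and fails closed when an image is missing from the release file or the attestation has no subjects. The registry name, digests and YAML are constructed sample data, and the function names are hypothetical.

```python
import base64
import json
import re

# Constructed sample data: registry path, digests and YAML are made up.
DIGEST_A, DIGEST_B, DIGEST_C = "a" * 64, "b" * 64, "c" * 64
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {"name": "registry.example/chains/controller", "digest": {"sha256": DIGEST_A}},
        {"name": "registry.example/chains/webhook", "digest": {"sha256": DIGEST_B}},
    ],
})
# Shape of `rekor-cli get --format json` output, reduced to the one field used.
ENTRY_PLAIN = json.dumps({"Attestation": STATEMENT})
ENTRY_B64 = json.dumps({"Attestation": base64.b64encode(STATEMENT.encode()).decode()})
RELEASE_YAML = f"""\
containers:
- image: registry.example/chains/controller:v0.14.0@sha256:{DIGEST_A}
- image: registry.example/chains/webhook:v0.14.0@sha256:{DIGEST_C}
"""


def load_statement(rekor_json: str) -> dict:
    """Return the in-toto statement, accepting plain or base64-encoded JSON."""
    att = json.loads(rekor_json).get("Attestation") or ""
    if isinstance(att, str):
        try:
            att = json.loads(att)
        except json.JSONDecodeError:
            try:
                att = json.loads(base64.b64decode(att, validate=True))
            except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
                raise ValueError("Attestation is not JSON or base64 JSON") from exc
    if not isinstance(att, dict) or not att.get("subject"):
        # With no subjects the shell loop would run zero times and print nothing.
        raise ValueError("attestation has no subjects")
    return att


def check_release(rekor_json: str, release_yaml: str, version: str) -> dict:
    """Map each attested image reference to True if the release file pins it."""
    # Compare whole tokens so a reference matches exactly, not as a substring
    # or regular expression.
    tokens = {t.strip("\"',") for t in release_yaml.split()}
    results = {}
    for subject in load_statement(rekor_json)["subject"]:
        digest = subject["digest"]["sha256"]
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"malformed sha256 for {subject['name']}")
        ref = f"{subject['name']}:{version}@sha256:{digest}"
        results[ref] = ref in tokens
    return results


def verified(results: dict) -> bool:
    """Fail closed: at least one image, and every one present in the file."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    for ref, ok in check_release(ENTRY_B64, RELEASE_YAML, "v0.14.0").items():
        print(ref, "===> ok" if ok else "===> no match")
```

In a pipeline, exit non-zero when verified() returns False so that a "no match" line cannot scroll past unnoticed.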

Changes

Features

  • Add s390x arch support to chains (#463)
  • Add ppc64le arch support to chains (#461)
  • Allow TaskRun payloads other than IMAGE_URL (#444)
  • add mongodb service support (#390)

Fixes

  • Fix error msg in case no image produced (#464)
  • Fix default params in attestation invocation (#449)
  • Change SCC from anyuid to nonroot (#432)

Misc

  • Disable unit test for grafeas backend creation (#446)

Docs

Thanks

Thanks to these contributors who contributed to v0.10.0!

Extra shout-out for awesome release notes:

v0.9.0

05 May 17:14

🎉 v0.9.0 🎉

-Docs @ v0.9.0
-Examples @ v0.9.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml

Attestation

The Rekor UUID for this release is b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89

Obtain the attestation:

REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.9.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

Features

  • Specify provider and oidc issuer when requesting fulcio cert (#440)
  • Add support for Grafeas storage backend (#389)
  • Add support for PubSub storage backend (#386)
  • Adding Spire OIDC for Vault authentication (#369)

Deprecation Notices

The tekton-provenance format has officially been removed in this release. Please switch to the in-toto format by running:

kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
  • Remove tekton-provenance format (#439)

In current release:

Fixes

  • Fix flaky grafeas unit test (#427)

Misc

  • Fix nightly builds (#422)
  • Use sigstore/scaffolding github actions now that it's out there. (#409)
  • Revert default fulcio URL to fulcio.sigstore.dev (#388)

Docs

  • Add docs for secrets based on existing credentials (#430)
  • Add godoc documentation (#414)
  • Add community tutorial subsection (#379)
  • Fix default fulcio addr in docs (#365)

Thanks

Thanks to these contributors who contributed to v0.9.0!

Extra shout-out for awesome release notes:

v0.8.0

04 Feb 23:09

🎉 v0.8.0 🎉

-Docs @ v0.8.0
-Examples @ v0.8.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml

Verify the Release

The Rekor UUID for this release is 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735

Obtain the attestation:

rekor-cli get --uuid 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735 --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml 
REKOR_UUID=03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.8.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match"
  cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done

Features

  • Add chains-info ConfigMap with version info (#338)

Deprecation Notices

  • This release marks a new default value for signers.x509.fulcio.address. The default value was previously https://fulcio.sigstore.dev, and it is now https://v1.fulcio.sigstore.dev to match the default in cosign. The old value can still be set by running:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"signers.x509.fulcio.address": "https://fulcio.sigstore.dev"}}'

Fixes

  • Bump go-containerregistry and k8schain to pick up new cred helpers (#364)
  • Pass in authentication when getting remote image (#361)
  • Change default Fulcio URL to match cosign's (#360)
  • Add securityContext to controller pod (#346)

Misc

  • Remove un-used options from artifacts.oci.format and artifacts.oci.storage (#334)

Docs

  • Fix namespace typo (#357)

Thanks

Thanks to these contributors who contributed to v0.8.0!

Extra shout-out for awesome release notes:

v0.7.0

19 Jan 18:42

🎉 v0.7.0 🎉

-Docs @ v0.7.0
-Examples @ v0.7.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml

Verify the Release

The Rekor UUID for this release is 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef

Obtain the attestation:

rekor-cli get --uuid 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml 
REKOR_UUID=95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.7.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match"
  cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done

Features

  • Add support for all of cosign's ambient credentials. (#319)
  • Allow IMAGES result to be separated by newlines (#315)
  • added multi-backend support (#302)
  • Implement missing features to OCI backend (#284)

Deprecation Notices

  • 🚨 - Deprecate the tekton-provenance predicate format (#292)

This feature will be removed in v0.8.0. To switch to the in-toto format which is now the preferred format, please run:

 kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

Fixes

  • Make builder id for SLSA provenance valid URI (#331)
  • Make SLSA provenance v0.2 invocation.parameters compliant with spec (#307)
  • Fix bugs in provenance implementation for materials.digest (#310)
  • Fix bug in uploading signatures to OCI (#298)

Docs

  • Fix in-toto chains docs typos (#337)
  • Add installation instructions for OpenShift (#335)
  • Use cosign flags with 2 hyphens (#327)

Thanks

Thanks to these contributors who contributed to v0.7.0!

Extra shout-out for awesome release notes:

v0.6.1

04 Dec 00:27

🎉 v0.6.1 🎉

-Docs @ v0.6.1
-Examples @ v0.6.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.1/release.yaml

Verify the Release

The Rekor UUID for this release is a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a

Obtain the attestation:

rekor-cli get --uuid a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.1/release.yaml 
REKOR_UUID=a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.6.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match"
  cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done

Fixes

  • Fix bug in uploading signatures to OCI (#298)

Thanks

Thanks to these contributors who contributed to v0.6.1!

Extra shout-out for awesome release notes:

v0.6.0

03 Dec 22:01

🎉 v0.6.0 🎉

Note: This release has a known bug uploading signatures and attestations to OCI. A point release with a fix should be out soon!

-Docs @ v0.6.0
-Examples @ v0.6.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.0/release.yaml

Changes

Features

  • Capture step information in recipe.arguments for in-toto/slsa Provenance (#272)
  • Upgrade slsa-provenance format to v0.2 (#291)
  • Add new signing and storage features (#245)

Deprecation Notices

  • 🚨 - Deprecate the tekton-provenance predicate format (#292)

This feature will be removed in v0.8.0. To switch to the in-toto format which is now the preferred format, please run:

 kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

Fixes

  • fix: look for materials/git metadata in taskrun results too (#263)
  • Fix bug uploading slsa-provenance attestations to oci (#255)

Docs

  • 📖 Add front matter to docs (#285)
  • docs: generate keypair using k8s://foo/bar (#257)
  • fix link to intoto docs (#256)

Thanks

Thanks to these contributors who contributed to v0.6.0!

Extra shout-out for awesome release notes: