forked from sigstore/cosign
[pull] main from sigstore:main #26
Open: pull wants to merge 20 commits into Reality2byte:main from sigstore:main (+1,655 −306)
Conversation
Signed-off-by: Carlos Panato <[email protected]>
Remove the need to fetch TUF keys when signing with a private key and attaching a non-Fulcio certificate to the artifact bundle. Verifiers will still need to check whether the certificate contains an SCT and have a policy for verifying it. Signed-off-by: Colleen Murphy <[email protected]>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.1.2 to 1.1.3 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@5363dd9...fb25e25) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.1.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4237) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.97.0 to 3.98.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.97.0...v3.98.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.98.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.14.0 to 0.15.0. - [Commits](golang/sync@v0.14.0...v0.15.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.15.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.128.0 to 0.129.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.128.0...v0.129.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.129.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.234.0 to 0.236.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.234.0...v0.236.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.236.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Should pick up the latest workflow for scanning for license issues. Signed-off-by: Hayden B <[email protected]>
Use sigstore-go's TUF client to fetch the trusted_root.json from the TUF mirror, if available. Where possible, use sigstore-go's verifiers which natively accept the trusted root as its trusted material. Where there is no trusted root available in TUF or sigstore-go doesn't support a use case, fall back to the sigstore/sigstore TUF v1 client and the existing verifiers in cosign. Signed-off-by: Colleen Murphy <[email protected]>
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.3 to 0.33.1. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.28.3...v0.33.1) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-version: 0.33.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4233) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.4.2 to 1.5.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.4.2...v1.5.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.5.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
One minor functional change, printing verification errors when verifying multiple signed timestamps. Signed-off-by: Hayden B <[email protected]>
Signed-off-by: Carlos Panato <[email protected]>
Clients using Rekor v2 need the name of the log server in order to create a checkpoint verifier, so it is useful to include it in the trust root. This change adds that functionality for all key material. Signed-off-by: Colleen Murphy <[email protected]>
When deducing the Rekor log key ID, cosign universally assumes a Rekor v1 type checkpoint, which is not C2SP compliant. Rekor v2 is compliant for all different types of keys, which means the log ID must be calculated differently. This affects the `trusted-root create` tool which must generate the log ID from the public key. This change adds the ability for the trusted-root command to parse a ":" in the --rekor-key flag to indicate that the trusted material should be generated for a Rekor v2 log and that the origin string following the ":" should be used to calculate it. This is backwards compatible and will not affect Rekor v1 which needs no origin string. This addresses the issue strictly for this command so that trusted_root files can be created for Rekor v2 servers. A later change will make more general changes to the TUF client to ensure the trusted material is generated properly for the server it relates to. Signed-off-by: Colleen Murphy <[email protected]>
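As an added example (not cosign's own code) of the distinction the commit above draws: the Rekor v1 log ID is the SHA-256 of the DER-encoded public key alone, whereas a C2SP checkpoint key ID is derived from the origin string and the key, so the same key yields different IDs for different origins. The `<path>:<origin>` flag syntax, the Ed25519 key type byte, and treating the untruncated C2SP digest as the Rekor v2 log ID are assumptions made here, not taken from the project.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// parseRekorKeyFlag splits a --rekor-key value of the form "<path>:<origin>".
// A value without ":" is treated as a Rekor v1 key, which needs no origin (assumed syntax).
func parseRekorKeyFlag(val string) (path, origin string, isV2 bool) {
	parts := strings.SplitN(val, ":", 2)
	if len(parts) == 2 && parts[1] != "" {
		return parts[0], parts[1], true
	}
	return val, "", false
}

// rekorV1LogID is the hex SHA-256 of the DER-encoded SubjectPublicKeyInfo:
// only the key is hashed, so an origin string plays no part.
func rekorV1LogID(pub ed25519.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// c2spKeyDigest hashes origin || '\n' || 0x01 || key, the C2SP signed-note
// preimage for an Ed25519 key; the checkpoint key ID is its first 4 bytes.
func c2spKeyDigest(origin string, pub ed25519.PublicKey) [32]byte {
	h := sha256.New()
	h.Write([]byte(origin + "\n"))
	h.Write([]byte{0x01}) // C2SP signature-type byte for Ed25519
	h.Write(pub)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

func main() {
	// Constructed key from a fixed seed so the output is reproducible.
	pub := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)).Public().(ed25519.PublicKey)
	_, origin, _ := parseRekorKeyFlag("rekor.pub:rekor.example.org")
	v1, _ := rekorV1LogID(pub)
	d := c2spKeyDigest(origin, pub)
	fmt.Printf("v1 log ID %s\nv2 key ID %x (origin %q)\n", v1, d[:4], origin)
}
```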
Signed-off-by: Hayden B <[email protected]>
This change adds documentation to the `no-upload` option of the `cosign attest` command to clarify that when the option is used, the produced attestation is written to STDOUT. Signed-off-by: Travis Truman <[email protected]>
In 32a2d62 the ability to use TUF to read and refresh trusted_root.json was added. Prior, there was already a --trusted-root flag for verify* commands, to read trusted_root.json directly without using a TUF client. This did not exist for the sign* commands, which still need key material to verify the CT key. The workaround for the sign commands was to use the SIGSTORE_CT_LOG_PUBLIC_KEY_FILE environment variable, but when the TUF client was updated, this workaround regressed. This change makes it so that this flag will still work and that the machine's cached trusted root is not used if it's not intended to be used. The permanent fix going forward should be to add the --trusted-root flags to the sign* commands. Signed-off-by: Colleen Murphy <[email protected]>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.1.3 to 1.2.1 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@fb25e25...939ece6) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.129.0 to 0.130.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.129.0...v0.130.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.130.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.1)