[pull] main from sigstore:main

.github/workflows/depsreview.yml

@@ -26,4 +26,4 @@ jobs:
     permissions:
       contents: read
 
-    uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@9b1b5aca605f92ec5b1bf3681b1e61b3dbc420cc
+    uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@main

.github/workflows/donotsubmit.yaml

@@ -40,4 +40,4 @@ jobs:
           persist-credentials: false
 
       - name: Do Not Submit
-        uses: chainguard-dev/actions/donotsubmit@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
+        uses: chainguard-dev/actions/donotsubmit@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1

.github/workflows/e2e-tests.yml

@@ -220,4 +220,4 @@ jobs:
 
     - name: Collect diagnostics
       if: ${{ failure() }}
-      uses: chainguard-dev/actions/kind-diag@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
+      uses: chainguard-dev/actions/kind-diag@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1

.github/workflows/kind-verify-attestation.yaml

@@ -156,7 +156,7 @@ jobs:
 
     - name: Collect diagnostics
       if: ${{ failure() }}
-      uses: chainguard-dev/actions/kind-diag@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
+      uses: chainguard-dev/actions/kind-diag@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1
 
     - name: Create vuln attestation for it
       run: |

.github/workflows/tests.yaml

@@ -169,7 +169,7 @@ jobs:
 
       - name: Collect diagnostics
         if: ${{ failure() }}
-        uses: chainguard-dev/actions/kind-diag@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
+        uses: chainguard-dev/actions/kind-diag@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1
 
   e2e-windows-powershell-tests:
     name: Run PowerShell E2E tests

.github/workflows/validate-release.yml

@@ -31,9 +31,9 @@ jobs:
     steps:
       - name: Check Signature
         run: |
-          cosign verify ghcr.io/gythialy/golang-cross:v1.24.3-0@sha256:b0e66440a1dc4216c45d9df95ac9c34b9cb2e7de1d9e55a94914eb38c2ec2249 \
+          cosign verify ghcr.io/gythialy/golang-cross:v1.24.4-0@sha256:0b29abd58891e1b3dc915efbfec697f93151118e20c13860ac1c8667ef14fb24 \
           --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.3-0"
+          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.4-0"
         env:
           TUF_ROOT: /tmp
 
@@ -43,7 +43,7 @@ jobs:
       - check-signature
 
     container:
-      image: ghcr.io/gythialy/golang-cross:v1.24.3-0@sha256:b0e66440a1dc4216c45d9df95ac9c34b9cb2e7de1d9e55a94914eb38c2ec2249
+      image: ghcr.io/gythialy/golang-cross:v1.24.4-0@sha256:0b29abd58891e1b3dc915efbfec697f93151118e20c13860ac1c8667ef14fb24
       volumes:
         - /usr:/host_usr
         - /opt:/host_opt

.github/workflows/whitespace.yaml

@@ -38,8 +38,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: chainguard-dev/actions/trailing-space@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
+      - uses: chainguard-dev/actions/trailing-space@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1
         if: ${{ always() }}
 
-      - uses: chainguard-dev/actions/eof-newline@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
+      - uses: chainguard-dev/actions/eof-newline@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1
         if: ${{ always() }}

CHANGELOG.md

@@ -1,3 +1,38 @@
+# v2.5.1
+
+## Features
+
+* Add Rekor v2 support for trusted-root create (#4242)
+* Add baseUrl and Uri to trusted-root create command
+* Upgrade to TUF v2 client with trusted root
+* Don't verify SCT for a private PKI cert (#4225)
+* Bump TSA library to relax EKU chain validation rules (#4219)
+
+## Bug Fixes
+
+* Bump sigstore-go to pick up log index=0 fix (#4162)
+* remove unused recursive flag on attest command (#4187)
+
+## Docs
+
+* Fix indentation in `verify-blob` cmd examples (#4160)
+
+## Releases
+
+* ensure we copy the latest tags on each release (#4157)
+
+## Contributors
+
+* arthurus-rex
+* Babak K. Shandiz
+* Bob Callaway
+* Carlos Tadeu Panato Junior
+* Colleen Murphy
+* Dmitry Savintsev
+* Emmanuel Ferdman
+* Hayden B
+* Ville Skyttä
+
 # v2.5.0
 
 v2.5.0 includes an implementation of the new bundle specification,

cmd/conformance/main.go

@@ -124,11 +124,16 @@ func main() {
 	args = append(args, os.Args[len(os.Args)-1])
 
 	dir := filepath.Dir(os.Args[0])
+	initCmd := exec.Command(filepath.Join(dir, "cosign"), "initialize") // #nosec G204
+	err := initCmd.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
 	cmd := exec.Command(filepath.Join(dir, "cosign"), args...) // #nosec G204
 	var out strings.Builder
 	cmd.Stdout = &out
 	cmd.Stderr = &out
-	err := cmd.Run()
+	err = cmd.Run()
 
 	fmt.Println(out.String())
 

cmd/cosign/cli/attest.go

@@ -16,11 +16,15 @@
 package cli
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/internal/ui"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 )
 
@@ -59,6 +63,9 @@ func Attest() *cobra.Command {
   # supply attestation via stdin
   echo <PAYLOAD> | cosign attest --predicate - <IMAGE>
 
+  # write attestation to stdout
+  cosign attest --predicate <FILE> --type <TYPE> --key cosign.key --no-upload true <IMAGE>
+
   # attach an attestation to a container image and honor the creation timestamp of the signature
   cosign attest --predicate <FILE> --type <TYPE> --key cosign.key --record-creation-timestamp <IMAGE>`,
 
@@ -69,6 +76,7 @@ func Attest() *cobra.Command {
 			if err != nil {
 				return err
 			}
+
 			ko := options.KeyOpts{
 				KeyRef:                   o.Key,
 				PassFunc:                 generate.GetPass,
@@ -92,6 +100,13 @@ func Attest() *cobra.Command {
 				TSAServerURL:             o.TSAServerURL,
 				NewBundleFormat:          o.NewBundleFormat,
 			}
+			if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing
+				trustedMaterial, err := cosign.TrustedRoot()
+				if err != nil {
+					ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+				}
+				ko.TrustedMaterial = trustedMaterial
+			}
 			attestCommand := attest.AttestCommand{
 				KeyOpts:                 ko,
 				RegistryOptions:         o.Registry,

cmd/cosign/cli/attest_blob.go

@@ -15,9 +15,14 @@
 package cli
 
 import (
+	"context"
+
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/internal/ui"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 )
 
@@ -54,6 +59,7 @@ func AttestBlob() *cobra.Command {
 			if err != nil {
 				return err
 			}
+
 			ko := options.KeyOpts{
 				KeyRef:                   o.Key,
 				PassFunc:                 generate.GetPass,
@@ -79,6 +85,13 @@ func AttestBlob() *cobra.Command {
 				BundlePath:               o.BundlePath,
 				NewBundleFormat:          o.NewBundleFormat,
 			}
+			if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing
+				trustedMaterial, err := cosign.TrustedRoot()
+				if err != nil {
+					ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+				}
+				ko.TrustedMaterial = trustedMaterial
+			}
 			v := attest.AttestBlobCommand{
 				KeyOpts:           ko,
 				CertPath:          o.Cert,

cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go

@@ -17,12 +17,15 @@ package fulcioverifier
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/sigstore-go/pkg/verify"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 )
 
@@ -32,12 +35,31 @@ func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerV
 		return nil, err
 	}
 
-	// Grab the PublicKeys for the CTFE, either from tuf or env.
+	if ko.TrustedMaterial != nil && len(fs.SCT) == 0 {
+		// Detached SCTs cannot be verified with this function.
+		chain, err := cryptoutils.UnmarshalCertificatesFromPEM(fs.Chain)
+		if err != nil {
+			return nil, fmt.Errorf("unmarshalling cert chain from PEM for SCT verification: %w", err)
+		}
+		certs, err := cryptoutils.UnmarshalCertificatesFromPEM(fs.Cert)
+		if err != nil || len(certs) < 1 {
+			return nil, fmt.Errorf("unmarshalling cert from PEM for SCT verification: %w", err)
+		}
+		chain = append(certs, chain...)
+		chains := make([][]*x509.Certificate, 1)
+		chains[0] = chain
+		if err := verify.VerifySignedCertificateTimestamp(chains, 1, ko.TrustedMaterial); err != nil {
+			return nil, fmt.Errorf("verifying SCT using trusted root: %w", err)
+		}
+		ui.Infof(ctx, "Successfully verified SCT...")
+		return fs, nil
+	}
+
+	// There was no trusted_root.json or we need to verify a detached SCT, so grab the PublicKeys for the CTFE, either from tuf or env.
 	pubKeys, err := cosign.GetCTLogPubs(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("getting CTFE public keys: %w", err)
 	}
-
 	// verify the sct
 	if err := cosign.VerifySCT(ctx, fs.Cert, fs.Chain, fs.SCT, pubKeys); err != nil {
 		return nil, fmt.Errorf("verifying SCT: %w", err)