| Name: cosign-bash-completion | Distribution: openSUSE Tumbleweed |
| Version: 3.0.5 | Vendor: openSUSE |
| Release: 2.2 | Build date: Sun Feb 22 13:25:59 2026 |
| Group: System/Shells | Build host: reproducible |
| Size: 158686 | Source RPM: cosign-3.0.5-2.2.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/sigstore/cosign | |
| Summary: Bash Completion for cosign | |
Bash command line completion support for cosign.
Apache-2.0
* Sun Feb 22 2026 meissner@suse.com
- Update to version 3.0.5: (jsc#SLE-23879)
* CVE-2026-24122: Fixed improper validation of certificates that
outlive expired CA certificates (bsc#1258542)
* CVE-2026-26958: Fixed filippo.io/edwards25519: failure to initialize
receiver in MultiScalarMult can produce invalid results and lead to
undefined behavior (bsc#1258612)
* CVE-2026-24137: Fixed github.com/sigstore/sigstore/pkg/tuf: legacy
TUF client allows for arbitrary file writes with target cache path
traversal (bsc#1257139)
* CVE-2026-22772: Fixed github.com/sigstore/fulcio: MetaIssuer
URL validation bypass can trigger SSRF to arbitrary internal services
(bsc#1256562)
* CVE-2026-23991: Fixed github.com/theupdateframework/go-tuf/v2: denial
of service due to invalid TUF metadata JSON returned by TUF repository
(bsc#1257080)
* CVE-2026-23992: Fixed github.com/theupdateframework/go-tuf/v2:
unauthorized modification to TUF metadata files due to a compromised
or misconfigured TUF repository (bsc#1257085)
* chore(deps): bump google.golang.org/api from 0.260.0 to 0.264.0 (#4679)
* chore(deps): bump github.com/sigstore/rekor-tiles/v2 from 2.0.1 to 2.1.0 (#4670)
* chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#4712)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4680)
* chore(deps): bump the gomod group across 1 directory with 4 updates (#4702)
* chore(deps): bump the actions group with 3 updates (#4703)
* update golang builder to use go1.25.7 (#4687)
* update golangci-lint to v2.8.x (#4688)
* Fix typo in CLI help (#4701)
* Support DSSE signing conformance test (#4685)
* chore(deps): bump the actions group across 1 directory with 8 updates (#4689)
* Deprecate rekor-entry-type flag (#4691)
* Deprecate cosign triangulate (#4676)
* Deprecate cosign copy (#4681)
* Enforce TSA requirement for Rekor v2, Fulcio signing (#4683)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4668)
* chore(deps): bump golang from 1.25.5 to 1.25.6 in the all group (#4673)
* Automatically require signed timestamp with Rekor v2 entries (#4666)
* Fix syntax issue in conformance test, update nightly (#4664)
* Add mTLS support for TSA client connections when signing with a signing config (#4620)
* fix: avoid panic on malformed tlog entry body (#4652)
* Verify validity of chain rather than just certificate (#4663)
* Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
* chore(deps): bump the gomod group across 1 directory with 3 updates (#4662)
* Bump sigstore/sigstore to resolve GHSA (#4660)
* Gracefully fail if bundle payload body is not a string (#4648)
* fix: avoid panic on malformed replace payload (#4653)
* chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#4659)
* fix: avoid panic on malformed attestation payload (#4651)
* fix: avoid panic on malformed tlog entries (#4649)
* Update conformance to latest
* docs(cosign): clarify RFC3161 revocation semantics (#4642)
* Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
* chore(deps): bump github.com/sigstore/fulcio from 1.8.4 to 1.8.5 (#4637)
* Add origin key for ctfe trusted root
* Add changelog updates for v3.0.4 and v2.6.2 (#4625)
* Wed Feb 11 2026 meissner@suse.com
- Update to version 3.0.4:
* CVE-2025-11065: Fixed github.com/go-viper/mapstructure/v2: sensitive
Information leak in logs (bsc#1250620)
* CVE-2026-22703: Fixed that cosign verification accepts any valid
Rekor entry under certain conditions (bsc#1256496)
* Fix bundle verify path for old bundle/trusted root (#4623)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4616)
* chore(deps): bump cuelang.org/go in the gomod group (#4615)
* Optimize cosign tree performance by caching digest resolution (#4612)
* Don't require a trusted root to verify offline with a key (#4613)
* Support default services for trusted-root and signing-config creation (#4592)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4602)
* chore(deps): bump github.com/sigstore/sigstore-go (#4578)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.114.1 to 3.115.2 (#4601)
* chore(deps): bump google.golang.org/api from 0.257.0 to 0.258.0 (#4611)
* chore(deps): bump k8s.io/client-go from 0.34.3 to 0.35.0 (#4604)
* chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#4588)
* chore(deps): bump golang.org/x/oauth2 from 0.33.0 to 0.34.0 (#4586)
* chore(deps): bump the gomod group with 5 updates (#4599)
* chore(deps): bump github.com/open-policy-agent/opa from 1.10.1 to 1.12.1 (#4600)
* chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 (#4584)
* chore(deps): bump the actions group with 3 updates (#4587)
* chore(deps): bump actions/cache from 4.3.0 to 5.0.1 (#4589)
* chore(deps): bump the gomod group with 9 updates (#4577)
* Wed Dec 10 2025 meissner@suse.com
- Update to version 3.0.3:
* 4554: Closes 4554 - Add warning when --output* is used (#4556)
* chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.1.0 (#4545)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.111.0 to 3.113.0 (#4542)
* chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4543)
* chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4546)
* chore(deps): bump the actions group with 4 updates (#4544)
* chore(deps): bump the gomod group across 1 directory with 5 updates (#4567)
* chore(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#4568)
* update builder to use go1.25.5 (#4566)
* Protobuf bundle support for subcommand `clean` (#4539)
* Add staging flag to initialize with staging TUF metadata
* update slack invite link (#4560)
* Updating sign-blob to also support signing with a certificate (#4547)
* Bump sigstore library dependencies (#4532)
* Protobuf bundle support for subcommands `save` and `load` (#4538)
* Fix cert attachment for new bundle with signing config
* Fix OCI verification with local cert - old bundle
* chore(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.1 (#4519)
* chore(deps): bump golang.org/x/crypto in /test/fakeoidc (#4535)
* chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4536)
* CVE-2025-58181: Fixed golang.org/x/crypto/ssh: invalidated number
of mechanisms can cause unbounded memory consumption (bsc#1253913)
* update go builder and cosign (#4529)
* chore(deps): bump the gomod group across 1 directory with 7 updates (#4528)
* chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520)
* chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515)
* chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518)
* chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524)
* chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521)
* chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502)
* chore(deps): bump the actions group across 1 directory with 2 updates (#4516)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.110.0 to 3.111.0 (#4523)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4522)
* Deprecate tlog-upload flag (#4458)
* fix: Use signal context for `sign` cli package.
* update offline verification directions (#4526)
* Fix signing/verifying annotations for new bundle
* Add support to download and attach for protobuf bundles (#4477)
* Add --signing-algorithm flag (#3497)
* Refactor signcommon bundle helpers
* Add --bundle and fix --upload for new bundle
* Pass insecure registry flags through to referrers
* chore(deps): bump github.com/buildkite/agent/v3 from 3.108.0 to 3.109.1 (#4483)
* Add protobuf bundle support for tree subcommand (#4491)
* Remove stale embed import (#4492)
* Support multiple container identities
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4484)
* chore(deps): bump chainguard-dev/actions in the actions group (#4480)
* chore(deps): bump github.com/sigstore/rekor-tiles/v2 (#4485)
* chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 (#4486)
* chore(deps): bump cuelang.org/go in the gomod group (#4479)
* upgrade OSS-Fuzz build tooling (#4487)
* Fix segfault when no attestations are found (#4472)
* Use overridden repository for new bundle format (#4473)
* update go to 1.25.3 (#4471)
* Remove --out flag from `cosign initialize` (#4462)
* chore(deps): bump the actions group with 2 updates (#4460)
* Deprecate offline flag (#4457)
* Deduplicate code in sign/attest* and verify* commands (#4449)
* Cache signing config when calling initialize (#4456)
* Update changelog for v3.0.2 (#4455)
* chore(deps): bump google.golang.org/api from 0.250.0 to 0.251.0
* chore(deps): bump gitlab.com/gitlab-org/api/client-go
* chore(deps): bump the actions group with 3 updates
* chore(deps): bump github.com/buildkite/agent/v3 from 3.107.2 to 3.108.0
* choose different signature filename for KMS-signed release signatures (#4448)
* chore(deps): bump github.com/go-jose/go-jose/v4 (#4451)
* Update rekor-tiles version path
* update CL for v3.0.1 release (#4447)
* update goreleaser config for v3.0.0 release (#4446)
* Create changelog for v3.0.0 (#4440)
* Fetch service URLs from the TUF PGI signing config by default (#4428)
* Create changelog for v2.6.1 (#4439)
* chore(deps): bump google.golang.org/api from 0.249.0 to 0.250.0 (#4432)
* chore(deps): bump the gomod group with 2 updates (#4429)
* chore(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#4433)
* chore(deps): bump the actions group with 3 updates (#4434)
* chore(deps): bump github.com/go-openapi/swag from 0.24.1 to 0.25.1 (#4435)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4436)
* chore(deps): bump github.com/go-openapi/runtime from 0.28.0 to 0.29.0 (#4437)
* Bump module version to v3 for Cosign v3.0 (#4427)
* Move sigstore-conformance back to tagged release (#4425)
* Bump sigstore-go to v1.1.3 (#4423)
* Partially populate the output of cosign verify when working with new bundles (#4416)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4419)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4418)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.105.0 to 3.107.0 (#4420)
* chore(deps): bump chainguard-dev/actions in the actions group (#4421)
* bump go builder to use 1.25.1 and cosign (#4417)
* Bump sigstore-go for more precise user agents (#4413)
* chore(deps): bump github.com/spf13/viper from 1.20.1 to 1.21.0 (#4408)
* chore(deps): bump the actions group with 2 updates (#4407)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4410)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.104.0 to 3.105.0 (#4411)
* Default to using the new protobuf format (#4318)
* Thu Sep 18 2025 Marcus Meissner <meissner@suse.com>
- Update to version 2.6.0:
- Require exclusively a SigningConfig or service URLs when signing (#4403)
- Add a terminal spinner while signing with sigstore-go (#4402)
- Bump sigstore-go, support alternative hash algorithms with keys (#4386)
- Add support for SigningConfig in sign/attest (#4371)
- Support self-managed keys when signing with sigstore-go (#4368)
- Remove SHA256 assumption in sign-blob/verify-blob (#4050)
- introduce dockerfile to pin the go version to decouple go version from go.mod (#4369)
- refactor: extract function to write referrer attestations (#4357)
- Break import cycle with e2e build tag (#4370)
- Update conformance test binary for signing config (#4367)
- update builder image to use go1.25 (#4366)
- Don't load content from TUF if trusted root path is specified (#4347)
- Don't require timestamps when verifying with a key (#4337)
- Fixes to cosign sign / verify for the new bundle format (#4346)
- update builder to use go1.24.6 (#4334)
- bump golangci-lint to v2.3.x (#4333)
- Have cosign sign support bundle format (#4316)
- Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)
- Verify subject with bundle only when checking claims (#4320)
- Add to `attest-blob` the ability to supply a complete in-toto statement, and add to `verify-blob-attestation` the ability to verify with just a digest (#4306)
* Fri Jul 18 2025 meissner@suse.com
- Update to version 2.5.3 (jsc#SLE-23879)
- Add signing-config create command (#4280)
- Allow multiple services to be specified for trusted-root create (#4285)
- force when copying the latest image to overwrite (#4298)
- Fix cert verification logic for trusted-root/SCTs (#4294)
- Fix lint error for types package (#4295)
- feat: Add OCI 1.1+ experimental support to tree (#4205)
- Add validity period end for trusted-root create (#4271)
- avoid double-loading trustedroot from file (#4264)
- Update to 2.5.2:
- Do not load trusted root when CT env key is set
- docs: improve doc for --no-upload option (#4206)
- Update to 2.5.1:
* Features
- Add Rekor v2 support for trusted-root create (#4242)
- Add baseUrl and Uri to trusted-root create command
- Upgrade to TUF v2 client with trusted root
- Don't verify SCT for a private PKI cert (#4225)
- Bump TSA library to relax EKU chain validation rules (#4219)
* Bug Fixes
- Bump sigstore-go to pick up log index=0 fix (#4162)
- remove unused recursive flag on attest command (#4187)
* Docs
- Fix indentation in verify-blob cmd examples (#4160)
* GO-2025-3660/ CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725)
* Wed May 28 2025 Marcus Meissner <meissner@suse.com>
- switch to go1.24, enable fips build
* Sun Apr 13 2025 meissner@suse.com
- Update to version 2.5.0:
* Update sigstore-go to pick up bug fixes (#4150)
* Update golangci-lint to v2, update golangci-lint-action (#4143)
* Feat/non filename completions (#4115)
* update builder to use go1.24.1 (#4116)
* Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
* Remove cert log line (#4113)
* cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
* bump to latest scaffolding release for testing (#4099)
* increase 2e2_test docker compose timeout to 180s (#4091)
* Fix replace with compliant image mediatype (#4077)
* Add TSA certificate related flags and fields for cosign attest (#4079)
- Security issues fixed:
- CVE-2024-6104: cosign: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227031)
- CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (bsc#1232985)
- CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237682)
- CVE-2025-22870: cosign: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs (bsc#1238693)
- CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239204)
- CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239337)
* Thu Feb 20 2025 meissner@suse.com
- Update to version 2.4.3:
* Enable fetching signatures without remote get. (#4047)
* Bump sigstore/sigstore to support KMS plugins (#4073)
* sort properly Go imports (#4071)
* sync comment with parameter name in function signature (#4063)
* fix go imports order to be alphabetical (#4062)
* fix comment typo and imports order (#4061)
* Feat/file flag completion improvements (#4028)
* Update builder to use go1.23.6 (#4052)
* Refactor verifyNewBundle into library function (#4013)
* fix parsing error in --only for cosign copy (#4049)
* Fix codeowners syntax, add dep-maintainers (#4046)
* Wed Feb 05 2025 meissner@suse.com
- Update to version 2.4.2:
- Updated open-policy-agent to 1.1.0 library (#4036)
- Note that only Rego v0 policies are supported at this time
- Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
- Add support for verifying root checksum in cosign initialize (#3953)
- Detect if user supplied a valid protobuf bundle (#3931)
- Add a log message if user doesn't provide --trusted-root (#3933)
- Support mTLS towards container registry (#3922)
- Add bundle create helper command (#3901)
- Add trusted-root create helper command (#3876)
Bug Fixes:
- fix: set tls config while retaining other fields from default http transport (#4007)
- policy fuzzer: ignore known panics (#3993)
- Fix for multiple WithRemote options (#3982)
- Add nightly conformance test workflow (#3979)
- Fix copy --only for signatures + update/align docs (#3904)
- use "osc service mr" to update
* Wed Oct 02 2024 Marcus Meissner <meissner@suse.com>
- update to 2.4.0 (jsc#SLE-23879)
- Add new bundle support to verify-blob and verify-blob-attestation (#3796)
- Adding protobuf bundle support to sign-blob and attest-blob (#3752)
- Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
- Conformance testing for cosign (#3806)
- move incremental builds per commit to GHCR instead of GCR (#3808)
- Add support for recording creation timestamp for cosign attest (#3797)
- Include SCT verification failure details in error message (#3799)
* Tue Aug 20 2024 Sarah Kriesch <sarah.kriesch@opensuse.org>
- Set CGO_ENABLED=1 for fixing s390x failed build
* Wed Jul 24 2024 Marcus Meissner <meissner@suse.com>
- update to 2.3.0 (jsc#SLE-23879)
* Features
- Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
- add registry options to cosign save (#3645)
- Add debug providers command. (#3728)
- Make config layers in ociremote mountable (#3741)
- adds tsa cert chain check for env var or tuf targets. (#3600)
- add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
- add handling of keyless verification for all verify commands (#3761)
* Bug Fixes
- fix: close attestationFile (#3679)
- Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
* Documentation
- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
* Fri May 31 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add completion subpackages (bash, fish, zsh)
* Mon Apr 15 2024 Marcus Meissner <meissner@suse.com>
- updated to 2.2.4 (jsc#SLE-23879)
* Bug Fixes
* Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
- CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
* ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
* fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
* Honor creation timestamp for signatures again (#3549)
* Features
* Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
* Documentation
* add oci bundle spec (#3622)
* Correct help text of triangulate cmd (#3551)
* Correct help text of verify-attestation policy argument (#3527)
* feat: add OVHcloud MPR registry tested with cosign (#3639)
* Fri Feb 02 2024 Marcus Meissner <meissner@suse.com>
- updated to 2.2.3 (jsc#SLE-23879)
Bug Fixes:
* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)
Features:
* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)
Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)
Misc:
* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
* Tue Dec 12 2023 Marcos Bjoerkelund <marcos.bjoerkelund@suse.com>
- updated to 2.2.2 (jsc#SLE-23879)
v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
For private deployments, we have also added an alias for
--insecure-skip-log, --private-infrastructure.
Bug Fixes:
* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)
Features:
* Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)
Container Updates:
* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
Documentation:
* Update SBOM_SPEC.md (#3358)
* Tue Nov 07 2023 Marcus Meissner <meissner@suse.com>
- updated to 2.2.1 (jsc#SLE-23879)
This release comes with a fix for
CVE-2023-46737 / bsc#1216933 described in this [Github Security
Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Enhancements:
* feat: Support basic auth and bearer auth login to registry (#3310)
* add support for ignoring certificates with pkcs11 (#3334)
* Support ReplaceOp in Signatures (#3315)
* feat: added ability to get image digest back via triangulate (#3255)
* feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
* feat: add support attaching a Rekor bundle to a container (#3246)
* feat: add support outputting rekor response on signing (#3248)
* feat: improve dockerfile verify subcommand (#3264)
* Add guard flag for experimental OCI 1.1 verify. (#3272)
* Deprecate SBOM attachments (#3256)
* feat: dedent line in cosign copy doc (#3244)
* feat: add platform flag to cosign copy command (#3234)
* Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
* attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes:
* Merge pull request from GHSA-vfp6-jrw2-99g9
* fix: allow cosign download sbom when image is absent (#3245)
* ci: add a OCI registry test for referrers support (#3253)
* Fix ReplaceSignatures (#3292)
* Stop using deprecated in_toto.ProvenanceStatement (#3243)
* Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
* fix: update error in `SignedEntity` to be more descriptive (#3233)
* Fail timestamp verification if no root is provided (#3224)
Documentation:
* Add some docs about verifying in an air-gapped environment (#3321)
* Update CONTRIBUTING.md (#3268)
* docs: improves the Contribution guidelines (#3257)
* Remove security policy (#3230)
Others:
* Set go to min 1.21 and update dependencies (#3327)
* Update contact for code of conduct (#3266)
* Update .ko.yaml (#3240)
* Fri Sep 01 2023 Marcus Meissner <meissner@suse.com>
- updated to 2.2.0 (jsc#SLE-23879)
- Enhancements
* switch to uploading DSSE types to rekor instead of intoto (#3113)
* add 'cosign sign' command-line parameters for mTLS (#3052)
* improve error messages around bundle != payload hash (#3146)
* make VerifyImageAttestation function public (#3156)
* Switch to cryptoutils function for SANS (#3185)
* Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
- Bug Fixes
* Fix nondeterministic timestamps (#3121)
- Documentation
* doc: Add example of sign-blob with key in env var (#3152)
* add deprecation notice for cosign-releases GCS bucket (#3148)
* update doc links (#3186)
* Tue Jun 27 2023 Marcus Meissner <meissner@suse.com>
- updated to 2.1.1 (jsc#SLE-23879)
- Bug Fixes
- wait for the workers become available again to continue the execution (#3084)
- fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
- Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
- Enhancements
- Verify sigs and attestations in parallel (#3066)
- Deep inspect attestations when filtering download (#3031)
- refactor bundle validation code, add support for DSSE rekor type (#3016)
- Allow overriding remote options (#3049)
- feat: adds no cert found on sig exit code (#3038)
- Make predicate a required flag in attest commands (#3033)
- Added support for attaching Time stamp authority Response in attach command (#3001)
- Add sign --sign-container-identity CLI (#2984)
- Feature: Allow cosign to sign digests before they are uploaded. (#2959)
- accepts attachment-tag-prefix for cosign copy (#3014)
- Feature: adds '--allow-insecure-registry' for cosign load (#3000)
- download attestation: support --platform flag (#2980)
- Cleanup: Add Digest to the SignedEntity interface. (#2960)
- verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
- verify: use workers to limit the parallelism when verifying images with --max-workers flag (#3069)
- Bug Fixes
- Fix pkg/cosign/errors (#3050)
- Fix: update doc to refer to github-actions oidc provider (#3040)
- Fix: prefer GitHub OIDC provider if enabled (#3044)
- Fix --sig-only in cosign copy (#3074)
- Documentation
- Fix links to sigstore/docs in markdown files (#3064)
* Sun May 07 2023 Marcus Meissner <meissner@suse.com>
- update to 2.0.2 (jsc#SLE-23879)
Enhancements
- Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
- feat: Make cosign copy faster (#2901)
- remove sget (#2885)
- Require a payload to be provided with a signature (#2785)
Bug Fixes
- cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
- Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
Documentation
- Remove experimental warning from Fulcio flags (#2923)
- add missing oidc provider (#2922)
- Add zot as a supported registry (#2920)
- deprecates kms_support docs (#2900)
- chore(docs) deprecate note for usage docs (#2906)
- adds note of deprecation for examples.md docs (#2899)
* Mon Apr 17 2023 Marcus Meissner <meissner@suse.com>
- update to 2.0.1 (jsc#SLE-23879)
Enhancements
- Add environment variable token provider (#2864)
- Remove cosign policy command (#2846)
- Allow customising 'go' executable with GOEXE var (#2841)
- Consistent tlog warnings during verification (#2840)
- Add riscv64 arch (#2821)
- Default generated PEM labels to SIGSTORE (#2735)
- Update privacy statement and confirmation (#2797)
- Add exit codes for verify errors (#2766)
- Add Buildkite provider (#2779)
- verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
Bug Fixes
- PKCS11 sessions are now opened read only (#2853)
- Makefile: date format of log should not show signatures (#2835)
- Add missing flags to cosign verify dockerfile/manifest (#2830)
- Add a warning to remember how to configure a custom Gitlab host (#2816)
- Remove tag warning message from save/copy commands (#2799)
- Mark keyless pem files with b64 (#2671)
* Tue Apr 04 2023 Dirk Müller <dmueller@suse.com>
- fix buildtags
- build against a maintained golang version (upstream uses go1.20)
* Mon Feb 27 2023 Marcus Meissner <meissner@suse.com>
- update to 2.0.0 (jsc#SLE-23879)
Breaking Changes:
* insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
* Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
Enhancements:
* Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
* Allow users to pass in a path for the --identity-token flag (#2538)
* Breaking change: Respect tlog-upload=false, default to true (#2505)
* Support outputting a certificate without uploading to the tlog (#2506)
* Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
* respect tlog-upload flag with TSA (#2474)
* Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
* Support TSA and Rekor verifications (#2463)
* add support for tsa signing and verification of images (#2460)
* cosign policy sign: remove experimental flag and make keyless signing default (#2459)
* Remove experimental mode from cosign attest and verify-attestation (#2458)
* Remove experimental mode from sign-blob and verify-blob (#2457)
* Add --offline flag to force offline verification (#2427)
* Air gap support (#2299)
* Breaking change: Change SCT verification behavior to default to enforcement (#2400)
* Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
* Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
* Remove experimental flag from cosign sign and cosign verify (#2387)
* verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
* Add warning to use digest instead of tags to other cosign commands (#2650)
* Fix up UI messages (#2629)
* Remove hardcoded Fulcio from output (#2621)
* Fix missing privacy statement, print in multiple locations (#2622)
* feat: allows custom key names for import-key-pair (#2587)
* feat: support keyless verification for verify-blob-attestation (#2525)
* attest-blob: add functionality for keyless signing (#2515)
* Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
* feat: add debug information to cert validation error (#2579)
* Support non-Sigstore TSA requests (#2708)
* Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
* Output certificate in bundle when entry is not uploaded to Rekor (#2715)
* attach signature and attach sbom must use STDIN to upload raw string (#2637)
* add generate-key-pair GitHub Enterprise server support (#2676)
* add in format string for warning (#2699)
* Support for fetching Fulcio certs with self-managed key (#2532)
* 2476 predicate type download (#2484)
Bug Fixes:
* Fix the file existence check. (#2552)
* Fix timestamp verification, add verify-blob tests (#2527)
* Fix(verify): Consolidate certificate expiry logic (#2504)
* Updates to Timestamp signing and verification (#2499)
* Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
* Fix path for e2e-tests badge (#2490)
* Fix spdx json media type (#2479)
* Fix sct verification (#2426)
* Fix: panic with unsigned local image (#2656)
* Make sure a cert passed in via --cert matches the bundle cert (#2652)
* Fix: fix github oidc post submit test (#2594)
* Fix: add enhanced error messages for failing verification with TUF targets (#2589)
* Fix: Add missing schemes to cosign predicate types. (#2717)
* Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
* Fix prompts with Windows line endings (#2674)
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/cosign
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Apr 7 22:37:12 2026