Releases: slsa-framework/slsa-verifier
v2.0.0
Breaking Changes
- refactor: add subcommands and separate functionality from artifacts a… by @asraa in #231. Users running
slsa-verifier -artifact-path ${ARTIFACT} -provenance ${PROVENANCE} -source ${SOURCE} -tag ${TAG} -branch ${BRANCH} -versioned-tag ${VTAG}
must migrate to
slsa-verifier verify-artifact ${ARTIFACT} -provenance-path ${PROVENANCE} -source-uri ${SOURCE} -source-tag ${TAG} -source-branch ${BRANCH} -source-versioned-tag ${VTAG}
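The flag renames above, applied mechanically to a legacy argument list so that old CI invocations can be rewritten and reviewed. This is an added example, not code from the slsa-verifier project; the helper name `migrate_slsa_args` and the sample values are constructed, and flag values are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: translate a pre-v2.0.0 slsa-verifier argument list into the
# v2.0.0 verify-artifact form, using only the renames listed in these notes.
# migrate_slsa_args is a hypothetical helper name. The result is printed for
# review (not executed), and values are assumed to contain no whitespace.

migrate_slsa_args() {
    artifact=""
    out=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -artifact-path) new="" ;;   # becomes the positional argument
            -provenance)    new="-provenance-path" ;;
            -source)        new="-source-uri" ;;
            -tag)           new="-source-tag" ;;
            -branch)        new="-source-branch" ;;
            -versioned-tag) new="-source-versioned-tag" ;;
            *)
                # Fail closed: an unknown flag must not be passed through silently.
                echo "unrecognized legacy flag: $1" >&2
                return 2 ;;
        esac
        if [ "$#" -lt 2 ]; then
            echo "flag $1 is missing its value" >&2
            return 2
        fi
        if [ -z "$new" ]; then
            artifact="$2"
        else
            out="$out $new $2"
        fi
        shift 2
    done
    if [ -z "$artifact" ]; then
        echo "no -artifact-path given; verify-artifact needs an artifact" >&2
        return 2
    fi
    printf 'slsa-verifier verify-artifact %s%s\n' "$artifact" "$out"
}

# Constructed sample invocation (file names and repository are placeholders).
migrate_slsa_args -artifact-path app.tar.gz -provenance app.intoto.jsonl \
    -source github.com/example/app -tag v1.2.3
```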
Major Features
- feat: slsa-verifier now performs OCI verification using slsa-verifier verify-image. See #147.
- feat: GCB-generated container image SLSA provenance verification is supported. See https://github.com/slsa-framework/slsa-verifier#verification-for-google-cloud-build and #202
- feat: Add a GitHub Action for installing slsa-verifier. by @kpk47 in #246
What's Changed
- release: release v1.3.0 of verifier by @asraa in #218
- feat: support oci image verification by @asraa in #147
- fix(deps): update module github.com/go-openapi/swag to v0.22.3 by @renovate-bot in #215
- chore(deps): update golang:1.18 docker digest to 616aa98 by @renovate-bot in #214
- chore(deps): update github-actions by @renovate-bot in #222
- chore(deps): update actions/checkout action to v3 by @renovate-bot in #227
- fix(deps): update module github.com/sigstore/cosign to v1.11.0 by @renovate-bot in #224
- fix(deps): update module github.com/sigstore/rekor to v0.11.0 by @renovate-bot in #225
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 533c15e by @renovate-bot in #228
- feat: Support for GCB verification by @laurentsimon in #202
- Correct installation command in README by @laurentsimon in #241
- release: add release v1.0.3 by @asraa in #235
- Verify text provenance for GCB by @laurentsimon in #242
- doc: fix comment typos by @laurentsimon in #244
- fix(deps): update module github.com/sigstore/cosign to v1.11.1 by @renovate-bot in #239
- chore(deps): update github-actions by @renovate-bot in #240
- feat: add CLI tests for GCB verification by @laurentsimon in #245
- chore(deps): update github/codeql-action action to v2.1.22 by @renovate-bot in #249
- chore(deps): update golang:1.18 docker digest to 5540a6a by @renovate-bot in #238
- feat: support for GCB v0.3 verification by @laurentsimon in #248
- fix: fix CLI flag mishap by @asraa in #250
- feat: CLI tests for GCB verification by @laurentsimon in #251
- feat: support builderID matching with or without semver for GCB by @laurentsimon in #256
- chore(deps): update golang docker tag to v1.19 by @renovate-bot in #196
- chore(deps): update ossf/scorecard-action action to v2 by @renovate-bot in #255
- fix(deps): update module github.com/google/go-cmp to v0.5.9 by @renovate-bot in #253
- feat: support builderID matching with or without semver for GHA by @laurentsimon in #257
- fix(deps): update module github.com/sigstore/cosign to v1.12.0 by @renovate-bot in #264
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 33fac4d by @renovate-bot in #260
- chore(deps): update github/codeql-action action to v2.1.24 by @renovate-bot in #262
- Add a GitHub Action for installing slsa-verifier. by @kpk47 in #246
- fix(deps): update module github.com/sigstore/sigstore to v1.4.1 by @renovate-bot in #263
- doc: document build id and GCB vs GHA by @laurentsimon in #266
- doc: add links to GH builders by @laurentsimon in #268
- chore(deps): update github-actions by @renovate-bot in #274
- fix(deps): update module github.com/sigstore/sigstore to v1.4.2 by @renovate-bot in #272
- Update README.md by @laurentsimon in #276
- fix: make client shard aware when verifying by @asraa in #282
- chore(deps): update github-actions by @renovate-bot in #284
- Update pre-submits by @ianlewis in #289
- release: add release v1.3.1 and v1.2.1 by @asraa in #288
- release: add release hash for v1.1.2 and v1.0.4 by @asraa in #291
- chore(deps): pin dependencies by @renovate-bot in #269
- chore(deps): update dependency jasmine to v4.4.0 by @renovate-bot in #283
- gcb: add gcb compatibility for provenance formats and buckets by @asraa in #292
- fix: fix release configuration and workflow for version info by @asraa in #296
- ci: use upstream version lib to provide version, commit, and tree state by @asraa in #297
- fix: env vars are case sensitive in configuration by @asraa in #298
- chore(deps): update github-actions by @renovate-bot in #295
- fix(deps): update module github.com/sigstore/sigstore to v1.4.4 by @renovate-bot in #294
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 3778d4f by @renovate-bot in #293
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to a6441d1 by @renovate-bot in #306
- chore(deps): update dependency eslint-plugin-github to v4.4.0 by @renovate-bot in #305
- fix(deps): update module github.com/go-openapi/runtime to v0.24.2 by @renovate-bot in #304
- rekor: use rekor client with retries by @asraa in #301
- chore(deps): update dependency eslint to v8.25.0 by @renovate-bot in #273
- tests: fix builder id matching by @asraa in #308
- test: add v1.2.1 builder tests by @asraa in #310
- docs: update release.md docs to describe a pre-release by @asraa in #314
- fix: address gcb verifier comments and add gcb documentation by @asraa in #300
- Add optional by @wietse-gmail in #316
- Fix installer: Add arguments to actions/checkout so that it checks ou… by @kpk47 in #319
- Make GitHub token optional by @laurentsimon in #324
- chore(deps): update dependency eslint to v8.26.0 by @renovate-bot in #323
- feat: run CLI tests daily by @laurentsimon in #327
- Update sigstore libraries by @ianlewis in #326
- chore(deps): update dependency typescript to v4.8.4 by @renovate-bot in #270
- chore(deps): update dependency jasmine to v4.5.0 by @renovate-bot in #345
- chore(deps): update github-actions to v3 (major) by @renovate-bot in #344
- chore(deps): update dependency @types/node to v18.11.8 by @renovate-bot in #341
- chore(deps): update github-actions by @renovate-bot in https://github.com/slsa-framework/slsa-verif...
v1.3.2
This fixes issue #325. Sigstore root metadata was updated to a key format incompatible with old go-tuf (the underlying TUF client) libraries. This release updates the sigstore libraries to newer versions that pull in the updated go-tuf libraries.
What's Changed
- Backport release/v1.3: Update sigstore libraries by @ianlewis in #329
- release/v1.3: update release builder by @asraa in #333
Full Changelog: v1.3.1...v1.3.2
v1.2.2
This fixes issue #325. Sigstore root metadata was updated to a key format incompatible with old go-tuf (the underlying TUF client) libraries. This release updates the sigstore libraries to newer versions that pull in the updated go-tuf libraries.
What's Changed
- chore(deps): update github-actions by @renovate-bot in #295
- fix(deps): update module github.com/sigstore/sigstore to v1.4.4 by @renovate-bot in #294
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 3778d4f by @renovate-bot in #293
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to a6441d1 by @renovate-bot in #306
- chore(deps): update dependency eslint-plugin-github to v4.4.0 by @renovate-bot in #305
- fix(deps): update module github.com/go-openapi/runtime to v0.24.2 by @renovate-bot in #304
- rekor: use rekor client with retries by @asraa in #301
- chore(deps): update dependency eslint to v8.25.0 by @renovate-bot in #273
- tests: fix builder id matching by @asraa in #308
Full Changelog: v1.4.1...v1.2.2
v1.1.3
This fixes issue #325. Sigstore root metadata was updated to a key format incompatible with old go-tuf (the underlying TUF client) libraries. This release updates the sigstore libraries to newer versions that pull in the updated go-tuf libraries.
What's Changed
- Backport release/v1.1: Update sigstore libraries by @ianlewis in #331
- release/v1.1: update release builder by @asraa in #335
- release/v1.1: fix release workflow perms by @asraa in #338
Full Changelog: v1.1.2...v1.1.3
v1.0.5
This fixes issue #325. Sigstore root metadata was updated to a key format incompatible with old go-tuf (the underlying TUF client) libraries. This release updates the sigstore libraries to newer versions that pull in the updated go-tuf libraries.
What's Changed
- Backport release/v1.0: Update sigstore libraries by @ianlewis in #332
- release/v1.0: update release builder by @asraa in #336
- release/v1.0: fix release workflow permissions by @asraa in #337
Full Changelog: v1.0.4...v1.0.5
v1.4.1
v1.4.0
What's Changed
- release: release v1.3.0 of verifier by @asraa in #218
- feat: support oci image verification by @asraa in #147
- fix(deps): update module github.com/go-openapi/swag to v0.22.3 by @renovate-bot in #215
- chore(deps): update golang:1.18 docker digest to 616aa98 by @renovate-bot in #214
- chore(deps): update github-actions by @renovate-bot in #222
- chore(deps): update actions/checkout action to v3 by @renovate-bot in #227
- fix(deps): update module github.com/sigstore/cosign to v1.11.0 by @renovate-bot in #224
- fix(deps): update module github.com/sigstore/rekor to v0.11.0 by @renovate-bot in #225
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 533c15e by @renovate-bot in #228
- feat: Support for GCB verification by @laurentsimon in #202
- Correct installation command in README by @laurentsimon in #241
- release: add release v1.0.3 by @asraa in #235
- Verify text provenance for GCB by @laurentsimon in #242
- doc: fix comment typos by @laurentsimon in #244
- fix(deps): update module github.com/sigstore/cosign to v1.11.1 by @renovate-bot in #239
- chore(deps): update github-actions by @renovate-bot in #240
- feat: add CLI tests for GCB verification by @laurentsimon in #245
- chore(deps): update github/codeql-action action to v2.1.22 by @renovate-bot in #249
- chore(deps): update golang:1.18 docker digest to 5540a6a by @renovate-bot in #238
- refactor: add subcommands and separate functionality from artifacts a… by @asraa in #231
- feat: support for GCB v0.3 verification by @laurentsimon in #248
- fix: fix CLI flag mishap by @asraa in #250
- feat: CLI tests for GCB verification by @laurentsimon in #251
- feat: support builderID matching with or without semver for GCB by @laurentsimon in #256
- chore(deps): update golang docker tag to v1.19 by @renovate-bot in #196
- chore(deps): update ossf/scorecard-action action to v2 by @renovate-bot in #255
- fix(deps): update module github.com/google/go-cmp to v0.5.9 by @renovate-bot in #253
- feat: support builderID matching with or without semver for GHA by @laurentsimon in #257
- fix(deps): update module github.com/sigstore/cosign to v1.12.0 by @renovate-bot in #264
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 33fac4d by @renovate-bot in #260
- chore(deps): update github/codeql-action action to v2.1.24 by @renovate-bot in #262
- Add a GitHub Action for installing slsa-verifier. by @kpk47 in #246
- fix(deps): update module github.com/sigstore/sigstore to v1.4.1 by @renovate-bot in #263
- doc: document build id and GCB vs GHA by @laurentsimon in #266
- doc: add links to GH builders by @laurentsimon in #268
- chore(deps): update github-actions by @renovate-bot in #274
- fix(deps): update module github.com/sigstore/sigstore to v1.4.2 by @renovate-bot in #272
- Update README.md by @laurentsimon in #276
- fix: make client shard aware when verifying by @asraa in #282
- chore(deps): update github-actions by @renovate-bot in #284
- Update pre-submits by @ianlewis in #289
- release: add release v1.3.1 and v1.2.1 by @asraa in #288
- release: add release hash for v1.1.2 and v1.0.4 by @asraa in #291
- chore(deps): pin dependencies by @renovate-bot in #269
- chore(deps): update dependency jasmine to v4.4.0 by @renovate-bot in #283
- gcb: add gcb compatibility for provenance formats and buckets by @asraa in #292
- fix: fix release configuration and workflow for version info by @asraa in #296
- ci: use upstream version lib to provide version, commit, and tree state by @asraa in #297
Full Changelog: v1.3.0...v1.4.0