From b23586d6390d6a48ba4789848fe6ad89710afb7f Mon Sep 17 00:00:00 2001 From: Hayden B Date: Wed, 7 Aug 2024 01:12:08 -0700 Subject: [PATCH] Add changelog for v2.4.0 (#3821) * Add changelog for v2.4.0 Signed-off-by: Hayden Blauzvern * Add note about containers Signed-off-by: Hayden Blauzvern --------- Signed-off-by: Hayden Blauzvern --- CHANGELOG.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 595c022dc31..1755d45df30 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,40 @@ +# v2.4.0 + +v2.4.0 begins the modernization of the Cosign client, which includes: + +* Support for the newer Sigstore specification-compliant bundle format +* Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) + through a trust root file, instead of many different flags +* Conformance test suite integration to verify signing and verification behavior + +In future updates, we'll include: + +* General support for the trust root file, instead of only when using the bundle + format during verification +* Simplification of trust root flags and deprecation of the + Cosign-specific bundle format +* Bundle support with container signing + +We have also moved nightly Cosign container builds to GHCR instead of GCR. + +## Features + +* Add new bundle support to `verify-blob` and `verify-blob-attestation` (#3796) +* Adding protobuf bundle support to sign-blob and attest-blob (#3752) +* Bump sigstore/sigstore to support `email_verified` as string or boolean (#3819) +* Conformance testing for cosign (#3806) +* move incremental builds per commit to GHCR instead of GCR (#3808) +* Add support for recording creation timestamp for cosign attest (#3797) +* Include SCT verification failure details in error message (#3799) + +## Contributors + +* Bob Callaway +* Hayden B +* Slavek Kabrda +* Zach Steindler +* Zsolt Horvath + # v2.3.0 ## Features