Releases: sigstore/gitsign

v0.5.2

27 Jan 16:03
3406c64

Highlights

gitsign

  • BREAKING CHANGE: URI schemes were added to the attestation predicate types printed by gitsign show, to comply with the in-toto spec (i.e. gitsign.sigstore.dev/predicate/git/v0.1 -> https://gitsign.sigstore.dev/predicate/git/v0.1).

gitsign-credential-cache

  • Added support for systemd socket activation
  • Added support for opening the interactive auth flow through the cache socket. This allows users to forward interactive flows over remote SSH sockets to their local machines.

Changelog

  • 3406c64 Remove usage of getopt to fix release. (#225)
  • aca7918 Bump dependencies (go get -u ./...) (#224)
  • ac61585 Add support for systemd socket activation (#223)
  • 615911c Bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 (#221)
  • f9c532b Update cache directory .sigstore -> sigstore. (#218)
  • 98ef482 Add interactive flow to credential cache. (#211)
  • 15447fe Add scheme to predicate type URI. (#217)
  • e20e829 Bump actions/checkout from 3.2.0 to 3.3.0 (#212)
  • ab6d26c Bump actions/cache from 3.2.2 to 3.2.3 (#213)
  • ec74e38 Bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2 (#214)
  • 7a27e1d Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#215)
  • cc36fa9 Bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 (#216)
  • 6e4639c Bump actions/cache from 3.2.1 to 3.2.2 (#209)
  • 9f45bc1 Bump github.com/go-git/go-billy/v5 from 5.3.1 to 5.4.0 (#210)
  • cd97505 Bump actions/cache from 3.0.11 to 3.2.1 (#208)
  • fddac02 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#204)
  • 753bc4f Bump actions/setup-go from 3.4.0 to 3.5.0 (#206)
  • ec6825d Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#207)
  • 91da40f Bump actions/checkout from 3.1.0 to 3.2.0 (#205)
  • eca7ffc Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#203)
  • a086299 Bump actions/setup-go from 3.3.1 to 3.4.0 (#199)
  • b9208e3 Bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#201)

Thanks to all contributors!

v0.4.1

02 Dec 16:09
4db581a

What's Changed

  • Update README with correct TSA option values. by @wlynch in #197
  • Update TSA config names to match cosign. by @wlynch in #198

Full Changelog: v0.4.0...v0.4.1

v0.4.0

02 Dec 16:09
e4ec0f5

Overview

  • Added new sub-commands:
    • gitsign show - Prints out in-toto Statement for the specified commit.
    • gitsign attest - Stores attestations for a commit / tree in the repository.
  • Fixed timestamp authority verification.
  • Rekor Log entry now displayed on successful sign.
  • Added fulcioRoot option for configuring private Sigstore instances.

Full Changelog: v0.3.2...v0.4.0

v0.3.2

11 Oct 14:36
e8d1ed2

What's Changed

  • config: Fork out to git binary for config data. by @wlynch in #149
  • Add tests for gitsign-attest by @wlynch in #150

Full Changelog: v0.3.1...v0.3.2

v0.3.1

26 Sep 15:05
4902248

What's new

  • Fixes issue with out-of-band OAuth for non-browser sessions.
  • Fixes issue with gitsign-attest where git objects became corrupted due to unsorted trees.
  • Fixes issue with gitsign-attest where attestation history was not preserved.

Changelog

  • 4902248 update sigstore dependencies (#144)
  • 1d87be8 upgrade go to 1.19 (#145)
  • a7cf346 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#146)
  • 30381ea Bump s/s to latest (#141)
  • 4359c71 Bump cosign to 1.12. (#140)
  • c06f6fd Bump github.com/sigstore/sigstore from 1.4.0 to 1.4.1 (#139)
  • a038546 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#133)
  • 98498a6 Bump github.com/coreos/go-oidc/v3 from 3.3.0 to 3.4.0 (#135)
  • 2153fb9 attest: Make sure trees are sorted. (#132)
  • 06bc251 attest: preserve refs/attestations parent. (#129)
  • 4ee1d4c Bump github.com/coreos/go-oidc/v3 from 3.2.0 to 3.3.0 (#130)
  • bc1202a Bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 (#124)
  • f460b77 Bump actions/setup-go from 3.2.1 to 3.3.0 (#126)
  • 9d55249 Bump actions/cache from 3.0.7 to 3.0.8 (#125)

Thanks to all contributors!

v0.3.0

25 Aug 21:54
707a2cb

What's new

  • .gitconfig support - You can now configure Gitsign with your ~/.gitconfig and/or .git/config files! See File Config for more details.

    $ git config gitsign.fulcio https://fulcio.example.com
    $ cat ~/.gitconfig
    [gitsign]
          fulcio = https://fulcio.example.com
  • Dex connector configuration - You can now configure the Dex connector ID to use when authenticating. This can help speed up workflows by pre-selecting the identity provider to use when signing in. For example, to always sign in with GitHub:

    $ git config gitsign.connectorID https://github.com/login/oauth

    Supported values depend on the OIDC issuer you are using. For the public Sigstore instance (oauth2.sigstore.dev):

    Provider    Connector ID
    GitHub      https://github.com/login/oauth
    Google      https://accounts.google.com
    Microsoft   https://login.microsoftonline.com
  • Experimental support for Git based attestations - store attestations about your code directly in your repository! (note: This is not yet included in the main gitsign binary and is not available as a downloadable release artifact - please install from source).

Changelog

  • 707a2cb Recognize SIGSTORE_ prefixed environment variables. (#123)
  • cff750b Add connectorID option (#122)
  • 7fcbc7b Add gitsign-attest (#113)
  • f215bd8 Add file based configuration. (#121)
  • 7916a8b Update go modules to go1.18 (#120)
  • 1eaab67 Bump anchore/sbom-action from 0.11.0 to 0.12.0 (#116)
  • a22383d Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 (#117)
  • a748c05 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#115)
  • 0561fe8 Bump github.com/go-openapi/swag from 0.22.0 to 0.22.3 (#118)
  • ec2da04 Bump github.com/sigstore/cosign from 1.10.1 to 1.11.0 (#119)
  • 1d4fc64 Gitignore and verify consume (#109)
  • bd39f7c Bump actions/cache from 3.0.6 to 3.0.7 (#112)
  • 355fea8 Bump cosign version to 0.10.1 (#111)
  • 084c46f Bump actions/cache from 3.0.5 to 3.0.6 (#106)
  • f0cac92 Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (#107)
  • d9a9aba Add note to credential cache docs about cache directory selection. (#102)
  • edb89df Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#100)
  • da368d7 Bump github.com/sigstore/rekor from 0.9.1 to 0.10.0 (#101)
  • 57bdce0 Bump actions/setup-go from 3.2.0 to 3.2.1 (#95)
  • be797c9 Bump actions/cache from 3.0.4 to 3.0.5 (#96)
  • bf41df3 Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (#97)
  • 31ae988 Bump github.com/sigstore/rekor from 0.9.0 to 0.9.1 (#93)
  • 3a86508 --version: Print out relevant env variables. (#92)

Thanks to all contributors!

v0.2.0

05 Jul 17:40
4bc492c

Highlights

  • Adds gitsign-credential-cache: an optional socket-based credential cache binary for reusing keys across multiple signing requests without needing to re-authenticate (e.g. during rebases).
  • Adds support for out-of-band interactive flows, for SSH and other sessions where a web browser is not directly available.
  • Signing errors are now written directly to the user's TTY when one is available.
  • Fixed Rekor Git SHA generation for tags.

Breaking changes

  • Fixed Rekor Git SHA generation for tags.
    Because this corrects how the tag SHA is calculated, Rekor entry lookup breaks for tags signed by older versions that used the incorrect behavior. Those tags will be considered unverified unless they are re-signed with a newer version of gitsign: git tag -f -s <tag name> <tag name>

Changelog

  • 4bc492c Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (#90)
  • 319e053 Bump github.com/sigstore/rekor from 0.8.2 to 0.9.0 (#91)
  • ca0cb8d Calculate correct SHA for signed Tags. (#89)
  • 7fb3656 Use TTY output for errors. (#87)
  • 97abf6c Bump github.com/sigstore/rekor from 0.8.1 to 0.8.2 (#85)
  • c52c82e Implement out of band OAuth. (#80)
  • 4fccc27 add gitsign-credential-cache to the build/release jobs (#84)
  • 0fb71e6 Implement Credential Caching (#75)
  • 6663b1b Typo fix (#82)
  • 7bbe200 Document signing tags (#83)
  • 111ffa4 Bump github.com/sigstore/rekor from 0.8.0 to 0.8.1 (#81)
  • 79844de Fix casing in README (#77)
  • 3c72400 Use pkg/fulcioroots from sigstore/sigstore (#67)

Thanks to all contributors!

v0.1.1

14 Jun 16:16
308e723

What's Changed

  • Checkout pull request merge commit for e2e test. by @wlynch in #54
  • e2e: select checkout ref based on event type. by @wlynch in #57
  • Refactor verification to use consistent verification options. by @wlynch in #55
  • Fix e2e ref expression. by @wlynch in #59
  • Partially remove cosign dependencies for fulcio / rekor client creation. by @wlynch in #53
  • Remove dependency on cosign/cli/fulcio. by @wlynch in #63
  • Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #64
  • Bump github.com/sigstore/rekor from 0.7.0 to 0.8.0 by @dependabot in #72
  • Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #71
  • Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #70
  • Add Homebrew install instructions to README by @jdolitsky in #73
  • Export rekor package. by @wlynch in #60
  • update/fix version flag by @cpanato in #66

Full Changelog: v0.1.0...v0.1.1

Thanks to all contributors!

v0.1.0

02 Jun 17:53
2d9cff2

⚠️ Note: Due to a bug, gitsign >= v0.1 is now required to work with the public Sigstore instance starting 2022/06/01. See #49 for more details.

Changelog

  • 2d9cff2 Fix gitsign for public Sigstore changes. (#50)
  • 61a4195 e2e: Verify commit with command that will return non-zero. (#51)
  • fe9a344 Bump actions/setup-go from 3.1.0 to 3.2.0 (#48)
  • 5cce35c Add privacy section to README. (#47)
  • 05dd77d Verify: check if summary is nil before accessing cert. (#43)
  • 01b9cc3 Unexport NewRekorClient which is only used in its own package (#45)
  • 9861d9d Ensure GITSIGN_REKOR_URL is respected. (#44)
  • 3911553 Added environment variable for OIDC Redirect URL (#39)
  • ab580ed Bump goreleaser/goreleaser-action from 2.9.1 to 3 (#42)
  • 6e70287 all: remove dependency on deprecated github.com/pkg/errors (#41)
  • 7cd8fa3 Resize GitHub unverified image, add link to smime verification. (#38)
  • 20e9e75 Fix GitHub verified limitation typos (#35)
  • 72b4a2d Add GitHub verified badge explanation to limitations. (#34)
  • 71a1010 Fix readme file to allow copy/pasting CLI configuration (#33)
  • dff662e Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#32)
  • cc20420 Some updates on CI, add new jobs and dependabot config (#29)
  • 1d333a3 update goreleaser config to explicity some configurations (#28)
  • 7058874 add initial makefile
  • 107ac24 Drop go version to 1.17. (#23)
  • 4d501b6 Add GITSIGN_LOG environment variable for debug log path.
  • 3a5916b Update error temp log base directory to use os.Tempdir.
  • b9d0176 README: s/cosign/sigstore

Thanks to all contributors!

v0.0.2-alpha

12 May 21:55
15d6a65

Another pre-release to test out the release pipeline

What's Changed

  • Update README to include commit.gpgsign option. by @wlynch in #15
  • Fix up getopt dependency by @nsmith5 in #17

Full Changelog: v0.0.1-alpha...v0.0.2-alpha