
Releases: sigstore/sigstore-go

v0.6.2

10 Sep 19:06
0726854

This is a minor release to enable better error handling in the gh CLI.

What's Changed

  • Use sentinel errors for bundle validation in validateBundle func by @malancas in #291

Full Changelog: v0.6.1...v0.6.2

v0.6.1

04 Sep 20:06
01e70e8

What's Changed

v0.6.1 resolves a security advisory for a denial of service. See GHSA-cq38-jh5f-37mq for more information.

  • Add fuzz tests for bundle, tlog and verify packages by @AdamKorcz in #272
  • Add the ability to construct TrustRoot from targets by @bkabrda in #247
  • add oss-fuzz build script by @AdamKorcz in #278
  • Fix proof of key possession generation by @adityasaky in #283
  • Add additional validation for nil elements in Bundles by @codysoyland in #285
  • Add hard limits for number of TSA entries, Tlog entries, and attestation subjects/digests by @codysoyland in #286

Full Changelog: v0.6.0...v0.6.1

v0.6.0

16 Aug 14:02
3f8dbc4

As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes.

Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.

Breaking Changes

  • In pkg/bundle/bundle.go
    • ProtobufBundle is now Bundle
    • NewProtobufBundle is now NewBundle
  • In pkg/bundle/signature_content.go
    • The Statement type, previously taken from github.com/in-toto/in-toto-golang/in_toto, now comes from github.com/in-toto/attestation/go/v1

What's Changed

Full Changelog: v0.5.1...v0.6.0

v0.5.1

24 Jul 18:12
2b6fc6d

See release v0.5.0 for a list of breaking changes in v0.5.0.

This minor release corrects the spelling of the helper function added in v0.5.0 to pkg/verify/certificate_identity.go: NewIssuserMatcher() is now called NewIssuerMatcher().

v0.5.0

24 Jul 17:44
17ad99b

We are continuing to work down items as we move towards a v1.0.0 release. As noted in the v0.4.0 release this includes some minor interface changes as we clean things up and get feedback from people using sigstore-go in different contexts.

Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.

Breaking Changes

  • In pkg/bundle/verification_content.go:

    • For bundle.Certificate and bundle.PublicKey, HasCertificate() is now called GetCertificate() and returns only *x509.Certificate instead of (x509.Certificate, bool)
  • In pkg/verify/certificate.go:

    • Change NewShortCertificateIdentity() arguments
      • Was: func NewShortCertificateIdentity(issuer, sanValue, sanType, sanRegex string)
      • Now: func NewShortCertificateIdentity(issuer, issuerRegex, sanValue, sanRegex string)
    • Change in NewSANMatcher() arguments
      • Was: func NewSANMatcher(sanValue string, sanType string, regexpStr string)
      • Now: func NewSANMatcher(sanValue string, regexpStr string)
    • Change in NewCertificateIdentity() arguments
      • Was: func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions)
      • Now: func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, issuerMatcher IssuerMatcher, extensions certificate.Extensions)
        • func NewIssuserMatcher(issuerValue, regexpStr string) (IssuerMatcher, error) can help you create an IssuerMatcher (the spelling is corrected to NewIssuerMatcher in v0.5.1)
  • In pkg/verify/signed_entity.go:

    • WithoutAnyObserverTimestampsInsecure() is now WithoutAnyObserverTimestampsUnsafe()

What's Changed

Full Changelog: v0.4.0...v0.5.0

v0.4.0

10 Jun 18:38
c60e743

What's Changed

In addition to various improvements in functionality, documentation, and testing, v0.4.0 includes signing support, and the verification and signing APIs move from unstable to beta. There may be minor interface changes between now and v1.0.0.

  • Add mediatype string builder to bundle package by @puerco in #154
  • chore: fix undefined media type error in OCI verification example by @vishal-chdhry in #163
  • Use observer timestamp for comparison against certificate chain validity period by @codysoyland in #180
  • Add clarifying comments around TUF caching options by @haydentherapper in #173
  • Fix verification example by @cmurphy in #194
  • Update README and documentation for signing support by @steiza in #203
  • Add unit tests for SCT verification by @cmurphy in #204

New Contributors

Full Changelog: v0.3.0...v0.4.0

v0.3.0

11 Apr 15:15
998ff47

What's Changed

v0.3.0 includes support for the Sigstore Bundle v0.3. It also includes some improved interface method naming and several bug fixes and dependency updates.

Full Changelog: v0.2.0...v0.3.0

v0.2.0

13 Feb 16:06
4e750e1

What's Changed

v0.2.0 includes an updated TUF client. This also updates verification to require specifying both the certificate issuer and SAN.

  • Bundle verification should require specifying expected certificate issuer and SAN by @steiza in #82
  • Update verification example by @haydentherapper in #84
  • Update TUF client to support options and add LiveTrustedRoot by @codysoyland in #41
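As an added illustration of the v0.2.0 rule above that verification must pin both the certificate issuer and the SAN, and of the v0.5.0 changes to NewShortCertificateIdentity and NewIssuerMatcher listed earlier on this page, the following stand-alone Go program re-implements the idea in miniature. It is example code written for this page, not sigstore-go's own: the Identity type, the match helper, the newSigningCert fixture and the example issuer and e-mail values are assumptions, and only the NewShortCertificateIdentity argument order follows the v0.5.0 signature. The one real detail it relies on is Fulcio's issuer extension, OID 1.3.6.1.4.1.57264.1.8, a DER-encoded UTF8String carrying the OIDC issuer URL, which it reads from a constructed self-signed certificate. The two issuers in main, accounts.google.com and github.com/login/oauth, are both OIDC providers the public Fulcio instance accepts for e-mail identities.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Fulcio's "Issuer (V2)" extension, OID 1.3.6.1.4.1.57264.1.8: a DER UTF8String holding the OIDC issuer URL.
var oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
var ErrIssuerMismatch = errors.New("certificate issuer does not match expected identity")
var ErrSANMismatch = errors.New("no certificate SAN matches expected identity")

// Identity is a hypothetical stand-in for the library's CertificateIdentity: issuer and SAN, each by value, regexp, or both.
type Identity struct{ Issuer, IssuerRegex, SAN, SANRegex string }

// NewShortCertificateIdentity follows the v0.5.0 argument order listed on this page.
func NewShortCertificateIdentity(issuer, issuerRegex, sanValue, sanRegex string) Identity {
	return Identity{issuer, issuerRegex, sanValue, sanRegex}
}

// match requires the exact value (if set) and the regexp (if set) to hold; with neither set it fails closed.
func match(got, want, re string) (bool, error) {
	if want == "" && re == "" {
		return false, errors.New("empty constraint")
	}
	if want != "" && got != want {
		return false, nil
	}
	if re == "" {
		return true, nil
	}
	return regexp.MatchString(re, got)
}

// Verify checks the issuer extension first, then requires at least one SAN to match.
func (id Identity) Verify(cert *x509.Certificate) error {
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuerV2) {
			if rest, err := asn1.UnmarshalWithParams(ext.Value, &issuer, "utf8"); err != nil || len(rest) != 0 {
				return fmt.Errorf("%w: malformed issuer extension", ErrIssuerMismatch)
			}
		}
	}
	if issuer == "" {
		return fmt.Errorf("%w: no issuer extension", ErrIssuerMismatch)
	}
	if ok, err := match(issuer, id.Issuer, id.IssuerRegex); err != nil {
		return fmt.Errorf("issuer constraint: %w", err)
	} else if !ok {
		return fmt.Errorf("%w: got %q", ErrIssuerMismatch, issuer)
	}
	sans := append(append([]string{}, cert.EmailAddresses...), cert.DNSNames...)
	for _, san := range sans {
		if ok, err := match(san, id.SAN, id.SANRegex); err != nil {
			return fmt.Errorf("san constraint: %w", err)
		} else if ok {
			return nil
		}
	}
	return fmt.Errorf("%w: got %q", ErrSANMismatch, sans)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSigningCert builds a constructed self-signed leaf with an e-mail SAN and the issuer extension (a Fulcio stand-in).
func newSigningCert(email, issuer string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuerV2, Value: must(asn1.MarshalWithParams(issuer, "utf8"))}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	id := NewShortCertificateIdentity("https://accounts.google.com", "", "", `^release-bot@example\.com$`)
	fmt.Println(id.Verify(newSigningCert("release-bot@example.com", "https://accounts.google.com")))  // <nil>
	fmt.Println(id.Verify(newSigningCert("release-bot@example.com", "https://github.com/login/oauth"))) // issuer mismatch
}
```

The second call fails with ErrIssuerMismatch even though the e-mail SAN is identical, which is the case a SAN-only check would accept. The empty-constraint branch in match is the other caveat worth keeping: a zero-value matcher must reject, not match everything.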

Full Changelog: v0.1.0...v0.2.0

v0.1.0

25 Jan 21:11
2e5477d

Changelog

Initial release of sigstore/sigstore-go

See the README for instructions on supported features and how to use the library.