OVAL

SUSE-SU-2023:4870-1 -- SLES cosign

ID: oval:org.secpod.oval:def:89051259
Date: (C)2024-01-23 (M)2024-01-23
Class: PATCH
Family: unix

This update for cosign fixes the following issues:

Updated to 2.2.1

Enhancements:
* CVE-2023-46737: Possible endless data attack from attacker-controlled registry
* feat: Support basic auth and bearer auth login to registry
* add support for ignoring certificates with pkcs11
* Support ReplaceOp in Signatures
* feat: added ability to get image digest back via triangulate
* feat: add `--only` flag in `cosign copy` to copy sign, att sbom
* feat: add support attaching a Rekor bundle to a container
* feat: add support outputting rekor response on signing
* feat: improve dockerfile verify subcommand
* Add guard flag for experimental OCI 1.1 verify.
* Deprecate SBOM attachments
* feat: dedent line in cosign copy doc
* feat: add platform flag to cosign copy command
* Add SLSA 1.0 attestation support to cosign. Closes #2860
* attest: pass OCI remote opts to att resolver.

Bug Fixes:
* Merge pull request from GHSA-vfp6-jrw2-99g9
* fix: allow cosign download sbom when image is absent
* ci: add an OCI registry test for referrers support
* Fix ReplaceSignatures
* Stop using deprecated in_toto.ProvenanceStatement
* Fixes #3236, disable SCT checking for a cosign verification when using ..
* fix: update error in `SignedEntity` to be more descriptive
* Fail timestamp verification if no root is provided

Documentation:
* Add some docs about verifying in an air-gapped environment
* Update CONTRIBUTING.md
* docs: improves the Contribution guidelines
* Remove security policy

Others:
* Set go to min 1.21 and update dependencies
* Update contact for code of conduct
* Update .ko.yaml

Updated to 2.2.0

Enhancements:
* switch to uploading DSSE types to rekor instead of intoto
* add "cosign sign" command-line parameters for mTLS
* improve error messages around bundle != payload hash
* make VerifyImageAttestation function public
* Switch to cryptoutils function for SANS
* Handle HTTP_1_1_REQUIRED errors in github provider

Bug Fixes:
* Fix nondeterministic timestamps

Documentation:
* doc: Add example of sign-blob with key in env var
* add deprecation notice for cosign-releases GCS bucket
* update doc links

Updated to 2.1.1

Bug Fixes:
* wait for the workers to become available again to continue the execution
* fix help text when in a container

Updated to 2.1.0

Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.

Enhancements:
* Verify sigs and attestations in parallel
* Deep inspect attestations when filtering download
* refactor bundle validation code, add support for DSSE rekor type
* Allow overriding remote options
* feat: adds no cert found on sig exit code
* Make predicate a required flag in attest commands
* Added support for attaching Time stamp authority Response in attach command
* Add sign --sign-container-identity CLI
* Feature: Allow cosign to sign digests before they are uploaded.
* accepts attachment-tag-prefix for cosign copy
* Feature: adds "--allow-insecure-registry" for cosign load
* download attestation: support --platform flag
* Cleanup: Add Digest to the SignedEntity interface.
* verify command: support keyless verification using only a provided certificate chain with non-fulcio roots
* verify: use workers to limit the parallelism when verifying images with --max-workers flag

Bug Fixes:
* Fix pkg/cosign/errors
* Fix: update doc to refer to github-actions oidc provider
* Fix: prefer GitHub OIDC provider if enabled
* Fix --sig-only in cosign copy

Documentation:
* Fix links to sigstore/docs in markdown files

Update to 2.0.2

Enhancements:
* Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change
* feat: Make cosign copy faster
* remove sget
* Require a payload to be provided with a signature

Bug Fixes:
* cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob.
* Use SOURCE_DATE_EPOCH for OCI CreatedAt times

Documentation:
* Remove experimental warning from Fulcio flags
* add missing oidc provider
* Add zot as a supported registry
* deprecates kms_support docs
* chore deprecate note for usage docs
* adds note of deprecation for examples.md docs

Platform:
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Desktop 15 SP5
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP5
Product:
cosign
Reference:
SUSE-SU-2023:4870-1
CVE-2023-46737
CVE (1):
CVE-2023-46737
CPE (3):
cpe:/a:cosign:cosign
cpe:/o:suse:suse_linux_enterprise_server:15:sp4
cpe:/o:suse:suse_linux_enterprise_desktop:15:sp4

© SecPod Technologies