v0.39.0

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.39.0/vendir-linux-amd64

# Move the binary in to your PATH
mv vendir-linux-amd64 /usr/local/bin/vendir

# Make the binary executable
chmod +x /usr/local/bin/vendir

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install vendir
$ vendir version  

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.39.0/checksums.txt
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.39.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.39.0/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

✨ What's new

• fix grammar in README by @vtrenton in #324
• Added changes to sign artifacts by @kumaritanushree in #339
• Simplify gitignore and make sure all binaries are accounted for by @100mik in #351
• PrivateKey with or without extra char as newline will be accepted by @kumaritanushree in #349
• Fix race condition when running multiple vendir from the same directory by @Zebradil in #345
• Refactor lazy sync code by @Zebradil in #340
• Fix: updated setup cosign step in release process by @kumaritanushree in #352
• updated release to have installation and verification steps included in release notes by @kumaritanushree in #354

New Contributors

• @vtrenton made their first contribution in #324
• @100mik made their first contribution in #351

Full Changelog: v0.38.0...v0.39.0

📂 Files Checksum

012531a2f1a2de8bc89f1623edfc40a7ac5aee421fe609085278fb9e287f1cdf  ./vendir-linux-arm64
20b71cc25dc3fea31edf9667c92a05167f713935f854882159736443c2f7a0e6  ./vendir-windows-amd64.exe
90ae82718c1072831f3097bdb031d5a897cc9f2f8334e2e1d7f35e35d0abd84f  ./vendir-darwin-amd64
91ecf04ad5cdfa0f8839dc1430da7a4da665f7cb88c64c0c72202f6db261e651  ./vendir-darwin-arm64
feb2836153508adfb6fd33c127e466c9ce26577678e93a252be2fec445f4501f  ./vendir-linux-amd64