Releases: sigstore/gitsign

v0.11.0

04 Nov 23:52
8e08985

Changelog

  • 8e08985 Bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.4.1 (#573)
  • 036c118 Fix matching of tlog entries to payload (#584)
  • da79e4b Fix unhandled extension issue for cached certs (#583)
  • 02af74d Update credential-cache messages to user (#582)
  • 51907a6 Support gitsign-credential-cache on Windows (#579)
  • 45f647b Bump google.golang.org/protobuf from 1.34.2 to 1.35.1 (#580)
  • 6b63283 Bump anchore/sbom-action from 0.17.3 to 0.17.4 in the actions group (#581)
  • 1b11c27 Trigger workflows on push only to main branch (#578)
  • 73821e1 Bump the gomod group across 1 directory with 2 updates (#577)
  • 0a530d1 Bump github.com/sigstore/fulcio from 1.5.1 to 1.6.5 (#575)
  • 3a6b5ff Bump Go to 1.23.2 and golangci-lint to 1.61 (#576)
  • ec41a4e Bump anchore/sbom-action from 0.17.2 to 0.17.3 in the actions group (#572)
  • a9e5bf9 Bump github.com/docker/docker (#553)
  • aa71ea8 Handle GeneralName as SAN (#571)
  • 7b9a59e Bump the actions group across 1 directory with 6 updates (#569)
  • 6619f72 Fix gitsign env test (#568)
  • 512c386 Bump the actions group with 2 updates (#552)
  • 7d7b847 e2e tests: Use beacon token. (#549)
  • 6ba65fc Bump github.com/sigstore/fulcio from 1.4.5 to 1.5.1 (#541)
  • 3a204ff Bump github.com/mattn/go-tty from 0.0.5 to 0.0.7 in the gomod group (#546)
  • 0504d6b Bump docker/login-action from 3.2.0 to 3.3.0 in the actions group (#545)
  • a7b5867 Bump anchore/sbom-action from 0.16.1 to 0.17.0 in the actions group (#543)
  • fdd6e3a update go to 1.22.5 and fix golangci-lint action (#542)
  • e999077 Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7 in the gomod group (#539)
  • 94dc609 Bump github.com/coreos/go-oidc/v3 from 3.10.0 to 3.11.0 (#540)
  • 7d10c99 Bump the actions group with 3 updates (#538)
  • 359a77d Bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#536)
  • 1624fdb Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#535)
  • 0ba49a1 Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 in the gomod group (#534)
  • 6431500 Support for Client Secret File (#533)
  • d911d96 Point to homebrew-core (#531)
  • 7819bd0 Bump actions/attest-build-provenance in the actions group (#530)
  • 56549b7 Bump actions/attest-build-provenance in the actions group (#529)
  • 3e5444a Updates ci/dependabot/release (#528)
  • d20b0f0 Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#527)
  • 36ec1cc Bump imjasonh/setup-crane from 0.3 to 0.4 (#524)
  • bed15d1 Bump actions/checkout from 4.1.6 to 4.1.7 (#525)
  • 024ac5f Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#521)
  • 42af7c1 Bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 (#522)
  • 3c280a2 Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#523)
  • bc5ec37 resolves #516 adds support for private rekor for gitsign attest (#517)
  • d94bdd9 launchctl commands for macOS users (#520)
  • 51c08dc Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 (#518)
  • 7dbcc46 Bump docker/login-action from 3.1.0 to 3.2.0 (#519)
  • 2818752 Bump anchore/sbom-action from 0.15.11 to 0.16.0 (#514)
  • 7c3d86d Bump actions/checkout from 4.1.5 to 4.1.6 (#513)

Thanks to all contributors!

v0.10.2

13 May 08:17
537cd20

What's Changed

Not much! All dependency bumps.

New Contributors

  • @jku made their first contribution in #496

Full Changelog: v0.10.1...v0.10.2

v0.10.1

02 Apr 18:37
337b099

Changelog

  • 337b099 update base image for gitsign to one with shell available (#484)

Thanks to all contributors!

v0.10.0

02 Apr 17:40
6ee714f

What's Changed

  • Bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 by @dependabot in #468
  • Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @dependabot in #467
  • Bump anchore/sbom-action from 0.15.8 to 0.15.9 by @dependabot in #475
  • Bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @dependabot in #474
  • Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot in #473
  • Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 by @dependabot in #472
  • Bump github.com/go-openapi/strfmt from 0.22.2 to 0.23.0 by @dependabot in #471
  • Bump github.com/go-openapi/swag from 0.22.9 to 0.23.0 by @dependabot in #470
  • Bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 by @dependabot in #469
  • Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #476
  • Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible by @dependabot in #477
  • Bump github.com/coreos/go-oidc/v3 from 3.9.0 to 3.10.0 by @dependabot in #479
  • Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #478
  • Bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #482
  • Bump anchore/sbom-action from 0.15.9 to 0.15.10 by @dependabot in #480
  • Bump github.com/go-git/go-git/v5 from 5.11.1-0.20240221104814-686a0f7a4928 to 5.12.0 by @dependabot in #481
  • add gitsign image by @cpanato in #483

Full Changelog: v0.9.0...v0.10.0

v0.9.0

02 Apr 17:25
e20deaa

Changelog

  • e20deaa Add config options for Autoclose and AutocloseTimeout (#466)
  • 3f2e97e Bump actions/cache from 4.0.0 to 4.0.1 (#456)
  • 9ba5809 Bump github.com/go-openapi/strfmt from 0.22.0 to 0.22.2 (#464)
  • 98923e1 Update to use go1.22 and ci updates (#465)
  • b3da2e6 Enable autoclose for sigstore confirmation page. (#455)
  • c2ac22d CI updates and fix lints (#461)
  • cedcc9d Remove GITSIGN_LOG env variable. (#463)
  • 2e63fd0 Run e2e Go tests first. (#462)
  • 6f20ffd Add go-git based signer implementation. (#454)
  • 66e0ff5 Bump github.com/sigstore/protobuf-specs from 0.2.1 to 0.3.0 (#453)
  • 57153a0 Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#450)
  • 3eafadd Bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 (#449)
  • ae02bda Add GITSIGN_TOKEN_PROVIDER docs (#447)
  • ff05b31 Add tokenProvider configuration for forcing OIDC providers. (#446)

Thanks to all contributors!

v0.8.1

12 Feb 08:59
bbd2c9c

What's Changed

Not much! All dependency bumps. 😎

Full Changelog: v0.8.0...v0.8.1

v0.8.0

09 Nov 22:42
cd66ccb

Rekor: https://search.sigstore.dev/?commitSha=01375268d822f8299a3d9c23f4fbd796c84bcaa5

Highlights

  • cd66ccb Add options for Rekor client, make public key fetcher configurable. (#399)
  • 530e976 Add gitsign initialize. (#321)
  • 4bda12e Fix offline verification marshalling, add e2e tests. (#330)

Thanks to all contributors!

v0.7.1

31 May 18:27
c5a1f43

Changelog

  • c5a1f43 Offline verification: refactor to make it clear no signature checks are happening. (#319)
  • 8a76ba2 Revoke v0.7.0 (#318)

Thanks to all contributors!

v0.7.0

31 May 18:26
8955100

Changelog

  • 8955100 Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 (#316)
  • 5dd6092 Add offline verification (#220)
  • 295f8c1 Bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 (#314)
  • fffe410 Bump sigstore/cosign-installer from 3.0.3 to 3.0.5 (#313)
  • e135d08 Bump actions/setup-go from 4.0.0 to 4.0.1 (#312)
  • dbeae80 Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#310)
  • 859b2ac Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#311)
  • ee39f77 Bump github.com/docker/distribution (#309)
  • 70e4dfd Bump github.com/cloudflare/circl from 1.3.1 to 1.3.3 (#308)
  • a454679 Bump github.com/sigstore/fulcio from 1.2.0 to 1.3.1 (#302)
  • 472a9d1 Bump github.com/sigstore/sigstore from 1.6.3 to 1.6.4 (#304)
  • 06cd545 Bump github.com/in-toto/in-toto-golang from 0.8.0 to 0.9.0 (#305)
  • 71800bf Bump anchore/sbom-action from 0.14.1 to 0.14.2 (#307)
  • d24ff29 Bump github.com/mattn/go-tty from 0.0.4 to 0.0.5 (#306)
  • 9f5a9e8 Bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#300)
  • a75b58a Bump github.com/in-toto/in-toto-golang from 0.7.1 to 0.8.0 (#298)
  • df022a6 Bump github.com/sigstore/cosign/v2 from 2.0.1 to 2.0.2 (#299)
  • 717e7e6 Bump sigstore/cosign-installer from 3.0.2 to 3.0.3 (#297)
  • a8dc697 Bump actions/checkout from 3.5.0 to 3.5.2 (#289)
  • ebe8923 Bump github.com/sigstore/sigstore from 1.6.2 to 1.6.3 (#296)
  • f374e54 Bump github.com/go-openapi/runtime from 0.25.0 to 0.26.0 (#295)
  • 71a9701 Bump dependabot/fetch-metadata from 1.3.6 to 1.4.0 (#294)
  • 23df870 Ensure that io writers are properly closed. (#292)
  • 04f9453 Bump github.com/sigstore/sigstore from 1.6.1 to 1.6.2 (#290)
  • 76c47d5 Fix e2e test for initializing cosign (#287)
  • d38cd0b Update e2e test to use CDN instead of GCS (#285)
  • f9e70b5 Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#283)

Thanks to all contributors!

v0.6.0

11 Apr 16:19
31608c0

Highlights

  • Added gitsign.matchCommitter option to verify certificate identity matches expected committer identity.
  • Added gitsign verify to verify commits with certificate verification options to match cosign (--certificate-identity, --certificate-oidc-issuer)
  • Added support for Buildkite and Environment Variable OIDC credential detection.

What's Changed

  • Bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 by @dependabot in #228
  • Bump goreleaser/goreleaser-action from 4.1.0 to 4.1.1 by @dependabot in #227
  • Bump anchore/sbom-action from 0.13.1 to 0.13.3 by @dependabot in #226
  • Bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.6.0 by @dependabot in #233
  • Bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1 by @dependabot in #232
  • Bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 by @dependabot in #231
  • Bump actions/cache from 3.2.3 to 3.2.4 by @dependabot in #230
  • Bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 by @dependabot in #237
  • Bump actions/cache from 3.2.4 to 3.2.5 by @dependabot in #235
  • upgrade go to 1.20 by @cpanato in #234
  • Bump golang.org/x/crypto from 0.5.0 to 0.6.0 by @dependabot in #236
  • Update README.md by @y12studio in #239
  • Handle spaces in git config values by @adityasaky in #240
  • Bump github.com/sigstore/fulcio from 1.0.0 to 1.1.0 by @dependabot in #243
  • Bump golang.org/x/net from 0.6.0 to 0.7.0 by @dependabot in #245
  • Update --detached-sign to --detach-sign, remove "auto generated" line from docs by @adityasaky in #242
  • Add support for checking cert email against user config before signing. by @wlynch in #246
  • Bump sigstore cosign to v2, dep and workflows by @k4leung4 in #247
  • Bump actions/cache from 3.2.5 to 3.2.6 by @dependabot in #248
  • Bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 by @dependabot in #255
  • Bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0 by @dependabot in #252
  • Bump golang.org/x/crypto from 0.6.0 to 0.7.0 by @dependabot in #253
  • Bump sigstore/cosign-installer from 2.8.1 to 3.0.1 by @dependabot in #251
  • enable auto merge/approval for dependencies by @cpanato in #229
  • update some dependencies and use head of cosign for now by @cpanato in #250
  • Bump actions/cache from 3.2.6 to 3.3.1 by @dependabot in #256
  • Add matchCommitter to top level README table. by @wlynch in #257
  • Bump github.com/go-openapi/strfmt from 0.21.3 to 0.21.5 by @dependabot in #260
  • Bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1 by @dependabot in #261
  • Bump actions/setup-go from 3.5.0 to 4.0.0 by @dependabot in #259
  • Bump actions/checkout from 3.3.0 to 3.4.0 by @dependabot in #258
  • Add gitsign verify by @wlynch in #262
  • Bump anchore/sbom-action from 0.13.3 to 0.13.4 by @dependabot in #266
  • Fix e2e tests by including --certificate-identity flag. by @wlynch in #264
  • Initialize staging TUF root for sigstage.dev. by @wlynch in #267
  • Add cosign to e2e tests, generalize e2e tests for forked repos. by @wlynch in #268
  • Fix verify flags in README by @wlynch in #263
  • Bump actions/checkout from 3.4.0 to 3.5.0 by @dependabot in #265
  • Bump github.com/go-openapi/strfmt from 0.21.5 to 0.21.7 by @dependabot in #272
  • Bump github.com/sigstore/fulcio from 1.1.0 to 1.2.0 by @dependabot in #273
  • Bump anchore/sbom-action from 0.13.4 to 0.14.1 by @dependabot in #269
  • Bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 by @dependabot in #270
  • Update logo URL by @wlynch in #274
  • Bump github.com/docker/docker from 20.10.23+incompatible to 20.10.24+incompatible by @dependabot in #275
  • bump cosign dependency to pick up buildkite OIDC provider by @imjasonh in #276
  • Bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible by @dependabot in #277
  • Revert change in Gitsign logo URL path by @sandipanpanda in #278
  • Bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1 by @dependabot in #281
  • Bump github.com/in-toto/in-toto-golang from 0.7.0 to 0.7.1 by @dependabot in #280
  • Bump github.com/sigstore/cosign/v2 from 2.0.1-0.20230404223517-fdeea9fd1574 to 2.0.1 by @dependabot in #279
  • Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 by @dependabot in #282
  • Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 by @dependabot in #284

New Contributors

Full Changelog: v0.5.2...v0.6.0