winget install --id Sigstore.Cosign
About cosign
Code signing and transparency for containers and binaries
What's new in 3.1.1
What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0.

This release deprecates a number of flags related to verification material input (trust root material) and to the bundle format. The bundle format, standardized across Sigstore SDKs, is now the default output for signing and the default input for verifying. You may continue to use the deprecated flags with Cosign v3.x releases; they will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-authentication encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

- Initialize PKCS11 slots Before Getting Token Info in #4803
- Sign exclusively via sigstore-go in #4618
- bundle create: Prevent IgnoreTlog when bundle contains SET in #4829
- Require bundle output or registry upload in #4785
- fix(load): pass NameOptions to name.ParseReference in #4786
- fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #4813
- Deprecate Flags for v4: Certificates in #4822
- Deprecate flags signing config in #4844
- Deprecate flags bundle in #4838
- Fix typo in map of verify command fields unsupported for new bundle format in #4853
- Add bundle upgrade command in #4820
- Deprecate Flags for v4 in #4854
- fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #4869
- fix: use Header.Set to prevent duplicate Authorization on retry in #4870
- feat(cli): add Rekor v2 flag to cosign sign...
Version history
| Version | Updated | Notes |
|---|---|---|
| 3.1.1 | Unknown | What's Changed Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0 This release deprecates a number of flags related to verification material input for trust root material, as wel... |
| 3.0.6 | Unknown | Changelog v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys. - f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801) - a09afa9 Handle whitespace-only certi... |
| 3.0.5 | Unknown | v3.0.5 v3.0.5 resolves a low-severity advisory for private PKIs. Deprecations - Deprecate rekor-entry-type flag (#4691) - Deprecate cosign triangulate (#4676) - Deprecate cosign copy (#4681) Features - Automatically requ... |
| 3.0.4 | Unknown | v3.0.4 v3.0.4 resolves GHSA-whqx-f9j3-ch6m. Changes - Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623) - Optimize cosign tree performance by caching digest resolution (#4612) - Don't requi... |
| 3.0.3 | Unknown | v3.0.3 Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional comma... |
| 3.0.2 | Unknown | v3.0.2 v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format. - Note that the --bundle flag specifying an output file to write the Sigstor... |
| 3.0.1 | Unknown | v3.0.1 v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows. - Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all r... |
| 2.6.1 | Unknown | Changelog - 634fabe Bump sigstore-go, move conformance back to tagged release - c5545ed Partially populate the output of cosign verify when working with new bundles (#4416) - e191024 bump go builder to use 1.25.1 and cos... |
| 2.6.0 | Unknown | v2.6.0 introduces a number of new features, including: - Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm r... |
| 2.5.3 | Unknown | Changelog - 488ef8c Add signing-config create command (#4280) - 722207e Allow multiple services to be specified for trusted-root create (#4285) - 2ee22fc force when copying the latest image to overwrite (#4298) - 86560e1... |
| 2.5.2 | Unknown | Changelog - b126109 Do not load trusted root when CT env key is set - 19ef59d docs: improve doc for --no-upload option (#4206) Thanks to all contributors! |
| 2.5.1 | Unknown | v2.5.1 Features - Add Rekor v2 support for trusted-root create (#4242) - Add baseUrl and Uri to trusted-root create command - Upgrade to TUF v2 client with trusted root - Don't verify SCT for a private PKI cert (#4225) -... |
| 2.5.0 | Unknown | v2.5.0 includes an implementation of the new bundle specification, attesting and verifying OCI image attestations uploaded as OCI artifacts. This feature is currently gated behind the --new-bundle-format flag when runnin... |
| 2.4.3 | Unknown | v2.4.3 Features - Bump sigstore/sigstore to support KMS plugins (#4073) - Enable fetching signatures without remote get. (#4047) - Feat/file flag completion improvements (#4028) - Update builder to use go1.23.6 (#4052) B... |
| 2.4.2 | Unknown | Features - Updated open-policy-agent to 1.1.0 library (#4036) - Note that only Rego v0 policies are supported at this time - Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006) - Add support for verifying... |
| 2.4.1 | Unknown | Changelog - update changelog for v2.4.1 (#3896) - chore(deps): bump actions/checkout in the actions group (#3893) - chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#3895) - bump scaffolding release to v0.7.11... |
| 2.4.0 | Unknown | v2.4.0 begins the modernization of the Cosign client, which includes: - Support for the newer Sigstore specification-compliant bundle format - Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) thro... |
| 2.3.0 | Unknown | Release notes |