Available on winget

Install cosign

Code signing and transparency for containers and binaries

Install with winget
winget install --id Sigstore.Cosign
Upgrade
winget upgrade --id Sigstore.Cosign
Uninstall
winget uninstall --id Sigstore.Cosign


What's new in 3.0.6

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

- f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
- a09afa9 Handle whitespace-only certificate annotation (#4760)
- 5a38a6d fix(sign): closing SignerVerifier too early when signing with a security key (#4761)
- 2290a59 Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
- 36f4008 support managed keys in conformance testing (#4728)
- 3274cf9 Add support for GCE metadata server env var (#4732)
- 2e9754a fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
- dece275 Fix parsing of in-toto for string predicates
- bd4f0fd Mark batch of flags for deprecation (#4698)
- 9b259ff disallow key and cert identity being used together during verification (#4636)
- 95eb1c3 support key creation in GitLab group (#4704)

Thanks to all contributors!


Version history

Version | Updated | Notes
3.0.6 | Unknown | Changelog v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys. - f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801) - a09afa9 Handle whitespace-only certi...
3.0.5 | Unknown | v3.0.5 v3.0.5 resolves a low-severity advisory for private PKIs. Deprecations - Deprecate rekor-entry-type flag (#4691) - Deprecate cosign triangulate (#4676) - Deprecate cosign copy (#4681) Features - Automatically requ...
3.0.4 | Unknown | v3.0.4 v3.0.4 resolves GHSA-whqx-f9j3-ch6m. Changes - Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623) - Optimize cosign tree performance by caching digest resolution (#4612) - Don't requi...
3.0.3 | Unknown | v3.0.3 Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional comma...
3.0.2 | Unknown | v3.0.2 v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format. - Note that the --bundle flag specifying an output file to write the Sigstor...
3.0.1 | Unknown | v3.0.1 v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows. - Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all r...
2.6.1 | Unknown | Changelog - 634fabe Bump sigstore-go, move conformance back to tagged release - c5545ed Partially populate the output of cosign verify when working with new bundles (#4416) - e191024 bump go builder to use 1.25.1 and cos...
2.6.0 | Unknown | v2.6.0 introduces a number of new features, including: - Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm r...
2.5.3 | Unknown | Changelog - 488ef8c Add signing-config create command (#4280) - 722207e Allow multiple services to be specified for trusted-root create (#4285) - 2ee22fc force when copying the latest image to overwrite (#4298) - 86560e1...
2.5.2 | Unknown | Changelog - b126109 Do not load trusted root when CT env key is set - 19ef59d docs: improve doc for --no-upload option (#4206) Thanks to all contributors!
2.5.1 | Unknown | v2.5.1 Features - Add Rekor v2 support for trusted-root create (#4242) - Add baseUrl and Uri to trusted-root create command - Upgrade to TUF v2 client with trusted root - Don't verify SCT for a private PKI cert (#4225) -...
2.5.0 | Unknown | v2.5.0 includes an implementation of the new bundle specification, attesting and verifying OCI image attestations uploaded as OCI artifacts. This feature is currently gated behind the --new-bundle-format flag when runnin...
2.4.3 | Unknown | v2.4.3 Features - Bump sigstore/sigstore to support KMS plugins (#4073) - Enable fetching signatures without remote get. (#4047) - Feat/file flag completion improvements (#4028) - Update builder to use go1.23.6 (#4052) B...
2.4.2 | Unknown | Features - Updated open-policy-agent to 1.1.0 library (#4036) - Note that only Rego v0 policies are supported at this time - Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006) - Add support for verifying...
2.4.1 | Unknown | Changelog - update changelog for v2.4.1 (#3896) - chore(deps): bump actions/checkout in the actions group (#3893) - chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#3895) - bump scaffolding release to v0.7.11...
2.4.0 | Unknown | v2.4.0 begins the modernization of the Cosign client, which includes: - Support for the newer Sigstore specification-compliant bundle format - Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) thro...
2.3.0 | Unknown | Release notes