SUSE-RU-2023:2301-1: moderate: Recommended update for cosign
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Thu May 25 12:30:06 UTC 2023
# Recommended update for cosign
Announcement ID: SUSE-RU-2023:2301-1
Rating: moderate
References:
Affected Products:
* Basesystem Module 15-SP4
* openSUSE Leap 15.4
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that contains one feature can now be installed.
## Description:
This update for cosign fixes the following issues:
cosign was updated to 2.0.1 (jsc#SLE-23879)
* Enhancements
* Add environment variable token provider (#2864)
* Remove cosign policy command (#2846)
* Allow customising 'go' executable with GOEXE var (#2841)
* Consistent tlog warnings during verification (#2840)
* Add riscv64 arch (#2821)
* Default generated PEM labels to SIGSTORE (#2735)
* Update privacy statement and confirmation (#2797)
* Add exit codes for verify errors (#2766)
* Add Buildkite provider (#2779)
* verify-blob-attestation: Loosen arg requirements if --check-claims=false
(#2746)
* Bug Fixes
* PKCS11 sessions are now opened read only (#2853)
* Makefile: date format of log should not show signatures (#2835)
* Add missing flags to cosign verify dockerfile/manifest (#2830)
* Add a warning to remember how to configure a custom Gitlab host (#2816)
* Remove tag warning message from save/copy commands (#2799)
* Mark keyless pem files with b64 (#2671)
* build against a maintained golang version (upstream uses go1.20)
cosign was updated to 2.0.0 (jsc#SLE-23879)
* Breaking Changes:
* insecure-skip-tlog-verify: rename and adapt the cert expiration check
(#2620)
* Deprecate --certificate-email flag. Make --certificate-identity and -…
(#2411)
* Enhancements:
* Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0
(#2544)
* Allow users to pass in a path for the --identity-token flag (#2538)
* Breaking change: Respect tlog-upload=false, default to true (#2505)
* Support outputing a certificate without uploading to the tlog (#2506)
* Attestation/Blob signing and verification using a RFC3161 time-stamping
server (#2464)
* respect tlog-upload flag with TSA (#2474)
* Better feedback if specifying incompatible argument on cosign sign
--attachment (#2449)
* Support TSA and Rekor verifications (#2463)
* add support for tsa signing and verification of images (#2460)
* cosign policy sign: remove experimental flag and make keyless signing
default (#2459)
* Remove experimental mode from cosign attest and verify-attestation (#2458)
* Remove experimental mode from sign-blob and verify-blob (#2457)
* Add --offline flag to force offline verification (#2427)
* Air gap support (#2299)
* Breaking change: Change SCT verification behavior to default to enforcement
(#2400)
* Breaking change: remove --force flag from sign and attest and rely on --yes
flag to skip confirmation (#2399)
* Breaking change: replace --no-tlog-upload flag with --tlog-upload flag
(#2397)
* Remove experimental flag from cosign sign and cosign verify (#2387)
* verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a
key from rekor's API (#2362)
* Add warning to use digest instead of tags to other cosign commands (#2650)
* Fix up UI messages (#2629)
* Remove hardcoded Fulcio from output (#2621)
* Fix missing privacy statement, print in multiple locations (#2622)
* feat: allows custom key names for import-key-pair (#2587)
* feat: support keyless verification for verify-blob-attestation (#2525)
* attest-blob: add functionality for keyless signing (#2515)
* Rego: add support for custom error/warning messages when evaluating rego
rules (#2577)
* feat: add debug information to cert validation error (#2579)
* Support non-Sigstore TSA requests (#2708)
* Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag
(#2684)
* Output certificate in bundle when entry is not uploaded to Rekor (#2715)
* attach signature and attach sbom must use STDIN to upload raw string (#2637)
* add generate-key-pair GitHub Enterprise server support (#2676)
* add in format string for warning (#2699)
* Support for fetching Fulcio certs with self-managed key (#2532)
* 2476 predicate type download (#2484)
* Bug Fixes:
* Fix the file existence check. (#2552)
* Fix timestamp verification, add verify-blob tests (#2527)
* Fix(verify): Consolidate certificate expiry logic (#2504)
* Updates to Timestamp signing and verification (#2499)
* Fix: removes attestation payload from attest-blob's output & no base64
encoding (#2498)
* Fix path for e2e-tests badge (#2490)
* Fix spdx json media type (#2479)
* Fix sct verificaction (#2426)
* Fix: panic with unsigned local image (#2656)
* Make sure a cert passed in via --cert matches the bundle cert (#2652)
* Fix: fix github oidc post submit test (#2594)
* Fix: add enhanced error messages for failing verification with TUF targets
(#2589)
* Fix: Add missing schemes to cosign predicate types. (#2717)
* Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
* Fix prompts with Windows line endings (#2674)
cosing was update to 1.13.1:
* verify-blob-attestation: allow multiple subjects in in_toto attestation
(#2341)
* Nits for #2337 (#2342)
* Add verify-blob-attestation command and tests (#2337)
* Update warning when users sign images by tag. (#2313)
* Remove experimental flags from attest-blob and refactor (#2338)
* Add --output-attestation flag to attest-blob and remove experimental signing
(#2332)
* Add attest-blob command (#2286)
* Add '\--cert-identity' flag to support subject alternate names for ver…
(#2278)
* Update Dockerfile section of README (#2323)
* Fix option description: "sign" \--> "verify" (#2306)
cosign was updated to 1.13.0:
* feat: use stdin as an input for predicate by @developer-guy in
https://github.com/sigstore/cosign/pull/2269
* feat: improve the verification message by @developer-guy in
https://github.com/sigstore/cosign/pull/2268
* use scaffolding 0.4.8 for tests. by @vaikas in
https://github.com/sigstore/cosign/pull/2280
* fix pivtool generate key touch policy by @cpanato in
https://github.com/sigstore/cosign/pull/2282
* Check error on chain verification failure by @haydentherapper in
https://github.com/sigstore/cosign/pull/2284
* Fix: Remove an extra registry request from verification path. by @mattmoor
in https://github.com/sigstore/cosign/pull/2285
* Fix: Create a static copy of signatures as part of verification. by
@mattmoor in https://github.com/sigstore/cosign/pull/2287
* Data race in FetchSignaturesForReference by @RTann in
https://github.com/sigstore/cosign/pull/2283
* Add support for Fulcio username identity in SAN by @haydentherapper in
https://github.com/sigstore/cosign/pull/2291
* fix: make tlog entry lookups for online verification shard-aware by @asraa
in https://github.com/sigstore/cosign/pull/2297
* Better help text to sign and verify SBOM by @ChristianCiach in
https://github.com/sigstore/cosign/pull/2308
* Adding warning to pin to digest by @ChaosInTheCRD in
https://github.com/sigstore/cosign/pull/2311
* Add annotations for upload blob. by @cldmnky in
https://github.com/sigstore/cosign/pull/2188
* replace deprecate package by @cpanato in
https://github.com/sigstore/cosign/pull/2314
* update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in
https://github.com/sigstore/cosign/pull/2315
cosign was updated to 1.12.1:
* fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).
* fix: fix cert chain validation for verify-blob in non-experimental mode
* fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba
* Fix BYO-root with intermediate to fetch intermediates from annotation
* fix: fixing breaking changes in rekor v1.12.0 upgrade
## Patch Instructions:
To install this SUSE Moderate update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-2301=1
* Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2301=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* cosign-2.0.1-150400.3.9.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* cosign-2.0.1-150400.3.9.1
## References:
* https://jira.suse.com/browse/SLE-23879
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20230525/f7ebda47/attachment.htm>
More information about the sle-updates
mailing list