SUSE-RU-2024:3974-1: moderate: Recommended update for cosign
SLE-UPDATES
null at suse.de
Mon Nov 11 16:30:02 UTC 2024
# Recommended update for cosign
Announcement ID: SUSE-RU-2024:3974-1
Release Date: 2024-11-11T15:26:48Z
Rating: moderate
References:
* jsc#SLE-23879
Affected Products:
* Basesystem Module 15-SP5
* Basesystem Module 15-SP6
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that contains one feature can now be installed.
## Description:
This update for cosign fixes the following issues:
cosign was updated to 2.4.0 (jsc#SLE-23879)
* Add new bundle support to verify-blob and verify-blob-attestation (#3796)
* Adding protobuf bundle support to sign-blob and attest-blob (#3752)
* Bump sigstore/sigstore to support email_verified as string or boolean
(#3819)
* Conformance testing for cosign (#3806)
* move incremental builds per commit to GHCR instead of GCR (#3808)
* Add support for recording creation timestamp for cosign attest (#3797)
* Include SCT verification failure details in error message (#3799)
* Set CGO_ENABLED=1 for fixing s390x failed build
Update to 2.3.0 (jsc#SLE-23879):
* Features
* Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
* add registry options to cosign save (#3645)
* Add debug providers command. (#3728)
* Make config layers in ociremote mountable (#3741)
* adds tsa cert chain check for env var or tuf targets. (#3600)
* add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
* add handling of keyless verification for all verify commands (#3761)
* Bug Fixes
* fix: close attestationFile (#3679)
* Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
* Documentation
* Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
* add completion subpackages (bash, fish, zsh)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-3974=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-3974=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-3974=1
* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-3974=1
* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-3974=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-3974=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-3974=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-3974=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-3974=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-3974=1
* SUSE Manager Proxy 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-3974=1
* SUSE Manager Retail Branch Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-
Server-4.3-2024-3974=1
* SUSE Manager Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-3974=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* cosign-debuginfo-2.4.0-150400.3.23.1
* cosign-2.4.0-150400.3.23.1
* openSUSE Leap 15.4 (noarch)
* cosign-fish-completion-2.4.0-150400.3.23.1
* cosign-bash-completion-2.4.0-150400.3.23.1
* cosign-zsh-completion-2.4.0-150400.3.23.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* cosign-2.4.0-150400.3.23.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* cosign-debuginfo-2.4.0-150400.3.23.1
* cosign-2.4.0-150400.3.23.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* cosign-2.4.0-150400.3.23.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* cosign-debuginfo-2.4.0-150400.3.23.1
* cosign-2.4.0-150400.3.23.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x
x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Manager Proxy 4.3 (x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Manager Retail Branch Server 4.3 (x86_64)
* cosign-2.4.0-150400.3.23.1
* SUSE Manager Server 4.3 (ppc64le s390x x86_64)
* cosign-2.4.0-150400.3.23.1
## References:
* https://jira.suse.com/browse/SLE-23879
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20241111/ba095d3b/attachment.htm>
More information about the sle-updates
mailing list