<div class="container">
<h1>Recommended update for cosign</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2023:2301-2</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP5</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for cosign fixes the following issues:</p>
<p>cosign was updated to 2.0.1 (jsc#SLE-23879)</p>
<ul>
<li>
<p>Enhancements</p>
</li>
<li>
<p>Add environment variable token provider (#2864)</p>
</li>
<li>Remove cosign policy command (#2846)</li>
<li>Allow customising 'go' executable with GOEXE var (#2841)</li>
<li>Consistent tlog warnings during verification (#2840)</li>
<li>Add riscv64 arch (#2821)</li>
<li>Default generated PEM labels to SIGSTORE (#2735)</li>
<li>Update privacy statement and confirmation (#2797)</li>
<li>Add exit codes for verify errors (#2766)</li>
<li>Add Buildkite provider (#2779)</li>
<li>
<p>verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)</p>
</li>
<li>
<p>Bug Fixes</p>
</li>
<li>
<p>PKCS11 sessions are now opened read only (#2853)</p>
</li>
<li>Makefile: date format of log should not show signatures (#2835)</li>
<li>Add missing flags to cosign verify dockerfile/manifest (#2830)</li>
<li>Add a warning to remember how to configure a custom Gitlab host (#2816)</li>
<li>Remove tag warning message from save/copy commands (#2799)</li>
<li>
<p>Mark keyless pem files with b64 (#2671)</p>
</li>
<li>
<p>build against a maintained golang version (upstream uses go1.20) </p>
</li>
</ul>
<p>cosign was updated to 2.0.0 (jsc#SLE-23879)</p>
<ul>
<li>
<p>Breaking Changes:</p>
</li>
<li>
<p>insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)</p>
</li>
<li>
<p>Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)</p>
</li>
<li>
<p>Enhancements:</p>
</li>
<li>
<p>Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)</p>
</li>
<li>Allow users to pass in a path for the --identity-token flag (#2538)</li>
<li>Breaking change: Respect tlog-upload=false, default to true (#2505)</li>
<li>Support outputing a certificate without uploading to the tlog (#2506)</li>
<li>Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)</li>
<li>respect tlog-upload flag with TSA (#2474)</li>
<li>Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)</li>
<li>Support TSA and Rekor verifications (#2463)</li>
<li>add support for tsa signing and verification of images (#2460)</li>
<li>cosign policy sign: remove experimental flag and make keyless signing default (#2459)</li>
<li>Remove experimental mode from cosign attest and verify-attestation (#2458)</li>
<li>Remove experimental mode from sign-blob and verify-blob (#2457)</li>
<li>Add --offline flag to force offline verification (#2427)</li>
<li>Air gap support (#2299)</li>
<li>Breaking change: Change SCT verification behavior to default to enforcement (#2400)</li>
<li>Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)</li>
<li>Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)</li>
<li>Remove experimental flag from cosign sign and cosign verify (#2387)</li>
<li>verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)</li>
<li>Add warning to use digest instead of tags to other cosign commands (#2650)</li>
<li>Fix up UI messages (#2629)</li>
<li>Remove hardcoded Fulcio from output (#2621)</li>
<li>Fix missing privacy statement, print in multiple locations (#2622)</li>
<li>feat: allows custom key names for import-key-pair (#2587)</li>
<li>feat: support keyless verification for verify-blob-attestation (#2525)</li>
<li>attest-blob: add functionality for keyless signing (#2515)</li>
<li>Rego: add support for custom error/warning messages when evaluating rego rules (#2577)</li>
<li>feat: add debug information to cert validation error (#2579)</li>
<li>Support non-Sigstore TSA requests (#2708)</li>
<li>Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)</li>
<li>Output certificate in bundle when entry is not uploaded to Rekor (#2715)</li>
<li>attach signature and attach sbom must use STDIN to upload raw string (#2637)</li>
<li>add generate-key-pair GitHub Enterprise server support (#2676)</li>
<li>add in format string for warning (#2699)</li>
<li>Support for fetching Fulcio certs with self-managed key (#2532)</li>
<li>
<p>2476 predicate type download (#2484)</p>
</li>
<li>
<p>Bug Fixes:</p>
</li>
<li>
<p>Fix the file existence check. (#2552)</p>
</li>
<li>Fix timestamp verification, add verify-blob tests (#2527)</li>
<li>Fix(verify): Consolidate certificate expiry logic (#2504)</li>
<li>Updates to Timestamp signing and verification (#2499)</li>
<li>Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)</li>
<li>Fix path for e2e-tests badge (#2490)</li>
<li>Fix spdx json media type (#2479)</li>
<li>Fix sct verificaction (#2426)</li>
<li>Fix: panic with unsigned local image (#2656)</li>
<li>Make sure a cert passed in via --cert matches the bundle cert (#2652)</li>
<li>Fix: fix github oidc post submit test (#2594)</li>
<li>Fix: add enhanced error messages for failing verification with TUF targets (#2589)</li>
<li>Fix: Add missing schemes to cosign predicate types. (#2717)</li>
<li>Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)</li>
<li>Fix prompts with Windows line endings (#2674)</li>
</ul>
<p>cosing was update to 1.13.1:</p>
<ul>
<li>verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)</li>
<li>Nits for #2337 (#2342)</li>
<li>Add verify-blob-attestation command and tests (#2337)</li>
<li>Update warning when users sign images by tag. (#2313)</li>
<li>Remove experimental flags from attest-blob and refactor (#2338)</li>
<li>Add --output-attestation flag to attest-blob and remove experimental signing (#2332)</li>
<li>Add attest-blob command (#2286)</li>
<li>Add '--cert-identity' flag to support subject alternate names for ver… (#2278)</li>
<li>Update Dockerfile section of README (#2323)</li>
<li>Fix option description: "sign" --> "verify" (#2306)</li>
</ul>
<p>cosign was updated to 1.13.0:</p>
<ul>
<li>feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269</li>
<li>feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268</li>
<li>use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280</li>
<li>fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282</li>
<li>Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284</li>
<li>Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285</li>
<li>Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287</li>
<li>Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283</li>
<li>Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291</li>
<li>fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297</li>
<li>Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308</li>
<li>Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311</li>
<li>Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188</li>
<li>replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314</li>
<li>update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315</li>
</ul>
<p>cosign was updated to 1.12.1:</p>
<ul>
<li>fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).</li>
<li>fix: fix cert chain validation for verify-blob in non-experimental mode</li>
<li>fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba</li>
<li>Fix BYO-root with intermediate to fetch intermediates from annotation</li>
<li>fix: fixing breaking changes in rekor v1.12.0 upgrade</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE Moderate update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2023-2301=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-2301=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-2.0.1-150400.3.9.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-2.0.1-150400.3.9.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://jira.suse.com/browse/SLE-23879">https://jira.suse.com/browse/SLE-23879</a>
</li>
</ul>
</div>