v1.8.2

This release also changes the format of the binary and container signature, which is now a
Sigstore bundle. To verify a release, use the
latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Testing

• make email address in test cases rfc822 conformant (#2205)

v1.8.1

Same as v1.8.0, but with a fix for the CI build pipeline.

v1.8.0

Bug Fixes

• fix: K8s API does not accept unauthorized requests (#2111)
• fix: vault for enterprise expects only the key name (#2117)
• fix(config): respect cacert on oidc-issuers (#2098)
• Register /healthz endpoint when listening on duplex http/grpc port (#2046)

Features

• feat: adds cert loading and key-match validation. (#2173)
• expose gcp kms retry and timeout options (#2132)
• server: Use warning log level for client errors (#2147)
• Add workflow to periodically validate OIDC issuers (#2188)
• Add Chainguard issuer (#2078)
• Add logging for template error (#2194)
• Add extension for deployment environment (#2190)

Removal

• Remove cmd/create_tink_keyset (#2096)

Full Changelog: v1.7.1...v1.8.1

v1.7.1 contains a bug fix for extensions for CI providers where the OIDC claims
include HTML escape characters. If a client attempted to verify an extension value,
verification would fail unless an HTML-escaped string was used in the comparison.
Extension values will no longer be escaped.

Bug Fixes:

• Do not HTML-escape extension values (#2023)

v1.7.0

v1.7.0 includes a change to how proof of possession signatures are verified.
Fulcio has updated the expected hashing algorithm for ECDSA P-384 and P-521
signatures to be SHA-384 and SHA-512, in line with CSR signature verification.
Cosign is actively being updated to support this for when signing with a
managed key and requesting a certificate.

Features

• Allow configurable client signing algorithms (#1938)
• Use different hash in proof of possession based on key (#1959)
• Tls verification on OIDC issuers (#1932)
• feat: adds cert-utility. (#1870)
• feat: makes leaf optional and other changes. (#1931)

Bug Fixes

• Remove err impossible condition: nil != nil (#1934)
• mark principal and issuer class under pkg/identity as deprecated (#1980)

v1.6.6

Features

• Configure additional certificate extensions for Buildkite (#1903)
• Relax gomod (#1909)
• update builder to use go1.23.4 (#1883)
• config: Add IBM OIDC provider (#1892)
• Add Kaggle identity provider (#1850)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• James Healy
• Stefan Berger
• Trishank Karthik Kuppusamy

v1.6.5

Features

• use go1.23.2 (#1834)
• fallback to json default cfg path if yaml does not exist (#1810)
• Include IDP type and subject domain in configuration API response (#1824)

Documentation

• Update OIDC claim mapping table to reflect the current state (#1801)

Contributors

• Aditya Sirish
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• Nina
• Richard Fan

Features

• use go1.22.6 to build fulcio (#1793)

Bugs

• Revert "If custom server url exists, use that instead of the default one." (#1791)

Contributors

• Carlos Tadeu Panato Junior
• Fredrik Skogman

Full Changelog: v1.6.3...v1.6.4

v1.6.3

Features

• If custom server url exists, use that instead of the default one. (#1776)

Contributors

• Fredrik Skogman
• Javan Lacerda

Changelog

• 8acbceb fix: adding ci provider for meta-issuers (#1767)

Thanks for all contributors!

v1.6.1

Bug Fixes

• fix: removing surplus slash, making logs richer (#1762)

Contributors

• Javan Lacerda

Full Changelog: v1.6.0...v1.6.1