Skip to content

Releases: sigstore/rekor

v0.10.0

29 Jul 11:45
83a4094
Compare
Choose a tag to compare

** Note: Rekor will not send application/yaml responses anymore only application/json responses

What's Changed

New Contributors

Full Changelog: v0.9.1...v0.10.0

Thanks to all contributors!

v0.9.1

08 Jul 16:49
fb4ed40
Compare
Choose a tag to compare

What's Changed

  • feat: add subject URIs to index for x509 certificates by @asraa in #897
  • Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #898
  • fix: sql syntax in dbcreate script by @xens in #903
  • Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904
  • Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in #905
  • ensure log messages have requestID where possible by @bobcallaway in #907
  • Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1 by @dependabot in #906
  • Remove unnecessary lookup of non-existent attestations from storage layer by @bobcallaway in #909
  • Fix bug where /retrieve endpoint returns wrong logIndex across shards by @priyawadhwa in #908
  • cleanup makefile with generated code; cleanup unused files by @bobcallaway in #910
  • add changelog for v0.9.1 by @cpanato in #911

New Contributors

Full Changelog: v0.9.0...v0.9.1

Thanks for all contributors!

v0.9.0

30 Jun 13:15
66f5c06
Compare
Choose a tag to compare

What's Changed

New Contributors

Full Changelog: v0.8.2...v0.9.0

Thanks to all contributors!

v0.8.2

21 Jun 13:30
bd717e7
Compare
Choose a tag to compare

What's Changed

  • collect docker-compose logs if sharding tests fail, also trim IDs by @bobcallaway in #869
  • ensure fallback logic executes if attestation key is empty when fetching attestation by @bobcallaway in #878
  • Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #881
  • Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #880
  • add changelog for v0.8.2 by @cpanato in #882

Full Changelog: v0.8.1...v0.8.2

v0.8.1

17 Jun 09:39
e981811
Compare
Choose a tag to compare

What's Changed

Full Changelog: v0.8.0...v0.8.1

Thanks for all contributors!

v0.8.0

09 Jun 11:28
v0.8.0
3708c5c
Compare
Choose a tag to compare

What's Changed

  • Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 by @dependabot in #846
  • Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847
  • Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 by @dependabot in #848
  • Configure rekor server in e2e tests via env variable by @priyawadhwa in #850
  • Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in #853
  • Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in #852
  • Bump ossf/scorecard-action from 1.1.0 to 1.1.1 by @dependabot in #857
  • Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in #858
  • update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860
  • update go.mod to go1.17 by @cpanato in #861
  • Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862
  • Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 by @dependabot in #863
  • Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #844
  • Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859
  • Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864
  • add changelog for v0.8.0 by @cpanato in #866

New Contributors

Full Changelog: v0.7.0...v0.8.0

v0.7.0

27 May 08:41
v0.7.0
7ff1c87
Compare
Choose a tag to compare

⚠️ Breaking Change

Removed timestamping authority API. This is a breaking API change.
If you are relying on the timestamping authority to issue signed timestamps, create signed timestamps using either OpenSSL or a service such as FreeTSA.

What's Changed

  • remove URL fetch of keys/artifacts server-side by @bobcallaway in #735
  • Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in #776
  • Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in #777
  • Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in #778
  • Bump anchore/sbom-action from 0.10.0 to 0.11.0 by @dependabot in #779
  • Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 by @dependabot in #781
  • Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in #782
  • Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in #785
  • Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in #786
  • Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in #790
  • Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in #791
  • Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in #796
  • Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @dependabot in #795
  • Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in #794
  • intoto: add index on materials digest of slsa provenance by @asraa in #793
  • Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @dependabot in #799
  • chore(deps): Included dependency review by @naveensrinivasan in #788
  • Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800
  • Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 by @dependabot in #803
  • Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807
  • Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 by @dependabot in #802
  • Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 by @dependabot in #811
  • Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810
  • Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in #816
  • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in #815
  • update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820
  • Bump github/codeql-action from 03e2e3c45f9f937ffe65a1caa4c9960d420a31f9 to 2.1.10 by @dependabot in #821
  • Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in #822
  • Bump github.com/google/trillian from 1.4.0 to 1.4.1 by @dependabot in #817
  • Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools by @dependabot in #818
  • update go to 1.17.10 in the dockerfile by @cpanato in #819
  • Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 by @dependabot in #827
  • Limit the number of certificates parsed in a chain by @haydentherapper in #823
  • Bump actions/github-script from 6.0.0 to 6.1.0 by @dependabot in #826
  • Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in #825
  • Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @dependabot in #828
  • Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in #830
  • Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in #829
  • Breaking change: Remove timestamping authority by @haydentherapper in #813
  • Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in #832
  • Add back owners for rfc3161 package type by @haydentherapper in #833
  • all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834
  • Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in #836
  • Bump goreleaser/goreleaser-action from 2.9.1 to 3 by @dependabot in #837
  • Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in #840
  • Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in #839
  • name stored attestations by digest instead of UUID by @bobcallaway in #769
  • Bump ossf/scorecard-action from 1.0.4 to 1.1.0 by @dependabot in #843
  • Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in #842
  • add changelog for 0.7.0 release by @cpanato in #835

New Contributors

Full Changelog: v0.6.0...v0.7.0

Thanks for all contributors!

v0.6.0

14 Apr 07:25
v0.6.0
5c52ad2
Compare
Choose a tag to compare

Notice: The server side remote fetching of resources will be removed in the next release

What's Changed

Read more

v0.5.0

04 Feb 12:52
09ecf71
Compare
Choose a tag to compare

Highlights

  • Add Rekor logo to README (#650)
  • update API calls to v5 (#591)
  • Refactor helm type to remove intermediate state. (#575)
  • Refactor the shard map parsing so we can pass it down into the API object. (#564)
  • Refactor the alpine type to reduce intermediate state. (#573)

Enhancements

  • Add logic to GET artifacts via old or new UUID (#587)
  • helpful error message for hashedrekord types (#605)
  • Set Accept header in dynamic counter requests (#594)
  • Add sharding package and update validators (#583)
  • rekor-cli: show the url in case of error (#581)
  • Enable parsing of incomplete minisign keys, to enable re-indexing. (#567)
  • Cleanups on the TUF pluggable type. (#563)
  • Refactor the RPM type to remove more intermediate state. (#566)
  • Do some cleanups of the jar type to remove intermediate state. (#561)

Others

  • Update Makefile (#621)
  • update version comments since dependabot doesn't do it (#617)
  • Use workload identity provider instead of GitHub Secret for GCR access (#600)
  • add OSSF scorecard action (#599)
  • enable the sbom for rekor releases (#586)
  • Point to the official website (instead of a 404) (#580)
  • add milestone to closed prs (#574)
  • Add a Makefile target for the "ko apply" step. (#572)
  • types/README.md: Corrected documentation link (#568)

Dependencies Updates

  • Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (#636)
  • Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (#635)
  • Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (#634)
  • Bump golang from f71d4ca to 301609e (#627)
  • Bump golang from 0fa6504 to f71d4ca (#624)
  • Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (#622)
  • Bump github/codeql-action from 1.0.29 to 1.0.30 (#619)
  • Bump ossf/scorecard-action from 1.0.1 to 1.0.2 (#618)
  • bump swagger and go mod tidy (#616)
  • Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#614)
  • Bump github.com/go-openapi/errors from 0.20.1 to 0.20.2 (#613)
  • Bump google-github-actions/auth from 0.4.4 to 0.5.0 (#612)
  • Bump github/codeql-action from 1.0.28 to 1.0.29 (#611)
  • Bump gopkg.in/ini.v1 from 1.66.2 to 1.66.3 (#608)
  • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#609)
  • Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 (#606)
  • Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (#607)
  • Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 (#603)
  • Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (#602)
  • Bump golang from 8c0269d to 0fa6504 (#597)
  • Pin dependencies in github action workflows and Dockerfile (#595)
  • update release image to use go 1.17.6 (#589)
  • Bump golang from 1.17.5 to 1.17.6 (#588)
  • Bump go.uber.org/goleak from 1.1.11 to 1.1.12 (#585)
  • Bump go.uber.org/zap from 1.19.1 to 1.20.0 (#584)
  • Bump github.com/go-playground/validator/v10 from 10.9.0 to 10.10.0 (#579)
  • Bump actions/github-script from 4 to 5 (#577)

Contributors

New Contributors

Thanks to all contributors!

Full Changelog: v0.4.0...v0.5.0

v0.4.0

28 Dec 16:44
v0.4.0
e55259d
Compare
Choose a tag to compare

v0.4.0

Highlights

  • Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501)

Enhancements

  • Update the schema to match that of Trillian repo. The map specific (#528)
  • allow setting the user-agent string sent from the client (#521)
  • update key usage for ts cert (#504)
  • api/index/retrieve: allow searching on indicies with sha1 hashes (#499)
  • Only include Attestation data if attestation storage enabled (#494)
  • Fuzzing RequestFromRekor API (#488)
  • Included pprof for profiling the application. (#485)
  • refactor release and add signing (#483)
  • More verbose error message for redis connection failure (#479) (#480)
  • Fixed modtime for reproducible goreleaser (#473)
  • add goreleaser and cloudbuild for releases (#443)
  • Add dynamic JS tree size counter (#468)
  • check that entry UUID == leafHash of returned entry (#469)
  • chore: upgrade cosign version (#465)
  • Reproducible builds with trimpath (#464)
  • correct links, add Table of Contents of sorts (#449)
  • update go tuf for rsa key impl (#446)
  • Canonicalize JSON before inserting into trillian (#445)
  • Export search UUIDs field (#438)
  • Add a flag to start specifying log index ranges for virtual indices. (#435)
  • Cleanup some initialization/flag parsing in rekor-server. (#433)
  • Drop 404 errors down to a warning. (#426)
  • Cleanup the output of search (the text goes to stderr not stdout). (#421)
  • remove extradata field from types (#418)
  • Update usage of ./cmd/rekor-cli/ from rekor to rekor-cli (#417)
  • Add TUF type (#383)
  • Updates to INSTALLATION.md notes (#415)
  • Update snippets to use console type for snippets (#410)
  • version: add way to display a version when using go get or go install (#405)
  • Use an in memory timestamping key (#402)
  • Links are case sensitive (#401)
  • Installation guide (#400)
  • Add a SignedTimestampNote (#397)
  • Provide instructions on verifying releases (#399)
  • rekor-server: add html page when humans reach the server via the browser (#394)
  • use go modules to track tools (#395)

Bug Fixes

  • fix timestamp addition and unmarshal (#525)
  • Correct & parallelize tests (#522)
  • Fix fuzz go.sum issue (#509)
  • fix validation error (#503)
  • Correct Helm index keys (#474)
  • Fix a bug in x509 certificate handling. (#461)
  • Fix a conflict from parallel dependabot merges. (#456)
  • fix tuf metadata marshalling (#447)
  • Switch DSSE provider to go-securesystemslib (#442)
  • fix unmarshalling sth (#409)
  • Fix port flag override (#396)
  • makefile: small fix on the makefile for the rekor-server (#393)

Dependencies Updates

  • Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#531)
  • Bump sigstore/cosign-installer from 1.3.1 to 1.4.1 (#530)
  • Bump the DSSE signing library. (#529)
  • Bump golang from 1.17.4 to 1.17.5 (#527)
  • Bump golang from 1.17.3 to 1.17.4 (#523)
  • Bump gopkg.in/ini.v1 from 1.66.0 to 1.66.2 (#520)
  • Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (#517)
  • Bump github.com/secure-systems-lab/go-securesystemslib (#516)
  • Bump gopkg.in/ini.v1 from 1.64.0 to 1.66.0 (#513)
  • Upgraded go-playground/validator module to v10 (#507)
  • Bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (#495)
  • Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (#510)
  • Bump the trillian import to v1.4.0. (#502)
  • Bump the trillian versions to v1.4.0 in our docker-compose setup. (#500)
  • update go.mod for go-fuzz (#496)
  • Bump sigstore/cosign-installer from 1.3.0 to 1.3.1 (#491)
  • Bump golang from 1.17.2 to 1.17.3 (#482)
  • Bump google.golang.org/grpc from 1.41.0 to 1.42.0 (#478)
  • Bump actions/checkout from 2.3.5 to 2.4.0 (#477)
  • Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (#470)
  • bump go-swagger to v0.28.0 (#463)
  • Bump github.com/in-toto/in-toto-golang from 0.3.2 to 0.3.3 (#459)
  • Bump actions/checkout from 2.3.4 to 2.3.5 (#458)
  • Bump github.com/mediocregopher/radix/v4 from 4.0.0-beta.1 to 4.0.0 (#460)
  • Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (#451)
  • Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (#454)
  • Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (#453)
  • Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (#452)
  • Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (#450)
  • Bump golang from 1.17.1 to 1.17.2 (#448)
  • Bump google.golang.org/grpc from 1.40.0 to 1.41.0 (#441)
  • Bump golang.org/x/mod from 0.5.0 to 0.5.1 (#440)
  • Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (#439)
  • Bump gopkg.in/ini.v1 from 1.63.0 to 1.63.2 (#437)
  • Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 (#436)
  • Bump gocloud to v0.24.0. (#434)
  • Bump golang from 1.17.0 to 1.17.1 (#432)
  • Bump go.uber.org/zap from 1.19.0 to 1.19.1 (#431)
  • Bump gopkg.in/ini.v1 from 1.62.0 to 1.63.0 (#429)
  • Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (#425)
  • Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (#423)
  • Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (#422)
  • Bump golang from 1.16.7 to 1.17.0 (#413)
  • Bump golang.org/x/mod from 0.4.2 to 0.5.0 (#412)
  • Bump google.golang.org/grpc from 1.39.1 to 1.40.0 (#411)
  • Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (#408)
  • Bump go.uber.org/zap from 1.18.1 to 1.19.0 (#407)
  • Bump golang from 1.16.6 to 1.16.7 (#403)
  • Bump google.golang.org/grpc from 1.39.0 to 1.39.1 (#404)

Contributors

Images:

  • Rekor server: `gcr.i...
Read more