Bump github.com/sigstore/cosign/v2 from 2.0.0-rc.2 to 2.0.0

[dependabot]

Bumps github.com/sigstore/cosign/v2 from 2.0.0-rc.2 to 2.0.0.

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.0.0

Cosign v2.0.0 is out!

There are many improvments and breaking changes from Cosign 1.x. To see a full list, please see the Sigstore blog and the cosign CHANGELOG.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0

Thanks to all contributors!

• Anish Shah
• Arnaud J Le Hors
• Arthur Lutz
• Batuhan Apaydın
• Bob Callaway
• Carlos Tadeu Panato Junior
• Chris Burns
• Christian Loos
• Emmanuel T Odeke
• Hayden B
• Hector Fernandez
• Huang Huang
• Jan Wozniak
• Josh Dolitsky
• Josh Wolf
• Kenny Leung
• Marko Mudrinić
• Matt Moore
• Matthias Glastra
• Miloslav Trmač
• Mukuls77
• Priya Wadhwa
• Puerco
• Stefan Zhelyazkov
• Tim Seagren
• Tom Meadows
• Ville Aikas
• Zack Newman
• asraa
• kpk47
• priyawadhwa

v2.0.0-rc.3

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Installation

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.0.0

This is the official 2.0.0 release of cosign! There are many new features and breaking changes from version 1.x, for a full explanation please read the Cosign 2.0 blog post.

Breaking Changes

• COSIGN_EXPERIMENTAL=1 is no longer required to have identity-based ("keyless") signing and transparency.
• By default, artifact signatures will be uploaded to Rekor, for both key-based and identity-based signing. To not upload to Rekor, include --tlog-upload=false.
  • You must also include --insecure-ignore-tlog=true when verifying an artifact that was not uploaded to Rekor.
  • Examples of when you may want to skip uploading to the transparency log are if you have a private Sigstore deployment that does not use transparency or a private artifact.
  • We strongly encourage all other use-cases to upload artifact signatures to Rekor. Transparency is a critical component of supply chain security, to allow artifact maintainers and consumers to monitor a public log for their artifacts and signing identities.
• Verification now requires identity flags, --certificate-identity and --certificate-oidc-issuer. Like verifying a signature with a public key, it's critical to specify who you trust to generate a signature for identity-based signing. See sigstore/cosign#2056 for more discussion on this change.
• --certificate-email has been removed. Use --certificate-identity, which supports not only email verification but also any identity specified in a certificate, including SPIFFE, GitHub Actions, or service account identities.
• Cosign no longer supports providing a certificate that does not conform to the Fulcio certificate profile, which includes setting the SubjectAlternativeName and OIDC Issuer OID. To verify with a non-conformant certificate, extract the public key from the certificate and verify with cosign verify --key . We are actively working on more support for custom certificates for those who want to bring their existing PKI.
• Signing OCI images by tag prints a warning and is strongly discouraged, e.g. cosign sign container.registry.io/foo:tag. This is considered insecure since tags are mutable. If you want to specify a particular image, you are recommended to do so by digest.
• SCT verification, a proof of inclusion in a certificate transparency log, is now on by default for verifying Fulcio certificates. For private deployments without certificate transparency, use --insecure-ignore-sct=true to skip this check.
• DSSE support in verify-blob has been removed. You can now verify attestations using verify-blob-attestation.
• Environment variable SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY has been removed. For private deployments, if you would like to set the Rekor public key to verify transparency log entries, use either a TUF setup or set SIGSTORE_REKOR_PUBLIC_KEY with the PEM of the custom Rekor public key..
• verify-blob no longer searches for a certificate. You must provide one with either --certificate or --bundle.
• cosign attest --type {custom|vuln} (and cosign verify-attestation) will now use the RFC 3986 compliant URIs, adding https://, so that these predicate types are compliant with the in-toto specification.
• The CosignPredicate envelope that wraps the predicates of SPDX and CycloneDX attestations has been removed, which was a violation of the schema specified via the predicateType field (more information).
• --force has been removed. To skip any prompts, use --yes.

Improvements

• Blob attestation and verification is now supported with cosign attest-blob and cosign verify-blob-attestation.
• You can now set flags via environment variables, for example instead of --certificate-identity=email, you can set an environment variable for COSIGN_CERTIFICATE_IDENTITY=email.
• --offline=true removes the fallback to the Rekor log when verifying an artifact. Previously, if you did not provide a bundle (a persisted response from Rekor), Cosign would fallback to querying Rekor. You can now skip this fallback for offline environments. Note that if the bundle fails to verify, Cosign will not fallback and will fail early.
• A Fulcio certificate can now be issued for self-managed keys by providing --issue-certificate=true with a key, --key, or security key, --sk. This is useful when adopting Sigstore incrementally.
• Experimental support for trusted timestamping has been added. Timestamping leverages a third party to provide the timestamp that will be used to verify short-lived Fulcio certificates, which distributes trust. We will be writing more about this in an upcoming blog post!
  • To use a timestamp when signing a container, use cosign sign --timestamp-server-url= , such as https://freetsa.org/tsr, and to verify, cosign verify --timestamp-certificate-chain= .
  • To use a timestamp when signing a blob, use cosign sign-blob --timestamp-server-url= --rfc3161-timestamp= --bundle= , and to verify, cosign verify-blob --rfc3161-timestamp= --timestamp-certificate-chain= --bundle= .

For specific PRs representing enhancements, bug fixes, documentation, and breaking changes, please see the sections below for prereleases v2.0.0-rc.0, v2.0.0-rc.1, v2.0.0-rc.2, and v2.0.0-rc.3.

Thanks to all contributors!

• Anish Shah
• Arnaud J Le Hors
• Arthur Lutz
• Batuhan Apaydın
• Bob Callaway
• Carlos Tadeu Panato Junior
• Chris Burns
• Christian Loos
• Emmanuel T Odeke
• Hayden B
• Hector Fernandez
• Huang Huang
• Jan Wozniak
• Josh Dolitsky
• Josh Wolf

... (truncated)

Commits

• d6b9001 Loosen verification predicate type + better error messages (#2737)
• f9d8e5d chore(deps): bump actions/cache from 3.2.5 to 3.2.6 (#2733)
• 29ca2cb chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#2732)
• 8c1eec9 chore(deps): bump mikefarah/yq from 4.30.8 to 4.31.1 (#2731)
• 32b2ac7 chore(deps): bump github.com/sigstore/fulcio from 1.0.0 to 1.1.0 (#2728)
• 8336e5d Disable GHAs for codecov (#2729)
• b9fc4ef Suppress logging in cue/rego and leave it up to the caller (#2726)
• f1743a2 Added support for attaching cert and cert chain in attach command Git… (#2602)
• 13cc4ae CHANGELOG for 2.0.0-rc.3 (#2727)
• 5d2964c chore(deps): bump github.com/xanzy/go-gitlab from 0.80.0 to 0.80.2 (#2723)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov-commenter]

Codecov Report

Merging #965 (49b9ad5) into main (03f4aed) will not change coverage.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@           Coverage Diff           @@
##             main     #965   +/-   ##
=======================================
  Coverage   52.42%   52.42%           
=======================================
  Files          43       43           
  Lines        3325     3325           
=======================================
  Hits         1743     1743           
  Misses       1353     1353           
  Partials      229      229           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.