- output trace in slog and override correlation header name (#1986)
- give log timestamps nanosecond precision (#1985)
- Added support for sha384/sha512 hash algorithms in hashedrekords (#1959)
- Change Redis value for locking mechanism (#1957)
- Fix panic for DSSE canonicalization (#1923)
- Drop conditional when verifying entry checkpoint (#1917)
- Remove timestamp from checkpoint (#1888)
- Additional unique index correction (#1885)
- bump trillian images to v1.6.0 (#1984)
- remove trillian images from release process (#1983)
- update builder to use go1.21
- Andrew Block
- Bob Callaway
- Carlos Tadeu Panato Junior
- Hayden Blauzvern
- Riccardo Schirone
- add mysql indexstorage backend
- add s3 storage for attestations
- fix: Do not check for pubsub.topics.get on initialization (#1853)
- fix optional field in cose schema
- Update ranges.go (#1852)
- update indexstorage interface to reduce roundtrips (#1838)
- use a single validator library in rekor-cli (#1818)
- Remove go-playground/validator dependency from pkg/pki (#1817)
- Bob Callaway
- Carlos Tadeu Panato Junior
- Hayden B
- James Alseth
- Kenny Leung
- Noah Kreiger
- Zach Steindler
- update trillian to 1.5.3 (#1803)
- adds redis_auth (#1627)
- Add method to get artifact hash for an entry (#1777)
- Update signer flag description (#1804)
- install go at correct version for codeql (#1762)
- make e2e tests more usable with docker-compose (#1770)
- Bob Callaway
- Carlos Tadeu Panato Junior
- Hayden B
- ian hundere
- Kenny Leung
- move to go 1.21.3 to pick up fixes for CVE-2023-39325
- build(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1753)
- build(deps): Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1755)
- build(deps): Bump google/cloud-sdk from 449.0.0 to 450.0.0 (#1757)
- build(deps): Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#1754)
- update Dockerfile for go 1.21.3 (#1752)
- update builder image to use go1.21.3 (#1751)
- Carlos Tadeu Panato Junior
- enable GCP cloud profiling on rekor-server (#1746)
- move index storage into interface (#1741)
- add info to readme to denote additional documentation sources (#1722)
- Add type of ed25519 key for TUF (#1677)
- Allow parsing base64-encoded TUF metadata and root content (#1671)
- disable quota in trillian in test harness (#1680)
- Update contact for code of conduct (#1720)
- fix: typo (#1711)
- Fix panic when parsing SSH SK pubkeys (#1712)
- Correct index creation (#1708)
- Update .ko.yaml (#1682)
- docs: fixes a small typo on the readme (#1686)
- chore: fix `backfill-redis` Makefile target (#1685)
- Andres Galante
- Andrew Block
- Appu
- Bob Callaway
- Carlos Tadeu Panato Junior
- guangwu
- Hayden B
- jonvnadelberg
- Lance Ball
- feat: Support publishing new log entries to Pub/Sub topics (#1580)
- Change values of Identity.Raw, add fingerprints (#1628)
- Extract all subjects from SANs for x509 verifier (#1632)
- Fix type comment for Identity struct (#1619)
- Refactor Identities API (#1611)
- Refactor Verifiers to return multiple keys (#1601)
- set min go version to 1.21 (#1651)
- Upgrade to go1.21 (#1636)
- Update openapi.yaml (#1655)
- pass transient errors through retrieveLogEntry (#1653)
- return full entryID on HTTP 409 responses (#1650)
- Update checkpoint link (#1597)
- Use correct log index in inclusion proof (#1599)
- remove instrumentation library (#1595)
- pki: clean up fuzzer (#1594)
- alpine: add max metadata size to fuzzer (#1571)
- AdamKorcz
- Appu
- Bob Callaway
- Carlos Tadeu Panato Junior
- Ceridwen Coghlan
- Hayden B
- James Alseth
- swap killswitch for 'docker-compose restart' (#1562)
- pass treeSize and rootHash to avoid trillian import (#1513)
- Move github.com/sigstore/protobuf-specs users into a separate subpackage (#1511)
- pass down error with message instead of nil (#1560)
- Bob Callaway
- Carlos Tadeu Panato Junior
- Eng Zer Jun
- Miloslav Trmač
- run go mod tidy in hack/tools (#1510)
- Bob Callaway
- add client method to generate TLE struct (#1498)
- add dsse type (#1487)
- support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
- Add concurrency to backfill-redis (#1504)
- omit informational message if machine-parseable output has been requested (#1486)
- Publish stable checkpoint periodically to Redis (#1461)
- Add intoto v0.0.2 to backfill script (#1500)
- add new method to test insertability of proposed entries into log (#1410)
- use t.Skip() in fuzzers (#1506)
- improve fuzzing coverage (#1499)
- Remove watcher script (#1484)
- Merge pull request from GHSA-frqx-jfcm-6jjr
- Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
- fix lint errors, bump linter up to 1.52 (#1485)
- Remove dependencies from pkg/util (#1469)
- Bob Callaway
- Carlos Tadeu Panato Junior
- Ceridwen Coghlan
- Cody Soyland
- Hayden B
- Miloslav Trmač
- Refactor Trillian client with exported methods (#1454)
- Switch to official redis-go client (#1459)
- Remove replace in go.mod (#1444)
- Add Rekor OID info. (#1390)
- remove legacy encrypted cosign key (#1446)
- swap cjson dependency (#1441)
- Update release readme (#1456)
- Merge pull request from GHSA-2h5h-59f5-c5x9
- Billy Lynch
- Bob Callaway
- Carlos Tadeu Panato Junior
- Ceridwen Coghlan
- Hayden B
- improve validation on intoto v0.0.2 type (#1351)
- add feature to limit HTTP request body length to process (#1334)
- add information about the file size limit (#1313)
- Add script to backfill Redis from Rekor (#1163)
- Feature: add search support for sha512 (#1142)
- fuzzing: refactor OSS-Fuzz build script (#1377)
- Update cloudbuild for cosign 2.0 (#1375)
- Tests - Additional sharding tests (#1180)
- jar type: add fuzzer for 3rd-party dep (#1360)
- update cosign to 2.0.0 and builder image and also cosign flags (#1368)
- fuzzing: move alpine utils to fuzz utils (#1335)
- fuzzing: add seed for alpine fuzzer (#1342)
- jar: add v001 fuzzer (#1327)
- fuzzing: open writer later in fuzz utils (#1326)
- fuzzing: remove tar operations in alpine fuzzer (#1322)
- alpine: add v001 fuzzer (#1316)
- hashedrekord: add v001 fuzzer (#1315)
- fuzzing: add call to IndexKeys in multiple fuzzers (#1302)
- fuzzing: improve cose fuzzer (#1300)
- fuzzing: improve fuzz utils (#1298)
- fuzzing: improve alpine fuzzer (#1273)
- fuzzing: go mod edit go-fuzz-headers (#1272)
- fuzzing: add .options file (#1271)
- fuzzing: build helm fuzzer from correct dir (#1264)
- types: refactor multiple fuzzers (#1258)
- helm: add fuzzer for provenance unmarshalling (#1243)
- pki: add fuzzer (#1256)
- Fuzzing: Add more bug detectors (#1253)
- Refactor e2e - part 5 (#1236)
- Removed unused tool/deps (#1244)
- Fixed the invalid path (#1245)
- Run latest fuzzers in OSS-Fuzz (#1221)
- Fuzz tests - hashedrekord (#1224)
- Update builder (#1228)
- Revamping rekor e2e - part 4 of N (#1218)
- types: add fuzzers (#1225)
- jar type: add fuzzer (#1215)
- Revamping rekor e2e - part 3 of N (#1177)
- modify OSS-Fuzz build script (#1214)
- move over oss-fuzz build script (#1204)
- wrap redis client errors to aid debugging (#1176)
- don't test release candidate builds in harness (#1183)
- types/alpine: add fuzzer (#1200)
- logging tweaks to improve usability (#1235)
- Add backfill-redis to the release artifacts (#1174)
- ensure jobs run on release branches (#1181)
- update builder image and cosign (#1165)
- Refactor e2e tests - x509 apk (#1152)
- Sharding - Additional tests (#1156)
- Ran gofmt and cleaned up (#1157)
- Fuzz - Fuzz tests for sharding (#1147)
- Revamping rekor e2e - part 1 of N (#1089)
- remove goroutine usage from SearchLogQuery (#1407)
- drop log messages regarding attestation storage to debug (#1408)
- fix ko-local build (#1381)
- disable blocking checks (#1353)
- fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
- fix: fix regex for multi-digit counts (#1321)
- return NotFound if treesize is 0 rather than calling trillian (#1311)
- enumerate slice to get sugared logs (#1312)
- put a reasonable size limit on ssh key reader (#1288)
- CLIENT: Fix Custom Host and Path Issue (#1306)
- do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
- correctly handle invalid or missing pki format (#1281)
- Add Verifier to get public key/cert and identities for entry type (#1210)
- fix goroutine leak in client; add insecure TLS option (#1238)
- Fix - Remove the force-recreate flag (#1179)
- trim whitespace around public keys before parsing (#1175)
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
- Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
- remove double encoding of payload and signature fields for intoto (#1150)
- fix SearchLogQuery behavior to conform to openapi spec (#1145)
- Remove pem-certificate-chain from client (#1138)
- fix flag type for operator in search (#1136)
- use sigstore/community dep review (#1132)
- AdamKorcz
- Batuhan Apaydın
- Bob Callaway
- Carlos Tadeu Panato Junior
- Fabian Kammel
- Fredrik Skogman
- Hayden B
- Joyce
- Naveen
- Noah Kreiger
- Priya Wadhwa
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171) (#1172)
- ensure jobs run on release branches (#1181) (#1182)
- Bob Callaway
Rekor is 1.0! No changes, as this is tagged at the same commit as v1.0.0-rc.1.
Thank you to all of the contributors to Rekor in the past couple years who helped make Rekor 1.0 possible!
- Aastha Bist
- Aditya Sirish
- Ahmet Alp Balkan
- Andrew Block
- Appu
- Asra Ali
- axel simon
- Azeem Shaikh
- Batuhan Apaydın
- Bob Callaway
- Carlos Tadeu Panato Junior
- Ceridwen Driskill
- Christian Rebischke
- Dan Lorenc
- Dan Luhring
- Eddie Zaneski
- Efe Barlas
- Fredrik Skogman
- Harry Fallows
- Hayden B
- Hector Fernandez
- Jake Sanders
- Jason Hall
- Jehan Shah
- John Speed Meyers
- Kenny Leung
- Koichi Shiraishi
- Lily Sturmann
- Luke Hinds
- Mikhail Swift
- Morten Linderud
- Nathan Smith
- Naveen
- Olivier Cedric Barbier
- Parth Patel
- Priya Wadhwa
- Robert James Hernandez
- Romain Aviolat
- Samsondeen
- Sascha Grunert
- Scott Nichols
- Shiwei Zhang
- Simon Kent
- Sylvestre Ledru
- Tiziano Santoro
- Trishank Karthik Kuppusamy
- Ville Aikas
- dhaus67
- endorama
- kpcyrd
- add retry command line flag on rekor-cli (#1097)
- Add some info and debug logging to commonly used funcs (#1106)
- Bob Callaway
- Priya Wadhwa
- update swagger API version to 1.0.0 (#1102)
- verify: verify checkpoint's STH against the inclusion proof root hash (#1092)
- add ability to enable/disable specific rekor API endpoints (#1080)
- enable configurable client retries with backoff in RekorClient (#1096)
- remove unused RekorVersion API definition (#1101)
- remove unused api-key and timestamp references (#1098)
- Bob Callaway
- asraa
- add changelog for 0.12.0 and 0.12.1 (#1064)
- add description on /api/v1/index/retrieve endpoint (#1073)
- Adding e2e test coverage (#1071)
- export rekor build/version information (#1074)
- Search through all shards when searching by hash (#1082)
- Use POST instead of GET for /api/log/entries/retrieve metrics (#1083)
- Bob Callaway
- Carlos Tadeu Panato Junior
- Ceridwen Driskill
- Simon Kent
- Priya Wadhwa
**Rekor `v0.12.1` comes with a breaking change to `rekor-cli v0.12.1`. Users of rekor-cli MUST upgrade to the latest version** The addition of the intotov2 created a breaking change for the `rekor-cli`
- Adds new rekor metrics for latency and QPS. (sigstore#1059)
- feat: add file based signer and password (sigstore#1049)
- fix: fix harness tests with intoto v0.0.2 (sigstore#1052)
- Asra Ali (@asraa)
- Simon Kent (@var-sdk)
- remove /api/v1/version endpoint (sigstore#1022)
- Include checkpoint (STH) in entry upload and retrieve responses (sigstore#1015)
- Validate tree ID on calls to /api/v1/log/entries/retrieve (sigstore#1017)
- feat: add verification functions (sigstore#986)
- Change Checkpoint origin to be "Hostname - Tree ID" (sigstore#1013)
- Add bounds on number of elements in api/v1/log/entries/retrieve (sigstore#1011)
- Intoto v0.0.2 (sigstore#973)
- api.SearchLogQueryHandler thread safety (sigstore#1006)
- enable blocking specific pluggable type versions from being inserted into the log (sigstore#1004)
- check supportedVersions list rather than directly reading from version map (sigstore#1003)
- fix retrieve endpoint response code and add testing (sigstore#1043)
- Fix harness tests @ main (sigstore#1038)
- Fix rekor-cli backwards incompatibility & run harness tests against HEAD (sigstore#1030)
- fix: use entry uuid uniformly (sigstore#1012)
- Fetch all tags in harness tests (sigstore#1039)
- Asra Ali (@asraa)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Ceridwen Driskill (@cdris)
- Hayden Blauzvern (@haydentherapper)
- Kenny Leung (@k4leung4)
- Mikhail Swift (@mikhailswift)
- Parth Patel (@pxp928)
- Priya Wadhwa (@priyawadhwa)
- add support for `intersection` & `union` in search operations (sigstore#968)
- Allow sharding config to be written in yaml or json (sigstore#974)
- update field documentation on publicKey for hashedrekord (sigstore#969)
- compute payload and envelope hashes upon validating intoto proposed entries (sigstore#967)
- Add prometheus summary to track metric latency (sigstore#966)
- Add harness test for getting all entries by UUID and EntryID (sigstore#957)
- Persist and check attestations across harness tests (sigstore#952)
- Add rekor harness tests for adding and getting entries from previous versions (sigstore#945)
- fix: make rekor verify work with sharded uuids (sigstore#970)
- fix incorrect schema id for cose type (sigstore#979)
- fix nil-pointer error when artifact-hash is passed without artifact (sigstore#965)
- change default value for rekor_server.hostname to server's hostname (sigstore#963)
- api: fix inclusion proof verification flake (sigstore#956)
- Update scorecard-action to v2:alpha (sigstore#987)
- add changelog for v0.11.0 release (sigstore#982)
- remove trailing slash on directories (sigstore#984)
- update builder and cosign images (sigstore#981)
- Bump github.com/go-openapi/spec from 0.20.6 to 0.20.7 (sigstore#976)
- Bump github.com/go-openapi/loads from 0.21.1 to 0.21.2 (sigstore#977)
- Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 (sigstore#978)
- Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (sigstore#975)
- Bump github.com/mediocregopher/radix/v4 from 4.1.0 to 4.1.1 (sigstore#972)
- Bump actions/github-script from 6.1.0 to 6.1.1 (sigstore#971)
- Bump github.com/go-openapi/errors from 0.20.2 to 0.20.3 (sigstore#964)
- Bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 (sigstore#960)
- Bump go.uber.org/zap from 1.21.0 to 1.22.0 (sigstore#961)
- Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 (sigstore#959)
- Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (sigstore#958)
- Bump github/codeql-action from 2.1.17 to 2.1.18 (sigstore#955)
- Bump golang from 1.18.4 to 1.18.5 (sigstore#950)
- Bump golang from `6e10f44` to `8a62670` (sigstore#948)
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (sigstore#947)
- Asra Ali (@asraa)
- Azeem Shaikh (@azeemshaikh38)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Samsondeen (@dsa0x)
- Priya Wadhwa (@priyawadhwa)
**Note: Rekor will not send `application/yaml` responses anymore, only `application/json` responses**
- Drop application/yaml content type (sigstore#933)
- Return 404 if entry isn't found in log (sigstore#915)
- reuse dsse signature wrappers instead of having a copy (sigstore#912)
- update go mod in hack/tools to go1.18 (sigstore#935)
- Enable Scorecard badge (sigstore#941)
- Add rekor test harness to presubmit tests (sigstore#921)
- Bump imjasonh/setup-ko from 0.4 to 0.5 (sigstore#940)
- update go builder and cosign image (sigstore#934)
- Bump sigs.k8s.io/release-utils from 0.7.2 to 0.7.3 (sigstore#937)
- Bump github.com/google/trillian from 1.4.1 to 1.4.2 in /hack/tools (sigstore#939)
- Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (sigstore#936)
- Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (sigstore#930)
- Update cosign image in validate-release job (sigstore#931)
- Bump sigs.k8s.io/release-utils from 0.7.1 to 0.7.2 (sigstore#927)
- Bump github.com/veraison/go-cose from 1.0.0-alpha.1 to 1.0.0-rc.1 (sigstore#928)
- Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (sigstore#925)
- Bump github/codeql-action from 2.1.15 to 2.1.16 (sigstore#924)
- Bump golang from 1.18.3 to 1.18.4 (sigstore#919)
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (sigstore#920)
- Bump actions/setup-go from 3.2.0 to 3.2.1 (sigstore#916)
- Updates on the release job/makefile cleanup (sigstore#914)
- add changelog for v0.9.1 (sigstore#911)
- Azeem Shaikh (@azeemshaikh38)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Priya Wadhwa (@priyawadhwa)
- Optimize lookup of attestation from storage layer (sigstore#909)
- feat: add subject URIs to index for x509 certificates (sigstore#897)
- ensure log messages have requestID where possible (sigstore#907)
- Check inactive shards for UUID for /retrieve endpoint (sigstore#905)
- Fix bug where /retrieve endpoint returns wrong logIndex across shards (sigstore#908)
- fix: sql syntax in dbcreate script (sigstore#903)
- cleanup makefile with generated code; cleanup unused files (sigstore#910)
- Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1 (sigstore#906)
- Pin release-utils to v0.7.1 (sigstore#904)
- Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (sigstore#898)
- Asra Ali (@asraa)
- Bob Callaway (@bobcallaway)
- Priya Wadhwa (@priyawadhwa)
- Romain Aviolat (@xens)
- Sascha Grunert (@saschagrunert)
- Add COSE support to Rekor (sigstore#867)
- Resolve virtual log index when calling /api/v1/log/entries/retrieve endpoint (sigstore#894)
- Fix intoto index keys (sigstore#889)
- ensure fallback logic executes if attestation key is empty when fetching attestation (sigstore#878)
- Bump github/codeql-action from 2.1.14 to 2.1.15 (sigstore#893)
- Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (sigstore#888)
- Bump github/codeql-action from 2.1.13 to 2.1.14 (sigstore#885)
- add changelog for v0.8.2 (sigstore#882)
- Bump github/codeql-action from 2.1.12 to 2.1.13 (sigstore#880)
- Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (sigstore#881)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Fredrik Skogman (@kommendorkapten)
- Priya Wadhwa (@priyawadhwa)
- ensure fallback logic executes if attestation key is empty when fetching attestation (sigstore#878)
- Bump github/codeql-action from 2.1.12 to 2.1.13 (sigstore#880)
- Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (sigstore#881)
- collect docker-compose logs if sharding tests fail, also trim IDs (sigstore#869)
- Bob Callaway (@bobcallaway)
- Allow an expired certificate chain to be uploaded and verified (sigstore#873)
- Fix indexing bug for intoto attestations (sigstore#870)
- Bump actions/dependency-review-action from 1.0.2 to 2 (sigstore#871)
- Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (sigstore#868)
- add changelog for v0.8.0 (sigstore#866)
- Carlos Tadeu Panato Junior (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Priya Wadhwa (@priyawadhwa)
- Print total tree size, including inactive shards in `rekor-cli loginfo` (sigstore#864)
- Allow retrieving entryIDs or UUIDs via `/api/v1/log/entries/retrieve` endpoint (sigstore#859)
- Improve error message when using ED25519 with HashedRekord type (sigstore#862)
- Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (sigstore#844)
- Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (sigstore#863)
- update go.mod to go1.17 (sigstore#861)
- update cross-builder image to use go1.17.11 and dockerfile base image (sigstore#860)
- Bump github/codeql-action from 2.1.11 to 2.1.12 (sigstore#858)
- Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (sigstore#857)
- Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (sigstore#852)
- Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#853)
- Configure rekor server in e2e tests via env variable (sigstore#850)
- Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (sigstore#848)
- Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. (sigstore#847)
- Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (sigstore#846)
- Carlos Tadeu Panato Junior (@cpanato)
- dhaus67 (@dhaus67)
- Hayden Blauzvern (@haydentherapper)
- Priya Wadhwa (@priyawadhwa)
Breaking Change: Removed timestamping authority API. This is a breaking API change. If you are relying on the timestamping authority to issue signed timestamps, create signed timestamps using either OpenSSL or a service such as FreeTSA.
- Remove timestamping authority (sigstore#813)
- Limit the number of certificates parsed in a chain (sigstore#823)
- Retrieve shard tree length if it isn't provided in the config (sigstore#810)
- Don't try to index on hash for intoto obj if one isn't available (sigstore#800)
- intoto: add index on materials digest of slsa provenance (sigstore#793)
- remove URL fetch of keys/artifacts server-side (sigstore#735)
- all: remove dependency on deprecated github.com/pkg/errors (sigstore#834)
- Add back owners for rfc3161 package type (sigstore#833)
- Bump google-github-actions/auth from 0.7.2 to 0.7.3 (sigstore#832)
- Bump github/codeql-action from 2.1.10 to 2.1.11 (sigstore#829)
- Bump google-github-actions/auth from 0.7.1 to 0.7.2 (sigstore#830)
- Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (sigstore#828)
- Bump actions/dependency-review-action (sigstore#825)
- Bump actions/github-script from 6.0.0 to 6.1.0 (sigstore#826)
- Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (sigstore#827)
- update go to 1.17.10 in the dockerfile (sigstore#819)
- Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (sigstore#818)
- Bump github.com/google/trillian from 1.4.0 to 1.4.1 (sigstore#817)
- Bump actions/setup-go from 3.0.0 to 3.1.0 (sigstore#822)
- Bump github/codeql-action (sigstore#821)
- update release builder images to use go 1.17.10 and cosign image to 1.18.0 (sigstore#820)
- Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (sigstore#815)
- Bump github/codeql-action from 2.1.9 to 2.1.10 (sigstore#816)
- Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (sigstore#811)
- Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (sigstore#802)
- Move trillian/merkly to transparency-dev (sigstore#807)
- Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (sigstore#803)
- chore(deps): Included dependency review (sigstore#788)
- Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (sigstore#799)
- Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (sigstore#794)
- Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (sigstore#795)
- Bump github/codeql-action from 2.1.8 to 2.1.9 (sigstore#796)
- Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (sigstore#791)
- Bump google-github-actions/auth from 0.7.0 to 0.7.1 (sigstore#790)
- Bump actions/checkout from 3.0.1 to 3.0.2 (sigstore#786)
- Bump codecov/codecov-action from 3.0.0 to 3.1.0 (sigstore#785)
- Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (sigstore#782)
- Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (sigstore#781)
- Bump anchore/sbom-action from 0.10.0 to 0.11.0 (sigstore#779)
- Bump actions/checkout from 3.0.0 to 3.0.1 (sigstore#778)
- Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (sigstore#777)
- Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (sigstore#776)
- Asra Ali (@asraa)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Koichi Shiraishi (@zchee)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
Notice: The server side remote fetching of resources will be removed in the next release
- Create EntryID for new artifacts and return EntryID to user (sigstore#623)
- Add search through inactive shards for GET by UUID (sigstore#750)
- Add in configmap to release for sharding config (sigstore#766)
- set p.Block after parsing; other cleanup (sigstore#759)
- Add index to hashed intoto envelope (sigstore#761)
- Add the SHA256 digest of the intoto payload into the rekor entry (sigstore#764)
- Add support for providing certificate chain for X509 signature types (sigstore#747)
- Specify public key for inactive shards in shard config (sigstore#746)
- Use active tree on server startup (sigstore#727)
- Require tlog_id when inactive shard config file is passed in (sigstore#739)
- Replace `trillian_log_server.log_id_ranges` flag with a config file (sigstore#742)
- Update loginfo API endpoint to return information about inactive shards (sigstore#738)
- Refactor rekor-cli loginfo (sigstore#734)
- Get log proofs by Tree ID (sigstore#733)
- Return virtual index when creating and getting a log entry (sigstore#725)
- Clearer logging for createAndInitTree (sigstore#724)
- Change TreeID to be of type `string` instead of `int64` (sigstore#712)
- Switch to using the swag library for pointer manipulation. (sigstore#719)
- Make the loginfo command a bit more future/backwards proof. (sigstore#718)
- Use logRangesFlag in API, route reads based on TreeID (sigstore#671)
- Set rekor-cli User-Agent header on requests (sigstore#684)
- create namespace for rekor config in yaml. (sigstore#680)
- add securityContext to deployment. (sigstore#678)
- Move k8s objects out of the default namespace (sigstore#674)
- Fix search without sha prefix (sigstore#767)
- Fix link in types README (sigstore#765)
- fix typo in filename (sigstore#758)
- fix build date format for version command (sigstore#745)
- fix merge conflict (sigstore#720)
- Add documentation about Alpine type (sigstore#697)
- update security process link (sigstore#685)
- Add intoto type documentation (sigstore#679)
- Add docs about API stability and deprecation policy (sigstore#661)
- Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (sigstore#768)
- Bump anchore/sbom-action from 0.9.0 to 0.10.0 (sigstore#763)
- Bump github/codeql-action from 2.1.7 to 2.1.8 (sigstore#762)
- Update release jobs and trillian images (sigstore#756)
- Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (sigstore#757)
- Bump anchore/sbom-action from 0.8.0 to 0.9.0 (sigstore#754)
- Bump codecov/codecov-action from 2.1.0 to 3 (sigstore#753)
- Bump github/codeql-action from 2.1.6 to 2.1.7 (sigstore#752)
- Bump google-github-actions/auth from 0.6.0 to 0.7.0 (sigstore#751)
- Bump github/codeql-action from 1.1.5 to 2.1.6 (sigstore#748)
- Bump anchore/sbom-action from 0.7.0 to 0.8.0 (sigstore#743)
- Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (sigstore#744)
- Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (sigstore#740)
- Bump github/codeql-action from 1.1.4 to 1.1.5 (sigstore#736)
- Use reusable release workflow in sigstore/sigstore (sigstore#729)
- Fix copy/paste mistake in repo name. (sigstore#730)
- Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (sigstore#728)
- Bump golang from `ca70980` to `c7c9458` (sigstore#722)
- Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (sigstore#723)
- Add sharding e2e test to Github Actions (sigstore#714)
- Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (sigstore#717)
- Bump github/codeql-action from 1.1.3 to 1.1.4 (sigstore#716)
- Add trillian container to existing release. (sigstore#715)
- Bump golang from `0168c35` to `ca70980` (sigstore#707)
- Mirror signed release images from GCR to GHCR as part of release (sigstore#701)
- Bump anchore/sbom-action from 0.6.0 to 0.7.0 (sigstore#709)
- Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (sigstore#710)
- Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (sigstore#708)
- Generate release yaml artifact. (sigstore#702)
- Bump actions/upload-artifact from 2.3.1 to 3 (sigstore#704)
- Go update to 1.17.8 and cosign to 1.6.0 (sigstore#705)
- Consistent parenthesis use in Makefile (sigstore#700)
- add code coverage to pull request. (sigstore#676)
- Bump actions/checkout from 2.4.0 to 3 (sigstore#698)
- Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (sigstore#696)
- Bump actions/setup-go from 2.2.0 to 3.0.0 (sigstore#694)
- Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#695)
- Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (sigstore#693)
- Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (sigstore#692)
- Bump golangci/golangci-lint-action from 2.5.2 to 3 (sigstore#691)
- Bump github/codeql-action from 1.1.2 to 1.1.3 (sigstore#690)
- Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (sigstore#689)
- explicitly set permissions for github actions (sigstore#687)
- Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (sigstore#686)
- Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (sigstore#683)
- Bump github/codeql-action from 1.1.0 to 1.1.2 (sigstore#682)
- Bump actions/github-script from 5.1.0 to 6 (sigstore#669)
- Bump github/codeql-action from 1.0.32 to 1.1.0 (sigstore#668)
- update cross-build and dockerfile to use go 1.17.7 (sigstore#666)
- Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (sigstore#664)
- Bump actions/setup-go from 2.1.5 to 2.2.0 (sigstore#663)
- Bump golang from `301609e` to `fff998d` (sigstore#662)
- use upstream k8s version lib (sigstore#657)
- Bump github/codeql-action from 1.0.31 to 1.0.32 (sigstore#659)
- Bump go.uber.org/zap from 1.20.0 to 1.21.0 (sigstore#660)
- Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (sigstore#656)
- Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (sigstore#655)
- Update the warning text for the GA release. (sigstore#654)
- attempting to fix codeowners file (sigstore#653)
- update release job (sigstore#651)
- Bump google-github-actions/auth from 0.5.0 to 0.6.0 (sigstore#652)
- Asra Ali (@asraa)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Eddie Zaneski (@eddiezane)
- Hayden Blauzvern (@haydentherapper)
- John Speed Meyers
- Kenny Leung (@k4leung4)
- Lily Sturmann (@lkatalin)
- Priya Wadhwa (@priyawadhwa)
- Scott Nichols (@n3wscott)
- Add Rekor logo to README (sigstore#650)
- update API calls to v5 (sigstore#591)
- Refactor helm type to remove intermediate state. (sigstore#575)
- Refactor the shard map parsing so we can pass it down into the API object. (sigstore#564)
- Refactor the alpine type to reduce intermediate state. (sigstore#573)
- Add logic to GET artifacts via old or new UUID (sigstore#587)
- helpful error message for hashedrekord types (sigstore#605)
- Set Accept header in dynamic counter requests (sigstore#594)
- Add sharding package and update validators (sigstore#583)
- rekor-cli: show the url in case of error (sigstore#581)
- Enable parsing of incomplete minisign keys, to enable re-indexing. (sigstore#567)
- Cleanups on the TUF pluggable type. (sigstore#563)
- Refactor the RPM type to remove more intermediate state. (sigstore#566)
- Do some cleanups of the jar type to remove intermediate state. (sigstore#561)
- Update Makefile (sigstore#621)
- update version comments since dependabot doesn't do it (sigstore#617)
- Use workload identity provider instead of GitHub Secret for GCR access (sigstore#600)
- add OSSF scorecard action (sigstore#599)
- enable the sbom for rekor releases (sigstore#586)
- Point to the official website (instead of a 404) (sigstore#580)
- add milestone to closed prs (sigstore#574)
- Add a Makefile target for the "ko apply" step. (sigstore#572)
- types/README.md: Corrected documentation link (sigstore#568)
- Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (sigstore#636)
- Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (sigstore#635)
- Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (sigstore#634)
- Bump golang from `f71d4ca` to `301609e` (sigstore#627)
- Bump golang from `0fa6504` to `f71d4ca` (sigstore#624)
- Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (sigstore#622)
- Bump github/codeql-action from 1.0.29 to 1.0.30 (sigstore#619)
- Bump ossf/scorecard-action from 1.0.1 to 1.0.2 (sigstore#618)
- bump swagger and go mod tidy (sigstore#616)
- Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (sigstore#614)
- Bump github.com/go-openapi/errors from 0.20.1 to 0.20.2 (sigstore#613)
- Bump google-github-actions/auth from 0.4.4 to 0.5.0 (sigstore#612)
- Bump github/codeql-action from 1.0.28 to 1.0.29 (sigstore#611)
- Bump gopkg.in/ini.v1 from 1.66.2 to 1.66.3 (sigstore#608)
- Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (sigstore#609)
- Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 (sigstore#606)
- Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (sigstore#607)
- Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 (sigstore#603)
- Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (sigstore#602)
- Bump golang from `8c0269d` to `0fa6504` (sigstore#597)
- Pin dependencies in github action workflows and Dockerfile (sigstore#595)
- update release image to use go 1.17.6 (sigstore#589)
- Bump golang from 1.17.5 to 1.17.6 (sigstore#588)
- Bump go.uber.org/goleak from 1.1.11 to 1.1.12 (sigstore#585)
- Bump go.uber.org/zap from 1.19.1 to 1.20.0 (sigstore#584)
- Bump github.com/go-playground/validator/v10 from 10.9.0 to 10.10.0 (sigstore#579)
- Bump actions/github-script from 4 to 5 (sigstore#577)
- Asra Ali (@asraa)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Jason Hall (@imjasonh)
- Lily Sturmann (@lkatalin)
- Morten Linderud (@Foxboron)
- Nathan Smith (@nsmith5)
- Sylvestre Ledru (@sylvestre)
- Trishank Karthik Kuppusamy (@trishankatdatadog)
- Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (sigstore#501)
- Update the schema to match that of Trillian repo. The map specific (sigstore#528)
- allow setting the user-agent string sent from the client (sigstore#521)
- update key usage for ts cert (sigstore#504)
- api/index/retrieve: allow searching on indices with sha1 hashes (sigstore#499)
- Only include Attestation data if attestation storage enabled (sigstore#494)
- Fuzzing RequestFromRekor API (sigstore#488)
- Included pprof for profiling the application. (sigstore#485)
- refactor release and add signing (sigstore#483)
- More verbose error message for redis connection failure (sigstore#479) (sigstore#480)
- Fixed modtime for reproducible goreleaser (sigstore#473)
- add goreleaser and cloudbuild for releases (sigstore#443)
- Add dynamic JS tree size counter (sigstore#468)
- check that entry UUID == leafHash of returned entry (sigstore#469)
- chore: upgrade cosign version (sigstore#465)
- Reproducible builds with trimpath (sigstore#464)
- correct links, add Table of Contents of sorts (sigstore#449)
- update go tuf for rsa key impl (sigstore#446)
- Canonicalize JSON before inserting into trillian (sigstore#445)
- Export search UUIDs field (sigstore#438)
- Add a flag to start specifying log index ranges for virtual indices. (sigstore#435)
- Cleanup some initialization/flag parsing in rekor-server. (sigstore#433)
- Drop 404 errors down to a warning. (sigstore#426)
- Cleanup the output of search (the text goes to stderr not stdout). (sigstore#421)
- remove extradata field from types (sigstore#418)
- Update usage of ./cmd/rekor-cli/ from `rekor` to `rekor-cli` (sigstore#417)
- Add TUF type (sigstore#383)
- Updates to INSTALLATION.md notes (sigstore#415)
- Update snippets to use `console` type for snippets (sigstore#410)
- version: add way to display a version when using go get or go install (sigstore#405)
- Use an in memory timestamping key (sigstore#402)
- Links are case sensitive (sigstore#401)
- Installation guide (sigstore#400)
- Add a SignedTimestampNote (sigstore#397)
- Provide instructions on verifying releases (sigstore#399)
- rekor-server: add html page when humans reach the server via the browser (sigstore#394)
- use go modules to track tools (sigstore#395)
- bug: fix minisign prehashed entries (sigstore#639)
- fix timestamp addition and unmarshal (sigstore#525)
- Correct & parallelize tests (sigstore#522)
- Fix fuzz go.sum issue (sigstore#509)
- fix validation error (sigstore#503)
- Correct Helm index keys (sigstore#474)
- Fix a bug in x509 certificate handling. (sigstore#461)
- Fix a conflict from parallel dependabot merges. (sigstore#456)
- fix tuf metadata marshalling (sigstore#447)
- Switch DSSE provider to go-securesystemslib (sigstore#442)
- fix unmarshalling sth (sigstore#409)
- Fix port flag override (sigstore#396)
- makefile: small fix on the makefile for the rekor-server (sigstore#393)
- Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (sigstore#531)
- Bump sigstore/cosign-installer from 1.3.1 to 1.4.1 (sigstore#530)
- Bump the DSSE signing library. (sigstore#529)
- Bump golang from 1.17.4 to 1.17.5 (sigstore#527)
- Bump golang from 1.17.3 to 1.17.4 (sigstore#523)
- Bump gopkg.in/ini.v1 from 1.66.0 to 1.66.2 (sigstore#520)
- Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (sigstore#517)
- Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#516)
- Bump gopkg.in/ini.v1 from 1.64.0 to 1.66.0 (sigstore#513)
- Upgraded go-playground/validator module to v10 (sigstore#507)
- Bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (sigstore#495)
- Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (sigstore#510)
- Bump the trillian import to v1.4.0. (sigstore#502)
- Bump the trillian versions to v1.4.0 in our docker-compose setup. (sigstore#500)
- update go.mod for go-fuzz (sigstore#496)
- Bump sigstore/cosign-installer from 1.3.0 to 1.3.1 (sigstore#491)
- Bump golang from 1.17.2 to 1.17.3 (sigstore#482)
- Bump google.golang.org/grpc from 1.41.0 to 1.42.0 (sigstore#478)
- Bump actions/checkout from 2.3.5 to 2.4.0 (sigstore#477)
- Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (sigstore#470)
- bump go-swagger to v0.28.0 (sigstore#463)
- Bump github.com/in-toto/in-toto-golang from 0.3.2 to 0.3.3 (sigstore#459)
- Bump actions/checkout from 2.3.4 to 2.3.5 (sigstore#458)
- Bump github.com/mediocregopher/radix/v4 from 4.0.0-beta.1 to 4.0.0 (sigstore#460)
- Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (sigstore#451)
- Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (sigstore#454)
- Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (sigstore#453)
- Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (sigstore#452)
- Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (sigstore#450)
- Bump golang from 1.17.1 to 1.17.2 (sigstore#448)
- Bump google.golang.org/grpc from 1.40.0 to 1.41.0 (sigstore#441)
- Bump golang.org/x/mod from 0.5.0 to 0.5.1 (sigstore#440)
- Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (sigstore#439)
- Bump gopkg.in/ini.v1 from 1.63.0 to 1.63.2 (sigstore#437)
- Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 (sigstore#436)
- Bump gocloud to v0.24.0. (sigstore#434)
- Bump golang from 1.17.0 to 1.17.1 (sigstore#432)
- Bump go.uber.org/zap from 1.19.0 to 1.19.1 (sigstore#431)
- Bump gopkg.in/ini.v1 from 1.62.0 to 1.63.0 (sigstore#429)
- Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (sigstore#425)
- Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (sigstore#423)
- Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (sigstore#422)
- Bump golang from 1.16.7 to 1.17.0 (sigstore#413)
- Bump golang.org/x/mod from 0.4.2 to 0.5.0 (sigstore#412)
- Bump google.golang.org/grpc from 1.39.1 to 1.40.0 (sigstore#411)
- Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (sigstore#408)
- Bump go.uber.org/zap from 1.18.1 to 1.19.0 (sigstore#407)
- Bump golang from 1.16.6 to 1.16.7 (sigstore#403)
- Bump google.golang.org/grpc from 1.39.0 to 1.39.1 (sigstore#404)
- Aditya Sirish (@adityasaky)
- Andrew Block (@sabre1041)
- Asra Ali (@asraa)
- Axel Simon (@axelsimon)
- Batuhan Apaydın (@developer-guy)
- Bob Callaway (@bobcallaway)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Harry Fallows (@harryfallows)
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Lily Sturmann (@lkatalin)
- Luke Hinds (@lukehinds)
- Marina Moore (@mnm678)
- Mikhail Swift (@mikhailswift)
- Naveen Srinivasan (@naveensrinivasan)
- Robert James Hernandez (@sarcasticadmin)
- Santiago Torres (@SantiagoTorres)
- Tiziano Santoro (@tiziano88)
- Trishank Karthik Kuppusamy (@trishankatdatadog)
- Ville Aikas (@vaikas)
- kpcyrd (@kpcyrd)