Releases: sylabs/sif
v2.11.2
What's Changed
- build(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #276
- build(deps): bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1 by @dependabot in #277
- ci: use official Goreleaser bash script by @tri-adam in #279
- build(deps): bump github.com/sigstore/sigstore from 1.6.1 to 1.6.2 by @dependabot in #280
- build(deps): bump github.com/sigstore/sigstore from 1.6.2 to 1.6.3 by @dependabot in #281
- test: fix gen-keys for ED25519 algo by @tri-adam in #283
- fix: preserve arch in SetPrimPart by @tri-adam in #286
- fix: address "Bare URL used" lint by @tri-adam in #287
Full Changelog: v2.11.1...v2.11.2
v2.11.1
v2.11.0
This release allows a user to get/set arbitrary metadata stored directly in an object descriptor. Previously, metadata could only be utilized for a limited set of data types (DataCryptoMessage, DataPartition, DataSignature, DataSBOM).
Specifically, the following APIs have been added:
- func OptMetadata: set metadata when creating an object Descriptor with func NewDescriptorInput.
- func (Descriptor) GetMetadata: get metadata from a Descriptor.
What's Changed
- build(deps): bump github.com/sigstore/sigstore from 1.5.2 to 1.6.0 by @dependabot in #267
- feat: custom metadata support by @tri-adam in #268
- fix: set descriptor timestamp(s) in SetPrimPart by @tri-adam in #272
Full Changelog: v2.10.0...v2.11.0
v2.10.0
This release adds , which allows a context.Context to be used for cancellation of sign/verify operations.
Specifically, the following APIs have been added:
- func OptSignWithContext: supply a context.Context when calling NewSigner
- func OptVerifyWithContext: supply a context.Context when calling NewVerifier
What's Changed
- fix: add nolint to silence go-errorlint by @tri-adam in #264
- build(deps): bump github.com/sigstore/sigstore from 1.5.1 to 1.5.2 by @dependabot in #263
- Expose Context in Sign/Verify by @tri-adam in #259
Full Changelog: v2.9.2...v2.10.0
v2.9.2
What's Changed
- build(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.4.0 to 0.5.0 by @dependabot in #257
- build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #260
- deps: bump github.com/ProtonMail/go-crypto by @tri-adam in #261
Full Changelog: v2.9.1...v2.9.2
v2.9.1
What's Changed
- test: move gen_sifs.go to images dir by @tri-adam in #248
- test: add testing against Go 1.20 RC by @tri-adam in #250
- build(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 by @dependabot in #252
- build(deps): bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1 by @dependabot in #253
- Bump Go Version by @tri-adam in #254
- ci: bump golangci-lint to v1.51 by @tri-adam in #255
- Refactor Test Key Corpus by @tri-adam in #256
Full Changelog: v2.9.0...v2.9.1
v2.9.0
This release adds support for digital signature data objects in Dead Simple Signing Envelope (DSSE) format. This adds support for digital signatures that use non-PGP key material sources.
Specifically, the following APIs have been added:
- func OptSignWithSigner: use a signature.Signer as key material when calling NewSigner.
- func OptVerifyWithVerifier: use one or more signature.Verifier as key material when calling NewVerifier.
- func (VerifyResult) Keys: get the public key(s) used to verify a signature.
What's Changed
- Rename PGP test files by @tri-adam in #243
- DSSE support by @tri-adam in #228
- build(deps): bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 by @dependabot in #246
- Expose non-PGP digital signature support by @tri-adam in #245
- chore: bump node version by @tri-adam in #247
Full Changelog: v2.8.3...v2.9.0
v2.8.3
What's Changed
- SBOM support for siftool by @tri-adam in #238
- build(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in #240
- Handle signature descriptors without fingerprints by @tri-adam in #241
- Bump github.com/ProtonMail/go-crypto by @tri-adam in #242
Full Changelog: v2.8.2...v2.8.3
v2.8.2
What's Changed
- Refactor groupSigner by @tri-adam in #231
- ci: run govulncheck during build-and-test workflow by @tri-adam in #232
- Bump golangci-lint to v1.50 by @tri-adam in #233
- build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in #235
- Refactor verifyTask by @tri-adam in #236
- Bump github.com/ProtonMail/go-crypto by @tri-adam in #237
Full Changelog: v2.8.1...v2.8.2
v2.8.1
This security patch release addresses an issue with previous versions of the github.com/sylabs/sif/v2/pkg/integrity package, which did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. Users are encouraged to upgrade. More information is available in GHSA-m5m3-46gj-wch8.
Full Changelog: v2.8.0...v2.8.1
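The kind of check the v2.8.1 note describes, as an added example that is not code from sylabs/sif: a verifier that refuses a signed digest whose hash algorithm is outside an allowlist, before the signature is trusted. The signedDigest layout, the Ed25519 key and all helper names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	_ "crypto/md5" // linked only so the rejected case below can be signed
	_ "crypto/sha256"
	"errors"
	"fmt"
)

// signedDigest is a constructed model of a signed object digest, not the SIF format.
type signedDigest struct {
	Alg         crypto.Hash
	Digest, Sig []byte
}

var errWeakHash = errors.New("hash algorithm is not cryptographically secure")
var secureHashes = map[crypto.Hash]bool{crypto.SHA256: true} // allowlist: anything else is rejected

func digest(alg crypto.Hash, data []byte) []byte {
	h := alg.New()
	h.Write(data)
	return h.Sum(nil)
}

func sign(priv ed25519.PrivateKey, alg crypto.Hash, data []byte) signedDigest {
	d := digest(alg, data)
	// The algorithm identifier is signed together with the digest.
	return signedDigest{alg, d, ed25519.Sign(priv, append([]byte{byte(alg)}, d...))}
}

func verify(pub ed25519.PublicKey, sd signedDigest, data []byte) error {
	if !secureHashes[sd.Alg] { // a valid signature over a weak digest proves nothing
		return errWeakHash
	}
	if !ed25519.Verify(pub, append([]byte{byte(sd.Alg)}, sd.Digest...), sd.Sig) {
		return errors.New("signature invalid")
	}
	if !bytes.Equal(digest(sd.Alg, data), sd.Digest) {
		return errors.New("digest does not match object data")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	obj := []byte("constructed object data")
	fmt.Println(verify(pub, sign(priv, crypto.MD5, obj), obj))
}
```

Without the first check in verify, the MD5-based signature in main would pass both the signature and digest comparisons, since it is correctly signed by the trusted key.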