Package Release Info

cosign-2.5.3-160000.1.2

Update Info: Base Release
Available in Package Hub: 16.0

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

cosign-bash-completion
cosign-fish-completion
cosign-zsh-completion

Change Logs

* Fri Jul 18 2025 meissner@suse.com
- Update to version 2.5.3 (jsc#SLE-23879)
  - Add signing-config create command (#4280)
  - Allow multiple services to be specified for trusted-root create (#4285)
  - force when copying the latest image to overwrite (#4298)
  - Fix cert verification logic for trusted-root/SCTs (#4294)
  - Fix lint error for types package (#4295)
  - feat: Add OCI 1.1+ experimental support to tree (#4205)
  - Add validity period end for trusted-root create (#4271)
  - avoid double-loading trustedroot from file (#4264)
- Update to 2.5.2:
  - Do not load trusted root when CT env key is set
  - docs: improve doc for --no-upload option (#4206)
- Update to 2.5.1:
  * Features
  - Add Rekor v2 support for trusted-root create (#4242)
  - Add baseUrl and Uri to trusted-root create command
  - Upgrade to TUF v2 client with trusted root
  - Don't verify SCT for a private PKI cert (#4225)
  - Bump TSA library to relax EKU chain validation rules (#4219)
  * Bug Fixes
  - Bump sigstore-go to pick up log index=0 fix (#4162)
  - remove unused recursive flag on attest command (#4187)
  * Docs
  - Fix indentation in verify-blob cmd examples (#4160)
  * GO-2025-3660 / CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725)
* Wed May 28 2025 meissner@suse.com
- switch to go1.24, enable fips build
* Sun Apr 13 2025 meissner@suse.com
- Update to version 2.5.0:
  * Update sigstore-go to pick up bug fixes (#4150)
  * Update golangci-lint to v2, update golangci-lint-action (#4143)
  * Feat/non filename completions (#4115)
  * update builder to use go1.24.1 (#4116)
  * Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  * Remove cert log line (#4113)
  * cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
  * bump to latest scaffolding release for testing (#4099)
  * increase 2e2_test docker compose timeout to 180s (#4091)
  * Fix replace with compliant image mediatype (#4077)
  * Add TSA certificate related flags and fields for cosign attest (#4079)
- Security issues fixed:
  - CVE-2024-6104: cosign: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227031)
  - CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (bsc#1232985)
  - CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237682)
  - CVE-2025-22870: cosign: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs (bsc#1238693)
  - CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239204)
  - CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239337)
* Thu Feb 20 2025 meissner@suse.com
- Update to version 2.4.3:
  * Enable fetching signatures without remote get. (#4047)
  * Bump sigstore/sigstore to support KMS plugins (#4073)
  * sort properly Go imports (#4071)
  * sync comment with parameter name in function signature (#4063)
  * fix go imports order to be alphabetical (#4062)
  * fix comment typo and imports order (#4061)
  * Feat/file flag completion improvements (#4028)
  * Update builder to use go1.23.6 (#4052)
  * Refactor verifyNewBundle into library function (#4013)
  * fix parsing error in --only for cosign copy (#4049)
  * Fix codeowners syntax, add dep-maintainers (#4046)
* Wed Feb 05 2025 meissner@suse.com
- Update to version 2.4.2:
  - Updated open-policy-agent to 1.1.0 library (#4036)
  - Note that only Rego v0 policies are supported at this time
  - Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
  - Add support for verifying root checksum in cosign initialize (#3953)
  - Detect if user supplied a valid protobuf bundle (#3931)
  - Add a log message if user doesn't provide --trusted-root (#3933)
  - Support mTLS towards container registry (#3922)
  - Add bundle create helper command (#3901)
  - Add trusted-root create helper command (#3876)
  * Bug Fixes
  - fix: set tls config while retaining other fields from default http transport (#4007)
  - policy fuzzer: ignore known panics (#3993)
  - Fix for multiple WithRemote options (#3982)
  - Add nightly conformance test workflow (#3979)
  - Fix copy --only for signatures + update/align docs (#3904)
- use "osc service mr" to update
* Wed Oct 02 2024 meissner@suse.com
- update to 2.4.0 (jsc#SLE-23879)
  - Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  - Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  - Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  - Conformance testing for cosign (#3806)
  - move incremental builds per commit to GHCR instead of GCR (#3808)
  - Add support for recording creation timestamp for cosign attest (#3797)
  - Include SCT verification failure details in error message (#3799)
* Tue Aug 20 2024 sarah.kriesch@opensuse.org
- Set CGO_ENABLED=1 for fixing s390x failed build
* Wed Jul 24 2024 meissner@suse.com
- update to 2.3.0 (jsc#SLE-23879)
  * Features
  - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
  - add registry options to cosign save (#3645)
  - Add debug providers command. (#3728)
  - Make config layers in ociremote mountable (#3741)
  - adds tsa cert chain check for env var or tuf targets. (#3600)
  - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
  - add handling of keyless verification for all verify commands (#3761)
  * Bug Fixes
  - fix: close attestationFile (#3679)
  - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
  * Documentation
  - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
* Fri May 31 2024 opensuse_buildservice@ojkastl.de
- add completion subpackages (bash, fish, zsh)
* Mon Apr 15 2024 meissner@suse.com
- updated to 2.2.4 (jsc#SLE-23879)
  * Bug Fixes
  * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
  - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
  - CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
  * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
  * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
  * Honor creation timestamp for signatures again (#3549)
  * Features
  * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
  * Documentation
  * add oci bundle spec (#3622)
  * Correct help text of triangulate cmd (#3551)
  * Correct help text of verify-attestation policy argument (#3527)
  * feat: add OVHcloud MPR registry tested with cosign (#3639)