commit cosign for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cosign for openSUSE:Factory checked in at 2023-09-02 22:07:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cosign (Old) and /work/SRC/openSUSE:Factory/.cosign.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cosign" Sat Sep 2 22:07:21 2023 rev:16 rq:1108432 version:2.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2023-04-17 17:41:33.574312809 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.1766/cosign.changes 2023-09-02 22:07:49.727640484 +0200 
@@ -1,0 +2,87 @@ +Fri Sep 1 08:45:59 UTC 2023 - Marcus Meissner <meissner@suse.com> + +- updated to 2.2.0 (jsc#SLE-23879) + - Enhancements + * switch to uploading DSSE types to rekor instead of intoto (#3113) + * add 'cosign sign' command-line parameters for mTLS (#3052) + * improve error messages around bundle != payload hash (#3146) + * make VerifyImageAttestation function public (#3156) + * Switch to cryptoutils function for SANS (#3185) + * Handle HTTP_1_1_REQUIRED errors in github provider (#3172) + - Bug Fixes + * Fix nondeterminsitic timestamps (#3121) + - Documentation + * doc: Add example of sign-blob with key in env var (#3152) + * add deprecation notice for cosign-releases GCS bucket (#3148) + * update doc links (#3186) + +------------------------------------------------------------------- +Tue Jun 27 09:33:07 UTC 2023 - Marcus Meissner <meissner@suse.com> + +- updated to 2.1.1 (jsc#SLE-23879) + + - Bug Fixes + + - wait for the workers become available again to continue the execution (#3084) + - fix help text when in a container (#3082) + + +- updated to 2.1.0 (jsc#SLE-23879) + + - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag. + + - Enhancements + + - Verify sigs and attestations in parallel (#3066) + - Deep inspect attestations when filtering download (#3031) + - refactor bundle validation code, add support for DSSE rekor type (#3016) + - Allow overriding remote options (#3049) + - feat: adds no cert found on sig exit code (#3038) + - Make predicate a required flag in attest commands (#3033) + - Added support for attaching Time stamp authority Response in attach command (#3001) + - Add sign --sign-container-identity CLI (#2984) + - Feature: Allow cosign to sign digests before they are uploaded. 
(#2959) + - accepts attachment-tag-prefix for cosign copy (#3014) + - Feature: adds '--allow-insecure-registry' for cosign load (#3000) + - download attestation: support --platform flag (#2980) + - Cleanup: Add Digest to the SignedEntity interface. (#2960) + - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845) + - verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069) + + - Bug Fixes + + - Fix pkg/cosign/errors (#3050) + - Fix: update doc to refer to github-actions oidc provider (#3040) + - Fix: prefer GitHub OIDC provider if enabled (#3044) + - Fix --sig-only in cosign copy (#3074) + + - Documentation + + - Fix links to sigstore/docs in markdown files (#3064) + +------------------------------------------------------------------- +Sun May 7 11:58:02 UTC 2023 - Marcus Meissner <meissner@suse.com> + +- update to 2.0.2 (jsc#SLE-23879) + Enhancements + + - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891) + - feat: Make cosign copy faster (#2901) + - remove sget (#2885) + - Require a payload to be provided with a signature (#2785) + + Bug Fixes + + - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. 
(#2876) + - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878) + + Documentation + + - Remove experimental warning from Fulcio flags (#2923) + - add missing oidc provider (#2922) + - Add zot as a supported registry (#2920) + - deprecates kms_support docs (#2900) + - chore(docs) deprecate note for usage docs (#2906) + - adds note of deprecation for examples.md docs (#2899) + +------------------------------------------------------------------- Old: ---- cosign-2.0.1.tar.gz New: ---- cosign-2.2.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.gQjPDI/_old 2023-09-02 22:07:52.343733964 +0200 +++ /var/tmp/diff_new_pack.gQjPDI/_new 2023-09-02 22:07:52.391735680 +0200 @@ -16,9 +16,9 @@ # -%define revision 8faaee4d2b5f65678eb0831a8a3d5990a0271d3a +%define revision 546f1c5b91ef58d6b034a402d0211d980184a0e5 Name: cosign -Version: 2.0.1 +Version: 2.2.0 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 @@ -27,7 +27,7 @@ Source1: vendor.tar.zst BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) = 1.20 +BuildRequires: golang(API) = 1.21 %description Cosign aims to make signatures invisible infrastructure. 
@@ -50,21 +50,16 @@ CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=%{revision} -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}" CGO_ENABLED=0 go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o cosign ./cmd/cosign -go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o sget ./cmd/sget %check ./cosign version -./cosign version | grep -q unknown && exit 1 -./sget version %install install -D -m 0755 cosign %{buildroot}%{_bindir}/cosign -install -D -m 0755 sget %{buildroot}%{_bindir}/sget %files %license LICENSE %doc *.md %{_bindir}/cosign -%{_bindir}/sget %changelog ++++++ cosign-2.0.1.tar.gz -> cosign-2.2.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/cosign/cosign-2.0.1.tar.gz /work/SRC/openSUSE:Factory/.cosign.new.1766/cosign-2.2.0.tar.gz differ: char 13, line 1 ++++++ vendor.tar.zst ++++++ Binary files /var/tmp/diff_new_pack.gQjPDI/_old and /var/tmp/diff_new_pack.gQjPDI/_new differ
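Review bot: In the cosign.spec hunk at @@ -50,21 +50,16 @@, the %check section loses its only assertion: `./cosign version | grep -q unknown && exit 1` is removed along with the sget lines, so %check now only confirms that the binary starts. Nothing fails the build any more if the `-X ${CLI_PKG}.gitVersion=%{version}` and `gitCommit=%{revision}` ldflags stop taking effect, for example after an upstream package path change. If the old grep was dropped because the 2.2.0 output legitimately contains "unknown", replace it with a positive check such as `./cosign version | grep -q %{version}` rather than removing it, and say why in cosign.changes.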
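Review bot: In the cosign.spec hunk at @@ -27,7 +27,7 @@, `BuildRequires: golang(API) = 1.20` becomes `= 1.21`, but none of the new cosign.changes entries records the toolchain bump. Add a line to the 2.2.0 entry stating that the package now builds with Go 1.21, so the change of compiler for a signing tool is visible in the package history and not only in the spec diff.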
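Review bot: In the cosign.changes hunk at @@ -1,0 +2,87 @@, the 2.0.2 entry files "remove sget (#2885)" under Enhancements, while the spec diff drops `%{_bindir}/sget` from %files, so users upgrading from 2.0.1 lose a binary without a packaging-level note. State this explicitly in the changes, next to the existing "Breaking Change" line about the required --type flag in the attest commands, so both user-visible breaks are easy to find. As a style point, the 2.0.2 entry writes its section headings ("Enhancements", "Bug Fixes", "Documentation") without the leading "-" used in the 2.1.x and 2.2.0 entries, and the upstream typos "nondeterminsitic" and "paralellism" could be corrected while touching the file.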
participants (1)
-
Source-Sync