Releases: ratify-project/ratify
v1.4.0
✨ New Features
- feat: support certificate revocation checking using Certificate Revocation List (CRL) with cache support during Notary Project signature validation by @junczhu in #1890, #1900, #1941
- feat: improve the Ratify out-of-box experience by incorporating additional Helm chart parameters for configuring the Notary Project trust policy by @shahramk64 in #1982
- feat: support enabled status for kmp keys/certs by @duffney in #1874
- feat: support alibaba cloud rrsa store auth provider by @DahuK in #1909
✨ Other Enhancements
- Report more debug info in external data response by @binbin-li #1697
- Make notation verifier installation optional on ratify installation by @shahramk64 #1719
- Migrate to latest Azure container registry SDK by @shahramk64 #1829
- Refactor Azure authentication support to use azidentity by @shahramk64 #1904
- Sign Ratify release assets by @akashsinghal #1947
- Update Kubernetes support matrix by @shahramk64 #2013
- Additional env vars for ratify container via helm chart by @mannbiher in #1854
- Allow service account annotations by @mannbiher in #1907
- Remove prefix from notation verifiers trustedIdentities by @shahramk64 #2057
🔐 Security
- chore: bump up golang.org/x/crypto pkg to fix vuln by @junczhu in #1981
- fix: fix vuln in /x/net pkg by @junczhu in #1993
- fix: enforce host checking before exchanging a refresh token (#2069) by @binbin-li in #2071
- chore: add more acr endpoints (#2079) by @binbin-li in #2080
- chore: bump ristretto pkg version (#2085) by @akashsinghal in #2087
📄 Documentation
- docs: add config path arg to launch.json, update instructions by @shahramk64 in #1800
- docs: some improvement in release instructions by @junczhu in #1815
- docs: add commits doc to contributing guide by @susanshi in #1844
- docs: design proposal for tag and digest co-existing [ISSUE 1657] by @emalprokt in #1793
- docs: add CRL Design by @junczhu in #1789
- docs: Create proposal for verifying 'last-n' artifacts only. by @asafalgawi in #1797
- docs: nVersionCount support for KMP design doc by @duffney in #1831
- docs: update dev image release guidance by @akashsinghal in #1974
- docs: Fix typos in CONTRIBUTING.md by @cclauss in #2005
🎉 New Contributors
- @emalprokt made their first contribution in #1793
- @asafalgawi made their first contribution in #1797
- @JoupainMD made their first contribution in #1954
- @cclauss made their first contribution in #2005
- @DahuK made their first contribution in #2012
Full Changelog: v1.3.2...v1.4.0
v1.3.2
v1.2.3
v1.4.0-rc.1
✨ New Features
- feat: support enabled status for kmp keys/certs by @duffney in #1874
- feat: support alibaba cloud rrsa store auth provider by @DahuK in #1909
- feat: add support for crl basic functionality with built-in cache by @junczhu in #1890
- feat: implementation of KMP CRL revocation factory with cache by @junczhu in #1900
- feat: enables CRL configuration by @junczhu in #1941
- feat: add more notation trust policy attributes to values.yaml by @shahramk64 in #1982
Other Enhancements
- Report more debug info in external data response by @binbin-li #1697
- Make notation verifier installation optional on ratify installation by @shahramk64 #1719
- Migrate to latest Azure container registry SDK by @shahramk64 #1829
- Refactor Azure authentication support to use azidentity by @shahramk64 #1904
- Sign Ratify release assets by @akashsinghal #1947
- Ratify to support out-of-box experience for typical scenarios by @shahramk64 #1982
- Update Kubernetes support matrix by @shahramk64 #2013
- Additional env vars for ratify container via helm chart by @mannbiher in #1854
- Allow service account annotations by @mannbiher in #1907
🔐 Security
- chore: bump up golang.org/x/crypto pkg to fix vuln by @junczhu in #1981
- fix: fix vuln in /x/net pkg by @junczhu in #1993
📄 Documentation
- docs: add config path arg to launch.json, update instructions by @shahramk64 in #1800
- docs: some improvement in release instructions by @junczhu in #1815
- docs: add commits doc to contributing guide by @susanshi in #1844
- docs: design proposal for tag and digest co-existing [ISSUE 1657] by @emalprokt in #1793
- docs: add CRL Design by @junczhu in #1789
- docs: Create proposal for verifying 'last-n' artifacts only. by @asafalgawi in #1797
- docs: nVersionCount support for KMP design doc by @duffney in #1831
- docs: update dev image release guidance by @akashsinghal in #1974
- docs: Fix typos in CONTRIBUTING.md by @cclauss in #2005
🎉 New Contributors
- @emalprokt made their first contribution in #1793
- @asafalgawi made their first contribution in #1797
- @JoupainMD made their first contribution in #1954
- @cclauss made their first contribution in #2005
- @DahuK made their first contribution in #2012
Changelog
- 0ee96d8 Create ratify-weekly-notes-2023-Jun-2024-Jun.md
- 3bafc56 Merge branch 'dev' into clean-package
- 581be1e Merge branch 'dev' into dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
- 7e387db Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
- bd2f5ca Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
- cca0a13 Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
- 72025fb Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.4
- bb8d7f0 Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.6
- 0447079 Merge branch 'dev' into dependabot/github_actions/anchore/sbom-action-0.17.1
- e353f38 Merge branch 'dev' into dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
- 6ebd6f1 Merge branch 'dev' into dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
- bb8516e Merge branch 'dev' into dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
- 52f92d1 Merge branch 'dev' into dev
- 5b7c4e0 Merge branch 'dev' into error-log-message
- 220dfce Merge branch 'dev' into error-log-message
- 451390b Merge branch 'dev' into error-log-message
- 18f071a Merge branch 'dev' into fix-codecov
- 7e74e12 Merge branch 'dev' into ignore-experimental-test
- 9c534dc Merge branch 'dev' into isolate-metrics
- 4cf6b6c Merge branch 'dev' into isolate-metrics
- ec20d28 Merge branch 'dev' into isolate-metrics
- 50b334d Merge branch 'dev' into isolate-metrics
- 0b58daf Merge branch 'dev' into notes
- 4bbd9f1 Merge branch 'dev' into proposal_errorimprovements
- 8549d91 Merge branch 'dev' into ratify-err-doc
- 060c5a5 Merge branch 'dev' into ratify-err-doc
- 518ad3d Merge branch 'dev' into remove-autorest-adal
- f510dd9 Merge branch 'dev' into remove-autorest-adal
- 6f92077 Merge branch 'dev' into template-result
- e757310 Merge branch 'dev' into verification-response
- 34fbf9f Merge branch 'main' into dev
- 49201e9 Merge branch 'main' into staging
- f201712 Merge branch 'main' into staging
- 8c87951 Merge branch 'staging' into dependabot/github_actions/codecov/codecov-action-4.3.0
- 73ef709 Merge branch 'staging' into multi-tenancy-pr-2
- 6a93bbf Merge pull request #1358 from binbin-li/multi-tenancy-pr-2
- 6daec5d Merge pull request #1376 from deislabs/staging
- 9ac7d5a Merge pull request #1379 from deislabs/dependabot/github_actions/codecov/codecov-action-4.3.0
- 6a5f10c Merge pull request #1388 from deislabs/staging
- 6a26a56 Merge pull request #1424 from deislabs/dev
- 194c2aa Merge pull request #1431 from akashsinghal/akashsinghal/fixCosignConfig
- f0b1e6b Merge pull request #1444 from deislabs/dev
- d78461a Merge pull request #1480 from deislabs/dev
- c92687d Merge pull request #1499 from deislabs/dev
- 61f7c60 Merge pull request #1520 from binbin-li/isolate-metrics
- 340c4db Merge pull request #1521 from susanshi/dev
- 8a6f018 Merge pull request #1532 from binbin-li/clean-package
- b6a5701 Merge pull request #1533 from ratify-project/dev
- 6443a65 Merge pull request #1539 from binbin-li/run-scorecard-on-dev
- d9d46fe Merge pull request #1542 from binbin-li/fix-vulnerability
- 5d4720f Merge pull request #1563 from ratify-project/dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
- 5e81022 Merge pull request #1581 from ratify-project/dev
- 9bf9232 Merge pull request #1585 from ratify-project/dev
- 47b3331 Merge pull request #1589 from ratify-project/dependabot/docker/httpserver/golang-b405b62
- e4c58e2 Merge pull request #1590 from ratify-project/dependabot/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
- db3b86f Merge pull request #1597 from ratify-project/dev
- 7f1ecfb Merge pull request #1608 from susanshi/notes
- 357eb51 Merge pull request #1613 from ZAFT-Armored-Keeper-of-Unity/helmfile-update-1.13.2
- db7e6ee Merge pull request #1614 from ratify-project/dev
- 61e0fed Merge pull request #1621 from ratify-project/dependabot/docker/httpserver/golang-fcae9e0
- e62cd8e Merge pull request #1622 from ratify-project/dependabot/github_actions/actions/upload-artifact-4.3.4
- 9551205 Merge pull request #1624 from binbin-li/ignore-experimental-test
- 03216af Merge pull request #1628 from ratify-project/dependabot/github_actions/actions/setup-go-5.0.2
- 11a683d Merge pull request #1631 from ratify-project/dev
- 643e98a Merge pull request #1632 from ratify-project/dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
- e7aa02a Merge pull request #1634 from ratify-project/dependabot/go_modules/github.com/sigstore/sigstore-1.8.7
- 9549d66 Merge pull request #1635 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.26
- 9c9cb05 Merge pull request #1636 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/credentials-1.17.26
- 1d6e824 Merge pull request #1637 from ratify-project/dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
- 089edf1 Merge pull request #1643 from ratify-project/dev
- dfe9d0a Merge pull request #1647 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.27
- 9db35b0 Merge pull request #1651 from ratify-project/dependabot/github_actions/docker/login-action-3.3.0
- b8f0e29 Merge pull request #1656 from binbin-li/template-result
- 99d5629 Merge pull request #1661 from ratify-project/dev
- 1ecd579 Merge pull request #1662 from yizha1/proposal_errorimprovements
- 3c28fd4 Merge pull request #1665 from ratify-project/dependabot/github_actions/github/codeql-action-3.25.15
- d442fad Merge pull request #1666 from ratify-project/dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
- 90367de Merge pull request #1668 from binbin-li/ratify-err-doc
- 294a715 Merge pull request #1671 from binbin-li/verification-response
- b0d8a2d Merge pull request #1672 from ratify-project/dependabot/github_actions/golangci/golangci-lint-action-6.1.0
- bd87979 Merge pull request #1674 from ratify-project/dependabot/go_modules/github.com/docker/docker-26.1.4incompatible
- e8f8000 Merge pull request #1675 from binbin-li/error-log-message
- ba5638e Merg...
v1.3.1
Bug Fixes
- CVE-2024-8260
- 82893a5 ci: fix tagging in publish-ghcr workflow (#1884)
Changelog
- b274230 Merge pull request #1886 from binbin-li/release-1.3
- 287ba3e chore: Bump github.com/open-policy-agent/opa from 0.63.0 to 0.68.0 including fix CVE-2024-8260(#1819)
- e57c9a9 chore: release-1.3.1 charts (#1891)
- 82893a5 ci: fix tagging in publish-ghcr workflow (#1884)
- 7700de4 feat: additional env vars for ratify container via helm chart (#1854)
🎉 New Contributors
- @mannbiher made their first contribution in #1854
Full Changelog: v1.3.0...v1.3.1
v1.3.0
✨ New Features
- Support keyless verification in trust policy of Cosign verifier in #1503
- Support verifying Notary Project timestamped signature in #1538 and #1758
- Support periodic retrieval of key and certificate from Key Management Providers based on the proposal in #1727 and #1773
✨ Other Enhancements
- Improve error messages of artifact validation
- Add more fields to verification response in #1671
- refactor error message format in #1675
- fill ErrorReason and Remediation during verifierReport generation in #1682
- add timestamp and traceId to verification response in #1697
- enhance CR status with clearer brief error message in #1734
- refactor cosign verification error messages in #1750
- Add namespace label to metrics to enhance observability in #1520
- Ability to save errors happened during KMP/CertStore reconciliation which could be checked by verifiers during artifact validation in #1710
🔐 Security
- Generate supply chain metadata for dev assets by adding SBOM & provenance Docker build attestations in #1596
- Add image signing for dev images and add release sbom in #1629
- Add openssf best practices badge by @susanshi in #1696
- Setup scanners for Ratify releases by @susanshi in #1521
📄 Documentation
- chore: refresh roadmap after v1.2.0 release by @yizha1 in #1541
- doc: update README code of conduct by @susanshi in #1553
- doc: Update SECURITY.md by @susanshi in #1555
- doc: add a proposal for periodic retrieval by @yizha1 in #1510
- doc: update minor release branching strategy by @susanshi in #1456
- doc: meeting notes ratify-weekly-notes-2023-Jun-2024-Jun.md by @susanshi in #1608
- doc: remove CLA section from CONTRIBUTING by @akashsinghal in #1626
- doc: design doc for KMP periodic retrieval by @duffney in #1583
- doc: add proposal for producing supply chain metadata for all ratify assets by @akashsinghal in #1641
- doc: Archive ratify error handling scenario doc by @binbin-li in #1668
- doc: proposal for error message improvements by @yizha1 in #1662
- doc: update the contributing guide for a successful cli debugging by @shahramk64 in #1718
- doc: update contributing guide for enhancement by @susanshi in #1715
🐛 🩹 Bug Fixes
- fix: remove Update az cli step in aks test by @binbin-li in #1502
- fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version by @akashsinghal in #1505
- fix: run full validation for release branch by @susanshi in #1512
- fix: fix vulnerabilities by @binbin-li in #1542
- fix: enable automated pr to main by @susanshi in #1582
- fix: validate plugin version for ratify cli by @susanshi in #1604
- fix: warning message is printed to stdout by CLI by @susanshi in #1650
- fix: pass CODECOV_TOKEN to reusable workflow by @binbin-li in #1676
- fix: remove duplicate $ by @binbin-li in #1677
- fix: fix typo in notation verifier by @junczhu in #1678
- fix: bump-up docker dependency by @junczhu in #1679
- fix: Enforce validation on notation signature blob number by @binbin-li in #1726
- fix: remove nonexistent KMP from verifier sample by @binbin-li in #1753
- fix: remove critical cache failure in oras GetBlobContent by @binbin-li in #1740
- fix: make notation verifier installation optional on ratify installation by @shahramk64 in #1719
- fix: remove unused trust store from sample verifier config by @binbin-li in #1790
- fix: showing verifier config parse detail in err log by @junczhu in #1791
- fix: missing status update in KMP controller by @duffney in #1761
🎉 New Contributors
- @shahramk64 made their first contribution in #1718
Changes since v1.2.2
- 0ee96d8 Create ratify-weekly-notes-2023-Jun-2024-Jun.md
- 3bafc56 Merge branch 'dev' into clean-package
- 581be1e Merge branch 'dev' into dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
- 7e387db Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
- bd2f5ca Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
- cca0a13 Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
- 72025fb Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.4
- bb8d7f0 Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.6
- 0447079 Merge branch 'dev' into dependabot/github_actions/anchore/sbom-action-0.17.1
- e353f38 Merge branch 'dev' into dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
- 6ebd6f1 Merge branch 'dev' into dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
- bb8516e Merge branch 'dev' into dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
- 52f92d1 Merge branch 'dev' into dev
- 451390b Merge branch 'dev' into error-log-message
- 220dfce Merge branch 'dev' into error-log-message
- 5b7c4e0 Merge branch 'dev' into error-log-message
- 18f071a Merge branch 'dev' into fix-codecov
- 7e74e12 Merge branch 'dev' into ignore-experimental-test
- 4cf6b6c Merge branch 'dev' into isolate-metrics
- ec20d28 Merge branch 'dev' into isolate-metrics
- 9c534dc Merge branch 'dev' into isolate-metrics
- 50b334d Merge branch 'dev' into isolate-metrics
- 0b58daf Merge branch 'dev' into notes
- 4bbd9f1 Merge branch 'dev' into proposal_errorimprovements
- 8549d91 Merge branch 'dev' into ratify-err-doc
- 060c5a5 Merge branch 'dev' into ratify-err-doc
- f510dd9 Merge branch 'dev' into remove-autorest-adal
- 518ad3d Merge branch 'dev' into remove-autorest-adal
- 6f92077 Merge branch 'dev' into template-result
- e757310 Merge branch 'dev' into verification-response
- 34fbf9f Merge branch 'main' into dev
- 49201e9 Merge branch 'main' into staging
- f201712 Merge branch 'main' into staging
- 8c87951 Merge branch 'staging' into dependabot/github_actions/codecov/codecov-action-4.3.0
- 73ef709 Merge branch 'staging' into multi-tenancy-pr-2
- 6a93bbf Merge pull request #1358 from binbin-li/multi-tenancy-pr-2
- 6daec5d Merge pull request #1376 from deislabs/staging
- 9ac7d5a Merge pull request #1379 from deislabs/dependabot/github_actions/codecov/codecov-action-4.3.0
- 6a5f10c Merge pull request #1388 from deislabs/staging
- 6a26a56 Merge pull request #1424 from deislabs/dev
- 194c2aa Merge pull request #1431 from akashsinghal/akashsinghal/fixCosignConfig
- f0b1e6b Merge pull request #1444 from deislabs/dev
- d78461a Merge pull request #1480 from deislabs/dev
- c92687d Merge pull request #1499 from deislabs/dev
- 61f7c60 Merge pull request #1520 from binbin-li/isolate-metrics
- 340c4db Merge pull request #1521 from susanshi/dev
- 8a6f018 Merge pull request #1532 from binbin-li/clean-package
- b6a5701 Merge pull request #1533 from ratify-project/dev
- 6443a65 Merge pull request #1539 from binbin-li/run-scorecard-on-dev
- d9d46fe Merge pull request #1542 from binbin-li/fix-vulnerability
- 5d4720f Merge pull request #1563 from ratify-project/dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
- 5e81022 Merge pull request #1581 from ratify-project/dev
- 9bf9232 Merge pull request #1585 from ratify-project/dev
- 47b3331 Merge pull request #1589 from ratify-project/dependabot/docker/httpserver/golang-b405b62
- e4c58e2 Merge pull request #1590 from ratify-project/dependabot/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
- db3b86f Merge pull request #1597 from ratify-project/dev
- 7f1ecfb Merge pull request #1608 from susanshi/notes
- 357eb51 Merge pull request #1613 from ZAFT-Armored-Keeper-of-Unity/helmfile-update-1.13.2
- db7e6ee Merge p...
v1.2.2
v1.2.1
Bug Fixes
Changelog
- ca750c7 Merge pull request #1609 from ZAFT-Armored-Keeper-of-Unity/release-1.2.1
- ac7c142 Merge pull request #1611 from ZAFT-Armored-Keeper-of-Unity/ratify-1.13.2
- ca7c358 chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
- 2dfab79 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.18 (#1557)
- 1472bfa chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.18 to 1.27.21 (#1586)
- 1f59f71 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.21 to 1.27.23 (#1602)
- e21a23c chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.21 to 1.17.22 (#1594)
- c28d56b chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.22 to 1.17.23 (#1600)
- a9b89b5 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.3 to 1.28.5 (#1558)
- bac0633 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.5 to 1.28.6 (#1587)
- 9ec06c4 chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 CVE GO-2024-2947 (#1595)
- 2b19603 chore: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#1577)
- 1afc81e chore: Bump k8s.io/client-go from 0.28.10 to 0.28.11 (#1573)
- ca3f41b chore: cherry pick vuln scanner to release 1.2 (#1564)
- ceffa17 chore: prepare release 1.2.1 charts update 2
- 8e173a4 chore: prepare release 1.2.1 charts update 3
- 975ac96 chore: update deislabs.github.io to ratify-project.github.io (#1566)
- bf8e96d chore: update helm charts
- bf227cf chore:add no-lint config
- 78c3fbc ci: switch region from eastus to westus2 (#1591)
- 19f55c4 fix go.mod
v1.2.0
🚨 Deprecations
- CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following guide here. Support will be removed in Ratify v2.0.0
- Certain helm values have been deprecated in favor of new ones. (Note: deprecated values will continue to be supported)
  - .Values.notationCert is deprecated. Use .Values.notationCerts[*] to provide a list of certificates to configure with notation verifier
  - .Values.akvCertConfig.* section has been deprecated. Use the equivalent .Values.azurekeyvault.* section for configuring keys + certificates from Azure Key Vault
✨ New Features
- Cosign Verifier enhancements:
  - feat: move cosign to be a built in verifier by @akashsinghal in #1343
  - feat: add key support to key management provider including akv integration by @akashsinghal in #1333
  - feat: add cosign trust policies by @akashsinghal in #1381
- Kubernetes multi-tenancy support:
  - feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
  - feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
  - feat: add cache isolation by @binbin-li in #1213
  - feat: add Verifiers, policyManager, ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358, #1359, #1380, #1382
- CRD improvements:
  - feat: add version to CRD spec by @susanshi in #1215
  - feat: validate plugin name on CR create by @susanshi in #1265
  - feat: add key management provider resource by @akashsinghal in #1293
  - feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422
📄 Documentation
- docs: add roadmap by @yizha1 in #1344
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- docs: Update log format in doc by @junczhu in #1240
- docs: update COC and add adopters.md by @FeynmanZhou in #1360
- fix: updated community meeting time to UTC by @susanshi in #1364
- build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
- docs: cosign upgrade design document by @akashsinghal in #1246
- docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399
🎉 New Contributors
- @duffney made their first contribution in #1254
- @mannbiher made their first contribution in #1418
🐛 🩹 Bug Fixes
- fix: surface plugin error in exec.go by @susanshi in #1228
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
- fix: add missing CRD conversion methods by @binbin-li in #1289
- fix: fix unit tests that fail in local environment by @binbin-li in #1292
- fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
- fix: update azure tenantId casing by @akashsinghal in #1385
- fix: rename staging to dev branch by @susanshi in #1401
- fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
- fix: add top-level read permission by @binbin-li in #1419
- fix: add akv keys check on cosign-verifier by @binbin-li in #1427
- fix: handle empty trust policies by @akashsinghal in #1431
- fix: fix missing separator in helm template by @binbin-li in #1463
- fix: check label value on pull_request_target by @binbin-li in #1471
- fix: DecodeCertificates cert length check by @susanshi in #1470
- fix: update cosign chart and remove extra logs by @akashsinghal in #1475
Changes since v1.2.0-rc.1
- 63c7bb2 Merge pull request #1519 from deislabs/cherry-pick-for-1.2.0
- 35aad7f chore: ignore CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 (#1498)
- dbc2d74 chore: ignore CVE-2023-42366 (#1494)
- da2cdca chore: prepare for release 1.2 (#1524)
- 7e00bb2 ci: switch azure ci test to use rbac for key vault access (#1523)
- 1e79038 fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version (#1505)
- c6f9483 fix: full validation should run on release branch (#1511)
- 510dd58 go mod tidy
v1.2.0-rc.1
🚨 Deprecations
- CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following guide here. Support will be removed in Ratify v2.0.0
✨ New Features
- Cosign Verifier enhancements:
  - feat: move cosign to be a built in verifier by @akashsinghal in #1343
  - feat: add key support to key management provider by @akashsinghal in #1333
  - feat: add cosign trust policies by @akashsinghal in #1381
- Kubernetes multi-tenancy support:
  - feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
  - feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
  - feat: add cache isolation by @binbin-li in #1213
  - feat: add Verifiers, policyManager, ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358, #1359, #1380, #1382
- CRD improvements:
  - feat: add version to CRD spec by @susanshi in #1215
  - feat: validate plugin name on CR create by @susanshi in #1265
  - feat: add key management provider resource by @akashsinghal in #1293
  - feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422
📄 Documentation
- docs: add roadmap by @yizha1 in #1344
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- docs: Update log format in doc by @junczhu in #1240
- docs: update COC and add adopters.md by @FeynmanZhou in #1360
- fix: updated community meeting time to UTC by @susanshi in #1364
- build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
- docs: cosign upgrade design document by @akashsinghal in #1246
- docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399
🎉 New Contributors
- @duffney made their first contribution in #1254
- @mannbiher made their first contribution in #1418
🐛 🩹 Bug Fixes
- fix: surface plugin error in exec.go by @susanshi in #1228
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
- fix: add missing CRD conversion methods by @binbin-li in #1289
- fix: fix unit tests that fail in local environment by @binbin-li in #1292
- fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
- fix: update azure tenantId casing by @akashsinghal in #1385
- fix: rename staging to dev branch by @susanshi in #1401
- fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
- fix: add top-level read permission by @binbin-li in #1419
- fix: add akv keys check on cosign-verifier by @binbin-li in #1427
- fix: handle empty trust policies by @akashsinghal in #1431
- fix: fix missing separator in helm template by @binbin-li in #1463
- fix: check label value on pull_request_target by @binbin-li in #1471
- fix: DecodeCertificates cert length check by @susanshi in #1470
- fix: update cosign chart and remove extra logs by @akashsinghal in #1475
What's Changed
- fix: bump dev helmfile ratify chart versions by @akashsinghal in #1216
- feat: add namespace to external data request key by @binbin-li in #1201
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.9 to 1.16.12 by @dependabot in #1224
- chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.9.1 by @dependabot in #1225
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.25.11 to 1.25.12 by @dependabot in #1226
- build: bump up upload-artifact action to v4.0.0 by @binbin-li in #1227
- chore: Bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #1229
- feat: add version to CRD spec by @susanshi in #1215
- fix: surface plugin error in exec.go by @susanshi in #1228
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.12 to 1.16.13 by @dependabot in #1235
- chore: Bump k8s.io/client-go from 0.28.4 to 0.28.5 by @dependabot in #1232
- chore: Bump apache/skywalking-eyes from ee81ff786927ea6ffa48b1e29c48e5289f4753aa to ed436a5593c63a25f394ea29da61b0ac3731a9fe by @dependabot in #1231
- feat: add cache isolation by @binbin-li in #1213
- chore: update codecov config by @junczhu in #1237
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- fix: differentiate aks logs from e2e log by @susanshi in #1243
- ci: add cache cleanup post merge by @akashsinghal in #1242
- docs: Update log format in doc by @junczhu in #1240
- ci: switch to fail-fast from continue-on-error by @binbin-li in #1245
- ci: add dev helm chart publishing workflow by @akashsinghal in #1209
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- feat: improve plugin config dependency by @junczhu in #1223
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.13 to 1.16.14 by @dependabot in #1250
- chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.0 to 1.2.1 by @dependabot in #1252
- chore: Bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 by @dependabot in #1253
- chore: Bump azure/login from 1.5.1 to 1.6.0 by @dependabot in #1255
- chore: rename func for readability by @junczhu in #1257
- chore: Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #1261
- chore: Bump azure/login from 1.6.0 to 1.6.1 by @dependabot in #1266
- chore: Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #1270
- chore: Bump k8s.io/client-go from 0.28.5 to 0.28.6 by @dependabot in #1273
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.14 to 1.16.16 by @dependabot in #1275
- chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1.0-rc6 by @dependabot in #1271
- chore: Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #1279
- chore: Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #1281
- chore: Bump github.com/docker/cli from 24.0.7+incompatible to 24.0.8+inco...