Gitsign Versions

Keyless Git signing using Sigstore

v0.4.0

1 year ago

Overview

  • Added new sub-commands:
    • gitsign show - Prints out in-toto Statement for the specified commit.
    • gitsign attest - Stores attestations for a commit / tree in the repository.
  • Fixed timestamp authority verification.
  • Rekor Log entry now displayed on successful sign.
  • Added fulcioRoot option for configuring private Sigstore instances.

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/gitsign/compare/v0.3.2...v0.4.0

v0.3.2

1 year ago

What's Changed

Full Changelog: https://github.com/sigstore/gitsign/compare/v0.3.1...v0.3.2

v0.3.1

1 year ago

What's new

  • Fixes issue with out-of-band OAuth for non-browser sessions.
  • Fixes issue with gitsign-attest where git objects became corrupted due to unsorted trees.
  • Fixes issue with gitsign-attest where attestation history was not preserved.

Changelog

  • 4902248 update sigstore dependencies (#144)
  • 1d87be8 upgrade go to 1.19 (#145)
  • a7cf346 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#146)
  • 30381ea Bump s/s to latest (#141)
  • 4359c71 Bump cosign to 1.12. (#140)
  • c06f6fd Bump github.com/sigstore/sigstore from 1.4.0 to 1.4.1 (#139)
  • a038546 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#133)
  • 98498a6 Bump github.com/coreos/go-oidc/v3 from 3.3.0 to 3.4.0 (#135)
  • 2153fb9 attest: Make sure trees are sorted. (#132)
  • 06bc251 attest: preserve refs/attestations parent. (#129)
  • 4ee1d4c Bump github.com/coreos/go-oidc/v3 from 3.2.0 to 3.3.0 (#130)
  • bc1202a Bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 (#124)
  • f460b77 Bump actions/setup-go from 3.2.1 to 3.3.0 (#126)
  • 9d55249 Bump actions/cache from 3.0.7 to 3.0.8 (#125)

Thanks to all contributors!

v0.3.0

1 year ago

What's new

  • .gitconfig support - You can now configure Gitsign with your ~/.gitconfig and/or .git/config files! See File Config for more details.

    $ git config gitsign.fulcio https://fulcio.example.com
    $ cat ~/.gitconfig
    [gitsign]
          fulcio = https://fulcio.example.com
    
  • Dex connector configuration - You can now configure the Dex connector ID to use when authenticating. This can help speed up workflows by pre-selecting the identity provider to use when signing in. For example, to always sign in with GitHub:

    $ git config gitsign.connectorID https://github.com/login/oauth
    

    Supported values depend on the OIDC issuer you are using. For the public Sigstore instance (oauth2.sigstore.dev):

    Provider    Connector ID
    GitHub      https://github.com/login/oauth
    Google      https://accounts.google.com
    Microsoft   https://login.microsoftonline.com

  • Experimental support for Git-based attestations - store attestations about your code directly in your repository! (Note: this is not yet included in the main gitsign binary and is not available as a downloadable release artifact; please install from source.)

Changelog

  • 707a2cb Recognize SIGSTORE_ prefixed environment variables. (#123)
  • cff750b Add connectorID option (#122)
  • 7fcbc7b Add gitsign-attest (#113)
  • f215bd8 Add file based configuration. (#121)
  • 7916a8b Update go modules to go1.18 (#120)
  • 1eaab67 Bump anchore/sbom-action from 0.11.0 to 0.12.0 (#116)
  • a22383d Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 (#117)
  • a748c05 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#115)
  • 0561fe8 Bump github.com/go-openapi/swag from 0.22.0 to 0.22.3 (#118)
  • ec2da04 Bump github.com/sigstore/cosign from 1.10.1 to 1.11.0 (#119)
  • 1d4fc64 Gitignore and verify consume (#109)
  • bd39f7c Bump actions/cache from 3.0.6 to 3.0.7 (#112)
  • 355fea8 Bump cosign version to 0.10.1 (#111)
  • 084c46f Bump actions/cache from 3.0.5 to 3.0.6 (#106)
  • f0cac92 Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (#107)
  • d9a9aba Add note to credential cache docs about cache directory selection. (#102)
  • edb89df Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#100)
  • da368d7 Bump github.com/sigstore/rekor from 0.9.1 to 0.10.0 (#101)
  • 57bdce0 Bump actions/setup-go from 3.2.0 to 3.2.1 (#95)
  • be797c9 Bump actions/cache from 3.0.4 to 3.0.5 (#96)
  • bf41df3 Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (#97)
  • 31ae988 Bump github.com/sigstore/rekor from 0.9.0 to 0.9.1 (#93)
  • 3a86508 --version: Print out relevant env variables. (#92)

Thanks to all contributors!

v0.2.0

1 year ago

Highlights

  • Adds gitsign-credential-cache: an optional socket-based credential cache binary for reusing keys across multiple signing requests without needing to re-authenticate (e.g. rebases).
  • Adds out-of-band interactive flows to support SSH and other sessions where a web browser is not directly available.
  • Signing errors will now be output to the user TTY directly if available.
  • Fixed Rekor Git SHA generation for tags.

Breaking changes

  • Fixed Rekor Git SHA generation for tags. Because this fixes how the tag SHA was meant to be calculated, it breaks the Rekor entry lookup for older versions that use the incorrect behavior. Those tags will be considered unverified unless they are re-signed by a newer version of gitsign:

    $ git tag -f -s <tag name> <tag name>

Changelog

  • 4bc492c Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (#90)
  • 319e053 Bump github.com/sigstore/rekor from 0.8.2 to 0.9.0 (#91)
  • ca0cb8d Calculate correct SHA for signed Tags. (#89)
  • 7fb3656 Use TTY output for errors. (#87)
  • 97abf6c Bump github.com/sigstore/rekor from 0.8.1 to 0.8.2 (#85)
  • c52c82e Implement out of band OAuth. (#80)
  • 4fccc27 add gitsign-credential-cache to the build/release jobs (#84)
  • 0fb71e6 Implement Credential Caching (#75)
  • 6663b1b Typo fix (#82)
  • 7bbe200 Document signing tags (#83)
  • 111ffa4 Bump github.com/sigstore/rekor from 0.8.0 to 0.8.1 (#81)
  • 79844de Fix casing in README (#77)
  • 3c72400 Use pkg/fulcioroots from sigstore/sigstore (#67)

Thanks to all contributors!

v0.1.1

1 year ago

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/gitsign/compare/v0.1.0...v0.1.1

Thanks to all contributors!

v0.1.0

1 year ago

⚠️ Note: Due to a bug, gitsign >= v0.1 is now required to work with the public sigstore instance starting 2022/06/01. See https://github.com/sigstore/gitsign/issues/49 for more details.

Changelog

  • 2d9cff2 Fix gitsign for public Sigstore changes. (#50)
  • 61a4195 e2e: Verify commit with command that will return non-zero. (#51)
  • fe9a344 Bump actions/setup-go from 3.1.0 to 3.2.0 (#48)
  • 5cce35c Add privacy section to README. (#47)
  • 05dd77d Verify: check if summary is nil before accessing cert. (#43)
  • 01b9cc3 Unexport NewRekorClient which is only used in its own package (#45)
  • 9861d9d Ensure GITSIGN_REKOR_URL is respected. (#44)
  • 3911553 Added environment variable for OIDC Redirect URL (#39)
  • ab580ed Bump goreleaser/goreleaser-action from 2.9.1 to 3 (#42)
  • 6e70287 all: remove dependency on deprecated github.com/pkg/errors (#41)
  • 7cd8fa3 Resize GitHub unverified image, add link to smime verification. (#38)
  • 20e9e75 Fix GitHub verified limitation typos (#35)
  • 72b4a2d Add GitHub verified badge explaination to limitations. (#34)
  • 71a1010 Fix readme file to allow copy/pasting CLI configuration (#33)
  • dff662e Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#32)
  • cc20420 Some updates on CI, add new jobs and dependabot config (#29)
  • 1d333a3 update goreleaser config to explicity some configurations (#28)
  • 7058874 add initial makefile
  • 107ac24 Drop go version to 1.17. (#23)
  • 4d501b6 Add GITSIGN_LOG environment variable for debug log path.
  • 3a5916b Update error temp log base directory to use os.Tempdir.
  • b9d0176 README: s/cosign/sigstore

Thanks to all contributors!

v0.0.2-alpha

1 year ago

Another pre-release to test out the release pipeline

What's Changed

Full Changelog: https://github.com/sigstore/gitsign/compare/v0.0.1-alpha...v0.0.2-alpha

v0.0.1-alpha

1 year ago

Pre-release of gitsign to test out release automation

What's Changed

Full Changelog: https://github.com/sigstore/gitsign/compare/v0.0.0-test...v0.0.1-alpha

v0.0.0-test

1 year ago

This is a test. Please ignore.