
v5.24.0

@mtrmac mtrmac released this 23 Jan 19:39

Now supports both creating and verifying sigstore signatures that use
Fulcio and Rekor.
A new API for signing images during copy.
docker-archive: sources can now read non-seekable streams.
Improved error messages for registry errors.
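
The summary above covers both sides of sigstore support: creating signatures (signature/sigstore.NewSigner, signature/sigstore.GenerateKeyPair, copy.Options.Signers) and verifying them under a sigstoreSigned policy requirement (NewPRSigstoreSigned). The Go program below is an added example, not code from containers/image: using only the standard library, it re-implements the key-based checks a verifier has to make on a sigstore attachment, namely the ECDSA signature over the payload, critical.type, the binding to the manifest digest, and the signed identity. The payload layout is the cosign simple-signing JSON that c/image stores as the signature layer; the image reference, the two digests and the `added-example` creator string are constructed, the identity comparison is a plain string match rather than the policy's signedIdentity rules, and the Fulcio certificate and Rekor SET checks added in this release are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// cosignPayloadType is the critical.type of a cosign/sigstore simple-signing payload.
const cosignPayloadType = "cosign container image signature"

// simpleSigningPayload is the JSON stored as the signature layer of a sigstore attachment.
type simpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional,omitempty"`
}

// newPayload binds an image identity to a manifest digest; optional.creator is informational only.
func newPayload(ref, manifestDigest string) ([]byte, error) {
	var p simpleSigningPayload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = cosignPayloadType
	p.Optional = map[string]interface{}{"creator": "added-example"} // constructed value
	return json.Marshal(p)
}

// signPayload: ECDSA P-256 over SHA-256(payload), DER-encoded and base64'd, the form cosign keeps in its signature annotation.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifySigstoreSignature performs the key-based checks of a sigstoreSigned requirement:
// cryptographic validity, payload type, digest binding and identity (exact match here, a simplification).
func verifySigstoreSignature(pub *ecdsa.PublicKey, payload []byte, sigB64, wantDigest, wantRef string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decoding signature: %w", err)
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify with the trusted key")
	}
	// Parse only after the signature checks out: until then the bytes are untrusted input.
	var p simpleSigningPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("parsing payload: %w", err)
	}
	if p.Critical.Type != cosignPayloadType {
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != wantDigest {
		return fmt.Errorf("signature covers %s, manifest is %s", p.Critical.Image.DockerManifestDigest, wantDigest)
	}
	if p.Critical.Identity.DockerReference != wantRef {
		return fmt.Errorf("signed identity %q does not match %q", p.Critical.Identity.DockerReference, wantRef)
	}
	return nil
}

// demo signs a constructed payload, checks that it verifies, and checks that replaying it against another digest fails.
func demo() (accepted, replayRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	const ref = "registry.example.com/team/app:1.0" // constructed sample; both digests below are constructed too
	const digest = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
	const otherDigest = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
	payload, err := newPayload(ref, digest)
	if err != nil {
		return
	}
	sig, err := signPayload(priv, payload)
	if err != nil {
		return
	}
	accepted = verifySigstoreSignature(&priv.PublicKey, payload, sig, digest, ref) == nil
	replayRejected = verifySigstoreSignature(&priv.PublicKey, payload, sig, otherDigest, ref) != nil
	return
}
```

The replay case is the one that matters in practice: a signature that is valid for one image must not be accepted for another image pushed under the same name, so the verifier compares the payload's docker-manifest-digest against the digest of the manifest it actually fetched, never against the tag it asked for. Signature validity is checked before the JSON is parsed so that no decision, including error reporting, is driven by unauthenticated content.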

  • Introduce oci/{archive,layout}.ImageNotFoundError
  • Don't use any default path fallbacks if the user specified a path
  • Introduce signature/sigstore.NewSigner
  • Introduce signature/simplesigning.NewSigner
  • Add pkg/cli/sigstore
  • Add functional-option NewPRSigstoreSigned
  • Add signature/sigstore.GenerateKeyPair
  • Avoid confusion about 404 on lookaside
  • Heuristically warn about lookaside servers serving HTML
  • Add a limit for the total number of signatures in lookaside
  • Update the public.ecr.aws error with current data
  • Add a test for isManifestUnknownError
  • Consolidate handleErrorResponse calls to registryHTTPResponseToError
  • Discard any but the first element of errcode.Errors
  • Add more detailed error tests
  • Make invalid HTTP bodies unwrappable as unexpectedHTTPResponseError
  • Use registryHTTPResponseToError on /tags/list failure
  • Simplify error messages using the default error text
  • Use registryHttpResponseToError in many more places
  • set directory transport destination as thread-safe
  • Recognize invalid error responses of registry.redhat.io
  • Make the pseudo-config used in sigstore attachments a bit more valid
  • Convert TestSignatureStorageBaseURL to table-based
  • Don't call net/url.URL.Parse when we mean net/url.Parse
  • Rename all "url" variables to something else
  • Fix documentation comment of the stubs package
  • Simplify ociReference.getManifestDescriptor
  • Simplify ociReference.getManifestDescriptor a bit
  • Fix typos
  • Remove unnecessary conversions
  • Actually test the caller-requested function
  • Remove ineffective assignments
  • Fix an always-true condition
  • Fix unordered list formatting in containers-policy.json(5)
  • docker/reference: reduce regex compilations
  • docker/reference/regexp.go: constify strings
  • docker/reference.literal: return QuoteMeta directly
  • docker/reference.expression: use strings.Join()
  • Run (gofmt -s)
  • Don't incorrectly report success on failure paths
  • Clarify the semantics of the optional.creator field in simple signature payload
  • Call x509.SystemCertPool directly instead of tlsconfig.SystemCertPool
  • Remove sockets.DialerFromEnvironment
  • Use io.SeekStart instead of a hard-coded 0
  • Add support for non-seekable files in docker-archive: sources
  • Add comments to BlobInfo to warn against adding more edit fields
  • Split test data from TestV1RegistriesConfNonempty and TestV2RegistriesConfNonempty
  • Reject files mixing v1 and v2 registries.conf, even with empty fields
  • Fix a typo
  • Move the "human-readable description" of a helper into setAuthToCredHelper
  • Correctly report a credHelpers location in SetCredentials
  • Add missing documentation of build tags
  • Fix comments about exponential backoff with Retry-After
  • storage source: Don't store small blobs on disk in GetBlob()
  • config: use authPath struct consistently
  • config: Make parsing function a method on authFile
  • storage: Immediately unlink tmpfile
  • Don't duplicate the getPathToAuth rules for user-specified paths in getAuthPaths
  • Move killGPGAgent into a helper package
  • Terminate the GPG agent spawned by c/image/signature tests
  • Speed up pkg/blobcache tests
  • Turn copy.TestCreateSignature into a table-based test
  • Reorder the tests in copy.TestCreateSignature
  • Add a test case for signing dir: with an explicit identity
  • Fix a documentation typo
  • Return a generic signature.Signature from SignDockerManifestWithPrivateKeyFileUnstable
  • Introduce Signer = internal/signer.Signer, and internal/signer.SignerImplementation
  • Introduce signature/sigstore/internal.SigstoreSigner
  • Make SigstoreSigner implement signer.SignerImplementation
  • Rename signature/sigstore/sign.go to signer.go
  • Consolidate the two signing implementations to copier.createSignatureWithSigner
  • Refactor copy.Image to sign using []*signer.Signer
  • Add copy.Options.Signers
  • Don't use GPG in copy.TestCreateSignatures
  • Make sure value types also implement json.Marshaler
  • Add signature/internal.UntrustedRekor{SET,Payload}
  • Refactor SigstoreSigner.SignImageManifest a bit
  • Rekor upload
  • Move the docker client User-Agent value to a shared subpackage
  • Add Fulcio with OIDC authentication
  • Add Fulcio with user-provided OIDC token
  • Drop dead code that causes a regex compilation on init
  • Do not preallocate regex in init program
  • Replace copy&pasted code by a shared modifiedJSON function
  • Add VerifyRekorSET
  • manifest: pull Variant from an OCI config
  • Remove left-over logging from test development
  • Cirrus: Use F37 CI VM Image
  • Add Fulcio certificate acceptance logic
  • Split loadBytesFromDataOrPath and prepareTrustRoot in prSigstoreSigned
  • Make a part of TestPRSigstoreSignedIsSignatureAccepted table-driven
  • Split sigstore configuration parsing and API into separate files
  • Add tests to reject neither of keyPath / keyData being set
  • Add support for Fulcio and Rekor to sigstoreSigned