canary

This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

v2.7.0

Spin v2.7.0

The v2.7.0 release of Spin brings a number of features, improvements, and bug fixes.

Some highlights in v2.7.0 at a glance:

✨ Features

• Added support for client certificate-based authentication and custom root CA in outbound requests for HTTP triggers, with a new client_tls runtime configuration option. (PR #2596 )
• Azure CosmosDB key value implementation support for workload identity (PR #2566) Thanks, @devigned, for your first contribution 💟

🌐 Spin Governance and Documentation

• Governance Updates: Implemented a new SIP for governance changes and updated documentation to reflect substantial changes in project governance procedures. ( PR #2593)
• Documentation Enhancements: Revised release-process.md to include a notes template, and added MAINTAINERS.md for clarity on project maintainers. (PR #2622, PR #2683)
• Code of Conduct: Integrated Fermyon's Code of Conduct into the project's documentation. (PR #2691)

🧪 Better Test Coverage

• Expanded Test Coverage: Added key-value and Redis tests to conformance checks to ensure broader validation of functionalities. (PR #2591, PR #2603)
• TCP Runtime Tests Fixes: Resolved issues with TCP runtime tests to ensure accurate performance assessment. (PR #2608)
• Template Manager Testing: Improved the test setups for TemplateManagers, including deduplicating test code to streamline testing processes. (PR #2657)

🩹 Fixes and Improvement

• CI Fixes: Addressed issues with CI integration tests and updated dependencies for conformance testing to stabilize the build process. (PR #2614, PR #2669)
• Rust and Clippy Compatibility: Applied changes to maintain compatibility with Rust 1.79, 1.80 and address Clippy lint warnings. (PR #2569, PR #2680)
• Improved error handling to provide clearer messages for registry component issues and refined the behavior of the spin new command. (PR #2634)
• Follow OCI standards by inferring predefined annotation when pushed to the registry (PR #2618)
• Better handling when the file path is outside root (PR #2574) and if the file is missing (PR #2674)
• Improve OTel error logging #2572

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.7.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha a11151706449fa1ba39bfe96597fe1041438dc67 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog

• Add deprecation warning for uncomponentizable modules by @lann in #2571
• Update README with Spin Project meeting information by @mikkelhegn in #2576
• fix: add error message when file path outside root by @me-diru in #2574
• Fix warnings introduced by new Rust 1.79 release by @rylev in #2569
• Fix typo in meeting info by @itowlson in #2581
• Improve OTel error logging by @calebschoepp in #2572
• chore(*): post-2.6.0 release bumps by @vdice in #2586
• Upgrade to wasmtime 22.0.0 by @lann in #2587
• Bump wasm-pkg-loader to 0.4.1 by @fibonacci1729 in #2588
• Remove duplicate crate definitions in Cargo.lock by @rylev in #2592
• docs(Makefile): fix comment typos by @vdice in #2594
• Update from's help output for the up subcommand by @tpmccallum in #2595
• Conformance Tests Update by @rylev in #2591
• Update conformance to include Redis and SQLite tests by @rylev in #2603
• Fix broken TCP runtime tests. by @rylev in #2608
• add support for client certs by @rajatjindal in #2596
• Infer predefined annotations when pushing to registry by @itowlson in #2618
• add SIP for governance.md by @michelleN in #2593
• docs(releasing): update release-process.md; add notes template by @vdice in #2622
• Better error if component from registry has regrettable version by @itowlson in #2634
• Improve non-interactive behaviour of spin new by @itowlson in #2643
• Fixes watch rebuild loop if empty watch by @itowlson in #2642
• Deduplicate template tests by @itowlson in #2657
• Update conformance test version by @rylev in #2615
• Break circular dependency between http and testing crates by @itowlson in #2668
• Fix CI issue in integration tests by updating conformance-test dependency by @rylev in #2669
• Bump rustls from 0.22.3 to 0.22.4 by @dependabot in #2614
• Allow sqlite migrations for non-default databases. by @rylev in #2610
• Run conformance tests as part of runtime tests by @rylev in #2663
• Revert "Run conformance tests as part of runtime tests" by @rylev in #2671
• Add support for workload identity in the Azure CosmosDB Key/Value impl by @devigned in #2566
• Tell user which file we failed to read by @itowlson in #2674
• Summarise plugins list by @itowlson in #2662
• Retry running conformance tests as part of runtime tests by @rylev in #2675
• Changes need to make Rust and Clippy happy on Rust 1.80 by @rylev in #2680
• trigger: Tweak wording of AOT compilation code by @lann in #2682
• add MAINTAINERS.md by @michelleN in #2683
• [COC]: Embed content from Fermyon COC by @endocrimes in #2691
• Bump versions for v2.7 release by @me-diru in #2694

New Contributors

• @devigned made their first contribution in #2566

Full Changelog: v2.6.0...v2.7.0

v2.6.0

Spin 2.6.0

The 2.6.0 release of Spin brings a number of features, improvements and bug fixes. There are also a few notable deprecations and breaking changes.

🚀 Some highlights in 2.6.0 at a glance

• Dynamic detection of support for Wasmtime's pooling allocator: #2508
• Components in a Spin App manifest can now be referenced by registry: #2524
• Spin can now run a wasm file as a Spin App without requiring a manifest: #2479
• Spin's listening address can now be overidden via SPIN_HTTP_LISTEN_ADDR: #2547
• Spin's data directory can now be overidden via SPIN_DATA_DIR: #2568

🐞 Notable fixes

• Validation of the Spin App manifest at build-time: #2527
• Validation of variable keys at build-time: #2530
• Ensure the Spin application name is in kebab-case: #2531 (Thank you @brehen!)
• Fixes issues around spin watch build exclusions: #2554

💅 Miscellaneous

• Wasmtime has been upgraded to 21.0.1: #2531

⚠️ Deprecations

• Wasm modules compiled with wasi-sdk version < 19 are likely to contain a critical memory safety bug.
  Spin has deprecated execution of these modules and they will stop working in a future release.
  For more information, see: #2552

🚨 Breaking changes

• The upgrade to wasmtime 21 includes a breaking change to how headers are handled.
  Spin app guest modules can no longer set the Host header on outbound requests: #2575

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.6.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.6.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha a4ddd3921d9ea3d694774858408e918f3e5cec60 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full changelog

• ref(*): Standardize on using tracing::* instead of tracing::log::* by @calebschoepp in #2498
• fix(docs): update release process to remove spin-macro consideration by @kate-goldenring in #2500
• Bump version to v2.6.0-pre0 by @kate-goldenring in #2499
• ref(telemetry): Provide the abililty to turn off the tracing-log compat layer in tracing-subscriber dep of telemetry by @calebschoepp in #2501
• spin templates install: allow --repo by @itowlson in #2504
• spin templates install: allow repo name instead of URL by @itowlson in #2505
• Dynamically detect support for Wasmtime's pooling allocator by @alexcrichton in #2508
• Update Wasmtime to 20.0.2 by @alexcrichton in #2512
• Lift http handler type discovery up a layer by @alexcrichton in #2373
• feat(oci/client.rs): add registry_from_input helper by @vdice in #2513
• Update to Wasmtime 21.0.0 by @alexcrichton in #2521
• feat(telemetry): Add a compatibility layer that emits app logs as tracing events. by @calebschoepp in #2511
• Try to load manifest during spin build by @itowlson in #2527
• Load components from a registry by @itowlson in #2524
• ref(oci/client): update unpack_archive_layer to take cache; make pub by @vdice in #2523
• Run a Wasm file as an application without a manifest by @itowlson in #2479
• Validate variable keys as part of schema by @itowlson in #2530
• fix(templates/../spin.toml): skewer spin application name like a kebab by @brehen in #2531
• spin build: build inline components by @itowlson in #2533
• feat(telemetry): Send logs to OTel collector directly using OTel libraries by @calebschoepp in #2516
• Upgrade to wasmtime 21.0.1 by @lann in #2538
• chore(loader): bump wasm-pkg-tools by @vdice in #2539
• feat(oci): add env var to force use of archive layers on push by @vdice in #2540
• allow overriding listen addr using env variable by @rajatjindal in #2547
• Strip trailing slash in allowed_outbound_hosts config. by @rylev in #2548
• fix StoreBuilder::inherit_limited_network by @dicej in #2541
• Fix exclusions in build.watch getting applied to all components by @itowlson in #2554
• Don't prompt to install templates if not interactive by @itowlson in #2558
• Run conformance tests by @rylev in #2542
• Update conformance test by @rylev in #2562
• Override local data directory via env variable by @itowlson in #2568
• [Backport v2.6] Add deprecation warning for uncomponentizable modules by @vdice in #2578
• chore(release): bumps for 2.6 release by @vdice in #2573

New Contributors

• @brehen made their first contribution in #2531

Full Changelog: v2.5.1...v2.6.0

v2.5.1

Spin 2.5.1

This is a patch release to disable a tracing-subscriber crate feature that was breaking spin_telemetry support in downstream projects.

Verifying the Release Signature 🔏

After downloading the v2.5.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.5.0...v2.5.1

v2.5.0

Spin v2.5

The v2.5 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.5.0 at a glance:

• Support for application-internal private endpoints, which allows you to avoid exposing internal components on public routes while still splitting them out to their own microservices. #2418
• Spin now allows you to specify routes with more granularity #2464
• Improved support for OpenTelemetry #2463
• Azure Key Vault Application Variable Provider #2472

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.5.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• chore(release): update versions for v2.5.0-pre0 by @kate-goldenring in #2400
• ci: Run macos builds on M1 by @lann in #2404
• Improved rumqttc event loop check. by @suneetnangia in #2362
• Add recent SIPs to the index document by @tschneidereit in #2403
• chore(trigger-http): bump tls-listener by @vdice in #2409
• feat(oci): deduplicate layers prior to push; archive if needed by @vdice in #2395
• feat(oci): set token expiration for oci client by @vdice in #2417
• feat: add support for setting the pushed oci image manifest annotations by @rgl in #2254
• feat(*): Add tracing to some more host components by @calebschoepp in #2398
• use template from v2.0 branch of spin-python-sdk in test by @dicej in #2421
• Fix outbound-mqtt bug with QoS 2 by @fibonacci1729 in #2420
• Rationalise plugin install prompts by @itowlson in #2412
• Warn when sending bare 404 response by @itowlson in #2410
• Private endpoints by @itowlson in #2418
• Accept runtime config in either JSON or TOML by @lann in #2427
• build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #2430
• ci(dispatch.yml): dispatch to fermyon/homebrew-tap by @vdice in #2428
• ci(release): fix dispatch conditional by @vdice in #2434
• chore(spin-timer): bump whoami per GHSA-w5w5-8vfh-xcjq by @vdice in #2431
• chore(*): bump h2 per GHSA-q6cp-qfwq-4gcv by @vdice in #2432
• ci(build/release): restore mac amd64 builds by @vdice in #2435
• Trace some more host components by @calebschoepp in #2437
• Trace db host components by @calebschoepp in #2439
• style(linting): Fix some linting rules by @calebschoepp in #2442
• Update Rust templates and bump Spin SDK version from 2.2.0 to 3.0.1 by @ThorstenHans in #2445
• Option to suppress plugin on-run compatibility warnings by @itowlson in #2426
• Review new dependencies for known vulnerabilities by @itowlson in #2440
• Add that Python SDK does support Redis Trigger by @tpmccallum in #2429
• ci(build.yml): gate dependency review on PRs only by @vdice in #2450
• ref(*): Refactor host components to avoid returning Result<Result> if they don't trap by @calebschoepp in #2433
• Don't print plugin prerelease warning in middle of help by @itowlson in #2452
• Trigger tracing by @calebschoepp in #2441
• Allow template to have tmpl extension by @rylev in #2456
• Summarise runtime config by @itowlson in #2453
• Bikeshed private endpoint UI by @itowlson in #2451
• Add Redis components to existing app by @itowlson in #2446
• ref(outbound-http): Add a small hack to improve the tracing of outbound http requests through spin core by @calebschoepp in #2459
• Check for illegal file name when copying single file by @itowlson in #2460
• feat(telemetry): Make telemetry support http/protobuf protocol in addition to grpc protocol by @calebschoepp in #2463
• Refactor expressions Resolver to provide sync API by @rylev in #2458
• fixed logic in spin doctor to display 'No problems found' properly by @garikAsplund in #2466
• Setup a docker compose file that creates an o11y stack for Spin to use by @calebschoepp in #2465
• chore(crates): address lint errs when rust is at 1.77+ by @vdice in #2474
• added local_addr() to listeners to display random port numbers by @garikAsplund in #2473
• Don't attempt to cancel workflow if lints fail by @itowlson in #2476
• Taking a first crack at implementing metrics by @calebschoepp in #2475
• Add SIP for configuring and emitting observability by @calebschoepp in #2303
• Granular route matching by @itowlson in #2464
• Fix watch not picking up manifest changes by @itowlson in #2481
• feat: Add Azure Key Vault Variable Provider by @ThorstenHans in #2472
• core: Add note to find_host_component_handle docs by @lann in #2484
• telemetry: Nicen layer return types by @lann in #2488
• Fix incorrect base passed in service chaining by @itowlson in #2489
• Fix 1.78 lints by @itowlson in #2491
• Update version for v2.5.0 release by @kate-goldenring in #2497

New Contributors

• @rgl made their first contribution in #2254
• @garikAsplund made their first contribution in #2466

Full Changelog: v2.4.3...v2.5.0

v2.4.3

Spin 2.4.3

This is a security patch release to resolve GHSA-f3h7-gpjj-wcvh

Fix: ed8a665

Verifying the Release Signature 🔏

After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Addendum: Due to #2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.

The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:

cosign verify-blob \
  --signature spin.sig \
  --certificate crt.pem \
  --certificate-identity [email protected] \
  --certificate-oidc-issuer https://github.com/login/oauth \
  spin

Full Changelog: v2.4.2...v2.4.3

v2.4.2

Spin 2.4.2

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation when publishing messages with a QoS level of 2.

Verifying the Release Signature 🔏

After downloading the v2.4.2 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.2 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.1...v2.4.2

v2.4.1

Spin 2.4.1

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation.

Verifying the Release Signature 🔏

After downloading the v2.4.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.0...v2.4.1

v2.4.0

Spin v2.4

The v2.4 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.4.0 at a glace:

• experimental support for the OpenTelemetry (OTEL) observability standard (#2348). When configured Spin will now emit traces of your Spin App as an OTEL signal.
• service chaining (#2305) to remove the overhead of network requests when Spin app components call each other.

If curious about the vision for service chaining and other efforts, check out the SIP (Spin Improvement Proposal) directory. Perhaps it will spark an idea for a SIP of your own!

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.4.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• fix cross-rs cmake config and update cargo config for static build targets by @rajatjindal in #2307
• feat(oci): update dkregistry dep to support ACR login by @vdice in #2308
• fix push-templates-tag grep pattern by @dicej in #2313
• Subdomain wildcards by @itowlson in #2314
• chore(release): Bump version to 2.4.0-pre0 by @lann in #2312
• point Go templates to v2.2.0 instead of main by @dicej in #2317
• Tweak spin-loader to be able to run in Wasm by @rylev in #2304
• fix(example): update variables example to use constant time comparison by @kate-goldenring in #2311
• fix(cmd/up): --help takes precedence over --build by @endocrimes in #2324
• fix(oci/config): ensure unique OCI image config by @radu-matei in #2322
• Feature/mqtt publisher by @suneetnangia in #2287
• feat(loader): support loading AOT compiled components by @kate-goldenring in #2318
• Use the bundled version of paho and remove vendored openssl by @rylev in #2328
• Use rumqttc instead of paho-mqtt by @itowlson in #2330
• Variables in redis.address and allowed_outbound_hosts by @itowlson in #2299
• allow redis trigger to connect to multiple servers by @karthik2804 in #2242
• outbound-networking: Don't pass &Arc unnecessarily by @lann in #2342
• Fixed issue around swallowing mqtt publish errors. by @suneetnangia in #2344
• Service chaining SIP by @itowlson in #2290
• Enable templating of Redis trigger channel by @itowlson in #2346
• Remove credentials before printing Redis subscriptions by @itowlson in #2349
• set host header on self outbound requests by @karthik2804 in #2298
• handle connection errors on redis-trigger init by @karthik2804 in #2350
• Because I can never remember if it's --temp or --tmp by @itowlson in #2357
• Inherit workspace metadata by @fibonacci1729 in #2351
• update spin-timer mio version to 0.8.11 by @dicej in #2359
• add ability to specify env vars for spin build in test runner by @karthik2804 in #2360
• Seize control of the means of producing 404s by @itowlson in #2363
• Fix build when RUSTFLAGS is set for native builds by @alexcrichton in #2365
• core: Remove unnecessary Arc from (Module)InstancePre by @lann in #2367
• Refactor TriggerExecutor to have associated types for instances by @alexcrichton in #2366
• added no_vcs flag by @thesuhas in #2370
• Add missing wasi:random/insecure{,_seed} interfaces by @alexcrichton in #2374
• Remove unused dependency that was causing a cycle by @itowlson in #2375
• nit: fix label on openssl setup by @rajatjindal in #2372
• use ubuntu 20.04 for PR workflow to make it consistent with release workflow by @rajatjindal in #2378
• ci: Include os-release in cache key by @lann in #2383
• Less worse error if file mount source doesn't exist by @itowlson in #2384
• Service chaining by @itowlson in #2305
• update cosign-installer and cosign version by @rajatjindal in #2385
• testing-framework: Add HEALTHCHECK to vault.Dockerfile by @lann in #2382
• More forgiving caching by @itowlson in #2377
• Create assets directory from fileserver template by @itowlson in #2387
• feat(*): Implement the skeleton of an OTEL observability system by @calebschoepp in #2348
• Remove dead code newly discovered by Rust 1.77.0 by @rylev in #2389
• Allow spin-expressions and spin-outbound-networking to compile to wasm by @rylev in #2390
• Fix spin add static-fileserver putting the asset directory in the wrong place by @itowlson in #2388
• Update libsql to latest version by @rylev in #2394
• chore(release): update version for 2.4 release by @kate-goldenring in #2399

New Contributors

• @thesuhas made their first contribution in #2370

Full Changelog: v2.3.1...v2.4.0

v2.3.1

Spin 2.3.1

This is a patch release of Spin to enable fuller functionality in the Spin containerd shim.

Changes

• #2322 updates the OCI crate to set the digest of the locked Spin application in the OCI image config to ensure that image config digests are updated when Spin apps are updated. This resolves an issue with the Spin containerd shim serving outdated content due to the image config digest not updating.
• #2318 add support for loading precompiled Spin applications. This can provide performance improvements for users of the crate, such as the Spin containerd shim.

Verifying the Release Signature 🔏

After downloading the v2.3.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.3.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.3.0...v2.3.1