v2.1.0

Summary

This release adds support for:

• GCB V1's global signing key that uses PAE encoding for signing
• Installer Action to install the slsa-verifier in GitHub workflows. See Setup GitHub Action
• Verification of multiple artifacts via the CLI

Fixes:

• GCB now adds a prefix git+ to their material source URIs. This is fixed in #519

This release also includes the following experimental changes:

• npm package verification from the public registry via an SLSA_VERIFIER_EXPERIMENTAL=1 flag.
• Offline verification using a Sigstore bundle behind the SLSA_VERIFIER_EXPERIMENTAL=1 flag.

What's Changed

• feat: scheduled tests for installer Action by @laurentsimon in #398
• feat: allow version to be empty for Installer tests by @laurentsimon in #404
• chore: Add CODEOWNERS by @ianlewis in #401
• docs: update docs for release v2.0.1 by @asraa in #403
• fix: token permission in Installer scheduled tests by @laurentsimon in #407
• fix: permissions for script by @laurentsimon in #408
• fix: installer tests by @laurentsimon in #410
• ci: Use github.token to create issues by @ianlewis in #412
• ci: Add regression build tag by @ianlewis in #400
• feat: Enhance help message by @mihaimaruseac in #418
• ci: add git sign off to renovate-bot by @asraa in #420
• feat: Verify all artifacts passed in cmdline by @mihaimaruseac in #419
• fix: Expect at least one artifact in verification by @mihaimaruseac in #426
• fix: Use Run instead of RunE to handle usage/errors by @mihaimaruseac in #424
• fix: fix exit status on command execution errors by @asraa in #429
• ci: add verifier e2e presubmit that runs CLI at main by @asraa in #430
• fix: remove accidental checked in binary by @asraa in #432
• ci: Add large file pre-submit check by @ianlewis in #433
• ci: fix a deprecation warning by @suzuki-shunsuke in #435
• chore: release assets for multiple platforms by @suzuki-shunsuke in #434
• docs: Add instructions for GHA container generator by @ianlewis in #438
• ci: Add javascript to CodeQL analysis by @ianlewis in #413
• test: add v1.4.0 build tests for gha_go gha_generic and gha_generic_container by @asraa in #439
• chore: enable some Go linters by @asraa in #456
• test: add builder id tests for short form by @asraa in #455
• ci: Ensure all version references are up-to-date prior to release by @pnacht in #447
• feat: add experimental offline bundle signature verification by @asraa in #457
• refactor: generalize provenance out of predicate type info by @asraa in #463
• feat: add slsa v1?draft provenance experimental support by @asraa in #470
• feat: support branch and tag from slsa v1 provenance by @asraa in #476
• fix: use a uniform verifier interface for provenance type by @asraa in #478
• ci: Add go mod tidy to renovate post update by @ianlewis in #484
• test: add docker based spport and start adding tests by @asraa in #486
• test: Add test data for v1.5.0 by @ianlewis in #506
• feat: npm default runner support by @laurentsimon in #495
• feat: Update SLSA verifier to support a global signing key for GCB V1 which… by @khalkie in #509
• fix: fix GCB verification with git material source prefix by @asraa in #519
• feat: verify sourceURI for npm packages by @laurentsimon in #521
• docs: update installation to cover the Action and to receive updates by @laurentsimon in #523
• chore: add a file extension ".exe" to Windows artifacts by @suzuki-shunsuke in #527

New Contributors

• @mihaimaruseac made their first contribution in #418
• @pnacht made their first contribution in #447
• @khalkie made their first contribution in #509

Full Changelog: v2.0.1...v2.1.0