Releases: slsa-framework/slsa-verifier
v2.4.0-rc.0
Pre-release for testing.
v2.3.0
Summary
Initial support was added to the verify-npm-package command for the Node.js builder.
What's Changed
- docs: remove duplicated table of contents by @asraa in #557
- docs: Update docs for 2.2.0 release. by @ianlewis in #556
- fix: Slack badge by @ianlewis in #558
- chore(deps): update github-actions by @renovate-bot in #560
- chore(deps): update golang:1.19 docker digest to 9f2dd04 by @renovate-bot in #516
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 42311d8 by @renovate-bot in #504
- fix(deps): update github.com/sigstore/protobuf-specs digest to b6d2576 by @renovate-bot in #559
- feat: support for BYOB verification by @laurentsimon in #562
- fix: Read newer attestation file format by @ianlewis in #564
- chore(deps): update github/codeql-action action to v2.3.2 by @renovate-bot in #569
- fix(deps): update github.com/sigstore/protobuf-specs digest to 13e09aa by @renovate-bot in #578
- feat: npm: Make package name and version mandatory for verification by @laurentsimon in #576
- chore(deps): update npm dev by @renovate-bot in #568
- feat: Use low-perms delegator for Node.js builder by @ianlewis in #577
- docs(gh-action): update actions installer path by @sunnyyip in #581
- chore: update slsa provenance to v1 by @asraa in #579
- fix(deps): update github.com/sigstore/protobuf-specs digest to 91485b4 by @renovate-bot in #584
- chore(deps): update github/codeql-action action to v2.3.3 by @renovate-bot in #585
- feat: verify claims in provenance match the certificate by @laurentsimon in #572
- docs: Add docs for npm package verification by @ianlewis in #587
- chore(deps): update npm dev by @renovate-bot in #586
New Contributors
Full Changelog: v2.2.0...v2.3.0
v2.3.0-rc.3
What's Changed
- feat: verify claims in provenance match the certificate by @laurentsimon in #572
- docs: Add docs for npm package verification by @ianlewis in #587
- chore(deps): update npm dev by @renovate-bot in #586
Full Changelog: v2.3.0-rc.2...v2.3.0-rc.3
v2.3.0-rc.2
What's Changed
- docs(gh-action): update actions installer path by @sunnyyip in #581
- chore: update slsa provenance to v1 by @asraa in #579
- fix(deps): update github.com/sigstore/protobuf-specs digest to 91485b4 by @renovate-bot in #584
- chore(deps): update github/codeql-action action to v2.3.3 by @renovate-bot in #585
New Contributors
Full Changelog: v2.3.0-rc.1...v2.3.0-rc.2
v2.3.0-rc.1
What's Changed
- chore(deps): update github/codeql-action action to v2.3.2 by @renovate-bot in #569
- fix(deps): update github.com/sigstore/protobuf-specs digest to 13e09aa by @renovate-bot in #578
- feat: npm: Make package name and version mandatory for verification by @laurentsimon in #576
- chore(deps): update npm dev by @renovate-bot in #568
- feat: Use low-perms delegator for Node.js builder by @ianlewis in #577
Full Changelog: v2.3.0-rc.0...v2.3.0-rc.1
v2.3.0-rc.0
Summary
Initial support was added to the verify-npm-package command for the Node.js builder.
What's Changed
- docs: remove duplicated table of contents by @asraa in #557
- docs: Update docs for 2.2.0 release. by @ianlewis in #556
- fix: Slack badge by @ianlewis in #558
- chore(deps): update github-actions by @renovate-bot in #560
- chore(deps): update golang:1.19 docker digest to 9f2dd04 by @renovate-bot in #516
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 42311d8 by @renovate-bot in #504
- fix(deps): update github.com/sigstore/protobuf-specs digest to b6d2576 by @renovate-bot in #559
- feat: support for BYOB verification by @laurentsimon in #562
- fix: Read newer attestation file format by @ianlewis in #564
Full Changelog: v2.2.0...v2.3.0-rc.0
v2.2.0
Summary
Support was added for the --source-tag and --source-versioned-tag flags for GCB container provenance verification.
What's Changed
- fix: Update references check by @ianlewis in #533
- chore: update docs for release v2.1.0 by @asraa in #530
- feat: verification for provenance by @developer-guy in #537
- feat: GCB tag and versioned-tag support for containers by @laurentsimon in #540
- chore(deps): update github-actions (major) by @renovate-bot in #536
- fix(deps): update github.com/sigstore/protobuf-specs digest to c8a23a4 by @renovate-bot in #528
- chore(deps): update github-actions by @renovate-bot in #529
- chore: report scheduled release workflow failures by @asraa in #543
- fix: Support pre-releases on trusted repos by @ianlewis in #552
- chore(deps): update dependency typescript to v5 by @renovate-bot in #545
- fix(deps): update github.com/sigstore/protobuf-specs digest to 4dbf10b by @renovate-bot in #553
- chore(deps): update npm dev by @renovate-bot in #534
- chore(deps): update github-actions by @renovate-bot in #544
- docs: Update README.md by @drewroengoogle in #541
- fix(deps): update npm by @renovate-bot in #535
New Contributors
- @developer-guy made their first contribution in #537
- @drewroengoogle made their first contribution in #541
Full Changelog: v2.1.0...v2.2.0
v2.2.0-rc.0
Summary
Support was added for the --source-tag and --source-versioned-tag flags for GCB container provenance verification.
What's Changed
- fix: Update references check by @ianlewis in #533
- chore: update docs for release v2.1.0 by @asraa in #530
- feat: verification for provenance by @developer-guy in #537
- feat: GCB tag and versioned-tag support for containers by @laurentsimon in #540
- chore(deps): update github-actions (major) by @renovate-bot in #536
- fix(deps): update github.com/sigstore/protobuf-specs digest to c8a23a4 by @renovate-bot in #528
- chore(deps): update github-actions by @renovate-bot in #529
- chore: report scheduled release workflow failures by @asraa in #543
- fix: Support pre-releases on trusted repos by @ianlewis in #552
- chore(deps): update dependency typescript to v5 by @renovate-bot in #545
- fix(deps): update github.com/sigstore/protobuf-specs digest to 4dbf10b by @renovate-bot in #553
- chore(deps): update npm dev by @renovate-bot in #534
- chore(deps): update github-actions by @renovate-bot in #544
- docs: Update README.md by @drewroengoogle in #541
- fix(deps): update npm by @renovate-bot in #535
New Contributors
- @developer-guy made their first contribution in #537
- @drewroengoogle made their first contribution in #541
Full Changelog: v2.1.0...v2.1.1-rc.0
v2.1.0
Summary
This release adds support for:
- GCB V1's global signing key that uses PAE encoding for signing
- Installer Action to install the slsa-verifier in GitHub workflows. See Setup GitHub Action
- Verification of multiple artifacts via the CLI
Fixes:
- GCB now adds a prefix git+ to their material source URIs. This is fixed in #519
This release also includes the following experimental changes:
- npm package verification from the public registry via an SLSA_VERIFIER_EXPERIMENTAL=1 flag.
- Offline verification using a Sigstore bundle behind the SLSA_VERIFIER_EXPERIMENTAL=1 flag.
What's Changed
- feat: scheduled tests for installer Action by @laurentsimon in #398
- feat: allow version to be empty for Installer tests by @laurentsimon in #404
- chore: Add CODEOWNERS by @ianlewis in #401
- docs: update docs for release v2.0.1 by @asraa in #403
- fix: token permission in Installer scheduled tests by @laurentsimon in #407
- fix: permissions for script by @laurentsimon in #408
- fix: installer tests by @laurentsimon in #410
- ci: Use github.token to create issues by @ianlewis in #412
- ci: Add regression build tag by @ianlewis in #400
- feat: Enhance help message by @mihaimaruseac in #418
- ci: add git sign off to renovate-bot by @asraa in #420
- feat: Verify all artifacts passed in cmdline by @mihaimaruseac in #419
- fix: Expect at least one artifact in verification by @mihaimaruseac in #426
- fix: Use Run instead of RunE to handle usage/errors by @mihaimaruseac in #424
- fix: fix exit status on command execution errors by @asraa in #429
- ci: add verifier e2e presubmit that runs CLI at main by @asraa in #430
- fix: remove accidental checked in binary by @asraa in #432
- ci: Add large file pre-submit check by @ianlewis in #433
- ci: fix a deprecation warning by @suzuki-shunsuke in #435
- chore: release assets for multiple platforms by @suzuki-shunsuke in #434
- docs: Add instructions for GHA container generator by @ianlewis in #438
- ci: Add javascript to CodeQL analysis by @ianlewis in #413
- test: add v1.4.0 build tests for gha_go gha_generic and gha_generic_container by @asraa in #439
- chore: enable some Go linters by @asraa in #456
- test: add builder id tests for short form by @asraa in #455
- ci: Ensure all version references are up-to-date prior to release by @pnacht in #447
- feat: add experimental offline bundle signature verification by @asraa in #457
- refactor: generalize provenance out of predicate type info by @asraa in #463
- feat: add slsa v1-draft provenance experimental support by @asraa in #470
- feat: support branch and tag from slsa v1 provenance by @asraa in #476
- fix: use a uniform verifier interface for provenance type by @asraa in #478
- ci: Add go mod tidy to renovate post update by @ianlewis in #484
- test: add docker based support and start adding tests by @asraa in #486
- test: Add test data for v1.5.0 by @ianlewis in #506
- feat: npm default runner support by @laurentsimon in #495
- feat: Update SLSA verifier to support a global signing key for GCB V1 which… by @khalkie in #509
- fix: fix GCB verification with git material source prefix by @asraa in #519
- feat: verify sourceURI for npm packages by @laurentsimon in #521
- docs: update installation to cover the Action and to receive updates by @laurentsimon in #523
- chore: add a file extension ".exe" to Windows artifacts by @suzuki-shunsuke in #527
New Contributors
- @mihaimaruseac made their first contribution in #418
- @pnacht made their first contribution in #447
- @khalkie made their first contribution in #509
Full Changelog: v2.0.1...v2.1.0
v2.0.1
This patch release fixes the Go module path for the major version update to support installation via go install.
It also ensures a version is displayed in the version command.
Bug Fixes
- fix: fix the Go package version to v2 by @suzuki-shunsuke in #373
- fix: handle workflow input flag parsing by @asraa in #379
- fix: show version in version command by @laurentsimon in #392
What's Changed
- fix: fix the Go package version to v2 by @suzuki-shunsuke in #373
- docs: refer v2.0.0 in README by @suzuki-shunsuke in #375
- docs: add the checksum of v2.0.0 by @suzuki-shunsuke in #374
- docs: fix go install by @suzuki-shunsuke in #376
- fix: handle workflow input flag parsing by @asraa in #379
- docs: add release steps for a new major release by @asraa in #378
- docs: Add comment for signature decoding by @laurentsimon in #380
- fix: Fix error check for decodeSignature by @ianlewis in #385
- feat: add more tests for GCB verification by @laurentsimon in #389
- fix: show version in version command by @laurentsimon in #392
- feat: Add env variable to facilitate CI tests of Action installer by @laurentsimon in #393
- fix: TUF error in GHA installer by @laurentsimon in #394
- fix: command in installer Action by @laurentsimon in #396
Full Changelog: v2.0.0...v2.0.1