Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked 
in at 2023-09-02 22:07:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and      /work/SRC/openSUSE:Factory/.cosign.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cosign"

Sat Sep  2 22:07:21 2023 rev:16 rq:1108432 version:2.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/cosign/cosign.changes    2023-04-17 
17:41:33.574312809 +0200
+++ /work/SRC/openSUSE:Factory/.cosign.new.1766/cosign.changes  2023-09-02 
22:07:49.727640484 +0200
@@ -1,0 +2,87 @@
+Fri Sep  1 08:45:59 UTC 2023 - Marcus Meissner <meiss...@suse.com>
+
+- updated to 2.2.0 (jsc#SLE-23879)
+  - Enhancements
+    * switch to uploading DSSE types to rekor instead of intoto (#3113)
+    * add 'cosign sign' command-line parameters for mTLS (#3052)
+    * improve error messages around bundle != payload hash (#3146)
+    * make VerifyImageAttestation function public (#3156)
+    * Switch to cryptoutils function for SANS (#3185)
+    * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
+  - Bug Fixes
+    * Fix nondeterminsitic timestamps (#3121)
+  - Documentation
+    * doc: Add example of sign-blob with key in env var (#3152)
+    * add deprecation notice for cosign-releases GCS bucket (#3148)
+    * update doc links (#3186)
+
+-------------------------------------------------------------------
+Tue Jun 27 09:33:07 UTC 2023 - Marcus Meissner <meiss...@suse.com>
+
+- updated to 2.1.1 (jsc#SLE-23879)
+
+  - Bug Fixes
+
+    - wait for the workers become available again to continue the execution 
(#3084)
+    - fix help text when in a container (#3082)
+
+
+- updated to 2.1.0 (jsc#SLE-23879)
+
+  - Breaking Change: The predicate is now a required flag in the attest 
commands, set via the --type flag.
+
+  - Enhancements
+
+    - Verify sigs and attestations in parallel (#3066)
+    - Deep inspect attestations when filtering download (#3031)
+    - refactor bundle validation code, add support for DSSE rekor type (#3016)
+    - Allow overriding remote options (#3049)
+    - feat: adds no cert found on sig exit code (#3038)
+    - Make predicate a required flag in attest commands (#3033)
+    - Added support for attaching Time stamp authority Response in attach 
command (#3001)
+    - Add sign --sign-container-identity CLI (#2984)
+    - Feature: Allow cosign to sign digests before they are uploaded. (#2959)
+    - accepts attachment-tag-prefix for cosign copy (#3014)
+    - Feature: adds '--allow-insecure-registry' for cosign load (#3000)
+    - download attestation: support --platform flag (#2980)
+    - Cleanup: Add Digest to the SignedEntity interface. (#2960)
+    - verify command: support keyless verification using only a provided 
certificate chain with non-fulcio roots (#2845)
+    - verify: use workers to limit the paralellism when verifying images with 
--max-workers flag (#3069)
+
+  - Bug Fixes
+
+    - Fix pkg/cosign/errors (#3050)
+    - Fix: update doc to refer to github-actions oidc provider (#3040)
+    - Fix: prefer GitHub OIDC provider if enabled (#3044)
+    - Fix --sig-only in cosign copy (#3074)
+
+  - Documentation
+
+    - Fix links to sigstore/docs in markdown files (#3064)
+
+-------------------------------------------------------------------
+Sun May  7 11:58:02 UTC 2023 - Marcus Meissner <meiss...@suse.com>
+
+- update to 2.0.2 (jsc#SLE-23879)
+  Enhancements
+
+  - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
+  - feat: Make cosign copy faster (#2901)
+  - remove sget (#2885)
+  - Require a payload to be provided with a signature (#2785)
+
+  Bug Fixes
+
+  - cmd: Change error message from KeyParseError to PubKeyParseError for 
verify-blob. (#2876)
+  - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
+
+  Documentation
+
+  - Remove experimental warning from Fulcio flags (#2923)
+  - add missing oidc provider (#2922)
+  - Add zot as a supported registry (#2920)
+  - deprecates kms_support docs (#2900)
+  - chore(docs) deprecate note for usage docs (#2906)
+  - adds note of deprecation for examples.md docs (#2899)
+
+-------------------------------------------------------------------
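
Review bot: the new cosign.changes entries only relay upstream release notes and do not record the packaging changes made in this same commit. The 2.0.2 entry lists "remove sget (#2885)" under Enhancements, but nothing states that the package no longer ships %{_bindir}/sget, so users of that binary get no notice, and the move to golang(API) = 1.21 is not mentioned at all. Add an explicit line for each under the 2.2.0 entry. Two smaller points: the "updated to 2.1.0" block sits under the 27 June header of 2.1.1 with no header or separator of its own, and "nondeterminsitic" and "paralellism" are misspelled.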

Old:
----
  cosign-2.0.1.tar.gz

New:
----
  cosign-2.2.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cosign.spec ++++++
--- /var/tmp/diff_new_pack.gQjPDI/_old  2023-09-02 22:07:52.343733964 +0200
+++ /var/tmp/diff_new_pack.gQjPDI/_new  2023-09-02 22:07:52.391735680 +0200
@@ -16,9 +16,9 @@
 #
 
 
-%define revision 8faaee4d2b5f65678eb0831a8a3d5990a0271d3a
+%define revision 546f1c5b91ef58d6b034a402d0211d980184a0e5
 Name:           cosign
-Version:        2.0.1
+Version:        2.2.0
 Release:        0
 Summary:        Container Signing, Verification and Storage in an OCI registry
 License:        Apache-2.0
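
Review bot: "%define revision" is a hand-maintained commit hash that has to be changed in step with "Version:", and nothing in the spec ties 546f1c5b91ef58d6b034a402d0211d980184a0e5 to the 2.2.0 tarball. The value is stamped into the binary as gitCommit through CLI_LDFLAGS, so a stale or mistyped hash would make "cosign version" report the wrong commit without failing the build. Add a comment above the define naming the upstream tag the hash was taken from, so the next version bump is checked against it.
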
@@ -27,7 +27,7 @@
 Source1:        vendor.tar.zst
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.20
+BuildRequires:  golang(API) = 1.21
 
 %description
 Cosign aims to make signatures invisible infrastructure.
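
Review bot: "BuildRequires:  golang(API) = 1.21" is an exact-version pin, and the bump from 1.20 is not explained in the spec or in cosign.changes. If 2.2.0 only needs 1.21 as a minimum, a ">=" constraint avoids having to touch the spec on every Go release; if the exact pin is deliberate, say why in a spec comment and record the bump in the changelog.
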
@@ -50,21 +50,16 @@
 CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X 
${CLI_PKG}.gitCommit=%{revision} -X ${CLI_PKG}.gitTreeState=release -X 
${CLI_PKG}.buildDate=${BUILD_DATE}"
 
 CGO_ENABLED=0 go build -mod=vendor -buildmode=pie -trimpath -ldflags 
"${CLI_LDFLAGS}" -o cosign ./cmd/cosign
-go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o 
sget ./cmd/sget
 
 %check
 ./cosign version
-./cosign version | grep -q unknown && exit 1
-./sget version
 
 %install
 install -D -m 0755 cosign %{buildroot}%{_bindir}/cosign
-install -D -m 0755 sget %{buildroot}%{_bindir}/sget
 
 %files
 %license LICENSE
 %doc *.md
 %{_bindir}/cosign
-%{_bindir}/sget
 
 %changelog
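
Review bot: in %check, the line "./cosign version | grep -q unknown && exit 1" is removed together with the sget lines, but it has nothing to do with sget. It was the only test that the -X gitVersion/gitCommit/gitTreeState/buildDate values from CLI_LDFLAGS actually reached the binary; with just "./cosign version" left, %check passes as long as the binary starts. Keep the check, written so that it does not leave a non-zero status when it is the last command of the section, for example "if ./cosign version | grep -q unknown; then exit 1; fi", or assert positively with "./cosign version | grep -q %{version}".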

++++++ cosign-2.0.1.tar.gz -> cosign-2.2.0.tar.gz ++++++
/work/SRC/openSUSE:Factory/cosign/cosign-2.0.1.tar.gz 
/work/SRC/openSUSE:Factory/.cosign.new.1766/cosign-2.2.0.tar.gz differ: char 
13, line 1

++++++ vendor.tar.zst ++++++
Binary files /var/tmp/diff_new_pack.gQjPDI/_old and 
/var/tmp/diff_new_pack.gQjPDI/_new differ
