commit rekor for openSUSE:Factory

2024-02-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2024-02-05 22:02:38

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1815 (New)


Package is "rekor"

Mon Feb  5 22:02:38 2024 rev:21 rq:1144326 version:1.3.5

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2024-01-29 
22:33:10.258469005 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1815/rekor.changes2024-02-05 
22:02:53.678689888 +0100
@@ -1,0 +2,13 @@
+Mon Feb  5 14:38:58 UTC 2024 - Marcus Meissner 
+
+- update to 1.3.5 (jsc#SLE-23476):
+  - Additional unique index correction
+  - Remove timestamp from checkpoint
+  - Drop conditional when verifying entry checkpoint
+  - Fix panic for DSSE canonicalization
+  - Change Redis value for locking mechanism
+  - give log timestamps nanosecond precision
+  - output trace in slog and override correlation header name
+- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack 
CVE-2023-48795 (bsc#1218207)
+
+---
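Review bot: The last entry in this changelog hunk says the embedded golang.org/x/crypto/ssh was bumped for CVE-2023-48795 but does not say which x/crypto version the vendored tree now carries, and the only trace of the bump in this commit is the "Binary files ... differ" line for vendor.tar.zst. Please name the version in the entry so the fix can be audited from the changelog alone.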

Old:

  rekor-1.3.4.tar.gz

New:

  rekor-1.3.5.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.0E7B6R/_old  2024-02-05 22:02:54.310712753 +0100
+++ /var/tmp/diff_new_pack.0E7B6R/_new  2024-02-05 22:02:54.310712753 +0100
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.3.4
+Version:1.3.5
 Release:0
-%define revision 5072901241fc6370a78457219e7aa2da490f399f
+%define revision 488eb9782d8d95c83ac70bfb2f5049928504127e
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor
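Review bot: The `%define revision` line in this hunk is a bare 40-character hash edited by hand next to `Version:`, and nothing visible ties it to the 1.3.5 tag. A short comment above it stating that it is the commit the upstream tag points to, or moving it up beside `%define apps`, would make a mismatched bump easier to spot in review.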

++ rekor-1.3.4.tar.gz -> rekor-1.3.5.tar.gz ++
 3933 lines of diff (skipped)

++ vendor.tar.zst ++
Binary files /var/tmp/diff_new_pack.0E7B6R/_old and 
/var/tmp/diff_new_pack.0E7B6R/_new differ


commit rekor for openSUSE:Factory

2024-01-29 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2024-01-29 22:32:47

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1815 (New)


Package is "rekor"

Mon Jan 29 22:32:47 2024 rev:20 rq:1142230 version:1.3.4

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2023-11-24 
23:36:11.858546483 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1815/rekor.changes2024-01-29 
22:33:10.258469005 +0100
@@ -1,0 +2,13 @@
+Sun Jan 28 18:45:08 UTC 2024 - Dirk Müller 
+
+- update to 1.3.4:
+  * add mysql indexstorage backend
+  * add s3 storage for attestations
+  * fix: Do not check for pubsub.topics.get on initialization
+  * fix optional field in cose schema
+  * Update ranges.go
+  * update indexstorage interface to reduce roundtrips
+  * use a single validator library in rekor-cli
+  * Remove go-playground/validator dependency from pkg/pki
+
+---
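Review bot: This changelog entry lists only upstream changes, but the same commit switches Source1 from vendor.tar.xz to vendor.tar.zst, adds a _service file and a zstd BuildRequires, drops %{go_nostrip} and builds with -trimpath. Please add a packaging bullet for these so the changelog explains why the spec changed.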

Old:

  rekor-1.3.3.tar.gz
  vendor.tar.xz

New:

  _service
  rekor-1.3.4.tar.gz
  vendor.tar.zst



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.69Wms0/_old  2024-01-29 22:33:20.198828783 +0100
+++ /var/tmp/diff_new_pack.69Wms0/_new  2024-01-29 22:33:20.198828783 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rekor
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,18 +19,18 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.3.3
+Version:1.3.4
 Release:0
-%define revision 2ea1ef00f03b493ace47b1f26a8bfd4ab3b17fe9
+%define revision 5072901241fc6370a78457219e7aa2da490f399f
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor
 Source: 
https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1:vendor.tar.xz
+Source1:vendor.tar.zst
 Source2:rekor-zypper-verify.sh
 BuildRequires:  golang-packaging
+BuildRequires:  zstd
 BuildRequires:  golang(API)
-%{go_nostrip}
 
 %description
 Rekor's goals are to provide an immutable tamper resistant ledger of metadata 
generated within a software projects supply chain. Rekor will enable software 
maintainers and build systems to record signed metadata to an immutable record. 
Other parties can then query said metadata to enable them to make informed 
decisions on trust and non-repudiation of an object's lifecycle. For more 
details visit the sigstore website
@@ -46,9 +46,9 @@
 DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
 BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || 
date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u 
"${DATE_FMT}")
 for app in %{apps} ; do
-CLI_PKG=github.com/sigstore/rekor/cmd/rekor-${app}/app
+CLI_PKG=sigs.k8s.io/release-utils/version
 CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X 
${CLI_PKG}.gitCommit=%{revision} -X ${CLI_PKG}.gitTreeState=release -X 
${CLI_PKG}.buildDate=${BUILD_DATE}"
-go build -mod=vendor -buildmode=pie -ldflags "${CLI_LDFLAGS}" 
./cmd/rekor-${app}
+go build -mod=vendor -trimpath -buildmode=pie -ldflags "${CLI_LDFLAGS}" 
./cmd/rekor-${app}
 ./rekor-${app} version
 done
 
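Review bot: In the build loop the `-X` targets move to sigs.k8s.io/release-utils/version while the variable is still called CLI_PKG, and the only check that the stamping worked is `./rekor-${app} version`, which succeeds whatever it prints. The Go linker ignores `-X` for symbols that do not exist, so a wrong package path would pass unnoticed; consider renaming the variable and failing the build unless the output contains %{version}.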

++ _service ++

  
zst
  


++ rekor-1.3.3.tar.gz -> rekor-1.3.4.tar.gz ++
 4435 lines of diff (skipped)


commit rekor for openSUSE:Factory

2023-09-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2023-09-02 22:07:19

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1766 (New)


Package is "rekor"

Sat Sep  2 22:07:19 2023 rev:18 rq:1108430 version:1.3.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2023-05-30 
22:03:07.407251125 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1766/rekor.changes2023-09-02 
22:07:45.823500976 +0200
@@ -1,0 +2,21 @@
+Fri Sep  1 08:54:06 UTC 2023 - Marcus Meissner 
+
+- updated to rekor 1.3.0 (jsc#SLE-23476):
+  - Update openapi.yaml (#1655)
+  - pass transient errors through retrieveLogEntry (#1653)
+  - return full entryID on HTTP 409 responses (#1650)
+  - feat: Support publishing new log entries to Pub/Sub topics (#1580)
+  - Change values of Identity.Raw, add fingerprints (#1628)
+  - Extract all subjects from SANs for x509 verifier (#1632)
+  - Fix type comment for Identity struct (#1619)
+  - Refactor Identities API (#1611)
+  - Refactor Verifiers to return multiple keys (#1601)
+  - Update checkpoint link (#1597)
+  - Use correct log index in inclusion proof (#1599)
+  - remove instrumentation library (#1595)
+
+- updated to rekor 1.2.2 (jsc#SLE-23476):
+  - pass down error with message instead of nil
+  - swap killswitch for 'docker-compose restart'
+
+---

Old:

  rekor-1.2.1.tar.gz

New:

  rekor-1.3.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.GywOOJ/_old  2023-09-02 22:07:47.631565584 +0200
+++ /var/tmp/diff_new_pack.GywOOJ/_new  2023-09-02 22:07:47.639565870 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.2.1
+Version:1.3.0
 Release:0
-%define revision 576458cb53269ed54dccf8a43271ee02a785c191
+%define revision ed3d0b15a97e6497e3ab758e3102a6ef540fff50
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-1.2.1.tar.gz -> rekor-1.3.0.tar.gz ++
 10188 lines of diff (skipped)

++ vendor.tar.xz ++
 237460 lines of diff (skipped)


commit rekor for openSUSE:Factory

2023-05-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2023-05-30 22:02:53

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1533 (New)


Package is "rekor"

Tue May 30 22:02:53 2023 rev:17 rq:1089753 version:1.2.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2023-05-10 
16:17:18.766544639 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1533/rekor.changes2023-05-30 
22:03:07.407251125 +0200
@@ -1,0 +2,33 @@
+Tue May 30 07:52:52 UTC 2023 - Marcus Meissner 
+
+- updated to rekor 1.2.1 (jsc#SLE-23476):
+
+  Security fix:
+
+  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can 
cause a panic (bsc#1211790)
+
+  Functional Enhancements
+
+  - add client method to generate TLE struct (#1498)
+  - add dsse type (#1487)
+  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP 
(#1488)
+  - Add concurrency to backfill-redis (#1504)
+  - omit informational message if machine-parseable output has been requested 
(#1486)
+  - Publish stable checkpoint periodically to Redis (#1461)
+  - Add intoto v0.0.2 to backfill script (#1500)
+  - add new method to test insertability of proposed entries into log (#1410)
+
+  Quality Enhancements
+
+  - use t.Skip() in fuzzers (#1506)
+  - improve fuzzing coverage (#1499)
+  - Remove watcher script (#1484)
+
+  Bug Fixes
+
+  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
+  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
+  - fix lint errors, bump linter up to 1.52 (#1485)
+  - Remove dependencies from pkg/util (#1469)
+
+---

Old:

  rekor-1.1.1.tar.gz

New:

  rekor-1.2.1.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.wOwiqe/_old  2023-05-30 22:03:08.055254944 +0200
+++ /var/tmp/diff_new_pack.wOwiqe/_new  2023-05-30 22:03:08.059254967 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.1.1
+Version:1.2.1
 Release:0
-%define revision 0c1914e5e955cb9f514e32b222cf61a13e91ab08
+%define revision 576458cb53269ed54dccf8a43271ee02a785c191
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-1.1.1.tar.gz -> rekor-1.2.1.tar.gz ++
 15128 lines of diff (skipped)

++ vendor.tar.xz ++
 186096 lines of diff (skipped)


commit rekor for openSUSE:Factory

2023-05-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2023-05-10 16:17:15

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1533 (New)


Package is "rekor"

Wed May 10 16:17:15 2023 rev:16 rq:1085763 version:1.1.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2023-05-04 
17:10:37.244381189 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1533/rekor.changes2023-05-10 
16:17:18.766544639 +0200
@@ -17,0 +18,6 @@
+  Security fixes:
+
+  - CVE-2023-30551: Fixed a potential denial of service (out of memory)
+when processing JAR META-INF files or .SIGN/.PKINFO files in APK files.
+(bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9)
+



Other differences:
--


commit rekor for openSUSE:Factory

2023-05-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2023-05-04 17:10:23

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1533 (New)


Package is "rekor"

Thu May  4 17:10:23 2023 rev:15 rq:1084327 version:1.1.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2023-04-05 
21:35:58.442677700 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1533/rekor.changes2023-05-04 
17:10:37.244381189 +0200
@@ -1,0 +2,17 @@
+Wed May  3 12:23:27 UTC 2023 - Marcus Meissner 
+
+- updated to rekor 1.1.1 (jsc#SLE-23476):
+  Functional Enhancements
+
+  - Refactor Trillian client with exported methods (#1454)
+  - Switch to official redis-go client (#1459)
+  - Remove replace in go.mod (#1444)
+  - Add Rekor OID info. (#1390)
+
+  Quality Enhancements
+
+  - remove legacy encrypted cosign key (#1446)
+  - swap cjson dependency (#1441)
+  - Update release readme (#1456)
+
+---

Old:

  rekor-1.1.0.tar.gz

New:

  rekor-1.1.1.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.cowKQ9/_old  2023-05-04 17:10:38.696389691 +0200
+++ /var/tmp/diff_new_pack.cowKQ9/_new  2023-05-04 17:10:38.728389878 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.1.0
+Version:1.1.1
 Release:0
-%define revision 4a6592612dc015f24d0700b6d274b3663d128ad8
+%define revision 0c1914e5e955cb9f514e32b222cf61a13e91ab08
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-1.1.0.tar.gz -> rekor-1.1.1.tar.gz ++
 2771 lines of diff (skipped)

++ vendor.tar.xz ++
 65236 lines of diff (skipped)


commit rekor for openSUSE:Factory

2023-04-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2023-04-05 21:28:33

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.19717 (New)


Package is "rekor"

Wed Apr  5 21:28:33 2023 rev:14 rq:1077494 version:1.1.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-12-05 
18:01:52.276800532 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.19717/rekor.changes   2023-04-05 
21:35:58.442677700 +0200
@@ -1,0 +2,40 @@
+Wed Apr  5 08:27:23 UTC 2023 - Marcus Meissner 
+
+- updated to rekor 1.1.0 (jsc#SLE-23476):
+  Functional Enhancements
+
+  - improve validation on intoto v0.0.2 type (#1351)
+  - add feature to limit HTTP request body length to process (#1334)
+  - add information about the file size limit (#1313)
+  - Add script to backfill Redis from Rekor (#1163)
+  - Feature: add search support for sha512 (#1142)
+
+  Quality Enhancements
+
+  - various fuzzing fixes
+
+  Bug Fixes
+
+  - remove goroutine usage from SearchLogQuery (#1407)
+  - drop log messages regarding attestation storage to debug (#1408)
+  - fix validation for proposed vs committed log entries for intoto v0.0.1 
(#1309)
+  - fix: fix regex for multi-digit counts (#1321)
+  - return NotFound if treesize is 0 rather than calling trillian (#1311)
+  - enumerate slice to get sugared logs (#1312)
+  - put a reasonable size limit on ssh key reader (#1288)
+  - CLIENT: Fix Custom Host and Path Issue (#1306)
+  - do not persist local state if log is empty; fail consistency proofs from 0 
size (#1290)
+  - correctly handle invalid or missing pki format (#1281)
+  - Add Verifier to get public key/cert and identities for entry type (#1210)
+  - fix goroutine leak in client; add insecure TLS option (#1238)
+  - Fix - Remove the force-recreate flag (#1179)
+  - trim whitespace around public keys before parsing (#1175)
+  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
+  - Revert "remove double encoding of payload and signature fields for intoto 
(#1150)" (#1158)
+  - remove double encoding of payload and signature fields for intoto (#1150)
+  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
+  - Remove pem-certificate-chain from client (#1138)
+  - fix flag type for operator in search (#1136)
+  - use sigstore/community dep review (#1132)
+
+---

Old:

  rekor-1.0.1.tar.gz

New:

  rekor-1.1.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.vKkESf/_old  2023-04-05 21:35:59.070681285 +0200
+++ /var/tmp/diff_new_pack.vKkESf/_new  2023-04-05 21:35:59.078681330 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package rekor
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.0.1
+Version:1.1.0
 Release:0
-%define revision d3162350e96098ca8a24adfdbee42057e43b5de6
+%define revision 4a6592612dc015f24d0700b6d274b3663d128ad8
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-1.0.1.tar.gz -> rekor-1.1.0.tar.gz ++
 19190 lines of diff (skipped)

++ vendor.tar.xz ++
 943257 lines of diff (skipped)


commit rekor for openSUSE:Factory

2022-12-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-12-05 18:01:40

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1835 (New)


Package is "rekor"

Mon Dec  5 18:01:40 2022 rev:13 rq:1040165 version:1.0.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-10-19 
13:18:33.401331493 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1835/rekor.changes2022-12-05 
18:01:52.276800532 +0100
@@ -1,0 +2,6 @@
+Tue Nov 29 13:42:54 UTC 2022 - Marcus Meissner 
+
+- updated to rekor 1.0.1 (jsc#SLE-23476):
+  - stop inserting envelope hash for intoto:0.0.2 types into index
+
+---
@@ -4 +10 @@
-- updated to rekor 1.0.0 (sc#SLE-23476):
+- updated to rekor 1.0.0 (jsc#SLE-23476):

Old:

  rekor-1.0.0.tar.gz

New:

  rekor-1.0.1.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.qMZFq0/_old  2022-12-05 18:01:53.436806849 +0100
+++ /var/tmp/diff_new_pack.qMZFq0/_new  2022-12-05 18:01:53.440806871 +0100
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:1.0.0
+Version:1.0.1
 Release:0
-%define revision 7215f5c4782deef0b9c249d39ab6b9bc70d58a94
+%define revision d3162350e96098ca8a24adfdbee42057e43b5de6
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-1.0.0.tar.gz -> rekor-1.0.1.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-1.0.0/.github/workflows/build.yml 
new/rekor-1.0.1/.github/workflows/build.yml
--- old/rekor-1.0.0/.github/workflows/build.yml 2022-10-17 19:35:23.0 
+0200
+++ new/rekor-1.0.1/.github/workflows/build.yml 2022-11-10 16:26:56.0 
+0100
@@ -20,7 +20,7 @@
   push:
 branches:
   - main
-  - release-*
+  - 'release-**'
 tags:
   - '*'
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-1.0.0/.github/workflows/codeql-analysis.yml 
new/rekor-1.0.1/.github/workflows/codeql-analysis.yml
--- old/rekor-1.0.0/.github/workflows/codeql-analysis.yml   2022-10-17 
19:35:23.0 +0200
+++ new/rekor-1.0.1/.github/workflows/codeql-analysis.yml   2022-11-10 
16:26:56.0 +0100
@@ -17,10 +17,13 @@
 name: CodeQL
 on:
   push:
-branches: [ main ]
+branches:
+  - main
+  - 'release-**'
   pull_request:
-# The branches below must be a subset of the branches above
-branches: [ main ]
+branches:
+  - main
+  - 'release-**'
   schedule:
 - cron: '45 10 * * 1'
 
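Review bot: The pull_request block loses the comment "The branches below must be a subset of the branches above" while the same two-entry branch list is now written out twice. If that constraint still applies, keep the comment so a later edit to one list is not made without the other.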
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-1.0.0/.github/workflows/main.yml 
new/rekor-1.0.1/.github/workflows/main.yml
--- old/rekor-1.0.0/.github/workflows/main.yml  2022-10-17 19:35:23.0 
+0200
+++ new/rekor-1.0.1/.github/workflows/main.yml  2022-11-10 16:26:56.0 
+0100
@@ -17,9 +17,13 @@
 
 on:
   push:
-branches: [ main ]
+branches:
+  - main
+  - 'release-**'
   pull_request:
-branches: [ main ]
+branches:
+  - main
+  - 'release-**'
 
 permissions:
   contents: read
@@ -63,8 +67,10 @@
 
   - name: container
 run: |
-  make ko-local 2>&1 | tee output.txt
-  docker run --rm $(tail -1 output.txt) version
+  make ko-local
+  docker run --rm $(cat rekorImagerefs) version
+  docker run --rm $(cat cliImagerefs) version
+  docker run --rm $(cat redisImagerefs) --version
 
   e2e:
 runs-on: ubuntu-20.04
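Review bot: In the container step, `$(cat rekorImagerefs)` and the two sibling substitutions are unquoted and unchecked, so if `make ko-local` leaves one of these files missing or empty the command collapses to `docker run --rm version`, which treats "version" as the image name and fails with a misleading pull error. Check that each file is non-empty (for example with `test -s`) before the docker run lines.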
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-1.0.0/.github/workflows/milestone.yml 
new/rekor-1.0.1/.github/workflows/milestone.yml
--- old/rekor-1.0.0/.github/workflows/milestone.yml 2022-10-17 
19:35:23.0 +0200
+++ new/rekor-1.0.1/.github/workflows/milestone.yml 2022-11-10 
16:26:56.0 +0100
@@ -5,6 +5,7 @@
 types: [closed]
 branches:
   - main
+  - 'release-**'
 
 jobs:
   milestone:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-1.0.0/.github/workflows/scorecard_action.yml 
new/rekor-1.0.1/.github/workflows/scorecard_action.yml
--- old/rekor-1.0.0/.github/workflows/scorecard_action.yml  2022-10-17 
19:35:23.0 +0200
+++ new/rekor-1.0.1/.github/workflows/scorecard_action.yml  2022-11-10 
16:26:56.0 +0100
@@ -6,7 +6,9 @@
 # Weekly on Saturdays.
 - cron: '30 1 * * 6'
   push:
-branches: 

commit rekor for openSUSE:Factory

2022-10-19 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-10-19 13:18:02

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.2275 (New)


Package is "rekor"

Wed Oct 19 13:18:02 2022 rev:12 rq:1029934 version:1.0.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-10-04 
20:38:19.144966897 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.2275/rekor.changes2022-10-19 
13:18:33.401331493 +0200
@@ -1,0 +2,19 @@
+Wed Oct 19 08:21:25 UTC 2022 - Marcus Meissner 
+
+- updated to rekor 1.0.0 (sc#SLE-23476):
+  - add description on /api/v1/index/retrieve endpoint by @bobcallaway in 
https://github.com/sigstore/rekor/pull/1073
+  - Adding e2e test coverage by @cdris in 
https://github.com/sigstore/rekor/pull/1071
+  - export rekor build/version information by @cpanato in 
https://github.com/sigstore/rekor/pull/1074
+  - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk 
in https://github.com/sigstore/rekor/pull/1083
+  - Search through all shards when searching by hash by @priyawadhwa in 
https://github.com/sigstore/rekor/pull/1082
+  - verify: verify checkpoint's STH against the inclusion proof root hash by 
@asraa in https://github.com/sigstore/rekor/pull/1092
+  - add ability to enable/disable specific rekor API endpoints by @bobcallaway 
in https://github.com/sigstore/rekor/pull/1080
+  - enable configurable client retries with backoff in RekorClient by 
@bobcallaway in https://github.com/sigstore/rekor/pull/1096
+  - remove dead code around api-key and timestamp references by @bobcallaway 
in https://github.com/sigstore/rekor/pull/1098
+  - update swagger API version to 1.0.0 by @bobcallaway in 
https://github.com/sigstore/rekor/pull/1102
+  - remove unused RekorVersion API definition by @bobcallaway in 
https://github.com/sigstore/rekor/pull/1101
+  - install gocovmerge in hack/tools by @bobcallaway in 
https://github.com/sigstore/rekor/pull/1103
+  - add retry command line flag on rekor-cli by @bobcallaway in 
https://github.com/sigstore/rekor/pull/1097
+  - Add some info and debug logging to commonly used funcs by @priyawadhwa in 
https://github.com/sigstore/rekor/pull/1106
+
+---

Old:

  rekor-0.12.2.tar.gz

New:

  rekor-1.0.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.sT9dq1/_old  2022-10-19 13:18:34.189333126 +0200
+++ /var/tmp/diff_new_pack.sT9dq1/_new  2022-10-19 13:18:34.19134 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.12.2
+Version:1.0.0
 Release:0
-%define revision a85980732bda434ba14ed24c65e4f78c6a9d3dfe
+%define revision 7215f5c4782deef0b9c249d39ab6b9bc70d58a94
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.12.2.tar.gz -> rekor-1.0.0.tar.gz ++
 2225 lines of diff (skipped)

++ vendor.tar.xz ++


commit rekor for openSUSE:Factory

2022-10-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-10-04 20:38:15

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.2275 (New)


Package is "rekor"

Tue Oct  4 20:38:15 2022 rev:11 rq:1007909 version:0.12.2

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-09-27 
20:14:44.285933151 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.2275/rekor.changes2022-10-04 
20:38:19.144966897 +0200
@@ -1,0 +2,10 @@
+Fri Sep 30 13:59:10 UTC 2022 - Marcus Meissner 
+
+- updated to rekor 0.12.2 (jsc#SLE-23476):
+  - add description on /api/v1/index/retrieve endpoint
+  - Adding e2e test coverage
+  - export rekor build/version information
+  - Use POST instead of GET for /api/log/entries/retrieve metrics.
+  - Search through all shards when searching by hash
+
+---

Old:

  rekor-0.12.1.tar.gz

New:

  rekor-0.12.2.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.GY2ztQ/_old  2022-10-04 20:38:20.108968267 +0200
+++ /var/tmp/diff_new_pack.GY2ztQ/_new  2022-10-04 20:38:20.112968273 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.12.1
+Version:0.12.2
 Release:0
-%define revision 584bc16fc8eba7c7663f540dea12730a71f830c1
+%define revision a85980732bda434ba14ed24c65e4f78c6a9d3dfe
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.12.1.tar.gz -> rekor-0.12.2.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.1/.github/workflows/build.yml 
new/rekor-0.12.2/.github/workflows/build.yml
--- old/rekor-0.12.1/.github/workflows/build.yml2022-09-21 
13:38:41.0 +0200
+++ new/rekor-0.12.2/.github/workflows/build.yml2022-09-29 
17:43:35.0 +0200
@@ -35,7 +35,7 @@
 
 steps:
   - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # 
v3.0.2
-  - uses: 
sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 # v2.6.0
+  - uses: 
sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # v2.7.0
 
   - name: Extract version of Go to use
 run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } 
' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.1/.github/workflows/codeql-analysis.yml 
new/rekor-0.12.2/.github/workflows/codeql-analysis.yml
--- old/rekor-0.12.1/.github/workflows/codeql-analysis.yml  2022-09-21 
13:38:41.0 +0200
+++ new/rekor-0.12.2/.github/workflows/codeql-analysis.yml  2022-09-29 
17:43:35.0 +0200
@@ -43,12 +43,12 @@
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-  uses: github/codeql-action/init@904260d7d935dff982205cbdb42025ce30b7a34f 
# v2.1.24
+  uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4 
# v2.1.25
   with:
 languages: ${{ matrix.language }}
 
 - name: Autobuild
-  uses: 
github/codeql-action/autobuild@904260d7d935dff982205cbdb42025ce30b7a34f # 
v2.1.24
+  uses: 
github/codeql-action/autobuild@86f3159a697a097a813ad9bfa0002412d97690a4 # 
v2.1.25
 
 - name: Perform CodeQL Analysis
-  uses: 
github/codeql-action/analyze@904260d7d935dff982205cbdb42025ce30b7a34f # v2.1.24
+  uses: 
github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4 # v2.1.25
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.1/.github/workflows/depsreview.yml 
new/rekor-0.12.2/.github/workflows/depsreview.yml
--- old/rekor-0.12.1/.github/workflows/depsreview.yml   2022-09-21 
13:38:41.0 +0200
+++ new/rekor-0.12.2/.github/workflows/depsreview.yml   2022-09-29 
17:43:35.0 +0200
@@ -25,4 +25,4 @@
   - name: 'Checkout Repository'
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
   - name: 'Dependency Review'
-uses: 
actions/dependency-review-action@2b96ea7f03d82de498e97b42e6bee3f7cb0dafaa # v2
+uses: 
actions/dependency-review-action@375c5370086bfff256c37f8beec0f437e2e72ae1 # 
v2.4.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.1/.github/workflows/main.yml 
new/rekor-0.12.2/.github/workflows/main.yml
--- old/rekor-0.12.1/.github/workflows/main.yml 2022-09-21 13:38:41.0 
+0200
+++ 

commit rekor for openSUSE:Factory

2022-09-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-09-27 20:14:31

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.2275 (New)


Package is "rekor"

Tue Sep 27 20:14:31 2022 rev:10 rq:1006397 version:0.12.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-09-15 
23:01:18.453574043 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.2275/rekor.changes2022-09-27 
20:14:44.285933151 +0200
@@ -1,0 +2,11 @@
+Tue Sep 27 12:22:57 UTC 2022 - Marcus Meissner 
+
+- updated to rekor 0.12.1 (jsc#SLE-23476):
+  - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. 
Users of rekor-cli MUST upgrade to the latest version
+The addition of the intotov2 created a breaking change for the rekor-cli
+  - What's Changed
+- fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
+- feat: add file based signer and password by @asraa in #1049
+- Adds new rekor metrics for latency and QPS. by @var-sdk in #1059
+
+---

Old:

  rekor-0.12.0.tar.gz

New:

  rekor-0.12.1.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.Onf6lT/_old  2022-09-27 20:14:44.993934693 +0200
+++ /var/tmp/diff_new_pack.Onf6lT/_new  2022-09-27 20:14:45.001934710 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.12.0
+Version:0.12.1
 Release:0
-%define revision e7dc6c558491c108ed109557fad5404a5bef2197
+%define revision 584bc16fc8eba7c7663f540dea12730a71f830c1
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.12.0.tar.gz -> rekor-0.12.1.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/codeql-analysis.yml 
new/rekor-0.12.1/.github/workflows/codeql-analysis.yml
--- old/rekor-0.12.0/.github/workflows/codeql-analysis.yml  2022-09-13 
17:00:10.0 +0200
+++ new/rekor-0.12.1/.github/workflows/codeql-analysis.yml  2022-09-21 
13:38:41.0 +0200
@@ -43,12 +43,12 @@
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-  uses: github/codeql-action/init@b398f525a5587552e573b247ac661067fafa920b 
# v2.1.22
+  uses: github/codeql-action/init@904260d7d935dff982205cbdb42025ce30b7a34f 
# v2.1.24
   with:
 languages: ${{ matrix.language }}
 
 - name: Autobuild
-  uses: 
github/codeql-action/autobuild@b398f525a5587552e573b247ac661067fafa920b # 
v2.1.22
+  uses: 
github/codeql-action/autobuild@904260d7d935dff982205cbdb42025ce30b7a34f # 
v2.1.24
 
 - name: Perform CodeQL Analysis
-  uses: 
github/codeql-action/analyze@b398f525a5587552e573b247ac661067fafa920b # v2.1.22
+  uses: 
github/codeql-action/analyze@904260d7d935dff982205cbdb42025ce30b7a34f # v2.1.24
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/depsreview.yml 
new/rekor-0.12.1/.github/workflows/depsreview.yml
--- old/rekor-0.12.0/.github/workflows/depsreview.yml   2022-09-13 
17:00:10.0 +0200
+++ new/rekor-0.12.1/.github/workflows/depsreview.yml   2022-09-21 
13:38:41.0 +0200
@@ -25,4 +25,4 @@
   - name: 'Checkout Repository'
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
   - name: 'Dependency Review'
-uses: 
actions/dependency-review-action@23d1b6fa5401173051ec21eba8c35242733f # v2
+uses: 
actions/dependency-review-action@2b96ea7f03d82de498e97b42e6bee3f7cb0dafaa # v2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/main.yml 
new/rekor-0.12.1/.github/workflows/main.yml
--- old/rekor-0.12.0/.github/workflows/main.yml 2022-09-13 17:00:10.0 
+0200
+++ new/rekor-0.12.1/.github/workflows/main.yml 2022-09-21 13:38:41.0 
+0200
@@ -43,7 +43,7 @@
   - name: Test
 run: go test -v -coverprofile=coverage.txt -covermode=atomic ./...
   - name: Upload Coverage Report
-uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 
# v3.1.0
+uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 
# v3.1.0
   - name: Ensure no files were modified as a result of the build
 run: git update-index --refresh && git diff-index --quiet HEAD -- || 
git diff --exit-code
 
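Review bot: in the `Upload Coverage Report` step the pinned commit changes but the trailing comment reads `# v3.1.0` on both the removed and the added line, so either the comment is stale or the pin has moved to a commit that is not the v3.1.0 tag. Confirm which release the new commit belongs to and update the comment to match, since the comment is the only human-readable check on the pin.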
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 

commit rekor for openSUSE:Factory

2022-09-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-09-15 23:00:05

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.2083 (New)


Package is "rekor"

Thu Sep 15 23:00:05 2022 rev:9 rq:1003863 version:0.12.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-07-28 
20:58:56.547619556 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.2083/rekor.changes2022-09-15 
23:01:18.453574043 +0200
@@ -1,0 +2,49 @@
+Thu Sep 15 12:33:21 UTC 2022 - Marcus Meissner 
+
+- updated to rekor 0.12.0 (jsc#SLE-23476):
+  - check supportedVersions list rather than directly reading from version map 
by @bobcallaway in #1003
+  - enable blocking specific pluggable type versions from being inserted into 
the log by @bobcallaway in #1004
+  - api.SearchLogQueryHandler thread safety by @cdris in #1006
+  - 'docker compose' to 'docker-compose' by @bobcallaway in #1009
+  - Intoto v0.0.2 by @pxp928 in #973
+  - Add bounds on number of elements in api/v1/log/entries/retrieve by 
@priyawadhwa in #1011
+  - Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in 
#1013
+  - feat: add verification functions by @asraa in #986
+  - Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa 
in #1017
+  - Include checkpoint (STH) in entry upload and retrieve responses by 
@haydentherapper in #1015
+  - fix: use entry uuid uniformly in return responses by @asraa in #1012
+  - remove /api/v1/version endpoint by @bobcallaway in #1022
+  - Fix rekor-cli backwards incompatibility & run harness tests against HEAD 
by @priyawadhwa in #1030
+  - Fix harness tests @ main by @priyawadhwa in #1038
+  - Fetch all tags in harness tests by @priyawadhwa in #1039
+  - fix retrieve endpoint response code and add testing by @asraa in #1043
+- updated to rekor 0.11.0:
+  - Add rekor harness tests by @priyawadhwa in #945
+  - Persist and check attestations across harness tests by @priyawadhwa in #952
+  - Add harness test for getting all entries by UUID and EntryID by 
@priyawadhwa in #957
+  - api: fix inclusion proof verification flake by @asraa in #956
+  - change default value for rekor_server.hostname to server's hostname by 
@bobcallaway in #963
+  - fix nil-pointer error when artifact-hash is passed without artifact by 
@dsa0x in #965
+  - Add prometheus summary to track metric latency by @priyawadhwa in #966
+  - compute payload and envelope hashes upon validating intoto proposed 
entries by @bobcallaway in #967
+  - update field documentation on publicKey for hashedrekord by @bobcallaway 
in #969
+  - Allow sharding config to be written in yaml or json by @priyawadhwa in #974
+  - fix incorrect schema id for cose type by @bobcallaway in #979
+  - fix: make rekor verify work with sharded uuids by @asraa in #970
+  - update builder and cosign images by @cpanato in #981
+  - remove trailing slash on directories by @bobcallaway in #984
+  - add support for intersection & union in search operations by @dsa0x in #968
+  - Update scorecard-action to v2:alpha by @azeemshaikh38 in #987
+- updated to rekor 0.10.0:
+  - reuse DSSE signature wrappers instead of a local copy by @bobcallaway in 
#912
+  - Updates on the release job/makefile cleanup by @cpanato in #914
+  - Return 404 if entry isn't found in log by @priyawadhwa in #915
+  - Update cosign image in validate-release job by @priyawadhwa in #931
+  - update go builder and cosign image by @cpanato in #934
+  - Drop application/yaml content type by @haydentherapper in #933
+  - Add rekor test harness to presubmit tests by @priyawadhwa in #921
+  - sparkles Enable Scorecard badge by @azeemshaikh38 in #941
+  - update go mod in hack/tools to go1.18 by @cpanato in #935
+  - add ldflags back by @cpanato in #944
+
+---
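Review bot: this entry folds 0.10.0 through 0.12.0 into one update and lists "remove /api/v1/version endpoint" (0.12.0) and "Drop application/yaml content type" (0.10.0) as ordinary bullets, although both remove interfaces that existing clients may call. Mark them as incompatible changes at the top of the entry. The word "sparkles" at the start of the Scorecard item reads like a leftover emoji shortcode and can be dropped.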

Old:

  rekor-0.9.1.tar.gz

New:

  rekor-0.12.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.zZrBQh/_old  2022-09-15 23:01:18.917575353 +0200
+++ /var/tmp/diff_new_pack.zZrBQh/_new  2022-09-15 23:01:18.925575376 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.9.1
+Version:0.12.0
 Release:0
-%define revision fb4ed403d0ee6366a2a06c5703700af19864c90f
+%define revision e7dc6c558491c108ed109557fad5404a5bef2197
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.9.1.tar.gz -> rekor-0.12.0.tar.gz ++
 16076 lines of diff (skipped)

++ vendor.tar.xz ++
 84384 lines of diff (skipped)


commit rekor for openSUSE:Factory

2022-07-28 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-07-28 20:58:38

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1533 (New)


Package is "rekor"

Thu Jul 28 20:58:38 2022 rev:8 rq:991395 version:0.9.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-06-30 
13:18:22.757534145 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1533/rekor.changes2022-07-28 
20:58:56.547619556 +0200
@@ -1,0 +2,20 @@
+Wed Jul 27 13:26:17 UTC 2022 - Marcus Meissner 
+
+- updated to rekor 0.9.1
+  - feat: add subject URIs to index for x509 certificates by @asraa in #897
+  - fix: sql syntax in dbcreate script by @xens in #903
+  - Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904
+  - Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in 
#905
+  - ensure log messages have requestID where possible by @bobcallaway in #907
+  - Remove unnecessary lookup of non-existent attestations from storage layer 
by @bobcallaway in #909
+  - Fix bug where /retrieve endpoint returns wrong logIndex across shards by 
@priyawadhwa in #908
+
+- updated to rekor 0.9.0
+  - Add COSE support to Rekor by @kommendorkapten in #867
+  - Fix intoto index keys by @bobcallaway in #889
+  - Resolve virtual log index when calling /retrieve endpoint by @priyawadhwa 
in #894
+- updated to rekor 0.8.2
+  - collect docker-compose logs if sharding tests fail, also trim IDs by 
@bobcallaway in #869
+  - ensure fallback logic executes if attestation key is empty when fetching 
attestation by @bobcallaway in #878
+
+---

Old:

  rekor-0.8.1.tar.gz

New:

  rekor-0.9.1.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.Btt5PE/_old  2022-07-28 20:58:57.223621459 +0200
+++ /var/tmp/diff_new_pack.Btt5PE/_new  2022-07-28 20:58:57.227621471 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.8.1
+Version:0.9.1
 Release:0
-%define revision e981811726530c70ec707902022c336d1f1c37b4
+%define revision fb4ed403d0ee6366a2a06c5703700af19864c90f
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.8.1.tar.gz -> rekor-0.9.1.tar.gz ++
 8369 lines of diff (skipped)

++ vendor.tar.xz ++
 12423 lines of diff (skipped)


commit rekor for openSUSE:Factory

2022-06-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-06-30 13:18:16

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1548 (New)


Package is "rekor"

Thu Jun 30 13:18:16 2022 rev:7 rq:985790 version:0.8.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-06-20 
15:39:11.939028278 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1548/rekor.changes2022-06-30 
13:18:22.757534145 +0200
@@ -1,0 +2,6 @@
+Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner 
+
+- rekor-zypper-verify.sh: add a small script that verifies the on-system
+  zypper repo cache against rekor transparency log.
+
+---

New:

  rekor-zypper-verify.sh



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.1YmLM2/_old  2022-06-30 13:18:23.225534496 +0200
+++ /var/tmp/diff_new_pack.1YmLM2/_new  2022-06-30 13:18:23.229534500 +0200
@@ -27,6 +27,7 @@
 URL:https://github.com/sigstore/rekor
 Source: 
https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:vendor.tar.xz
+Source2:rekor-zypper-verify.sh
 BuildRequires:  golang-packaging
 BuildRequires:  golang(API)
 %{go_nostrip}
@@ -55,6 +56,7 @@
 for app in %{apps} ; do
 install -D -m 0755 rekor-${app} %{buildroot}%{_bindir}/rekor-${app}
 done
+install -m 0755 %SOURCE2 %{buildroot}%{_bindir}/rekor-zypp-verify
 
 %files
 %license LICENSE
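Review bot: the added `install` line in the second hunk installs the script as `rekor-zypp-verify`, while `Source2` and the changelog name it `rekor-zypper-verify.sh`. Pick one name so users can find the tool the changelog announces. No `%files` change is visible in this diff, so also confirm that the existing `%files` list covers the new path under `%{_bindir}`.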

++ rekor-zypper-verify.sh ++
#!/bin/bash
#
# This scripts verifies presence of the current repomd signatures in the rekor 
log
# for each of existing libzypp tracked repos.
#

zypper -q refresh

for repo in /etc/zypp/repos.d/*.repo
do
if grep enabled=1 $repo >/dev/null; then
repodirname=`grep '^\[' "$repo"|sed -e 's/.*\[//;s/\].*//;'`
name="`grep ^name= $repo|sed -e 's/name=//;'`"
if [ "x$name" == "x" ]; then
name="$repodirname"
fi

# echo "name: $name, repodirname $repodirname"

repodata="/var/cache/zypp/raw/$repodirname/repodata"
if [ -d "$repodata" ]; then
if rekor-cli verify --artifact "$repodata/repomd.xml" 
--signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" 
>/dev/null 2>&1; then
echo "$name repomd.xml signature is in rekor 
log"
else
echo "$name repomd.xml signature is NOT in 
rekor log"
fi
else
echo "$name has no repodata/ directory in $repodata, 
not a RPM-MD repository?"
fi
fi
done
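Review bot: the `rekor-cli verify` call takes `--public-key` from `$repodata/repomd.xml.key`, the same cache directory that supplies the artifact and the signature, so a positive result only shows that this key and signature pair was logged, not that the key is one the system already trusts. Comparing the key against the keys already imported for the repository would close that gap. Because output is sent to `/dev/null` and only the exit status is tested, a network or log outage prints the same "NOT in rekor log" line as a missing entry, and the script never sets a non-zero exit status, so callers cannot act on a failure. `grep enabled=1 $repo` is unquoted and matches anywhere in the file, and if a `.repo` file holds more than one section, `grep '^\['` returns several names and `repodirname` becomes a multi-line value.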


commit rekor for openSUSE:Factory

2022-06-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-06-20 15:38:21

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1548 (New)


Package is "rekor"

Mon Jun 20 15:38:21 2022 rev:6 rq:983855 version:0.8.1

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-04-26 
20:17:36.656749242 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1548/rekor.changes2022-06-20 
15:39:11.939028278 +0200
@@ -1,0 +2,29 @@
+Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner 
+
+- Updated to rekor 0.8.1
+  - Fix indexing bug for intoto attestations by @priyawadhwa in #870
+  - Allow an expired certificate chain to be uploaded and verified by 
@haydentherapper in #873
+- Updated to rekor 0.8.0
+  - Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by 
@dhaus67 in #847
+  - Configure rekor server in e2e tests via env variable by @priyawadhwa in 
#850
+  - update cross-builder image to use go1.17.11 and dockerfile base image by 
@cpanato in #860
+  - update go.mod to go1.17 by @cpanato in #861
+  - Improve error message when using ED25519 with HashedRekord type by 
@haydentherapper in #862
+  - Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve 
endpoint by @priyawadhwa in #859
+  - Print total tree size, including inactive shards in rekor-cli loginfo by 
@priyawadhwa in #864
+- Updated to rekor 0.7.0
+  - remove URL fetch of keys/artifacts server-side by @bobcallaway in #735
+  - intoto: add index on materials digest of slsa provenance by @asraa in #793
+  - chore(deps): Included dependency review by @naveensrinivasan in #788
+  - Check if intoto hash is available before accessing it as an index key by 
@priyawadhwa in #800
+  - Move deprecated dependency: google/trillian/merkle to transparency-dev by 
@asraa in #807
+  - Retrieve shard tree length if it isn't provided in the config by 
@priyawadhwa in #810
+  - update release builder images to use go 1.17.10 and cosign image to 1.8.0 
by @cpanato in #820
+  - update go to 1.17.10 in the dockerfile by @cpanato in #819
+  - Limit the number of certificates parsed in a chain by @haydentherapper in 
#823
+  - Breaking change: Remove timestamping authority by @haydentherapper in #813
+  - Add back owners for rfc3161 package type by @haydentherapper in #833
+  - all: remove dependency on deprecated github.com/pkg/errors by @zchee in 
#834
+  - name stored attestations by digest instead of UUID by @bobcallaway in #769
+
+---
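Review bot: the 0.8.0 item "Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version" describes a security fix but carries no CVE or bug reference, so it cannot be matched to an advisory from the changelog alone. Add the identifier if one exists. The 0.7.0 list also contains "Breaking change: Remove timestamping authority" and "remove URL fetch of keys/artifacts server-side", which change behaviour for existing users and deserve a mention at the top of the entry.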

Old:

  rekor-0.6.0.tar.gz

New:

  rekor-0.8.1.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.sC0uEH/_old  2022-06-20 15:39:12.771029495 +0200
+++ /var/tmp/diff_new_pack.sC0uEH/_new  2022-06-20 15:39:12.779029507 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.6.0
+Version:0.8.1
 Release:0
-%define revision 5c52ad228cb698ea4320dada5cd0a7cd31a5eb9a
+%define revision e981811726530c70ec707902022c336d1f1c37b4
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.6.0.tar.gz -> rekor-0.8.1.tar.gz ++
 13620 lines of diff (skipped)

++ vendor.tar.xz ++
 870377 lines of diff (skipped)


commit rekor for openSUSE:Factory

2022-04-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-04-26 20:15:39

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1538 (New)


Package is "rekor"

Tue Apr 26 20:15:39 2022 rev:5 rq:972809 version:0.6.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-04-03 
21:31:31.115472087 +0200
+++ /work/SRC/openSUSE:Factory/.rekor.new.1538/rekor.changes2022-04-26 
20:17:36.656749242 +0200
@@ -1,0 +2,53 @@
+Tue Apr 26 09:41:49 UTC 2022 - Marcus Meissner 
+
+- Updated to rekor 0.6.0
+
+  - attempting to fix codeowners file by @bobcallaway in #653
+  - Update the warning text for the GA release. by @dlorenc in #654
+  - Add docs about API stability and deprecation policy by @priyawadhwa in #661
+  - update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666
+  - Move k8s objects out of the default namespace by @k4leung4 in #674
+  - add securityContext to deployment. by @k4leung4 in #678
+  - Add intoto type documentation by @jspeed-meyers in #679
+  - create namespace for rekor config in yaml. by @k4leung4 in #680
+  - Set rekor-cli User-Agent header on requests by @bobcallaway in #684
+  - update security process link by @bobcallaway in #685
+  - explicitly set permissions for github actions by @k4leung4 in #687
+  - Add documentation about Alpine type by @jspeed-meyers in #697
+  - Add code coverage to pull requests. by @k4leung4 in #676
+  - Consistent parenthesis use in Makefile by @k4leung4 in #700
+  - Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671
+  - Generate release yaml for non-CI builds. by @k4leung4 in #702
+  - Mirror signed release images from GCR to GHCR as part of release by 
@k4leung4 in #701
+  - build trillian container to existing release. by @k4leung4 in #715
+  - Make the loginfo command a bit more future/backwards proof. by @dlorenc in 
#718
+  - Switch to using the swag library for pointer manipulation. by @dlorenc in 
#719
+  - Change TreeID to be of type string instead of int64 by @priyawadhwa in #712
+  - Add sharding e2e test to Github Actions by @priyawadhwa in #714
+  - fix merge conflict by @priyawadhwa in #720
+  - Clearer logging for createAndInitTree by @priyawadhwa in #724
+  - Return virtual index when creating and getting a log entry by @priyawadhwa 
in #725
+  - Fix copy/paste mistake in repo name. by @k4leung4 in #730
+  - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729
+  - Get log proofs by Tree ID by @priyawadhwa in #733
+  - Refactor rekor-cli loginfo by @priyawadhwa in #734
+  - Update loginfo API endpoint to return information about inactive shards by 
@priyawadhwa in #738
+  - Replace trillian_log_server.log_id_ranges flag with a config file by 
@priyawadhwa in #742
+  - fix build date format for version command by @cpanato in #745
+  - Require tlog_id when log_id_ranges is passed in by @lkatalin in #739
+  - Use active tree on server startup by @lkatalin in #727
+  - Specify public key for inactive shards in shard config by @priyawadhwa in 
#746
+  - Add support for providing certificate chain for X509 signature types by 
@haydentherapper in #747
+  - fix typo in filename by @bobcallaway in #758
+  - Update release jobs and trillian images by @cpanato in #756
+  - Add the SHA256 digest of the intoto payload into the rekor entry by 
@bobcallaway in #764
+  - Add index to hashed intoto envelope by @asraa in #761
+  - Fix link in types README by @eddiezane in #765
+  - set p.Block after parsing in helm provenance type by @bobcallaway in #759
+  - Fix search without sha prefix by @eddiezane in #767
+  - Add in configmap to release for sharding config by @priyawadhwa in #766
+  - Search inactive trees for GET by UUID requests by @lkatalin in #750
+  - Create EntryID for new artifacts and return EntryID to user by @lkatalin 
in #623
+  - Update cloudbuild to not fail when copy the images by @cpanato in #773
+
+---

Old:

  rekor-0.5.0.tar.gz

New:

  rekor-0.6.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.gFxfDD/_old  2022-04-26 20:17:37.228749934 +0200
+++ /var/tmp/diff_new_pack.gFxfDD/_new  2022-04-26 20:17:37.232749939 +0200
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:   rekor
-Version:0.5.0
+Version:0.6.0
 Release:0
-%define revision 09ecf71dff57de24ec5e779b4077b187956edf0e
+%define revision 5c52ad228cb698ea4320dada5cd0a7cd31a5eb9a
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor


commit rekor for openSUSE:Factory

2022-04-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-04-03 21:31:08

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1900 (New)


Package is "rekor"

Sun Apr  3 21:31:08 2022 rev:4 rq:966624 version:0.5.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-01-25 
17:37:44.713642117 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1900/rekor.changes2022-04-03 
21:31:31.115472087 +0200
@@ -1,0 +2,35 @@
+Fri Apr  1 15:13:27 UTC 2022 - Marcus Meissner 
+
+- Updated to rekor 0.5.0
+  * Highlights
+- Add Rekor logo to README (#650)
+- update API calls to v5 (#591)
+- Refactor helm type to remove intermediate state. (#575)
+- Refactor the shard map parsing so we can pass it down into the API 
object. (#564)
+- Refactor the alpine type to reduce intermediate state. (#573)
+  * Enhancements
+- Add logic to GET artifacts via old or new UUID (#587)
+- helpful error message for hashedrekord types (#605)
+- Set Accept header in dynamic counter requests (#594)
+- Add sharding package and update validators (#583)
+- rekor-cli: show the url in case of error (#581)
+- Enable parsing of incomplete minisign keys, to enable re-indexing. (#567)
+- Cleanups on the TUF pluggable type. (#563)
+- Refactor the RPM type to remove more intermediate state. (#566)
+- Do some cleanups of the jar type to remove intermediate state. (#561)
+  * Others
+- update version comments since dependabot doesn't do it (#617)
+- Use workload identity provider instead of GitHub Secret for GCR access 
(#600)
+- add OSSF scorecard action (#599)
+- enable the sbom for rekor releases (#586)
+- Point to the official website (instead of a 404) (#580)
+- Add a Makefile target for the "ko apply" step. (#572)
+- types/README.md: Corrected documentation link (#568)
+
+---
+Thu Feb  3 09:46:25 UTC 2022 - Marcus Meissner 
+
+- enable server build too, as people might want to deploy rekor chain
+  themselves.
+
+---

Old:

  rekor-0.4.0.tar.gz

New:

  rekor-0.5.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.dWKRBR/_old  2022-04-03 21:31:31.823464379 +0200
+++ /var/tmp/diff_new_pack.dWKRBR/_new  2022-04-03 21:31:31.831464293 +0200
@@ -16,12 +16,12 @@
 #
 
 
-%define apps cli
+%define apps cli server
 
 Name:   rekor
-Version:0.4.0
+Version:0.5.0
 Release:0
-%define revision 5025a24e2861d1876d67a09cf6bfad0ee76d64c8
+%define revision 09ecf71dff57de24ec5e779b4077b187956edf0e
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
 URL:https://github.com/sigstore/rekor

++ rekor-0.4.0.tar.gz -> rekor-0.5.0.tar.gz ++
 8974 lines of diff (skipped)

++ vendor.tar.xz ++
 1110500 lines of diff (skipped)


commit rekor for openSUSE:Factory

2022-01-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-01-25 17:36:07

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1938 (New)


Package is "rekor"

Tue Jan 25 17:36:07 2022 rev:3 rq:948953 version:0.4.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-01-07 
12:47:20.827885699 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1938/rekor.changes2022-01-25 
17:37:44.713642117 +0100
@@ -1,0 +2,5 @@
+Tue Jan 25 08:32:11 UTC 2022 - Bernhard Wiedemann 
+
+- Fix BUILD_DATE for reproducible build results (boo#1047218)
+
+---



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.iyTMTZ/_old  2022-01-25 17:37:47.057625973 +0100
+++ /var/tmp/diff_new_pack.iyTMTZ/_new  2022-01-25 17:37:47.065625917 +0100
@@ -42,8 +42,8 @@
 %autosetup -p1 -a1
 
 %build
-DATE_FMT="+%Y-%m-%dT%H:%M:%SZ"
-BUILD_DATE=$(shell date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 
2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || 
date -u "${DATE_FMT}")
+DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
+BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || 
date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u 
"${DATE_FMT}")
 for app in %{apps} ; do
 CLI_PKG=github.com/sigstore/rekor/cmd/rekor-${app}/app
 CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X 
${CLI_PKG}.gitCommit=%{revision} -X ${CLI_PKG}.gitTreeState=release -X 
${CLI_PKG}.buildDate=${BUILD_DATE}"
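Review bot: the new `BUILD_DATE=` line keeps the final `|| date -u "${DATE_FMT}"` fallback, which stamps the current time when `SOURCE_DATE_EPOCH` is unset or both earlier `date` forms fail, so the build would silently stop being reproducible. Failing the build in that case would match the stated goal better. Escaping the format as `%%Y` and replacing the Makefile-style `$(shell ...)` with plain `$(...)` both look right for a spec `%build` section.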


commit rekor for openSUSE:Factory

2022-01-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2022-01-07 12:45:52

Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and  /work/SRC/openSUSE:Factory/.rekor.new.1896 (New)


Package is "rekor"

Fri Jan  7 12:45:52 2022 rev:2 rq:944481 version:0.4.0

Changes:

--- /work/SRC/openSUSE:Factory/rekor/rekor.changes  2022-01-03 
10:50:39.275608826 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1896/rekor.changes2022-01-07 
12:47:20.827885699 +0100
@@ -1,0 +2,8 @@
+Thu Jan  6 14:52:16 UTC 2022 - Marcus Meissner 
+
+- updated to 0.4.0
+  Highlights
+
+  - Adds hashed rekord type that can be used to upload signatures along with 
the hashed content signed (#501)
+
+---

Old:

  rekor-0.3.0.tar.gz

New:

  rekor-0.4.0.tar.gz



Other differences:
--
++ rekor.spec ++
--- /var/tmp/diff_new_pack.aW1g55/_old  2022-01-07 12:47:21.695886302 +0100
+++ /var/tmp/diff_new_pack.aW1g55/_new  2022-01-07 12:47:21.699886305 +0100
@@ -1,5 +1,7 @@
 #
-# Copyright (c) 2021 SUSE LLC
+# spec file for package rekor
+#
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -13,19 +15,20 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
+
 %define apps cli
 
 Name:   rekor
-Version:0.3.0
+Version:0.4.0
 Release:0
-%define revision e4303a8
+%define revision 5025a24e2861d1876d67a09cf6bfad0ee76d64c8
 Summary:Supply Chain Transparency Log
 License:Apache-2.0
-Url:https://github.com/sigstore/rekor
+URL:https://github.com/sigstore/rekor
 Source: 
https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:vendor.tar.xz
-BuildRequires:  golang(API)
 BuildRequires:  golang-packaging
+BuildRequires:  golang(API)
 %{go_nostrip}
 
 %description

++ rekor-0.3.0.tar.gz -> rekor-0.4.0.tar.gz ++
 16794 lines of diff (skipped)

++ vendor.tar.xz ++
 432407 lines of diff (skipped)