
cosign-1.5.2-150400.1.7 RPM for ppc64le

From OpenSuSE Leap 15.4 for ppc64le

Name: cosign
Distribution: SUSE Linux Enterprise 15
Version: 1.5.2
Vendor: SUSE LLC <https://www.suse.com/>
Release: 150400.1.7
Build date: Sun May 8 01:55:40 2022
Group: Unspecified
Build host: nebbiolo
Size: 277880750
Source RPM: cosign-1.5.2-150400.1.7.src.rpm
Packager: https://www.suse.com/
Url: https://github.com/sigstore/cosign
Summary: Container Signing, Verification and Storage in an OCI registry
Cosign aims to make signatures invisible infrastructure.

Cosign supports:

- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in binary transparency and timestamping service (Rekor)

Provides

Requires

License

Apache-2.0

Changelog

* Mon Feb 21 2022 meissner@suse.com
  - updated to 1.5.2:
    - This release contains fixes for CVE-2022-23649, affecting signature
      validations with Rekor. Only validation is affected; it is not necessary
      to re-sign any artifacts. (bsc#1196239)
  - updated to 1.5.1:
    - Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
    - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
    - expose defaults fulcio, rekor, oidc issuer urls (#1368)
    - add check to make sure the go modules are in sync (#1369)
    - README: fix link to race conditions (#1367)
    - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
    - docs: verify-attestation cue and rego policy doc (#1362)
    - Update verify-blob to support DSSEs (#1355)
    - organize, update select deps (#1358)
    - Bump go-containerregistry to pick up ACR keychain fix (#1357)
    - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
    - sync go modules (#1353)
* Tue Jan 25 2022 meissner@suse.com
  - updated to 1.5.0
    ## Highlights
    * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
    * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
    * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
    * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
    * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
    * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
    * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
    * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
    * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
    ## Enhancements
    * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
    * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
    * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
    * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
    * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
    * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
    * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
    * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
    * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
    * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
    * Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
    * add error message (https://github.com/sigstore/cosign/pull/1296)
    * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
    * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
    * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
    * refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
    * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
    * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
    * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
    * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
    * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
    * Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
    * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
    * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
    * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
    * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
    * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
    * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
    * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
    * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
    * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
    * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
    ## Bug Fixes
    * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
    * fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
    * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
    * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
    * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
    * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
    * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
    * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
    * Fix semantic bugs in attestation verification. (https://github.com/sigstore/cosign/pull/1249)
    * Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
  - vendor.tar.bz2: go mod vendor
* Tue Jan 25 2022 bwiedemann@suse.com
  - Fix BUILD_DATE for reproducible build results (boo#1047218)
* Thu Jan 06 2022 meissner@suse.com
  - cosign 1.4.1 release, initial import
  - provides signing / verification support for sigstore

Files

/usr/bin/cosign
/usr/bin/cosigned
/usr/bin/sget
/usr/share/doc/packages/cosign
/usr/share/doc/packages/cosign/CHANGELOG.md
/usr/share/doc/packages/cosign/CODE_OF_CONDUCT.md
/usr/share/doc/packages/cosign/EXAMPLES.md
/usr/share/doc/packages/cosign/FUN.md
/usr/share/doc/packages/cosign/IMPORT.md
/usr/share/doc/packages/cosign/KEYLESS.md
/usr/share/doc/packages/cosign/KMS.md
/usr/share/doc/packages/cosign/PKCS11.md
/usr/share/doc/packages/cosign/README.md
/usr/share/doc/packages/cosign/TOKENS.md
/usr/share/doc/packages/cosign/USAGE.md
/usr/share/licenses/cosign
/usr/share/licenses/cosign/LICENSE


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Apr 9 17:00:22 2024