Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cosign for openSUSE:Factory checked in at 2022-01-25 17:36:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cosign (Old) and /work/SRC/openSUSE:Factory/.cosign.new.1938 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Tue Jan 25 17:36:09 2022 rev:2 rq:949015 version:1.5.0 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2022-01-07 12:48:13.343922166 +0100 +++ /work/SRC/openSUSE:Factory/.cosign.new.1938/cosign.changes 2022-01-25 17:37:48.957612887 +0100 
@@ -1,0 +2,71 @@ +Tue Jan 25 12:39:54 UTC 2022 - Marcus Meissner <meiss...@suse.com> + +- updated to 1.5.0 + ## Highlights + + * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261) + * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260) + * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253) + * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245) + * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237) + * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168) + * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220) + * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236) + * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216) + + ## Enhancements + + * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279) + * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334) + * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267) + * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310) + * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306) + * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308) + * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318) + * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316) + * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305) + * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294) + * Add support for importing 
PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300) + * add error message (https://github.com/sigstore/cosign/pull/1296) + * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295) + * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286) + * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268) + * refactor common utilities (https://github.com/sigstore/cosign/pull/1266) + * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050) + * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252) + * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255) + * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256) + * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251) + * Add support for other public key types for SCT verification, allow override for testing. 
(https://github.com/sigstore/cosign/pull/1241) + * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243) + * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230) + * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225) + * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221) + * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213) + * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199) + * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209) + * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200) + * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201) + * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189) + + ## Bug Fixes + + * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328) + * fix missing goimports (https://github.com/sigstore/cosign/pull/1327) + * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320) + * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287) + * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280) + * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270) + * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264) + * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250) + * Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249) + * Fix semantic bug in DSSE specification. 
(https://github.com/sigstore/cosign/pull/1248) + +- vendor.tar.bz2: go mod vendor + +------------------------------------------------------------------- +Tue Jan 25 09:05:54 UTC 2022 - Bernhard Wiedemann <bwiedem...@suse.com> + +- Fix BUILD_DATE for reproducible build results (boo#1047218) + +------------------------------------------------------------------- Old: ---- cosign-1.4.1.tar.gz New: ---- cosign-1.5.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.IKOE5f/_old 2022-01-25 17:37:49.913606302 +0100 +++ /var/tmp/diff_new_pack.IKOE5f/_new 2022-01-25 17:37:49.921606247 +0100 @@ -1,5 +1,7 @@ # -# Copyright (c) 2021 SUSE LLC +# spec file for package cosign +# +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -13,17 +15,18 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + Name: cosign -Version: 1.4.1 -%define revision 934567a4c606cf59e6ab17af889b4db3ee0a3f0b +Version: 1.5.0 Release: 0 +%define revision 757252063bf4724f11a52336ef13a724059a39b6 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 -Url: https://github.com/sigstore/cosign +URL: https://github.com/sigstore/cosign Source: https://github.com/sigstore/cosign/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.bz2 -BuildRequires: golang(API) BuildRequires: golang-packaging +BuildRequires: golang(API) %{go_nostrip} %description 
@@ -41,8 +44,8 @@ %autosetup -p1 -a1 %build -DATE_FMT="+%Y-%m-%dT%H:%M:%SZ" -BUILD_DATE=$(shell date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}") +DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ" +BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}") CLI_PKG=github.com/sigstore/cosign/pkg/version CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=%{revision} -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}" ++++++ cosign-1.4.1.tar.gz -> cosign-1.5.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/cosign/cosign-1.4.1.tar.gz /work/SRC/openSUSE:Factory/.cosign.new.1938/cosign-1.5.0.tar.gz differ: char 12, line 1 ++++++ vendor.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.bz2 /work/SRC/openSUSE:Factory/.cosign.new.1938/vendor.tar.bz2 differ: char 11, line 1
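Review bot: The 1.5.0 changelog entry pastes the upstream release notes verbatim, which leaves two identical lines "generate/upload sbom for cosign projects" (pull/1236 and pull/1237) and a truncated title "signing attestation should private key"; suggest collapsing the duplicate and rewording the truncated line so the package changelog reads cleanly on its own, and pointing at the upstream release page for the full list.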
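Review bot: In the `Version`/`%define revision` hunk, the commit hash `757252063bf4724f11a52336ef13a724059a39b6` is hardcoded with nothing tying it to the `v%{version}` tarball fetched via `Source:`, yet it is baked into the binary as `gitCommit` in the later ldflags hunk; a mismatch would make `cosign version` report a commit that does not correspond to the built sources. Suggest adding a comment above the define stating that it is the commit the `v1.5.0` tag points to, so the next bump does not silently carry a stale hash.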
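Review bot: In the `%build` hunk, the removal of the Make-only `$(shell ...)` wrapper and the `%%` escaping of the `date` format are the actual fix for boo#1047218, but the fallback chain still ends in a bare `date -u "${DATE_FMT}"`: if `SOURCE_DATE_EPOCH` is unset, the `-d "@"` branch fails and the build date silently becomes the current time, defeating the reproducibility goal. Suggest either failing the build when `SOURCE_DATE_EPOCH` is empty or documenting in a comment that the last branch is a deliberate non-reproducible fallback.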