Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked in at 2022-09-15 23:00:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and      /work/SRC/openSUSE:Factory/.cosign.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Thu Sep 15 23:00:06 2022 rev:10 rq:1003868 version:1.12.0 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2022-08-05 19:52:47.501733106 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.2083/cosign.changes 2022-09-15 23:01:20.833580762 +0200 
@@ -1,0 +2,38 @@ +Thu Sep 15 12:14:37 UTC 2022 - Marcus Meissner <meiss...@suse.com> + +- updated to 1.12.0 (jsc#SLE-23879) + - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430) + - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203 + - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008 + - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205 + - Clarify error when KMS provider fails to load by @znewman01 in #2220 + - feat: set annotations to generate additional bash completion information by @dirien in #2221 + - Add deprecation warning for sget CLI and packages by @imjasonh in #2019 + - upgrade setup-ko to point to new repo by @imjasonh in #2225 + - Temp fix for e2e test by @haydentherapper in #2247 + - update kind to use release v0.15.0 and some version comments by @cpanato in #2246 + - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248 + - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249 +- updated to 1.11.1 + - add stale workflow using the workflow template by @cpanato in #2175 + - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177 + - add release cadence section in the readme by @cpanato in #2179 + - feat: Rework fig autocomplete command by @dirien in #2187 + - fix: fix typo that caused attestation verification failure by @asraa in #2199 +- updated to 1.11.0 + - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139 + - Add notes to clarify registry use. by @bendory in #2145 + - Use TUF from scaffolding for validating cosign. 
by @vaikas in #2146 + - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152 + - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157 + - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118 + - fix handling of verify-attestation types for URIs by @otms61 in #2159 + - fix oidc post-merge job by @cpanato in #2164 + - Remove third_party by @imjasonh in #2166 + - use updated device flow logic with PKCE by @bobcallaway in #2163 + - fix: rekor get tlog entry with uuid by @asraa in #2058 + - update e2e job to run only when push to main by @cpanato in #2169 + - fix: add env cmd to root by @developer-guy in #2171 + - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162 + +------------------------------------------------------------------- Old: ---- cosign-1.10.1.tar.gz New: ---- cosign-1.12.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.WJ33DE/_old 2022-09-15 23:01:21.637583033 +0200 +++ /var/tmp/diff_new_pack.WJ33DE/_new 2022-09-15 23:01:21.637583033 +0200 
@@ -17,15 +17,15 @@ Name: cosign -Version: 1.10.1 +Version: 1.12.0 Release: 0 -%define revision a39ce91fadc582e0efce3321744a79ccd3c8b39c +%define revision 8483d6c71f153f38f237ba79c88d0fda6306e6e3 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 URL: https://github.com/sigstore/cosign Source: https://github.com/sigstore/cosign/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.bz2 -BuildRequires: go1.17 +BuildRequires: go1.18 BuildRequires: golang-packaging BuildRequires: golang(API) %{go_nostrip} ++++++ cosign-1.10.1.tar.gz -> cosign-1.12.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/cosign/cosign-1.10.1.tar.gz /work/SRC/openSUSE:Factory/.cosign.new.2083/cosign-1.12.0.tar.gz differ: char 15, line 1 ++++++ vendor.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.bz2 /work/SRC/openSUSE:Factory/.cosign.new.2083/vendor.tar.bz2 differ: char 11, line 1
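Review bot: In the cosign.changes hunk, the 1.11.0 entry "Verify the certificate chain against the Fulcio root trust by default" is a change to default verification behaviour but sits among routine items; because this update goes from 1.10.1 straight to 1.12.0, it should be called out as a behaviour change for users who upgrade. The CVE-2022-36056 line with bsc#1203430 is well placed at the top of the 1.12.0 list. CI-only entries such as "Temp fix for e2e test", "update kind to use release v0.15.0" and "add stale workflow using the workflow template" do not affect the packaged binary and could be dropped so the security-relevant lines stand out.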
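Review bot: In the cosign.spec hunk, the BuildRequires bump from go1.17 to go1.18 has no matching line in the cosign.changes entry; add one so the toolchain requirement change is recorded. The "%define revision" value is edited by hand next to "Version:", and nothing in the visible lines ties 8483d6c71f153f38f237ba79c88d0fda6306e6e3 to the v1.12.0 tag, so a spec comment stating that it is the commit of tag v%{version} would make the pairing checkable at the next update. The cosign-1.12.0.tar.gz and vendor.tar.bz2 changes appear only as "differ: char ..." lines, so their contents cannot be reviewed from this mail.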