Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked in at 2022-09-27 20:14:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and /work/SRC/openSUSE:Factory/.cosign.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Tue Sep 27 20:14:29 2022 rev:11 rq:1006386 version:1.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2022-09-15 23:01:20.833580762 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.2275/cosign.changes 2022-09-27 20:14:41.805927749 +0200 @@ -1,0 +2,17 @@ +Tue Sep 27 12:05:43 UTC 2022 - Dirk M??ller <dmuel...@suse.com> + +- update to 1.12.1: + * fix: Pulls Fulcio root and intermediate when --certificate-chain is not + passed into verify-blob command. The v1.12.0 release introduced a + regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would + check a --certificate (without a --certificate-chain provided) against the + operating system root CA bundle. In this release, Cosign checks the + certificate against Fulcio's CA root instead (restoring the earlier + behavior). + * fix: fix cert chain validation for verify-blob in non-experimental mode + * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba + * Fix BYO-root with intermediate to fetch intermediates from annotation + * fix: fixing breaking changes in rekor v1.12.0 upgrade +- use go-modules service to generate the vendor.tar and use zstd + +------------------------------------------------------------------- Old: ---- cosign-1.12.0.tar.gz vendor.tar.bz2 New: ---- _service cosign-1.12.1.tar.gz vendor.tar.zst ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.Kee7yY/_old 2022-09-27 20:14:43.085930537 +0200 +++ /var/tmp/diff_new_pack.Kee7yY/_new 2022-09-27 20:14:43.089930546 +0200 
@@ -17,18 +17,18 @@ Name: cosign -Version: 1.12.0 +Version: 1.12.1 Release: 0 -%define revision 8483d6c71f153f38f237ba79c88d0fda6306e6e3 +%define revision 0baa044bea61e7c16d56023be20ead3d9204b24a Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 URL: https://github.com/sigstore/cosign Source: https://github.com/sigstore/cosign/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source1: vendor.tar.bz2 +Source1: vendor.tar.zst BuildRequires: go1.18 BuildRequires: golang-packaging +BuildRequires: zstd BuildRequires: golang(API) -%{go_nostrip} %description Cosign aims to make signatures invisible infrastructure. @@ -40,7 +40,6 @@ - Our free OIDC PKI (Fulcio) - Built-in binary transparency and timestamping service (Rekor) - %prep %autosetup -p1 -a1 ++++++ _service ++++++ <services> <service name="go_modules" mode="disabled"> <param name="compression">zst</param> </service> </services> ++++++ cosign-1.12.0.tar.gz -> cosign-1.12.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/cosign/cosign-1.12.0.tar.gz /work/SRC/openSUSE:Factory/.cosign.new.2275/cosign-1.12.1.tar.gz differ: char 13, line 1
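Review bot: In the cosign.changes hunk, the entry "* fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba" misspells the subcommand that the other entries write as verify-blob; correct it before it lands in the package changelog. The first bullet records a trust-anchor regression in v1.12.0 (a --certificate given without --certificate-chain was checked against the operating system root CA bundle instead of Fulcio's CA root), so it is worth stating at the top of the entry that 1.12.1 is a verification fix, so that anyone who shipped 1.12.0 sees why the update matters.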
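Review bot: In the cosign.spec hunk at @@ -17,18 +17,18 @@, the line "-%{go_nostrip}" is dropped without a matching entry in cosign.changes, which only records the go-modules service and the switch to zstd; add a changelog line saying why the macro was removed, since it is a build change unrelated to the version bump. The hard-coded "%define revision 0baa044bea61e7c16d56023be20ead3d9204b24a" has to correspond to the v1.12.1 tag and nothing in the spec checks that, so a short comment naming where the value comes from would make the next bump easier to review.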
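Review bot: In the new _service file, go_modules is declared with mode="disabled", so vendor.tar.zst is produced by a local service run and uploaded by the packager rather than regenerated on the server. That archive holds all vendored dependencies and the diff shows only its file name in the Old/New list, so please document in the spec or in cosign.changes how it was generated, so that a reviewer can rerun the service against cosign-1.12.1.tar.gz and compare the result with the uploaded tarball.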