Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked in at 2023-11-07 21:28:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and /work/SRC/openSUSE:Factory/.cosign.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Tue Nov 7 21:28:40 2023 rev:17 rq:1124000 version:2.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2023-09-02 22:07:49.727640484 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.17445/cosign.changes 2023-11-07 21:29:30.734481632 +0100 
@@ -1,0 +2,51 @@ +Tue Nov 7 13:49:48 UTC 2023 - Marcus Meissner <meiss...@suse.com> + +- updated to 2.2.1 (jsc#SLE-23879) + + This release comes with a fix for + CVE-2023-46737 / bsc#1216933 described in this [Github Security + Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). + + Enhancements: + + * feat: Support basic auth and bearer auth login to registry (#3310) + * add support for ignoring certificates with pkcs11 (#3334) + * Support ReplaceOp in Signatures (#3315) + * feat: added ability to get image digest back via triangulate (#3255) + * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247) + * feat: add support attaching a Rekor bundle to a container (#3246) + * feat: add support outputting rekor response on signing (#3248) + * feat: improve dockerfile verify subcommand (#3264) + * Add guard flag for experimental OCI 1.1 verify. (#3272) + * Deprecate SBOM attachments (#3256) + * feat: dedent line in cosign copy doc (#3244) + * feat: add platform flag to cosign copy command (#3234) + * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219) + * attest: pass OCI remote opts to att resolver. 
(#3225) + + Bug Fixes: + + * Merge pull request from GHSA-vfp6-jrw2-99g9 + * fix: allow cosign download sbom when image is absent (#3245) + * ci: add a OCI registry test for referrers support (#3253) + * Fix ReplaceSignatures (#3292) + * Stop using deprecated in_toto.ProvenanceStatement (#3243) + * Fixes #3236, disable SCT checking for a cosign verification when usin⦠(#3237) + * fix: update error in `SignedEntity` to be more descriptive (#3233) + * Fail timestamp verification if no root is provided (#3224) + + + Documentation: + + * Add some docs about verifying in an air-gapped environment (#3321) + * Update CONTRIBUTING.md (#3268) + * docs: improves the Contribution guidelines (#3257) + * Remove security policy (#3230) + + Others: + + * Set go to min 1.21 and update dependencies (#3327) + * Update contact for code of conduct (#3266) + * Update .ko.yaml (#3240) + +------------------------------------------------------------------- Old: ---- cosign-2.2.0.tar.gz New: ---- cosign-2.2.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.qqaA62/_old 2023-11-07 21:29:31.550511681 +0100 +++ /var/tmp/diff_new_pack.qqaA62/_new 2023-11-07 21:29:31.550511681 +0100 @@ -16,9 +16,9 @@ # -%define revision 546f1c5b91ef58d6b034a402d0211d980184a0e5 +%define revision 12cbf9ea177d22bbf5cf028bcb4712b5f174ebc6 Name: cosign -Version: 2.2.0 +Version: 2.2.1 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 ++++++ cosign-2.2.0.tar.gz -> cosign-2.2.1.tar.gz ++++++ ++++ 6247 lines of diff (skipped) ++++++ vendor.tar.zst ++++++ Binary files /var/tmp/diff_new_pack.qqaA62/_old and /var/tmp/diff_new_pack.qqaA62/_new differ
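Review bot: In the cosign.changes hunk, the security fix is identified only by reference (CVE-2023-46737 / bsc#1216933 in the header, and "Merge pull request from GHSA-vfp6-jrw2-99g9" under Bug Fixes); neither line says what the flaw is or which cosign operation it affects, so a reader of the changelog has to follow the advisory link to judge urgency. Add one sentence summarising the impact next to the CVE reference. The entry ending "when usin⦠(#3237)" is truncated and mis-encoded and should be written out in full, and the Markdown link syntax around the advisory URL will not render in an RPM changelog, so a bare URL would read better.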
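Review bot: In the cosign.spec hunk, `%define revision` moves to 12cbf9ea177d22bbf5cf028bcb4712b5f174ebc6 together with `Version: 2.2.1`, but nothing in the visible lines lets a reviewer confirm that this commit is the one released as 2.2.1, and vendor.tar.zst appears only as "Binary files ... differ". State in the request how the hash and the vendored tree were derived, so both can be reproduced from the upstream release. The changelog also lists "Set go to min 1.21 and update dependencies (#3327)", yet this hunk touches only the revision and Version lines; check that the Go build requirement in the rest of the spec matches that minimum.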