Release v1.3.0 · ratify-project/ratify

✨ New Features

Support keyless verification in trust policy of Cosign verifier in #1503
Support verifying Notary Project timestamped signature in #1538 and #1758
Support periodic retrieval of key and certificate from Key Management Providers based on the proposal in #1727 and #1773

✨ Other Enhancements

Improve error messages of artifact validation
- Add more fields to verification response in #1671
- refactor error message format in #1675
- fill ErrorReason and Remediation during verifierReport generation in #1682
- add timestamp and traceId to verification response in #1697
- enhance CR status with clearer brief error message in #1734
- refactor cosign verification error messages in #1750
Add namespace label to metrics to enhance observability in #1520
Ability to save errors happened during KMP/CertStore reconciliation which could be checked by verifiers during artifact validation in #1710

🔐 Security

Generate supply chain metadata for dev assets by adding SBOM & provenance Docker build attestations in #1596
Add image signing for dev images and add release sbom in #1629
Add openssf best practices badge by @susanshi in #1696
Setup scanners for Ratify releases by @susanshi in #1521

📄 Documentation

chore: refresh roadmap after v1.2.0 release by @yizha1 in #1541
doc: update README code of conduct by @susanshi in #1553
doc: Update SECURITY.md by @susanshi in #1555
doc: add a proposal for periodic retrieval by @yizha1 in #1510
doc: update minor release branching strategy by @susanshi in #1456
doc: meeting notes ratify-weekly-notes-2023-Jun-2024-Jun.md by @susanshi in #1608
doc: remove CLA section from CONTRIBUTING by @akashsinghal in #1626
doc: design doc for KMP periodic retrieval by @duffney in #1583
doc: add proposal for producing supply chain metadata for all ratify assets by @akashsinghal in #1641
doc: Archive ratify error handling scenario doc by @binbin-li in #1668
doc: proposal for error message improvements by @yizha1 in #1662
doc: update the contributing guide for a successful cli debugging by @shahramk64 in #1718
doc: update contributing guide for enhancement by @susanshi in #1715

🐛 🩹 Bug Fixes

fix: remove Update az cli step in aks test by @binbin-li in #1502
fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version by @akashsinghal in #1505
fix: run full validation for release branch by @susanshi in #1512
fix: fix vulnerabilities by @binbin-li in #1542
fix: enable automated pr to main by @susanshi in #1582
fix: validate plugin version for ratify cli by @susanshi in #1604
fix: warning message is printed to stdout by CLI by @susanshi in #1650
fix: pass CODECOV_TOKEN to reusable workflow by @binbin-li in #1676
fix: remove duplicate $ by @binbin-li in #1677
fix: fix typo in notation verifier by @junczhu in #1678
fix: bump-up docker dependency by @junczhu in #1679
fix: Enforce validation on notation signature blob number by @binbin-li in #1726
fix: remove nonexistent KMP from verifier sample by @binbin-li in #1753
fix: remove critical cache failure in oras GetBlobContent by @binbin-li in #1740
fix: make notation verifier installation optional on ratify installation by @shahramk64 in #1719
fix: remove unused trust store from sample verifier config by @binbin-li in #1790
fix: showing verifier config parse detail in err log by @junczhu in #1791
fix: missing status update in KMP controller by @duffney in #1761

🎉 New Contributors

@shahramk64 made their first contribution in #1718

Changes since v1.2.2

0ee96d8 Create ratify-weekly-notes-2023-Jun-2024-Jun.md
3bafc56 Merge branch 'dev' into clean-package
581be1e Merge branch 'dev' into dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
7e387db Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
bd2f5ca Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
cca0a13 Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
72025fb Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.4
bb8d7f0 Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.6
0447079 Merge branch 'dev' into dependabot/github_actions/anchore/sbom-action-0.17.1
e353f38 Merge branch 'dev' into dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
6ebd6f1 Merge branch 'dev' into dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
bb8516e Merge branch 'dev' into dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
52f92d1 Merge branch 'dev' into dev
451390b Merge branch 'dev' into error-log-message
220dfce Merge branch 'dev' into error-log-message
5b7c4e0 Merge branch 'dev' into error-log-message
18f071a Merge branch 'dev' into fix-codecov
7e74e12 Merge branch 'dev' into ignore-experimental-test
4cf6b6c Merge branch 'dev' into isolate-metrics
ec20d28 Merge branch 'dev' into isolate-metrics
9c534dc Merge branch 'dev' into isolate-metrics
50b334d Merge branch 'dev' into isolate-metrics
0b58daf Merge branch 'dev' into notes
4bbd9f1 Merge branch 'dev' into proposal_errorimprovements
8549d91 Merge branch 'dev' into ratify-err-doc
060c5a5 Merge branch 'dev' into ratify-err-doc
f510dd9 Merge branch 'dev' into remove-autorest-adal
518ad3d Merge branch 'dev' into remove-autorest-adal
6f92077 Merge branch 'dev' into template-result
e757310 Merge branch 'dev' into verification-response
34fbf9f Merge branch 'main' into dev
49201e9 Merge branch 'main' into staging
f201712 Merge branch 'main' into staging
8c87951 Merge branch 'staging' into dependabot/github_actions/codecov/codecov-action-4.3.0
73ef709 Merge branch 'staging' into multi-tenancy-pr-2
6a93bbf Merge pull request #1358 from binbin-li/multi-tenancy-pr-2
6daec5d Merge pull request #1376 from deislabs/staging
9ac7d5a Merge pull request #1379 from deislabs/dependabot/github_actions/codecov/codecov-action-4.3.0
6a5f10c Merge pull request #1388 from deislabs/staging
6a26a56 Merge pull request #1424 from deislabs/dev
194c2aa Merge pull request #1431 from akashsinghal/akashsinghal/fixCosignConfig
f0b1e6b Merge pull request #1444 from deislabs/dev
d78461a Merge pull request #1480 from deislabs/dev
c92687d Merge pull request #1499 from deislabs/dev
61f7c60 Merge pull request #1520 from binbin-li/isolate-metrics
340c4db Merge pull request #1521 from susanshi/dev
8a6f018 Merge pull request #1532 from binbin-li/clean-package
b6a5701 Merge pull request #1533 from ratify-project/dev
6443a65 Merge pull request #1539 from binbin-li/run-scorecard-on-dev
d9d46fe Merge pull request #1542 from binbin-li/fix-vulnerability
5d4720f Merge pull request #1563 from ratify-project/dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
5e81022 Merge pull request #1581 from ratify-project/dev
9bf9232 Merge pull request #1585 from ratify-project/dev
47b3331 Merge pull request #1589 from ratify-project/dependabot/docker/httpserver/golang-b405b62
e4c58e2 Merge pull request #1590 from ratify-project/dependabot/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
db3b86f Merge pull request #1597 from ratify-project/dev
7f1ecfb Merge pull request #1608 from susanshi/notes
357eb51 Merge pull request #1613 from ZAFT-Armored-Keeper-of-Unity/helmfile-update-1.13.2
db7e6ee Merge pull request #1614 from ratify-project/dev
61e0fed Merge pull request #1621 from ratify-project/dependabot/docker/httpserver/golang-fcae9e0
e62cd8e Merge pull request #1622 from ratify-project/dependabot/github_actions/actions/upload-artifact-4.3.4
9551205 Merge pull request #1624 from binbin-li/ignore-experimental-test
03216af Merge pull request #1628 from ratify-project/dependabot/github_actions/actions/setup-go-5.0.2
11a683d Merge pull request #1631 from ratify-project/dev
643e98a Merge pull request #1632 from ratify-project/dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
e7aa02a Merge pull request #1634 from ratify-project/dependabot/go_modules/github.com/sigstore/sigstore-1.8.7
9549d66 Merge pull request #1635 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.26
9c9cb05 Merge pull request #1636 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/credentials-1.17.26
1d6e824 Merge pull request #1637 from ratify-project/dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
089edf1 Merge pull request #1643 from ratify-project/dev
dfe9d0a Merge pull request #1647 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.27
9db35b0 Merge pull request #1651 from ratify-project/dependabot/github_actions/docker/login-action-3.3.0
b8f0e29 Merge pull request #1656 from binbin-li/template-result
99d5629 Merge pull request #1661 from ratify-project/dev
1ecd579 Merge pull request #1662 from yizha1/proposal_errorimprovements
3c28fd4 Merge pull request #1665 from ratify-project/dependabot/github_actions/github/codeql-action-3.25.15
d442fad Merge pull request #1666 from ratify-project/dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
90367de Merge pull request #1668 from binbin-li/ratify-err-doc
294a715 Merge pull request #1671 from binbin-li/verification-response
b0d8a2d Merge pull request #1672 from ratify-project/dependabot/github_actions/golangci/golangci-lint-action-6.1.0
bd87979 Merge pull request #1674 from ratify-project/dependabot/go_modules/github.com/docker/docker-26.1.4incompatible
e8f8000 Merge pull request #1675 from binbin-li/error-log-message
ba5638e Merge pull request #1676 from binbin-li/fix-codecov
b652e00 Merge pull request #1677 from binbin-li/fix-codecov
98c8513 Merge pull request #1683 from ratify-project/dev
e222c72 Merge pull request #1684 from ratify-project/dependabot/github_actions/actions/upload-artifact-4.3.5
56ffab4 Merge pull request #1688 from binbin-li/remove-autorest-adal
300401c Merge pull request #1689 from ratify-project/dependabot/github_actions/step-security/harden-runner-2.9.1
c83f3f8 Merge pull request #1691 from ratify-project/dependabot/github_actions/actions/upload-artifact-4.3.6
e6f031b Merge pull request #1692 from ratify-project/dependabot/github_actions/github/codeql-action-3.26.0
8a8192d Merge pull request #1695 from ratify-project/dependabot/github_actions/sigstore/cosign-installer-3.6.0
5dfa65d Merge pull request #1701 from ratify-project/dev
e1cf41e Merge pull request #1703 from ratify-project/dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
f78f69d Merge pull request #1704 from ratify-project/dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
956109c Merge pull request #1705 from ratify-project/dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
6ba1c32 Merge pull request #1706 from ratify-project/dependabot/docker/httpserver/golang-2bd56f0
c098e93 Merge pull request #1708 from ratify-project/dependabot/github_actions/github/codeql-action-3.26.1
2b270c3 Merge pull request #1709 from ratify-project/dependabot/github_actions/anchore/sbom-action-0.17.1
1ddf2f9 Merge pull request #1714 from ratify-project/dependabot/github_actions/github/codeql-action-3.26.2
9923d7f Merge pull request #1716 from ratify-project/dev
2ece97d Merge pull request #1743 from ratify-project/dev
603cb58 Merge pull request #1767 from ratify-project/dev
98dd1d9 Merge pull request #1780 from ratify-project/dev
0cdd2fb Merge pull request #1804 from ratify-project/dev
1d5e1c0 Revert "chore: Bump actions/checkout from 4.1.1 to 4.1.2" (#1372)
9862c66 Update go.mod
a000acb add crd build step
034f5ec build: Add codecov token (#1373)
e033cb2 build: add SBOM & provenance docker build attestations (#1596)
17f829a build: add image signing for dev images and add release sbom (#1629)
60c9b85 build: add workflow for publishing cosign sample image (#1640)
fe31326 build: bump up upload-artifact action to v4.0.0 (#1227)
f006b88 build: fix unpinned images (#1420)
9f9f551 build: ignore CVE-2022-48174 (#1421)
9c11f81 build: update Bridge to Kubernetes debugging steps (#1384)
04b8cb8 build: update deployment template azure workload identity annotation (#1320)
7657a3f chore: update CRD and related code to enable type field (#1779)
95c1dcb chore: Bump actions/checkout from 4.1.1 to 4.1.2 (#1332)
c01a617 chore: Bump actions/checkout from 4.1.1 to 4.1.2 (#1365)
927b63c chore: Bump actions/checkout from 4.1.1 to 4.1.2 (#1368)
a73348e chore: Bump actions/checkout from 4.1.2 to 4.1.3 (#1411)
6b30ace chore: Bump actions/checkout from 4.1.2 to 4.1.6 (#1530)
9336c7f chore: Bump actions/checkout from 4.1.3 to 4.1.4 (#1414)
0df413b chore: Bump actions/checkout from 4.1.4 to 4.1.5 (#1447)
daba3f0 chore: Bump actions/checkout from 4.1.5 to 4.1.6 (#1485)
ac02e7a chore: Bump actions/checkout from 4.1.6 to 4.1.7 (#1569)
ebdf969 chore: Bump actions/setup-go from 5.0.0 to 5.0.1 (#1438)
7a2d7c6 chore: Bump actions/setup-go from 5.0.0 to 5.0.1 (#1528)
5d992c3 chore: Bump actions/setup-go from 5.0.1 to 5.0.2
4c61abd chore: Bump actions/upload-artifact from 4.0.0 to 4.1.0 (#1261)
132c53c chore: Bump actions/upload-artifact from 4.1.0 to 4.2.0 (#1270)
620ef14 chore: Bump actions/upload-artifact from 4.2.0 to 4.3.0 (#1279)
c6d62fb chore: Bump actions/upload-artifact from 4.3.0 to 4.3.1 (#1303)
56be5bb chore: Bump actions/upload-artifact from 4.3.1 to 4.3.2 (#1410)
6beff39 chore: Bump actions/upload-artifact from 4.3.2 to 4.3.3 (#1412)
94457a7 chore: Bump actions/upload-artifact from 4.3.3 to 4.3.4
3bb4224 chore: Bump actions/upload-artifact from 4.3.4 to 4.3.5
46280e0 chore: Bump actions/upload-artifact from 4.3.5 to 4.3.6
2b1c461 chore: Bump actions/upload-artifact from 4.3.6 to 4.4.0 (#1771)
f6743d0 chore: Bump alpine from 0a4eaa0 to beefdbd (#1786)
27ca126 chore: Bump alpine from 77726ef to b89d9c9
14624cc chore: Bump alpine from b89d9c9 to 0a4eaa0
5d3da87 chore: Bump alpine from c5b1261 to 77726ef (#1517)
60a21cd chore: Bump anchore/sbom-action from 0.17.0 to 0.17.1
c8c9c0e chore: Bump anchore/sbom-action from 0.17.1 to 0.17.2 (#1737)
affa5e5 chore: Bump apache/skywalking-eyes from 6753eaeab2d30d8b777f33637bf48794f70888d0 to cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 (#1370)
9609143 chore: Bump apache/skywalking-eyes from 97538682f556b56cc7422ece660d8d7e6c4fb013 to 6753eaeab2d30d8b777f33637bf48794f70888d0 (#1362)
8fc65fd chore: Bump apache/skywalking-eyes from e6d1ce46901c759d9d9f84f8bcb97ad028cd5f88 to 97538682f556b56cc7422ece660d8d7e6c4fb013 (#1355)
bad77bd chore: Bump apache/skywalking-eyes from ed436a5593c63a25f394ea29da61b0ac3731a9fe to 6753eaeab2d30d8b777f33637bf48794f70888d0 (#1366)
404da73 chore: Bump apache/skywalking-eyes from ed436a5593c63a25f394ea29da61b0ac3731a9fe to e6d1ce46901c759d9d9f84f8bcb97ad028cd5f88 (#1348)
5f33fd8 chore: Bump apache/skywalking-eyes from ee81ff786927ea6ffa48b1e29c48e5289f4753aa to ed436a5593c63a25f394ea29da61b0ac3731a9fe (#1231)
64d8c0b chore: Bump azure/login from 1.5.1 to 1.6.0 (#1255)
c75c5b4 chore: Bump azure/login from 1.6.0 to 1.6.1 (#1266)
585fb83 chore: Bump azure/login from 1.6.1 to 2.0.0 (#1330)
cc7d780 chore: Bump azure/login from 2.0.0 to 2.1.0 (#1400)
bc771ca chore: Bump azure/login from 2.1.0 to 2.1.1 (#1507)
ccba7c8 chore: Bump codecov/codecov-action from 3.1.4 to 3.1.5 (#1281)
2f47715 chore: Bump codecov/codecov-action from 3.1.5 to 3.1.6 (#1288)
74cf3b2 chore: Bump codecov/codecov-action from 3.1.6 to 4.0.0 (#1291)
3c94dd4 chore: Bump codecov/codecov-action from 4.0.0 to 4.0.1 (#1298)
0b0e292 chore: Bump codecov/codecov-action from 4.0.1 to 4.0.2 (#1316)
b2365ac chore: Bump codecov/codecov-action from 4.0.2 to 4.1.0 (#1317)
75976cc chore: Bump codecov/codecov-action from 4.1.0 to 4.1.1 (#1354)
36162f0 chore: Bump codecov/codecov-action from 4.1.1 to 4.2.0 (#1363)
d1acec0 chore: Bump codecov/codecov-action from 4.2.0 to 4.3.0
6163b7e chore: Bump codecov/codecov-action from 4.3.0 to 4.3.1 (#1433)
8d0a262 chore: Bump codecov/codecov-action from 4.3.1 to 4.4.0 (#1477)
0a9640b chore: Bump codecov/codecov-action from 4.4.0 to 4.4.1 (#1496)
4594acb chore: Bump codecov/codecov-action from 4.4.1 to 4.5.0 (#1571)
ab77d70 chore: Bump distroless/static from 8dd8d3c to 42d15c6 in /httpserver (#1787)
d8f86fb chore: Bump distroless/static from e9ac71e to 8dd8d3c in /httpserver (#1620)
1f50ed8 chore: Bump docker/login-action from 3.0.0 to 3.1.0 (#1335)
ab324ad chore: Bump docker/login-action from 3.1.0 to 3.2.0 (#1522)
07f3f79 chore: Bump docker/login-action from 3.2.0 to 3.3.0
ff0a3ec chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.11.0 to 1.11.1 (#1407)
68a1d58 chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.9.1 (#1225)
7e783db chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.1 to 1.9.2 (#1306)
ce317dc chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
03bde0e chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.1 to 1.5.2 (#1392)
68af47a chore: Bump github.com/Azure/go-autorest/autorest/adal from 0.9.23 to 0.9.24 (#1534)
e527936 chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.0 to 1.2.1 (#1252)
fa14b0e chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.1 to 1.2.2 (#1315)
f5089fc chore: Bump github.com/aws/aws-sdk-go-v2 from 1.26.0 to 1.26.1 (#1394)
7d3a605 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.25.11 to 1.25.12 (#1226)
04621a5 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.11 to 1.27.13 (#1467)
4800d40 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.13 to 1.27.15 (#1492)
48ac21f chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.15 to 1.27.16 (#1513)
25df783 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.18 (#1557)
374d187 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.18 to 1.27.21 (#1586)
54e92a4 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.21 to 1.27.23 (#1602)
c4dc680 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.23 to 1.27.24 (#1618)
ee5bad7 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.24 to 1.27.26
5e9f3a4 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.26 to 1.27.27
a5f6f59 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.27 to 1.27.28 (#1720)
c62c142 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.28 to 1.27.30 (#1747)
64d5f33 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.30 to 1.27.31 (#1769)
23f6ac8 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.31 to 1.27.33 (#1781)
7c75d59 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.9 to 1.27.11 (#1390)
f9720b1 chore: Bump github.com/aws/aws-sdk-go-v2/credentials
120aeca chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.12 to 1.16.13 (#1235)
e30ab5d chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.13 to 1.16.14 (#1250)
1fe27db chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.14 to 1.16.16 (#1275)
dbf29f1 chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.9 to 1.16.12 (#1224)
025b3d2 chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.15 to 1.17.16 (#1515)
aeceddc chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.21 to 1.17.22 (#1594)
8af013d chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.22 to 1.17.23 (#1600)
3829c79 chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.23 to 1.17.24 (#1617)
6f78679 chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.26 to 1.17.27 (#1646)
6c2fb71 chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.28 to 1.17.29 (#1746)
62c00fb chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.9 to 1.17.11 (#1393)
539408f chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.2 to 1.28.3 (#1514)
c143844 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.3 to 1.28.5 (#1558)
45430c7 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.5 to 1.28.6 (#1587)
49fc07a chore: Bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 (#1253)
acab8ce chore: Bump github.com/docker/cli from 24.0.7+incompatible to 24.0.8+incompatible (#1282)
2ad4fab chore: Bump github.com/docker/cli from 24.0.8+incompatible to 24.0.9+incompatible (#1302)
f9569e4 chore: Bump github.com/docker/cli from 27.1.1+incompatible to 27.1.2+incompatible (#1745)
3578e05 chore: Bump github.com/docker/docker
384cb0c chore: Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible (#1345)
46d8dfb chore: Bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 (#1329)
dfc7c33 chore: Bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#1516)
9069134 chore: Bump github.com/golang/protobuf from 1.5.3 to 1.5.4 (#1331)
a023d20 chore: Bump github.com/google/go-containerregistry from 0.19.0 to 0.19.1 (#1338)
91b9889 chore: Bump github.com/google/go-containerregistry from 0.19.1 to 0.19.2 (#1575)
a63adcc chore: Bump github.com/google/go-containerregistry from 0.20.0 to 0.20.1 (#1648)
341c545 chore: Bump github.com/google/go-containerregistry from 0.20.1 to 0.20.2
cf7a111 chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (#1592)
4f58573 chore: Bump github.com/notaryproject/notation-core-go from 1.0.1 to 1.0.2 (#1283)
16dac32 chore: Bump github.com/notaryproject/notation-core-go from 1.0.2 to 1.0.3 (#1536)
1a8f598 chore: Bump github.com/notaryproject/notation-go from 1.2.0 to 1.2.1 (#1784)
eb8b658 chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1.0-rc6 (#1271)
9acbfe3 chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 (#1312)
983e3c2 chore: Bump github.com/owenrumney/go-sarif/v2 from 2.3.0 to 2.3.1 (#1349)
34eeced chore: Bump github.com/owenrumney/go-sarif/v2 from 2.3.1 to 2.3.2 (#1619)
444d8cc chore: Bump github.com/owenrumney/go-sarif/v2 from 2.3.2 to 2.3.3
7d294d6 chore: Bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3 (#1301)
a1a739f chore: Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 (#1383)
a29d629 chore: Bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#1325)
e58f337 chore: Bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 (#1357)
99b7444 chore: Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 (#1535)
48c8015 chore: Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 (#1599)
e0c8da6 chore: Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7
c2f5c3a chore: Bump github.com/sigstore/sigstore from 1.8.7 to 1.8.8
2534b33 chore: Bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 (#1782)
9b27e94 chore: Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#1403)
bcd0f39 chore: Bump github.com/spdx/tools-golang from 0.5.4 to 0.5.5 (#1601)
80ffa1f chore: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#1577)
acfdf81 chore: Bump github/codeql-action from 2.13.4 to 3.25.5 (#1487)
d862e04 chore: Bump github/codeql-action from 3.25.10 to 3.25.11 (#1598)
48a1565 chore: Bump github/codeql-action from 3.25.11 to 3.25.12 (#1638)
5b0f3e1 chore: Bump github/codeql-action from 3.25.12 to 3.25.13 (#1649)
f5694f7 chore: Bump github/codeql-action from 3.25.13 to 3.25.14 (#1659)
537c823 chore: Bump github/codeql-action from 3.25.14 to 3.25.15
f347f6a chore: Bump github/codeql-action from 3.25.15 to 3.26.0
d048744 chore: Bump github/codeql-action from 3.25.5 to 3.25.6 (#1495)
2b4ce39 chore: Bump github/codeql-action from 3.25.6 to 3.25.7 (#1537)
8637605 chore: Bump github/codeql-action from 3.25.7 to 3.25.8 (#1545)
2a58116 chore: Bump github/codeql-action from 3.25.8 to 3.25.9 (#1568)
3fc2f79 chore: Bump github/codeql-action from 3.25.9 to 3.25.10 (#1570)
9804ad7 chore: Bump github/codeql-action from 3.26.0 to 3.26.1
486a308 chore: Bump github/codeql-action from 3.26.1 to 3.26.2
d0c04e4 chore: Bump github/codeql-action from 3.26.2 to 3.26.3 (#1728)
d83a7de chore: Bump github/codeql-action from 3.26.3 to 3.26.4 (#1736)
5199eae chore: Bump github/codeql-action from 3.26.4 to 3.26.5 (#1748)
b2e5bfa chore: Bump github/codeql-action from 3.26.5 to 3.26.6 (#1763)
59d2f8c chore: Bump golang from 16438a8 to a8edec5 in /httpserver (#1547)
2b08e26 chore: Bump golang from 2bd56f0 to 367bb52 in /httpserver (#1725)
1581bcd chore: Bump golang from 2eb85b8 to b405b62 in /httpserver
a73822c chore: Bump golang from 367bb52 to 192683d in /httpserver (#1788)
e062893 chore: Bump golang from 392d2b6 to 16438a8 in /httpserver (#1488)
0bbd60e chore: Bump golang from 829eff9 to 86a3c48 in /httpserver (#1667)
730c48b chore: Bump golang from 86a3c48 to 2bd56f0 in /httpserver
c9f2c0a chore: Bump golang from a66eda6 to fcae9e0 in /httpserver
1058c83 chore: Bump golang from a8edec5 to 2eb85b8 in /httpserver (#1572)
3c0ccac chore: Bump golang from d83472f to 392d2b6 in /httpserver (#1469)
fbeb67e chore: Bump golang from fcae9e0 to 829eff9 in /httpserver (#1639)
6105b50 chore: Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#1229)
7c3e2aa chore: Bump golang/govulncheck-action from 1.0.2 to 1.0.3 (#1543)
c0cd911 chore: Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#1307)
c5f252d chore: Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#1415)
0ac4223 chore: Bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 (#1426)
6dfa8e8 chore: Bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 (#1440)
479934d chore: Bump golangci/golangci-lint-action from 5.3.0 to 6.0.0 (#1446)
6273c67 chore: Bump golangci/golangci-lint-action from 6.0.0 to 6.0.1 (#1457)
8f2f716 chore: Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0
fde60d2 chore: Bump google.golang.org/grpc from 1.61.0 to 1.61.1 (#1313)
8cd7c7a chore: Bump google.golang.org/grpc from 1.61.1 to 1.61.2 (#1367)
bce6b4c chore: Bump google.golang.org/grpc from 1.62.1 to 1.62.2 (#1391)
b7fa5e1 chore: Bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#1615)
6cf38fd chore: Bump google.golang.org/protobuf from 1.34.1 to 1.34.2 (#1616)
8e23b06 chore: Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#1328)
55529e8 chore: Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 (#1466)
ffdad0f chore: Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#1544)
4122be7 chore: Bump k8s.io/api from 0.28.11 to 0.28.12 (#1644)
d548d9a chore: Bump k8s.io/api from 0.28.8 to 0.28.9 (#1404)
9aea86d chore: Bump k8s.io/api from 0.28.9 to 0.28.10 (#1493)
7ecab2b chore: Bump k8s.io/apimachinery from 0.28.8 to 0.28.9 (#1405)
205e6a9 chore: Bump k8s.io/client-go from 0.28.10 to 0.28.11 (#1573)
2188f95 chore: Bump k8s.io/client-go from 0.28.11 to 0.28.12 (#1663)
4e02c39 chore: Bump k8s.io/client-go from 0.28.12 to 0.28.13 (#1722)
4a97b2c chore: Bump k8s.io/client-go from 0.28.4 to 0.28.5 (#1232)
d20bd3d chore: Bump k8s.io/client-go from 0.28.5 to 0.28.6 (#1273)
ffa3cef chore: Bump k8s.io/client-go from 0.28.6 to 0.28.7 (#1309)
0bf7079 chore: Bump k8s.io/client-go from 0.28.7 to 0.28.8 (#1339)
e74a421 chore: Bump k8s.io/client-go from 0.28.8 to 0.28.9 (#1406)
e0889f8 chore: Bump k8s.io/client-go from 0.28.9 to 0.28.10 (#1491)
0897822 chore: Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#1462)
7ffb697 chore: Bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#1664)
742ccc0 chore: Bump sigstore/cosign-installer from 3.5.0 to 3.6.0
630a2bd chore: Bump step-security/harden-runner from 2.10.0 to 2.10.1 (#1796)
fe662a4 chore: Bump step-security/harden-runner from 2.7.0 to 2.8.0 (#1529)
aca9883 chore: Bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1561)
7e6f99f chore: Bump step-security/harden-runner from 2.8.1 to 2.9.0 (#1642)
aedb222 chore: Bump step-security/harden-runner from 2.9.0 to 2.9.1
acf60d1 chore: Bump step-security/harden-runner from 2.9.1 to 2.10.0 (#1794)
fb5692e chore: Bump vscode/devcontainers/go from 8cb4ef6 to fdc107c in /.devcontainer (#1744)
84333ac chore: Bump vscode/devcontainers/go from c23be6b to 0ea3913 in /.devcontainer (#1465)
dca6b77 chore: Bump vscode/devcontainers/go in /.devcontainer
2389aa6 chore: Bump vscode/devcontainers/go in /.devcontainer
ab8d001 chore: Refactor error messages for Notation signature verification (#1730)
7519519 chore: add codecov badge (#1777)
f548082 chore: add description for notation.enabled in the helm charts readme… (#1778)
f2ed26e chore: add the governance doc link to readme.md (#1713)
810c93e chore: address comments
2e832ff chore: automated PR to main 2024-09-13 (#1798)
449cdf3 chore: bump CRD controller + conversion gen binaries to be compatible (#1627)
7c34a1a chore: bump oras go to 2.5.0 (#1389)
c348a7d chore: bump ratify version for 1.1.1 patch release (#1434)
4b04c08 chore: bump support GK version matrix to include v3.17.0 (#1795)
368c676 chore: bump support matrix to include GK 3.16.0 (#1504)
2be797d chore: bump to go 1.21 (#1276)
89b0a9c chore: fix linting issues (#1606)
b3ea827 chore: ignore CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 (#1498)
09ce389 chore: ignore CVE-2023-42366 (#1494)
6010b4f chore: ignore pb.go files under experimental
3ccccdb chore: prepare helm chart changes for release-1.3 (#1801)
e911c59 chore: prepare release 1.2.1 charts update (#1610)
4fc08ce chore: prepare release 1.2.1 charts update 2 (#1612)
efa4295 chore: prepare release 1.2.1 helmfile update
d3f77fe chore: refresh roadmap after v1.2.0 release (#1541)
4a5fee5 chore: remodule ratify package (#1552)
9eccff6 chore: remove unused code path
51c5402 chore: rename WithLinkToDoc to WithRemediation
af2240b chore: rename func for readability (#1257)
fc3ddbb chore: rephrase failure result in constraint template
be3adc1 chore: stop printing out error stack trace (#1711)
a89d00d chore: update a flag in makefile (#1584)
f204e9d chore: update aks version (#1768)
4e539d9 chore: update cert value in sample CRs (#1479)
2998078 chore: update codecov config (#1237)
6487002 chore: update default templates (#1776)
a3424b1 chore: update deislabs.github.io to ratify-project.github.io (#1548)
12e39b9 chore: update dev helmfile and publishing workflow (#1551)
b7644b7 chore: update dev helmfiles to clean up namespaced resources (#1476)
7208f98 chore: update err-msg with notation (#1775)
b7cab88 chore: update error messages for cosign validation (#1792)
365d843 chore: update helm charts (#1702)
d1e810b chore: update local dev charts to the latest version (#1749)
b9446ef chore: update ratify charts to 1.2 (#1526)
92ce84f chore: update scorecards action (#1687)
9865b7c chore: update the image tag of dev container (#1347)
4288940 chore: update to support GK 3.15 & remove support for GK 3.12 (#1318)
0a1198a chore: upgrade to go 1.22 (#1605)
8c89dab chore: use semantic version for go install pkg (#1448)
7e034c2 ci: add cache cleanup post merge (#1242)
5333fe9 ci: add dev helm chart publishing workflow (#1209)
3f68a54 ci: add job to delete dev packages manually
bf4eade ci: bump k8s versions (#1417)
f536f68 ci: harden github actions (#1579)
69b10eb ci: improve azure test resiliency (#1546)
7af6e8e ci: run scorecard on pr to dev/main
1bac149 ci: set patch coverage target to 80% (#1527)
3f66411 ci: switch azure ci test to use rbac for key vault access (#1523)
efe84cf ci: switch region from eastus to westus2 (#1591)
c2c51b6 ci: switch to fail-fast from continue-on-error (#1245)
c963bed ci: update and cleanup CI tools used (#1326)
3639957 ci: update azure SP federated credentials (#1442)
6eab122 ci: update license check exclusion version (#1351)
6179759 crd image
a7178d4 doc: Update SECURITY.md (#1555)
2000c11 doc: proposal for error message improvements
e57886c doc: update README code of conduct (#1553)
2d3a8e0 doc: update minor release branching strategy (#1456)
314d46e fail critical
d7990c7 fail on high
64c2315 fail on med
4a44d3a feat: Add refreshInterval to the helm chart Values (#1773)
f495934 feat: KMP periodic retrieval with k8s requeue (#1727)
ae4385b feat: Support more trust store types (#1538)
4b07a26 feat: add GetNamespace utils method for context [multi-tenancy PR 1] (#1356)
43b8090 feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] (#1422)
1f21940 feat: add NamespacedPolicy CRD [multi-tenancy PR 7] (#1402)
9ab83c8 feat: add NamespacedStore CRD [multi-tenancy PR 8] (#1413)
e13af40 feat: add NamespacedVerifier CRD [multi-tenancy PR 11] (#1428)
7958056 feat: add PolicyManager interface to wrap operations on namespaced policies [multi-tenancy PR 3] (#1359)
003fe00 feat: add ReferrerStoreManager interface to wrap operations on namespaced stores [multi-tenancy PR 4] (#1380)
759f299 feat: add cache isolation (#1213)
3e656b1 feat: add certStoreManager interface to wrap operations on namespaced certStores [multi-tenancy PR 5] (#1382)
3d40b97 feat: add compatibility check in KMP while fetching certs/keys [multi-tenancy PR 6] (#1395)
2061199 feat: add context to getExecutor method
70389cf feat: add cosign keyless support to trust policy (#1503)
482ac34 feat: add cosign trust policies (#1381)
71df5dd feat: add debug logs to k8s secret and docker config auth providers (#1319)
b0dfc90 feat: add key management provider resource (#1293)
2894b51 feat: add key support to key management provider (#1333)
9d60789 feat: add namespace label to metrics
ec92e2a feat: add namespace to external data request key (#1201)
23092c6 feat: add open ssf best practices badge (#1696)
3e04cb5 feat: add timestamp and traceId to verification response (#1697)
8b17053 feat: add verifierName, verifierType and errorReason fields to verifierReport
e716f54 feat: add verifiers interface to wrap up operations on namespaced verifiers
49f63e1 feat: add version to CRD spec (#1215)
e7655fe feat: enhance CR status with clearer brief error message (#1734)
0b6aa67 feat: fill ErrorReason and Remediation during verifierReport generation (#1682)
2eacdaf feat: handle stderr and stdout messages from plugins (#1258)
018cde4 feat: improve plugin config dependency (#1223)
dd1b883 feat: move cosign to be a built in verifier (#1343)
1742f2f feat: refactor certStore and KMP to support multi-tenancy [multi-tenancy PR 10] (#1423)
4d4d00c feat: refactor cosign verification error messages (#1750)
af1a0d8 feat: refactor error message format
2b11902 feat: run full validation on staging (#1361)
9b96175 feat: save reconcile error for KMP/CertStore (#1710)
0cae6c7 feat: timestamping feature (#1758)
7abfc7f feat: validate plugin name on CR create (#1265)
68c93a6 fix: DecodeCertificates cert length check (#1470)
9afbbf9 fix: Enforce validation on notation signature blob number (#1726)
b6db2ee fix: SBOM verifier license match support for deprecated license (#1230)
9da6842 fix: Set IdleTimeout for http.Server (#1418)
a884308 fix: add akv keys check on cosign-verifier (#1427)
aafd330 fix: add check for disabled keys from azure key vault (#1474)
5225247 fix: add missing CRD conversion methods (#1289)
ea5604a fix: add top-level read permission (#1419)
d64c713 fix: bump dev helmfile ratify chart versions (#1216)
1e32c70 fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version (#1505)
b12b038 fix: bump-up docker dependency (#1679)
30ee980 fix: check label value on pull_request_target (#1471)
0975882 fix: differentiate aks logs from e2e log (#1243)
82626ee fix: dynamic plugin should support pulling image with digest (#1280)
ad69840 fix: enable automated pr to main (#1582)
3872e05 fix: enable workflow for staging (#1369)
5781305 fix: fix AKS test by switching to cluster-wide KMP (#1455)
2ee5904 fix: fix missing separator in helm template (#1463)
05a8cbe fix: fix typo in notation verifier (#1678)
45c0f81 fix: fix unit tests that fail in local environment (#1292)
2fa97fb fix: fix vulnerabilities
2d9b93a fix: handle empty trust policies
b2bf323 fix: improve vuln report verifier report messages (#1238)
6474b4d fix: make notation verifier installation optional on ratify installation (#1719)
b32db85 fix: missing status update in KMP controller (#1761)
9d5acaf fix: pass CODECOV_TOKEN to reusable workflow
f07f1ca fix: remove Update az cli step in aks test (#1502)
269d176 fix: remove critical cache failure in oras GetBlobContent (#1740)
f0cdcfe fix: remove duplicate $
8632ea5 fix: remove nonexistent KMP from verifier sample (#1753)
d89400e fix: remove unused trust store from sample verifier config (#1790)
4fed7a0 fix: rename staging to dev branch (#1401)
cb3bb9b fix: run full validation for release branch (#1512)
5381e0c fix: showing verifier config parse detail in err log (#1791)
be8b182 fix: surface plugin error in exec.go (#1228)
f063058 fix: update ReferrerNotFound error to be more accurate (#1408)
8acd52b fix: update azure tenantId casing (#1385)
23b143d fix: update constraint templates to work with new type field (#1217)
8834734 fix: update cosign chart and remove extra logs (#1475)
8acc7f2 fix: update hard coded test registry reference (#1336)
c1ba70e fix: updated community meeting time to UTC (#1364)
b2535b9 fix: validate plugin version for ratify cli (#1604)
7294999 fix: warning message is printed to stdout by CLI (#1650)
1f37d04 load into kind
84cb90c refactor: refactor verifiers to support namespaced
a01b605 remove --skipdir flag
088154d revert: "chore: automated PR to main 2024-09-13" (#1802)
a8691a4 run scan-vulns.yaml on schedule (#1562)
d214d5b scanner
9dc9e82 update
70ba627 update
1d12f7f update
4ae4332 update
1401080 update per comments
a494009 update per comments
1bd347c update unit test

Full Changelog: v1.2.2...v1.3.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v1.3.0

✨ New Features

✨ Other Enhancements

🔐 Security

📄 Documentation

🐛 🩹 Bug Fixes

🎉 New Contributors

Changes since v1.2.2

Contributors