diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index 2717df5e0..e0b7c971e 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml @@ -25,4 +25,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@97790d29c7fb370b5e1edbec513501e78789337d # v1 + uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # v2 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 26dcc6d49..3089eb4da 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -86,7 +86,7 @@ jobs: uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3 if: failure() with: - name: Docker Compose logs + name: E2E Docker Compose logs path: /tmp/docker-compose.log sharding-e2e: @@ -110,7 +110,7 @@ jobs: uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3 if: failure() with: - name: Docker Compose logs + name: Sharding E2E Docker Compose logs path: /tmp/docker-compose.log issue-872-e2e: diff --git a/CHANGELOG.md b/CHANGELOG.md index ce1e6e16e..9037f7e77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,25 +1,44 @@ +# v0.8.1 + +## Bug Fixes + +* Allow an expired certificate chain to be uploaded and verified (https://github.com/sigstore/rekor/pull/873) +* Fix indexing bug for intoto attestations (https://github.com/sigstore/rekor/pull/870) + +## Others + +* Bump actions/dependency-review-action from 1.0.2 to 2 (https://github.com/sigstore/rekor/pull/871) +* Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (https://github.com/sigstore/rekor/pull/868) +* add changelog for v0.8.0 (https://github.com/sigstore/rekor/pull/866) + +## Contributors + +* Carlos Tadeu Panato Junior (@cpanato) +* Hayden Blauzvern (@haydentherapper) +* Priya Wadhwa (@priyawadhwa) + # v0.8.0 ## Enhancements -* Print total tree size, including inactive shards in `rekor-cli loginfo` (#864) -* Allow retrieving entryIDs or UUIDs via `/api/v1/log/entries/retrieve` endpoint (#859) -* Improve error message when using ED25519 with HashedRekord type (#862) +* Print total tree size, including inactive shards in `rekor-cli loginfo` (https://github.com/sigstore/rekor/pull/864) +* Allow retrieving entryIDs or UUIDs via `/api/v1/log/entries/retrieve` endpoint (https://github.com/sigstore/rekor/pull/859) +* Improve error message when using ED25519 with HashedRekord type (https://github.com/sigstore/rekor/pull/862) ## Others -* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#844) -* Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (#863) -* update go.mod to go1.17 (#861) -* update cross-builder image to use go1.17.11 and dockerfile base image (#860) -* Bump github/codeql-action from 2.1.11 to 2.1.12 (#858) -* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (#857) -* Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (#852) -* Bump github.com/secure-systems-lab/go-securesystemslib (#853) -* Configure rekor server in e2e tests via env variable (#850) -* Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (#848) -* Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. 
(#847) -* Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (#846) +* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (https://github.com/sigstore/rekor/pull/844) +* Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (https://github.com/sigstore/rekor/pull/863) +* update go.mod to go1.17 (https://github.com/sigstore/rekor/pull/861) +* update cross-builder image to use go1.17.11 and dockerfile base image (https://github.com/sigstore/rekor/pull/860) +* Bump github/codeql-action from 2.1.11 to 2.1.12 (https://github.com/sigstore/rekor/pull/858) +* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (https://github.com/sigstore/rekor/pull/857) +* Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (https://github.com/sigstore/rekor/pull/852) +* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/853) +* Configure rekor server in e2e tests via env variable (https://github.com/sigstore/rekor/pull/850) +* Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (https://github.com/sigstore/rekor/pull/848) +* Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. (https://github.com/sigstore/rekor/pull/847) +* Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (https://github.com/sigstore/rekor/pull/846) ## Contributors 
@@ -35,51 +54,51 @@ If you are relying on the timestamping authority to issue signed timestamps, cre ## Enhancements -* Remove timestamping authority (#813) -* Limit the number of certificates parsed in a chain (#823) -* Retrieve shard tree length if it isn't provided in the config (#810) -* Don't try to index on hash for intoto obj if one isn't available (#800) -* intoto: add index on materials digest of slsa provenance (#793) -* remove URL fetch of keys/artifacts server-side (#735) +* Remove timestamping authority (https://github.com/sigstore/rekor/pull/813) +* Limit the number of certificates parsed in a chain (https://github.com/sigstore/rekor/pull/823) +* Retrieve shard tree length if it isn't provided in the config (https://github.com/sigstore/rekor/pull/810) +* Don't try to index on hash for intoto obj if one isn't available (https://github.com/sigstore/rekor/pull/800) +* intoto: add index on materials digest of slsa provenance (https://github.com/sigstore/rekor/pull/793) +* remove URL fetch of keys/artifacts server-side (https://github.com/sigstore/rekor/pull/735) ## Others -* all: remove dependency on deprecated github.com/pkg/errors (#834) -* Add back owners for rfc3161 package type (#833) -* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (#832) -* Bump github/codeql-action from 2.1.10 to 2.1.11 (#829) -* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (#830) -* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#828) -* Bump actions/dependency-review-action (#825) -* Bump actions/github-script from 6.0.0 to 6.1.0 (#826) -* Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (#827) -* update go to 1.17.10 in the dockerfile (#819) -* Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (#818) -* Bump github.com/google/trillian from 1.4.0 to 1.4.1 (#817) -* Bump actions/setup-go from 3.0.0 to 3.1.0 (#822) -* Bump github/codeql-action (#821) -* update release builder images to use go 1.17.10 and cosign image to 1.18.0 (#820) 
-* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#815) -* Bump github/codeql-action from 2.1.9 to 2.1.10 (#816) -* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#811) -* Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (#802) -* Move trillian/merkly to transparency-dev (#807) -* Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (#803) -* chore(deps): Included dependency review (#788) -* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (#799) -* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#794) -* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (#795) -* Bump github/codeql-action from 2.1.8 to 2.1.9 (#796) -* Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#791) -* Bump google-github-actions/auth from 0.7.0 to 0.7.1 (#790) -* Bump actions/checkout from 3.0.1 to 3.0.2 (#786) -* Bump codecov/codecov-action from 3.0.0 to 3.1.0 (#785) -* Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (#782) -* Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (#781) -* Bump anchore/sbom-action from 0.10.0 to 0.11.0 (#779) -* Bump actions/checkout from 3.0.0 to 3.0.1 (#778) -* Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (#777) -* Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (#776) +* all: remove dependency on deprecated github.com/pkg/errors (https://github.com/sigstore/rekor/pull/834) +* Add back owners for rfc3161 package type (https://github.com/sigstore/rekor/pull/833) +* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (https://github.com/sigstore/rekor/pull/832) +* Bump github/codeql-action from 2.1.10 to 2.1.11 (https://github.com/sigstore/rekor/pull/829) +* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (https://github.com/sigstore/rekor/pull/830) +* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (https://github.com/sigstore/rekor/pull/828) +* Bump actions/dependency-review-action (https://github.com/sigstore/rekor/pull/825) +* Bump actions/github-script from 6.0.0 to 
6.1.0 (https://github.com/sigstore/rekor/pull/826) +* Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (https://github.com/sigstore/rekor/pull/827) +* update go to 1.17.10 in the dockerfile (https://github.com/sigstore/rekor/pull/819) +* Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (https://github.com/sigstore/rekor/pull/818) +* Bump github.com/google/trillian from 1.4.0 to 1.4.1 (https://github.com/sigstore/rekor/pull/817) +* Bump actions/setup-go from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/822) +* Bump github/codeql-action (https://github.com/sigstore/rekor/pull/821) +* update release builder images to use go 1.17.10 and cosign image to 1.18.0 (https://github.com/sigstore/rekor/pull/820) +* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (https://github.com/sigstore/rekor/pull/815) +* Bump github/codeql-action from 2.1.9 to 2.1.10 (https://github.com/sigstore/rekor/pull/816) +* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (https://github.com/sigstore/rekor/pull/811) +* Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (https://github.com/sigstore/rekor/pull/802) +* Move trillian/merkly to transparency-dev (https://github.com/sigstore/rekor/pull/807) +* Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (https://github.com/sigstore/rekor/pull/803) +* chore(deps): Included dependency review (https://github.com/sigstore/rekor/pull/788) +* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (https://github.com/sigstore/rekor/pull/799) +* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (https://github.com/sigstore/rekor/pull/794) +* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (https://github.com/sigstore/rekor/pull/795) +* Bump github/codeql-action from 2.1.8 to 2.1.9 (https://github.com/sigstore/rekor/pull/796) +* Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (https://github.com/sigstore/rekor/pull/791) +* Bump google-github-actions/auth from 0.7.0 to 0.7.1 
(https://github.com/sigstore/rekor/pull/790) +* Bump actions/checkout from 3.0.1 to 3.0.2 (https://github.com/sigstore/rekor/pull/786) +* Bump codecov/codecov-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/785) +* Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (https://github.com/sigstore/rekor/pull/782) +* Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (https://github.com/sigstore/rekor/pull/781) +* Bump anchore/sbom-action from 0.10.0 to 0.11.0 (https://github.com/sigstore/rekor/pull/779) +* Bump actions/checkout from 3.0.0 to 3.0.1 (https://github.com/sigstore/rekor/pull/778) +* Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (https://github.com/sigstore/rekor/pull/777) +* Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (https://github.com/sigstore/rekor/pull/776) ## Contributors 
@@ -98,109 +117,109 @@ Notice: The server side remote fetching of resources will be removed in the next ## Enhancements -* Create EntryID for new artifacts and return EntryID to user (#623) -* Add search through inactive shards for GET by UUID (#750) -* Add in configmap to release for sharding config (#766) -* set p.Block after parsing; other cleanup (#759) -* Add index to hashed intoto envelope (#761) -* Add the SHA256 digest of the intoto payload into the rekor entry (#764) -* Add support for providing certificate chain for X509 signature types (#747) -* Specify public key for inactive shards in shard config (#746) -* Use active tree on server startup (#727) -* Require tlog_id when inactive shard config file is passed in (#739) -* Replace `trillian_log_server.log_id_ranges` flag with a config file (#742) -* Update loginfo API endpoint to return information about inactive shards (#738) -* Refactor rekor-cli loginfo (#734) -* Get log proofs by Tree ID (#733) -* Return virtual index when creating and getting a log entry (#725) -* Clearer logging for createAndInitTree (#724) -* Change TreeID to be of type `string` instead of `int64` (#712) -* Switch to using the swag library for pointer manipulation. (#719) -* Make the loginfo command a bit more future/backwards proof. (#718) -* Use logRangesFlag in API, route reads based on TreeID (#671) -* Set rekor-cli User-Agent header on requests (#684) -* create namespace for rekor config in yaml. (#680) -* add securityContext to deployment. 
(#678) -* Move k8s objects out of the default namespace (#674) +* Create EntryID for new artifacts and return EntryID to user (https://github.com/sigstore/rekor/pull/623) +* Add search through inactive shards for GET by UUID (https://github.com/sigstore/rekor/pull/750) +* Add in configmap to release for sharding config (https://github.com/sigstore/rekor/pull/766) +* set p.Block after parsing; other cleanup (https://github.com/sigstore/rekor/pull/759) +* Add index to hashed intoto envelope (https://github.com/sigstore/rekor/pull/761) +* Add the SHA256 digest of the intoto payload into the rekor entry (https://github.com/sigstore/rekor/pull/764) +* Add support for providing certificate chain for X509 signature types (https://github.com/sigstore/rekor/pull/747) +* Specify public key for inactive shards in shard config (https://github.com/sigstore/rekor/pull/746) +* Use active tree on server startup (https://github.com/sigstore/rekor/pull/727) +* Require tlog_id when inactive shard config file is passed in (https://github.com/sigstore/rekor/pull/739) +* Replace `trillian_log_server.log_id_ranges` flag with a config file (https://github.com/sigstore/rekor/pull/742) +* Update loginfo API endpoint to return information about inactive shards (https://github.com/sigstore/rekor/pull/738) +* Refactor rekor-cli loginfo (https://github.com/sigstore/rekor/pull/734) +* Get log proofs by Tree ID (https://github.com/sigstore/rekor/pull/733) +* Return virtual index when creating and getting a log entry (https://github.com/sigstore/rekor/pull/725) +* Clearer logging for createAndInitTree (https://github.com/sigstore/rekor/pull/724) +* Change TreeID to be of type `string` instead of `int64` (https://github.com/sigstore/rekor/pull/712) +* Switch to using the swag library for pointer manipulation. (https://github.com/sigstore/rekor/pull/719) +* Make the loginfo command a bit more future/backwards proof. 
(https://github.com/sigstore/rekor/pull/718) +* Use logRangesFlag in API, route reads based on TreeID (https://github.com/sigstore/rekor/pull/671) +* Set rekor-cli User-Agent header on requests (https://github.com/sigstore/rekor/pull/684) +* create namespace for rekor config in yaml. (https://github.com/sigstore/rekor/pull/680) +* add securityContext to deployment. (https://github.com/sigstore/rekor/pull/678) +* Move k8s objects out of the default namespace (https://github.com/sigstore/rekor/pull/674) ## Bug Fixes -* Fix search without sha prefix (#767) -* Fix link in types README (#765) -* fix typo in filename (#758) -* fix build date format for version command (#745) -* fix merge conflict (#720) +* Fix search without sha prefix (https://github.com/sigstore/rekor/pull/767) +* Fix link in types README (https://github.com/sigstore/rekor/pull/765) +* fix typo in filename (https://github.com/sigstore/rekor/pull/758) +* fix build date format for version command (https://github.com/sigstore/rekor/pull/745) +* fix merge conflict (https://github.com/sigstore/rekor/pull/720) ## Documentation -* Add documentation about Alpine type (#697) -* update security process link (#685) -* Add intoto type documentation (#679) -* Add docs about API stabilitly and deprecation policy (#661) +* Add documentation about Alpine type (https://github.com/sigstore/rekor/pull/697) +* update security process link (https://github.com/sigstore/rekor/pull/685) +* Add intoto type documentation (https://github.com/sigstore/rekor/pull/679) +* Add docs about API stabilitly and deprecation policy (https://github.com/sigstore/rekor/pull/661) ## Others -* Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (#768) -* Bump anchore/sbom-action from 0.9.0 to 0.10.0 (#763) -* Bump github/codeql-action from 2.1.7 to 2.1.8 (#762) -* Update release jobs and trillian images (#756) -* Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (#757) -* Bump anchore/sbom-action from 0.8.0 to 0.9.0 (#754) -* Bump 
codecov/codecov-action from 2.1.0 to 3 (#753) -* Bump github/codeql-action from 2.1.6 to 2.1.7 (#752) -* Bump google-github-actions/auth from 0.6.0 to 0.7.0 (#751) -* Bump github/codeql-action from 1.1.5 to 2.1.6 (#748) -* Bump anchore/sbom-action from 0.7.0 to 0.8.0 (#743) -* Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (#744) -* Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (#740) -* Bump github/codeql-action from 1.1.4 to 1.1.5 (#736) -* Use reusuable release workflow in sigstore/sigstore (#729) -* Fix copy/paste mistake in repo name. (#730) -* Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (#728) -* Bump golang from `ca70980` to `c7c9458` (#722) -* Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (#723) -* Add sharding e2e test to Github Actions (#714) -* Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (#717) -* Bump github/codeql-action from 1.1.3 to 1.1.4 (#716) -* Add trillian container to existing release. (#715) -* Bump golang from `0168c35` to `ca70980` (#707) -* Mirror signed release images from GCR to GHCR as part of release (#701) -* Bump anchore/sbom-action from 0.6.0 to 0.7.0 (#709) -* Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (#710) -* Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (#708) -* Generate release yaml artifact. (#702) -* Bump actions/upload-artifact from 2.3.1 to 3 (#704) -* Go update to 1.17.8 and cosign to 1.6.0 (#705) -* Consistent parenthesis use in Makefile (#700) -* add code coverage to pull request. 
(#676) -* Bump actions/checkout from 2.4.0 to 3 (#698) -* Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (#696) -* Bump actions/setup-go from 2.2.0 to 3.0.0 (#694) -* Bump github.com/secure-systems-lab/go-securesystemslib (#695) -* Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (#693) -* Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (#692) -* Bump golangci/golangci-lint-action from 2.5.2 to 3 (#691) -* Bump github/codeql-action from 1.1.2 to 1.1.3 (#690) -* Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (#689) -* explicitly set permissions for github actions (#687) -* Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (#686) -* Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (#683) -* Bump github/codeql-action from 1.1.0 to 1.1.2 (#682) -* Bump actions/github-script from 5.1.0 to 6 (#669) -* Bump github/codeql-action from 1.0.32 to 1.1.0 (#668) -* update cross-build and dockerfile to use go 1.17.7 (#666) -* Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (#664) -* Bump actions/setup-go from 2.1.5 to 2.2.0 (#663) -* Bump golang from `301609e` to `fff998d` (#662) -* use upstream k8s version lib (#657) -* Bump github/codeql-action from 1.0.31 to 1.0.32 (#659) -* Bump go.uber.org/zap from 1.20.0 to 1.21.0 (#660) -* Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (#656) -* Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (#655) -* Update the warning text for the GA release. 
(#654) -* attempting to fix codeowners file (#653) -* update release job (#651) -* Bump google-github-actions/auth from 0.5.0 to 0.6.0 (#652) +* Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (https://github.com/sigstore/rekor/pull/768) +* Bump anchore/sbom-action from 0.9.0 to 0.10.0 (https://github.com/sigstore/rekor/pull/763) +* Bump github/codeql-action from 2.1.7 to 2.1.8 (https://github.com/sigstore/rekor/pull/762) +* Update release jobs and trillian images (https://github.com/sigstore/rekor/pull/756) +* Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (https://github.com/sigstore/rekor/pull/757) +* Bump anchore/sbom-action from 0.8.0 to 0.9.0 (https://github.com/sigstore/rekor/pull/754) +* Bump codecov/codecov-action from 2.1.0 to 3 (https://github.com/sigstore/rekor/pull/753) +* Bump github/codeql-action from 2.1.6 to 2.1.7 (https://github.com/sigstore/rekor/pull/752) +* Bump google-github-actions/auth from 0.6.0 to 0.7.0 (https://github.com/sigstore/rekor/pull/751) +* Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/rekor/pull/748) +* Bump anchore/sbom-action from 0.7.0 to 0.8.0 (https://github.com/sigstore/rekor/pull/743) +* Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/rekor/pull/744) +* Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/rekor/pull/740) +* Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/rekor/pull/736) +* Use reusuable release workflow in sigstore/sigstore (https://github.com/sigstore/rekor/pull/729) +* Fix copy/paste mistake in repo name. 
(https://github.com/sigstore/rekor/pull/730) +* Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/rekor/pull/728) +* Bump golang from `ca70980` to `c7c9458` (https://github.com/sigstore/rekor/pull/722) +* Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/rekor/pull/723) +* Add sharding e2e test to Github Actions (https://github.com/sigstore/rekor/pull/714) +* Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (https://github.com/sigstore/rekor/pull/717) +* Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/rekor/pull/716) +* Add trillian container to existing release. (https://github.com/sigstore/rekor/pull/715) +* Bump golang from `0168c35` to `ca70980` (https://github.com/sigstore/rekor/pull/707) +* Mirror signed release images from GCR to GHCR as part of release (https://github.com/sigstore/rekor/pull/701) +* Bump anchore/sbom-action from 0.6.0 to 0.7.0 (https://github.com/sigstore/rekor/pull/709) +* Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/rekor/pull/710) +* Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/rekor/pull/708) +* Generate release yaml artifact. (https://github.com/sigstore/rekor/pull/702) +* Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/rekor/pull/704) +* Go update to 1.17.8 and cosign to 1.6.0 (https://github.com/sigstore/rekor/pull/705) +* Consistent parenthesis use in Makefile (https://github.com/sigstore/rekor/pull/700) +* add code coverage to pull request. 
(https://github.com/sigstore/rekor/pull/676) +* Bump actions/checkout from 2.4.0 to 3 (https://github.com/sigstore/rekor/pull/698) +* Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (https://github.com/sigstore/rekor/pull/696) +* Bump actions/setup-go from 2.2.0 to 3.0.0 (https://github.com/sigstore/rekor/pull/694) +* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/695) +* Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/693) +* Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (https://github.com/sigstore/rekor/pull/692) +* Bump golangci/golangci-lint-action from 2.5.2 to 3 (https://github.com/sigstore/rekor/pull/691) +* Bump github/codeql-action from 1.1.2 to 1.1.3 (https://github.com/sigstore/rekor/pull/690) +* Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (https://github.com/sigstore/rekor/pull/689) +* explicitly set permissions for github actions (https://github.com/sigstore/rekor/pull/687) +* Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (https://github.com/sigstore/rekor/pull/686) +* Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (https://github.com/sigstore/rekor/pull/683) +* Bump github/codeql-action from 1.1.0 to 1.1.2 (https://github.com/sigstore/rekor/pull/682) +* Bump actions/github-script from 5.1.0 to 6 (https://github.com/sigstore/rekor/pull/669) +* Bump github/codeql-action from 1.0.32 to 1.1.0 (https://github.com/sigstore/rekor/pull/668) +* update cross-build and dockerfile to use go 1.17.7 (https://github.com/sigstore/rekor/pull/666) +* Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (https://github.com/sigstore/rekor/pull/664) +* Bump actions/setup-go from 2.1.5 to 2.2.0 (https://github.com/sigstore/rekor/pull/663) +* Bump golang from `301609e` to `fff998d` (https://github.com/sigstore/rekor/pull/662) +* use upstream k8s version lib (https://github.com/sigstore/rekor/pull/657) +* Bump github/codeql-action from 1.0.31 to 1.0.32 
(https://github.com/sigstore/rekor/pull/659)
+* Bump go.uber.org/zap from 1.20.0 to 1.21.0 (https://github.com/sigstore/rekor/pull/660)
+* Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (https://github.com/sigstore/rekor/pull/656)
+* Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (https://github.com/sigstore/rekor/pull/655)
+* Update the warning text for the GA release. (https://github.com/sigstore/rekor/pull/654)
+* attempting to fix codeowners file (https://github.com/sigstore/rekor/pull/653)
+* update release job (https://github.com/sigstore/rekor/pull/651)
+* Bump google-github-actions/auth from 0.5.0 to 0.6.0 (https://github.com/sigstore/rekor/pull/652)
 ## Contributors
diff --git a/pkg/pki/x509/testutils/cert_test_utils.go b/pkg/pki/x509/testutils/cert_test_utils.go
index 827505c21..ec0167eaf 100644
--- a/pkg/pki/x509/testutils/cert_test_utils.go
+++ b/pkg/pki/x509/testutils/cert_test_utils.go
@@ -67,7 +67,7 @@ func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) {
 CommonName: "sigstore",
 Organization: []string{"sigstore.dev"},
 },
- NotBefore: time.Now().Add(-5 * time.Minute),
+ NotBefore: time.Now().Add(-10 * time.Minute),
 NotAfter: time.Now().Add(5 * time.Hour),
 KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 BasicConstraintsValid: true,
@@ -94,7 +94,7 @@ func GenerateSubordinateCa(rootTemplate *x509.Certificate, rootPriv crypto.Signe
 CommonName: "sigstore-sub",
 Organization: []string{"sigstore.dev"},
 },
- NotBefore: time.Now().Add(-2 * time.Minute),
+ NotBefore: time.Now().Add(-9 * time.Minute),
 NotAfter: time.Now().Add(2 * time.Hour),
 KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
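Review bot: The new `-10`/`-9` minute NotBefore values in the GenerateRootCa and GenerateSubordinateCa hunks are load-bearing but uncommented: as far as the other hunks in this commit show, verifyCertChain now validates chains as of the leaf's NotBefore and GenerateExpiredLeafCert dates its leaf at now-5m, so both CA validity windows must already be open at that instant or the new expired-leaf test fails with a misleading not-yet-valid error. A comment at each site would keep a later tweak from breaking it, e.g. `// Must precede the NotBefore used by GenerateExpiredLeafCert (now-5m): chains are verified as of the leaf's NotBefore.` The same note applies to the subordinate CA hunk at -94. Both enclosing functions start and end outside their hunks.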
@@ -144,3 +144,33 @@ func GenerateLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Ce
 return cert, priv, nil
 }
+
+func GenerateExpiredLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
+ certTemplate := &x509.Certificate{
+ SerialNumber: big.NewInt(1),
+ EmailAddresses: []string{subject},
+ NotBefore: time.Now().Add(-5 * time.Minute),
+ NotAfter: time.Now().Add(-2 * time.Minute),
+ KeyUsage: x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+ IsCA: false,
+ ExtraExtensions: []pkix.Extension{{
+ // OID for OIDC Issuer extension
+ Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1},
+ Critical: false,
+ Value: []byte(oidcIssuer),
+ }},
+ }
+
+ priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ cert, err := createCertificate(certTemplate, parentTemplate, &priv.PublicKey, parentPriv)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ return cert, priv, nil
+}
diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go
index 0cc3ab665..49fa1c544 100644
--- a/pkg/pki/x509/x509.go
+++ b/pkg/pki/x509/x509.go
@@ -211,6 +211,8 @@ func verifyCertChain(certChain []*x509.Certificate) error {
 Intermediates: subPool,
 // Allow any key usage
 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+ // Expired certificates can be uploaded and should be verifiable
+ CurrentTime: certChain[0].NotBefore,
 }); err != nil {
 return err
 }
diff --git a/pkg/pki/x509/x509_test.go b/pkg/pki/x509/x509_test.go
index ceeb68000..aa0805477 100644
--- a/pkg/pki/x509/x509_test.go
+++ b/pkg/pki/x509/x509_test.go
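Review bot: GenerateExpiredLeafCert is an exported helper without a doc comment, and its template appears to repeat GenerateLeafCert's field for field except for NotAfter, so the OIDC issuer OID and key usages now live in two places that can drift apart. GenerateLeafCert's body lies outside this hunk, so I cannot confirm the two match exactly; if they do, one private helper taking the validity window keeps them in sync and the exported names become thin wrappers, as sketched below. In any case the new function should carry `// GenerateExpiredLeafCert issues a code-signing leaf under parentTemplate whose validity window (now-5m to now-2m) has already ended, for testing verification of chains with an expired leaf.`
```go
// newLeafCert issues a code-signing leaf under parentTemplate with the given validity window.
func newLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	certTemplate := &x509.Certificate{
		// … unchanged: SerialNumber, EmailAddresses, KeyUsage, ExtKeyUsage, IsCA, ExtraExtensions …
		NotBefore: notBefore,
		NotAfter:  notAfter,
	}
	// … unchanged: key generation, createCertificate call and returns …
}

// GenerateExpiredLeafCert issues a leaf whose validity window ended two minutes ago.
func GenerateExpiredLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return newLeafCert(subject, oidcIssuer, parentTemplate, parentPriv, now.Add(-5*time.Minute), now.Add(-2*time.Minute))
}
```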
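Review bot: `CurrentTime: certChain[0].NotBefore` changes what verifyCertChain proves: the chain is now checked as of the instant the leaf was issued, so a leaf whose issuer has since expired still passes, while a leaf dated before its issuer's NotBefore now fails. That matches a transparency log that records historical signatures, but the added comment only says expired certificates are allowed; suggest `// Verify the chain as of the leaf's NotBefore rather than now: Rekor records historical signatures, so an expired leaf must still verify against the chain that was valid when it was issued. Revocation and later expiry of any certificate in the chain are deliberately not checked here.` The index also assumes a non-empty chain with the leaf first; whether the earlier part of verifyCertChain, which lies outside the hunk, guarantees that I cannot tell from here, so a guard or a one-line comment at the top of the function would make it explicit.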
@@ -250,6 +250,18 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 t.Fatalf("unexpected error verifying signature, %v", err)
 }
+ // Verify works with expired certificate
+ leafCert, leafKey, _ = testutils.GenerateExpiredLeafCert("subject@example.com", "oidc-issuer", subCert, subKey)
+ pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, subCert, rootCert})
+ pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
+ signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
+ sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
+ s, _ = NewSignature(bytes.NewReader(sigBytes))
+ err = s.Verify(bytes.NewReader(data), pub)
+ if err != nil {
+ t.Fatalf("unexpected error verifying signature with expired cert: %v", err)
+ }
+
 // Verify error with invalid chain
 pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
 pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
diff --git a/tests/sharding-e2e-test.sh b/tests/sharding-e2e-test.sh
index dc1164d29..bcdb3c375 100755
--- a/tests/sharding-e2e-test.sh
+++ b/tests/sharding-e2e-test.sh
@@ -81,6 +81,21 @@ function waitForRekorServer () {
 echo
 }
+function collectLogsOnFailure () {
+ if [[ "$1" -ne "0" ]]; then
+ echo "failure detected, collecting docker-compose logs"
+ docker-compose logs --no-color > /tmp/docker-compose.log
+ exit $1
+ elif docker-compose logs --no-color | grep -q "panic: runtime error:" ; then
+ # if we're here, we found a panic
+ echo "failing due to panics detected in logs"
+ docker-compose logs --no-color > /tmp/docker-compose.log
+ exit 1
+ fi
+ exit 0
+}
+trap "collectLogsOnFailure $?" EXIT
+
 echo "Waiting for rekor server to come up..."
 waitForRekorServer
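Review bot: The new block only checks that verification succeeds; nothing asserts the fixture is actually expired, so if GenerateExpiredLeafCert's window were later adjusted to be still valid this test would keep passing without exercising the CurrentTime change in verifyCertChain. Add before the Verify call `if !leafCert.NotAfter.Before(time.Now()) {` / `t.Fatal("fixture leaf certificate is not expired")` / `}` (importing time if the file does not already). Reassigning leafCert also means the following "Verify error with invalid chain" case now builds its chain from the expired leaf rather than the original one, which presumably still fails for the missing intermediate but is a silent change to what that case covers. Errors from the setup calls are discarded as elsewhere in this test, so a fixture failure would surface as a nil dereference rather than a message. TestPublicKeyWithCertChain starts and ends outside the hunk.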
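Review bot: `trap "collectLogsOnFailure $?" EXIT` expands `$?` when the trap is installed, not when it fires, so the function is always called with the exit status of whatever ran before the trap line (almost certainly 0); the failure branch is unreachable and the unconditional `exit 0` at the end of the function then overwrites the script's real exit status, which can turn a failed e2e run into a green job. Single quotes defer the expansion to trap time: `trap 'collectLogsOnFailure $?' EXIT`. Inside the function, `exit $1` should be `exit "$1"` to match the quoted `[[ "$1" -ne "0" ]]` test above it.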
@@ -231,11 +246,11 @@ echo "Testing /api/v1/log/entries/retrieve endpoint..."
 UUID1=$($REKOR_CLI get --log-index 0 --rekor_server http://localhost:3000 --format json | jq -r .UUID)
 UUID2=$($REKOR_CLI get --log-index 3 --rekor_server http://localhost:3000 --format json | jq -r .UUID)
-HEX_INITIAL_TREE_ID=$(printf "%x" $INITIAL_TREE_ID | awk '{printf "%016s", $0}')
-HEX_INITIAL_SHARD_ID=$(printf "%x" $SHARD_TREE_ID | awk '{printf "%016s", $0}')
+HEX_INITIAL_TREE_ID=$(printf "%x" $INITIAL_TREE_ID | awk '{ for(c = 0; c < 16 ; c++) s = s"0"; s = s$1; print substr(s, 1 + length(s) - 16);}')
+HEX_INITIAL_SHARD_ID=$(printf "%x" $SHARD_TREE_ID | awk '{ for(c = 0; c < 16 ; c++) s = s"0"; s = s$1; print substr(s, 1 + length(s) - 16);}')
-ENTRY_ID_1=$HEX_INITIAL_TREE_ID$UUID1
-ENTRY_ID_2=$HEX_INITIAL_SHARD_ID$UUID2
+ENTRY_ID_1=$(echo -n "$HEX_INITIAL_TREE_ID$UUID1" | xargs echo -n)
+ENTRY_ID_2=$(echo -n "$HEX_INITIAL_SHARD_ID$UUID2" | xargs echo -n)
 # -f makes sure we exit on failure
 NUM_ELEMENTS=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Content-Type: application/json" -H "Accept: application/json" -d "{ \"entryUUIDs\": [\"$ENTRY_ID_1\", \"$ENTRY_ID_2\"]}" | jq '. | length')
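Review bot: The awk loop that zero-pads the tree IDs reimplements what the shell's printf already does: `%016x` pads with zeros in both the bash builtin and coreutils printf, so `HEX_INITIAL_TREE_ID=$(printf "%016x" "$INITIAL_TREE_ID")` and `HEX_INITIAL_SHARD_ID=$(printf "%016x" "$SHARD_TREE_ID")` replace both pipelines and drop the substr step, which would silently keep only the last 16 characters of an unexpectedly long value. The `| xargs echo -n` on ENTRY_ID_1 and ENTRY_ID_2 reads as whitespace trimming, but that intent is not stated; if UUID1/UUID2 can carry stray whitespace, a comment saying so or `${UUID1//[[:space:]]/}` would be clearer than a round trip through xargs. The tree ID variables are assigned earlier in the script, outside this hunk, so whether they can be negative (which printf %x would reject) is not something I can confirm here.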