
Releases: tektoncd/chains

Tekton Chains release v0.15.0

21 Feb 15:25
9950cb5

  • Docs @ v0.15.0
  • Examples @ v0.15.

Highlights

  • 🎉 Sigstore keyless mode promoted out of experimental
  • 🎉 in-toto provenance format now rebranded to slsa/v1 (in-toto remains as an alias).

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.15.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.15.0/release.yaml
REKOR_UUID=24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.15.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
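The loop above only checks one direction: every attested subject must appear in release.yaml, but an image that is in release.yaml without any attestation subject goes unnoticed. As an added example (not code from the Tekton Chains release notes), the following Python carries out the same comparison in both directions on a constructed in-toto Statement and manifest fragment; the image names, registry and digests are made-up placeholders.

```python
"""Cross-check an in-toto attestation's subjects against a release manifest.
Added example, not code from the Tekton Chains release notes; the statement and
manifest below are constructed sample data with placeholder digests."""
import json
import re

# Constructed in-toto Statement shaped like the attestation the release notes
# fetch from Rekor: every subject is an image name plus its sha256 digest.
ATTESTATION_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "gcr.io/example/chains/cmd/controller",
         "digest": {"sha256": "a" * 64}},
        {"name": "gcr.io/example/chains/cmd/helper",
         "digest": {"sha256": "b" * 64}},
    ],
    "predicate": {},
})

# Constructed manifest fragment: the controller image is attested, the sidecar
# is deployed but has no subject, and the helper subject is never deployed.
# Only the last case is flagged by the one-directional grep in the release notes.
RELEASE_YAML = """\
spec:
  containers:
  - name: tekton-chains-controller
    image: gcr.io/example/chains/cmd/controller:v0.15.0@sha256:{a}
  - name: sidecar
    image: registry.example:5000/unrelated/sidecar:v1.2.3@sha256:{c}
""".format(a="a" * 64, c="c" * 64)

# Any digest-pinned image reference: name[:tag]@sha256:<64 hex chars>.
REF_RE = re.compile(r"[^\s\"']+@sha256:[0-9a-f]{64}")


def split_ref(ref):
    """Split 'name[:tag]@sha256:digest' into (name, digest), dropping the tag.

    A ':' after the last '/' is a tag; a ':' before it is a registry port.
    """
    name_tag, _, digest = ref.partition("@sha256:")
    colon = name_tag.rfind(":")
    name = name_tag[:colon] if colon > name_tag.rfind("/") else name_tag
    return name, digest


def attested_images(statement_json):
    """Return the set of (name, digest) pairs the Statement attests to."""
    statement = json.loads(statement_json)
    return {(s["name"], s["digest"]["sha256"]) for s in statement["subject"]}


def manifest_images(manifest_text):
    """Return the set of (name, digest) pairs pinned in the manifest."""
    return {split_ref(m.group(0)) for m in REF_RE.finditer(manifest_text)}


def cross_check(statement_json, manifest_text):
    """Return (unattested, undeployed): manifest images with no matching
    subject, and subjects that never appear in the manifest. A subject whose
    name matches but whose digest differs shows up in both lists."""
    attested = attested_images(statement_json)
    deployed = manifest_images(manifest_text)
    return sorted(deployed - attested), sorted(attested - deployed)


if __name__ == "__main__":
    unattested, undeployed = cross_check(ATTESTATION_JSON, RELEASE_YAML)
    for name, digest in unattested:
        print(f"NOT ATTESTED  {name}@sha256:{digest}")
    for name, digest in undeployed:
        print(f"NOT DEPLOYED  {name}@sha256:{digest}")
```

Matching on (name, digest) rather than on the full `name:tag@sha256:digest` string means a tag mismatch does not hide an otherwise attested image, while a digest mismatch is still reported.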

Changes

Backwards incompatible changes

  • 5fab3e2 Remove tekton as a provenance format (#685) - This was deprecated as of v0.9.0. This completes its removal.
  • 1b47418 Unexport intoto/taskrun funcs. (#668) - This should have no impact unless you were calling chains libraries directly.

Features

  • 82c213c Add labels and annotations to attestation (#692)
  • 05232aa Slsa Branding of Chains Provenance Format (#687)
  • 759d570 Updating provenance branding from intotoite to slsa (#684)
  • b4e5b53 Allow passing in of sha1 digests through StructuredResults (#676)
  • 28a6c69 Issue 642: predicate.materials needs to record more information in PipelineRun (#658)
  • af6c5b4 Promote Sigstore features out of experimental. (#652)
  • 1d48332 Issue 642: predicate.materials needs to record more information (#649)

Fixes

  • 3d0e739 Do not initialize Rekor client if transparency is not enabled (#693)
  • 1b142b5 Fix to prevent adding empty structs into materials. (#678)

Misc

  • 8dc461d Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#701)
  • 08ba781 Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#702)
  • 0a06881 Bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.0 (#696)
  • 49eaca0 Bump google.golang.org/grpc from 1.52.1 to 1.52.3 (#691)
  • b43d824 Bump gocloud.dev/pubsub/kafkapubsub from 0.27.0 to 0.28.0 (#674)
  • d339ef2 Bump google.golang.org/grpc from 1.52.0 to 1.52.1 (#690)
  • f3022d0 Bump github.com/tektoncd/pipeline from 0.43.2 to 0.44.0 (#689)
  • 5cc2a87 Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 (#688)
  • 3ab8dfa Bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 (#686)
  • e075201 Bump github.com/hashicorp/vault/sdk from 0.6.2 to 0.7.0 (#679)
  • a497bbe Run GHA workflows on release branches. (#651)
  • 6a00ef9 Bump github.com/spiffe/go-spiffe/v2 from 2.1.1 to 2.1.2 (#672)
  • 6a167b6 Bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1 (#682)
  • 13f37a2 Bump github.com/google/addlicense from 1.1.0 to 1.1.1 (#681)
  • 6e0f82b Bump gocloud.dev/docstore/mongodocstore from 0.27.0 to 0.28.0 (#673)
  • aecd3d9 Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#670)
  • 61e7faa Bump github.com/tektoncd/pipeline from 0.43.1 to 0.43.2 (#669)
  • bf183c0 Bump github.com/tektoncd/pipeline from 0.43.0 to 0.43.1 (#667)
  • 19a50fb Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#666)
  • 8bbbe55 Cleanup golangci-lint and added additional linters. (#661)
  • 5028b17 Cleanup: use idiomatic Go. (#662)
  • 26fdcbf Cleanup: replaced deprecated ioutil package use. (#660)
  • 7015e14 Update tektoncd/pipeline to 0.43.0 (#659)
  • 9843497 Bump github.com/hashicorp/vault/sdk from 0.6.1 to 0.6.2 (#656)
  • b5efd58 Bump cloud.google.com/go/compute/metadata from 0.2.2 to 0.2.3 (#647)
  • 19b5339 Bump github.com/hashicorp/go-plugin from 1.4.7 to 1.4.8 (#641)

Docs

Thanks

Thanks to these contributors who contributed to v0.15.0!

Tekton Chains release v0.13.1

20 Dec 18:55
de8ce91

  • Docs @ v0.13.1
  • Examples @ v0.13.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.1/release.yaml
REKOR_UUID=24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.13.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • Update go.mod (#650)

Docs

Thanks

Thanks to these contributors who contributed to v0.13.1!

Extra shout-out for awesome release notes:

Tekton Chains release v0.14.0

20 Dec 16:46
7897fa4

  • Docs @ v0.14.0
  • Examples @ v0.14.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.14.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Generalize format loading. (#603)
  • Record invocation.configSource section in slsa provenance (#554)

Fixes

  • Convert times to UTC (#631)
  • test/test_utils: Use kind instead of full GVK for tkn commands. (#648)

Misc

  • Add lcarva, chuangw6 to global approvers. (#619)
  • Added GHA to run go vet and go fmt checks. (#644)
  • Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#643)
  • Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#639)
  • Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 (#638)
  • Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.7 (#637)
  • Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 (#635)
  • Bump cloud.google.com/go/compute/metadata from 0.2.1 to 0.2.2 (#634)
  • Bump go.uber.org/zap from 1.23.0 to 1.24.0 (#633)
  • Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 (#628)
  • Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#627)
  • Bump github.com/tektoncd/pipeline from 0.41.0 to 0.42.0 (#626)
  • Bump github.com/google/addlicense from 1.0.0 to 1.1.0 (#624)
  • Bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 (#623)
  • Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#622)
  • Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 (#621)
  • Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#620)
  • Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#618)
  • Bump github.com/sigstore/cosign from 1.12.1 to 1.13.1 (#617)
  • Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 (#616)
  • Bump scaffolding release, use newer pipelines. (#614)
  • Bump github.com/tektoncd/pipeline from 0.40.1 to 0.41.0 (#606)
  • Bump gocloud.dev, knative.dev/pkg, k8s.io dependencies. (#605)
  • Bump gocloud.dev/docstore/mongodocstore from 0.26.0 to 0.27.0 (#584)
  • Bump gocloud.dev/pubsub/kafkapubsub from 0.26.0 to 0.27.0 (#583)

Docs

  • Add spiffe-csi driver support to authentication part (#604)
  • Update README.md (#611)

Thanks

Thanks to these contributors who contributed to v0.14.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.13.0

08 Nov 15:56
516e492

  • Docs @ v0.13.0
  • Examples @ v0.13.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml
REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# Verify images in manifest (tekton.pub can be found in the chains repo)
cosign manifest verify release.yaml --key=tekton.pub

Changes

Features

  • 🎁 Added support for PipelineRun attestations (#436, #568, #573, #564, #598, #599, #601) 🎉 🎉 🎉
  • 🎁 Allow reading the pull secret from the podTemplate (#579)
  • 🎁 Add feature to extract structured signable targets and store them in subjects and materials in intoto provenance (#491)

Fixes

  • 🐛 Stop reconciliation on unrecoverable error (#607)

Misc

  • 🧹 Removed usage of Tekton Pipelines v1alpha for everything but PipelineResources (#538)
  • 🧹 Removed tekton-provenance storage option (#590). This was already partially deprecated in v0.8.0; this change removes the lagging config options.

Docs

  • 📖 getting rid of 'pipelien' (#526)
  • 📖 Add the OpenSSF badge to the main README (#580)
  • 📖 fix: pubusub to pubsub in storage backend support of experimental features (#582)

Thanks

Thanks to these contributors who contributed to v0.13.0!

Extra shout-out for awesome release notes:

v0.12.0

31 Aug 19:33

🎉 v0.12.0 🎉

  • Docs @ v0.12.0
  • Examples @ v0.12.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf

Obtain the attestation:

REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml
REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.12.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Grafeas storage for non-image artifacts (#531)
    Supports other artifact types, such as Maven, in the Grafeas storage backend.
  • ✨ Make grafeas notehint configurable and change the BuildType field (#495)
    Adds a storage.grafeas.notehint field to the configmap so that the note hint field of the Grafeas attestation note can be customized.

Fixes

  • Fix param value ordering in materials #527
  • Fix for issue #515: only the signers that are configured for at least one artifact are initialized (#519)
  • Fix the default value for builder.id in the config doc (#498)

Misc

  • Bump to use scaffolding v0.4.3. (#518)
  • Pin to scaffolding v0.4.2, test with k8s 1.22, 1.23, and 1.24. (#513)
  • Pinning sigstore/scaffolding/actions/setup version (#512)
  • Use industry standard names for payloadType field (#509)
  • Fix typo in v0.3.0-build-chains-taskrun.yaml. (#505)

Docs

  • 📖 Add pull_request_template.md. (#511)
  • 📖 Clarify documentation for (#510)
  • Add more supported GCP KMS key ref formats in config doc (#506)

Thanks

Thanks to these contributors who contributed to v0.12.0!

v0.11.0

26 Jul 18:25

🎉 v0.11.0 🎉

  • Docs @ v0.11.0
  • Examples @ v0.11.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9

Obtain the attestation:

REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml
REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.11.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Add Intoto Signable Target support in Chains using strings in results. (#465)

Misc

  • Switch to Grafeas v1 API in grafeas storage (#453)

Thanks

Thanks to these contributors who contributed to v0.11.0!

Extra shout-out for awesome release notes:

v0.10.0

28 Jun 22:19
7894a22

🎉 v0.10.0 🎉

  • Docs @ v0.10.0
  • Examples @ v0.10.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7

Obtain the attestation:

REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml
REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.10.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Add s390x arch support to chains (#463)
  • Add ppc64le arch support to chains (#461)
  • Allow TaskRun payloads other than IMAGE_URL (#444)
  • add mongodb service support (#390)

Fixes

  • Fix error msg in case no image produced (#464)
  • Fix default params in attestation invocation (#449)
  • Change SCC from anyuid to nonroot (#432)

Misc

  • Disable unit test for grafeas backend creation (#446)

Docs

Thanks

Thanks to these contributors who contributed to v0.10.0!

Extra shout-out for awesome release notes:

v0.9.0

05 May 17:14

🎉 v0.9.0 🎉

  • Docs @ v0.9.0
  • Examples @ v0.9.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml

Attestation

The Rekor UUID for this release is b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89

Obtain the attestation:

REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.9.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match, so
  # '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Specify provider and oidc issuer when requesting fulcio cert (#440)
  • Add support for Grafeas storage backend (#389)
  • Add support for PubSub storage backend (#386)
  • Adding Spire OIDC for Vault authentication (#369)

Deprecation Notices

The tekton-provenance format has officially been removed in this release. Please switch to the in-toto format by running:

kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

  • Remove tekton-provenance format (#439)

In current release:

Fixes

  • Fix flaky grafeas unit test (#427)

Misc

  • Fix nightly builds (#422)
  • Use sigstore/scaffolding github actions now that it's out there. (#409)
  • Revert default fulcio URL to fulcio.sigstore.dev (#388)

Docs

  • Add docs for secrets based on existing credentials (#430)
  • Add godoc documentation (#414)
  • Add community tutorial subsection (#379)
  • Fix default fulcio addr in docs (#365)

Thanks

Thanks to these contributors who contributed to v0.9.0!

Extra shout-out for awesome release notes:

v0.8.0

04 Feb 23:09

🎉 v0.8.0 🎉

  • Docs @ v0.8.0
  • Examples @ v0.8.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml

Verify the Release

The Rekor UUID for this release is 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735

Obtain the attestation:

rekor-cli get --uuid 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735 --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml 
REKOR_UUID=03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.8.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match on the
  # digest part, so '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
  cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done

Features

  • Add chains-info ConfigMap with version info (#338)

Deprecation Notices

  • This release marks a new default value for signers.x509.fulcio.address. The default value was previously https://fulcio.sigstore.dev, and it is now https://v1.fulcio.sigstore.dev to match the default in cosign. The old value can still be set by running:

kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"signers.x509.fulcio.address": "https://fulcio.sigstore.dev"}}'

Fixes

  • Bump go-containerregistry and k8schain to pick up new cred helpers (#364)
  • Pass in authentication when getting remote image (#361)
  • Change default Fulcio URL to match cosign's (#360)
  • Add securityContext to controller pod (#346)

Misc

  • Remove un-used options from artifacts.oci.format and artifacts.oci.storage (#334)

Docs

  • Fix namespace typo (#357)

Thanks

Thanks to these contributors who contributed to v0.8.0!

Extra shout-out for awesome release notes:

v0.7.0

19 Jan 18:42

🎉 v0.7.0 🎉

  • Docs @ v0.7.0
  • Examples @ v0.7.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml

Verify the Release

The Rekor UUID for this release is 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef

Obtain the attestation:

rekor-cli get --uuid 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml 
REKOR_UUID=95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.7.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  # printf gets an explicit format string and grep a fixed-string match on the
  # digest part, so '%' and '.' in an image reference cannot be misinterpreted
  printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
  cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done

Features

  • Add support for all of cosign's ambient credentials. (#319)
  • Allow IMAGES result to be separated by newlines (#315)
  • added multi-backend support (#302)
  • Implement missing features to OCI backend (#284)

Deprecation Notices

  • 🚨 - Deprecate the tekton-provenance predicate format (#292)

This feature will be removed in v0.8.0. To switch to the in-toto format, which is now the preferred format, please run:

kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

Fixes

  • Make builder id for SLSA provenance valid URI (#331)
  • Make SLSA provenance v0.2 invocation.parameters compliant with spec (#307)
  • Fix bugs in provenance implementation for materials.digest (#310)
  • Fix bug in uploading signatures to OCI (#298)

Docs

  • Fix in-toto chains docs typos (#337)
  • Add installation instructions for OpenShift (#335)
  • Use cosign flags with 2 hyphens (#327)

Thanks

Thanks to these contributors who contributed to v0.7.0!

Extra shout-out for awesome release notes: