
Releases: tektoncd/chains

v0.6.1

04 Dec 00:27

🎉 v0.6.1 🎉

  • Docs @ v0.6.1
  • Examples @ v0.6.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.1/release.yaml

Verify the Release

The Rekor UUID for this release is a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a

Obtain the attestation:

rekor-cli get --uuid a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.1/release.yaml
REKOR_UUID=a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a

# Obtain the list of images (name:tag@sha256:digest) from the attestation subjects
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.6.1@sha256:" + .digest.sha256')

# Download the release file (-f: fail on an HTTP error instead of saving the error page)
curl -fsSL "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match its digest (the part after '@') to the release file,
# then verify that the image was signed with cosign (github.com/sigstore/cosign)
# and that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match"
  cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done

Fixes

  • Fix bug in uploading signatures to OCI (#298)

Thanks

Thanks to these contributors who contributed to v0.6.1!

Extra shout-out for awesome release notes:

v0.6.0

03 Dec 22:01

🎉 v0.6.0 🎉

Note: This release has a known bug uploading signatures and attestations to OCI. A point release with a fix should be out soon!

  • Docs @ v0.6.0
  • Examples @ v0.6.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.0/release.yaml

Changes

Features

  • Capture step information in recipe.arguments for in-toto/slsa Provenance (#272)
  • Upgrade slsa-provenance format to v0.2 (#291)
  • Add new signing and storage features (#245)

Deprecation Notices

  • 🚨 - Deprecate the tekton-provenance predicate format (#292)

This format will be removed in v0.8.0. To switch to the in-toto format, which is now the preferred format, run:

kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

Fixes

  • fix: look for materials/git metadata in taskrun results too (#263)
  • Fix bug uploading slsa-provenance attestations to oci (#255)

Docs

  • 📖 Add front matter to docs (#285)
  • docs: generate keypair using k8s://foo/bar (#257)
  • fix link to intoto docs (#256)

Thanks

Thanks to these contributors who contributed to v0.6.0!

Extra shout-out for awesome release notes:

Tekton Chains v0.5.0

24 Sep 23:00

🎉 v0.5.0 🎉

  • Docs @ v0.5.0
  • Examples @ v0.5.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.5.0/release.yaml

Fixes

  • Fix _type field in in-toto provenance generation (#235)
  • Fix bug in transparency log uploads (#233)
  • Fix another bug in materials and add integration test (#230)
  • Check task status params to create materials for provenance (#229)
  • Fix bug in storing attestations in OCI registry (#227)
  • fix incorrect cd (#223)
  • Fix some bugs in uploading attestations (#220)

Misc

  • Simplify looking up the RekorAnnotation, add Unit Test for HandleRetry failure (#232)
  • Bump in-toto dependency. (#226)
  • Bump most dependencies (outside of the k8s codegen and client-go). (#222)
  • Switch the linter from golint to revive. (#219)
  • 🔨 Bump Pipeline, Knative, K8s deps (#218)

Docs

  • Add tutorial for generating signed provenance (#238)
  • Add minor chains tutorial enhancements (#228)

Verify the Release

The Rekor UUID for this release is 3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f

Obtain the attestation:

rekor-cli get --uuid 3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.5.0/release.yaml
REKOR_UUID=3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f

# Obtain the list of images (name:tag@sha256:digest) from the attestation subjects
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.5.0@sha256:" + .digest.sha256')

# Download the release file (-f: fail on an HTTP error instead of saving the error page)
curl -fsSL "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file,
# then verify that the image was signed with cosign (github.com/sigstore/cosign)
# and that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
  cosign verify -key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
  cosign verify-attestation -key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
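The "Verify the Release" scripts above (for v0.6.1 and v0.5.0) compare the attestation's subjects with the release file in one direction only: every attested image must appear in release.yaml. They do not ask the reverse question, whether every image the manifest deploys has an attested subject, nor do they distinguish an image whose digest differs from the one attested. The following Python is an added example, not part of the Chains project or these release notes; it reproduces the jq/grep step offline against a constructed rekor-cli-style entry and a constructed manifest excerpt (the image names, digests and the `gcr.io/example/...` registry are made up for the example), reports both directions plus digest mismatches and unpinned images, and leaves the cosign signature checks to the scripts above, which it does not replace.

```python
"""Cross-check in-toto attestation subjects against a release manifest.

Added example (not tektoncd/chains code). The rekor-cli entry and the
manifest below are constructed for the example.
"""
import base64
import json
import re

# Constructed: the .Attestation field of `rekor-cli get --format json` is the
# base64-encoded in-toto Statement; subject names carry no tag, only a digest.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "gcr.io/example/chains/controller", "digest": {"sha256": "a" * 64}},
        {"name": "gcr.io/example/chains/webhook", "digest": {"sha256": "b" * 64}},
    ],
    "predicate": {},
}
REKOR_ENTRY = {"Attestation": base64.b64encode(json.dumps(_STATEMENT).encode()).decode()}

# Constructed release.yaml excerpt. The webhook digest deliberately differs
# from the attested one, so the example shows how a mis-pinned image surfaces.
RELEASE_YAML = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: controller
        image: gcr.io/example/chains/controller:v0.6.1@sha256:%s
      - name: webhook
        image: gcr.io/example/chains/webhook:v0.6.1@sha256:%s
""" % ("a" * 64, "c" * 64)


def split_ref(ref):
    """Split 'name[:tag]@sha256:digest' into (name, digest); digest is None when unpinned."""
    name_tag, _, digest = ref.partition("@sha256:")
    # Only a ':' after the last '/' separates a tag; an earlier ':' is a
    # registry port (e.g. localhost:5000/img) and belongs to the name.
    slash, colon = name_tag.rfind("/"), name_tag.rfind(":")
    name = name_tag[:colon] if colon > slash else name_tag
    return name, (digest or None)


def attestation_subjects(rekor_entry):
    """Decode the base64 Statement and return {subject name: sha256 digest}."""
    statement = json.loads(base64.b64decode(rekor_entry["Attestation"]))
    return {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}


def release_images(release_yaml):
    """Return {name: sha256 digest or None} for every 'image:' line of the manifest."""
    images = {}
    for match in re.finditer(r"image:\s*(\S+)", release_yaml):
        name, digest = split_ref(match.group(1))
        images[name] = digest
    return images


def cross_check(rekor_entry, release_yaml):
    """Compare attestation subjects and manifest images in both directions."""
    attested = attestation_subjects(rekor_entry)
    released = release_images(release_yaml)
    result = {"ok": [], "mismatched": [], "unpinned": [], "missing_from_release": [], "unattested": []}
    for name, digest in attested.items():
        if name not in released:
            result["missing_from_release"].append(name)   # attested but not deployed
        elif released[name] is None:
            result["unpinned"].append(name)               # no digest: cannot be matched
        elif released[name] != digest:
            result["mismatched"].append(name)             # deployed digest != attested digest
        else:
            result["ok"].append(name)
    for name in released:
        if name not in attested:
            result["unattested"].append(name)             # deployed but no provenance subject
    return result


if __name__ == "__main__":
    report = cross_check(REKOR_ENTRY, RELEASE_YAML)
    for category, names in report.items():
        for name in names:
            print("%-20s %s" % (category, name))
```

Only an empty `mismatched`, `unpinned`, `unattested` and `missing_from_release` set means the manifest and the attestation describe the same set of images; the cosign `verify` and `verify-attestation` calls from the scripts above are still needed to establish that the attestation itself is authentic.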

Thanks

Thanks to these contributors who contributed to v0.5.0!

Extra shout-out for awesome release notes:

Tekton Chains v0.4.0

27 Aug 15:26

🎉 Chains v0.4.0 🎉

  • Docs @ v0.4.0
  • Examples @ v0.4.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.4.0/release.yaml

Changes

Features

  • Add KeyID (public key fingerprint) to signature (#209)
  • Add support for uploading attestations to OCI registries (#208)
  • Add chains finalizer to taskruns. (#185)
  • Explicitly pass in URL for provenance materials (#177)
  • Add manual option for uploads to transparency log (#175)

Backwards incompatible changes

Fixes

  • πŸ› Drop GCS storage backend from unit testing. (#215)
  • Fix GIT_URL in release Pipeline (#216)
  • Fix TestGCSStorage test (#214)
  • Try to sign a TaskRun a maximum of 3 times (#207)
  • Only upload to the tlog once! (#202)
  • Doc-removed gen x509 Keypair, fixed cosign gen (#200)
  • add missing recipe_uri in JSON (#182)

Misc

  • 🔨 Pull in the latest tektoncd/pipeline codegen (and knative/pkg) (#201)
  • Implemented license header check (#189)
  • Bump github.com/tektoncd/pipeline from 0.25.0 to 0.26.0 (#186)
  • Configure release to include materials section in provenance (#176)

Docs

  • Removed the link to broken README.md within test (#197)

Thanks

Thanks to these contributors who contributed to v0.4.0!

Extra shout-out for awesome release notes:


v0.3.0

28 Jul 15:50

🎉 Chains v0.3.0 🎉

  • Docs @ v0.3.0
  • Examples @ v0.3.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.3.0/release.yaml

Changes

Features

  • Add IMAGES results type, to be used for releases (#153)
  • Add support for uploading certs to rekor (#148)
  • Fulcio signing in Chains (#147)
  • Bump sigstore deps to pick up AWS KMS support. (#142)
  • Add support for hinting multiple images as results (#129)
  • Container native provenance predicate (#128)
  • Support AWS DynamoDB in docdb package (#125)
  • Transparency log uploads in chains! (#121)
  • Support the ITE-5 signing spec (#109)

Deprecation Notices

  • Remove PGP signing! (#144)

Fixes

  • Fix docdb behavior on retries (#126)
  • Fix format directive. (#160)
  • Fix auth bug for pushing images in release pipeline (#170)
  • Store cert/chain when wrapping payloads (#169)
  • Don't require prefix when image hinting (#134)

Misc

  • Change the ServiceAccount identity used for OCI storage backend. (#163)
  • Update in-toto to pick up the new SSL/DSSE spec. (#127)

Docs

  • Add some details to the roadmap (#136)

Thanks

Thanks to these contributors who contributed to v0.3.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.2.0 "Tekton Chains"

07 Jun 21:49

🎉 v0.2.0 Release 🎉

  • Docs @ v0.2.0
  • Examples @ v0.2.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.2.0/release.yaml

Features

  • in-toto attestations (ITE-6) as a formatter. (#89)

Docs

  • Add kaniko Task and TaskRun example (#94)
  • Add authentication doc (#93)

Thanks

Thanks to these contributors who contributed to v0.2.0!

Extra shout-out for awesome release notes:

v0.1.0

12 May 22:39
Pre-release

Tekton Chains v0.1.0 Release

This is the first release of Tekton Chains! Note that this is not a production-ready release; it exists to make sure our release process works as expected 😄

Stay tuned for the v0.2.0 release, which should have a bunch of cool new features!

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.1.0/release.yaml

Thank you to our contributors!

  • Dan Lorenc
  • Ivan Font
  • Christie Wilson
  • Luke Hinds
  • sbwsg@
  • Priya Wadhwa