v1.0.0-alpha.1

Notable updates since v0.1.4-alpha.1

• AWS irsa basic auth provider support
• Renamed store/policy/verifier to fix configuration file inconsistencies
• Artifact Spec RC1 Support

Changelog

• 24f687b Adding E2E test on PR (#197)
• c7447ea Adding meeting series #1 and #2 (#234)
• 0d7f470 Adding pull request template (#203)
• 78ec479 Artifact Spec RC1 Support (#232)
• f47c754 Fix Configuration File Inconsistencies (#235)
• eca0f81 Fix Go Dependency Errors (#246)
• e9eecce Fix dependencies (#213)
• 00bb7e7 Fix for Issue 207 - spec SA by name (#208)
• 58e25b7 Issue 218 aws irsa basic auth provider (#224)
• c0f52bd Prepare for v1.0.0alpha1 release (#243)
• c5c814f Update go releaser template to use go mod tidy 1.17 compat (#247)
• 0bd2d8c add design docs (#237)
• 013be6f chore: bump github.com/Azure/azure-sdk-for-go (#200)
• 7a12d8a chore: bump github.com/Azure/azure-sdk-for-go (#214)
• a55a9b4 chore: bump github.com/Azure/azure-sdk-for-go (#226)
• ffc9457 chore: bump github.com/docker/cli (#199)
• 903f2c1 chore: bump github.com/docker/cli (#217)
• 7c0eb34 chore: bump goreleaser/goreleaser-action from 2 to 3 (#202)
• 3d7b7b5 chore: bump k8s.io/api from 0.22.9 to 0.22.10 (#205)
• c803db3 chore: bump k8s.io/api from 0.24.1 to 0.24.2 (#222)
• 219e4a3 chore: bump k8s.io/client-go from 0.22.9 to 0.22.10 (#204)
• d246241 chore: bump k8s.io/client-go from 0.24.1 to 0.24.2 (#220)
• b3106ab consolidating meeting series into single invite (#239)
• 9d56bbe fix auth provider name (#209)
• ebe28bd manually removing vulnerable packages from go.sum (#238)
• 123200b refine ratify-verify-azure-cmd.md and update the installation links (#240)
• 0f35055 update cosign to 1.9.0 (#219)
• a87389c updating docs to reflect new policy config (#228)
• cfb385d updating packages to address security fix (#236)
• b19c691 upgrade opa and constraint version to fix vulnerability (#210)

v0.1.4-alpha.1

Notable updates since v0.1.3-alpha.1

This release contains a fix for the helm charts so service accounts are handled correctly

Changelog

• 91cae2d Adding a note about meeting cancellation communication (#185)
• d11013d Configure dependabot for ratify (#179)
• bedf07b Create Service Account for Azure Workload ID in Helm chart (#180)
• a4cca38 Replace hard-coded URL with helm vars (#184)
• a8ff41c Review policy (#172)
• 86cccd3 Update Policy Provider (#159)
• 9948301 Updated Get Started instructions with published chart (#170)
• 2212d76 chore: bump actions/checkout from 2 to 3 (#182)
• 8f08d85 chore: bump actions/setup-go from 1 to 3 (#181)
• 6b2599d chore: bump docker/login-action from 1 to 2 (#186)
• e555296 preparing for 0.1.4 release (#198)

What's Changed

• Updated Get Started instructions with published chart by @susanshi in #170
• Update Policy Provider by @akashsinghal in #159
• Review policy by @susanshi in #172
• Configure dependabot for ratify by @susanshi in #179
• Create Service Account for Azure Workload ID in Helm chart by @lee0c in #180
• Update hardcoded URL in provider.yaml to allow flexibility with regard to namespace by @lee0c in #184
• chore: bump actions/checkout from 2 to 3 by @dependabot in #182
• chore: bump actions/setup-go from 1 to 3 by @dependabot in #181
• Adding a note about meeting cancellation communication by @susanshi in #185
• chore: bump docker/login-action from 1 to 2 by @dependabot in #186
• preparing chart for 0.1.4 release by @susanshi in #198

New Contributors

• @lee0c made their first contribution in #180

Full Changelog: v0.1.3-alpha1...v0.1.4-alpha.1

v0.1.3-alpha1

Notable updates since v0.1.2-alpha.1

• Upgrade ORAS to v2 bringing significant performance improvements
• Adding support for loading notary verification certificates from directories
• Improve authentication cache with expiry and eviction logic on error

Changelog

• 6d60c97 Add Auth Cache Eviction (#156)
• f992403 Add ORAS Authentication Provider Documentation (#142)
• 5885a27 Adding Auth Provider Templates to Chart (#154)
• da63859 Bug fix and improvement to loading notary verification certs (#150)
• 9096f0e CSI Driver template update for work load id (#158)
• 4262f5c Update sample configs with multiple cert (#163)
• ed76d14 Update validating webhook timeout to 7 seconds (#160)
• a3eabda Upgrade ORAS to v2 (#148)
• 3bea243 Use ORAS FetchReference (#162)
• f6d3179 add 12 hour expiry for k8 secret (#151)
• f743688 add isSuccess to all empty verify result reports to fix isSuccess not showing up (#157)
• 0e7d258 add publish helm chart action on release (#166)
• bee2c37 bump golang to 1.17 (#149)
• d915510 bumping go to 1.17 (#169)

v0.1.2-alpha.1

Notable updates since v0.1.1-alpha.1

• Add Authentication Support to private registry using Azure workload identity and k8 secrets
• Add licensechecker plugin and docs
• Updated sigstore/cosign version from 1.1.0 to 1.5.2, this contains a breaking change which means cosign plugin will only be able to validate signatures generated from cosign version > 1.3

Changelog

• 1f0b7d4 Add Authentication Provider Support (#123)
• 237e38a Add Azure Workload Identity Auth Provider (#129)
• 90c7bbd Add K8 Secret Auth Provider (#137)
• f40c0d9 Add licensechecker plugin and docs (#118)
• 1854ff5 Add support for authenticating registries with Docker config (#106)
• 54e9dde Added NOTICES file (#75)
• 737540a Added helm charts and make targets to deploy ratify in k8s (#86) (#87)
• 5f5cb9b Added resolving tag to digest in the store interface (#77)
• 819dcea Added support to create docker config secret from command line (#107)
• fe766c5 Bump github.com/docker/distribution (#136)
• 9953abc Bump github.com/sigstore/cosign from 1.1.0 to 1.5.2 (#140)
• a57f4b9 Cleanup old deployment files (#95)
• ee5d9d8 Draft of EKS walkthrough (#110)
• 165ccb9 Fix broken link in README (#96)
• 6307103 Fix for cosign verifier (#115)
• c27b19c Fix issue with oras local cache path (#130)
• 1a2d3d7 Prepare chart for v0.1.1-alpha.1 release (#103) (#108)
• c0a5df2 README: Update Gatekeeper external provider link (#109)
• cb76cf8 Remove useHttp flag (#113)
• f33ca40 Support notary verification certification load from directory (#141)
• 2628973 Support private registry in oras (#102)
• efe40f7 Update Provider handler as per the Gatekeeper external data provider spec (#83)
• acb82ee Update artifacts with mediaType as per v1.0.0-draft.1.1 (#97)
• f04f5e6 Update readme with community meeting information (#128)
• 79875e7 Update to use k8s in readme (#98)
• 240121e Updates to deployment helm chart to support Certificate from Azure Key vault (#112)
• fea5121 Upgrade the versions of oras-go and OCI image spec (#89)
• 6edd4ce [Bugfix] Updating default timeout (#116)
• 65a2965 adding weekly notes link to readme (#117)
• dd2ab5a minor fix: update the license in readme (#80)
• 4ff60fa update dockerfile (#119)

v0.1.1-alpha.1

This release includes bug fixes and new features.

Notable updates since v0.1.0-alpha.1

• Tag to digest support for image resolution
• Helm chart for deploying Ratify to Kubernetes clusters
• Support for authenticating to private registries

Changelog

• 1854ff5 Add support for authenticating registries with Docker config (#106)
• 54e9dde Added NOTICES file (#75)
• 737540a Added helm charts and make targets to deploy ratify in k8s (#86) (#87)
• 5f5cb9b Added resolving tag to digest in the store interface (#77)
• 819dcea Added support to create docker config secret from command line (#107)
• a57f4b9 Cleanup old deployment files (#95)
• 165ccb9 Fix broken link in README (#96)
• b589318 Prepare chart for v0.1.1-alpha.1 release (#103)
• 2628973 Support private registry in oras (#102)
• efe40f7 Update Provider handler as per the Gatekeeper external data provider spec (#83)
• acb82ee Update artifacts with mediaType as per v1.0.0-draft.1.1 (#97)
• 79875e7 Update to use k8s in readme (#98)
• fea5121 Upgrade the versions of oras-go and OCI image spec (#89)
• dd2ab5a minor fix: update the license in readme (#80)

v0.1.0-alpha.1

Initial Alpha Release

This is an alpha release of Ratify. It includes the initial feature set and scaffolding to allow contributors to integrate additional referrer stores and verifiers.

Features

• Support for running from CLI and as a web service
• Support for registries supporting the oras artifact spec
• Support for verifying notation signatures
• Support for verifying cosign signatures
• Support for artifact discovery
• Plugin architecture for integration of additional referrer stores and verifiers.
• Support for "any" or "all" policy on validation checks

Commits

f931af6 Add ORAS and notaryv2 as built-in providers into the framework. (#20)
3e89635 Add Security Reporting Instructions (#41)
ca9fb31 Add an example policy for referrers not found case (#37)
7285b5c Add contribution guidelines (#23)
834a718 Add cosign verifier with ability to discover cosign tag based artifacts in the ociregistry store
2cd1cf6 Add deployment files and other changes to support enabling Hora in OPA Gatekeeper.
ae28fbc Add initial design docs (#29)
4eefe37 Add quick start tutorial with latest steps for creating supply chain graph (#72)
8bc2cdc Add trademark notice (#39)
b3c988a Added PHONY targets (#62)
b840e4a Added artifact hierarchy
6d3d6ce Added comments to all exported members (#73)
2afbf86 Added copyright header (#64)
5aff12f Added makefile with build and install commands
fa0bafb Added section about nested verifiers and config
f53a538 Added subject response
c02a978 Added tests to common, utils, store and verifier packages (#63)
6aa75ff Added tests to executor core package (#66)
15f9ece Added version command (#69)
d75d877 Adding code of conduct info
b2ecbb3 Addressed PR feedback and added README.md
3eb5c1a Consider artifact verification policy per artifact type (#26)
8b2d50d Demo script for discovering & verifying supply chain content using Hora (#42)
8d3bc92 Fix branch in README (#60)
218241d Fix go test to walk the source (#58)
a523cba Fix make install location
d8f3566 Fixed markdown linting errors and links (#71)
85d92d8 Fixed markdown linting rules and added warnings (#25)
3eb753a Hora prototype with verify and referrer commands
73884ac Initial commit
8a0a3d0 Merge pull request #1 from deislabs/codeofconduct
ccb214e Merge pull request #12 from sajayantony/dev
f3d2e73 Merge pull request #15 from mnltejaswini/cosign
438749e Merge pull request #19 from mnltejaswini/k8s
5b7510d Merge remote-tracking branch 'origin/docs' into dev
4c9ff75 Oras go integration (#50)
e24f04f Pass the referrer store config to plugin so that they can query the store directly
467ea25 Ratify (#53)
29c9cf4 Release action (#34)
4d21ee7 Show the full reference
e53c31a Trimmed goreleaser and fixed version (#70)
ce33a4c Update import paths (#22)
8a75765 Update license to Apache (#49)
6db56bb Update notary v2 to use notation-go-lib (#38)
9c34bf7 Updated README.md with details of components
98562df Updated package location to deislabs
a1f6614 Updating setup steps (#33)
52d28b7 add git commit id as a docker image label (#68)
8a2f9ee add license statement to readme
666ddf6 build and publish a docker image (#67)
fda00bf run basic verifications on PR to main (#51)
6eab22e specify versioning and release procedures for hora project (#27)