v2.11.0

This release allows a user to get/set arbitrary metadata stored directly in an object descriptor. Previously, metadata could only be utilized for a limited set of data types (DataCryptoMessage, DataPartition, DataSignature, DataSBOM.)

Specifically, the following APIs have been added:

• func OptMetadata: set metadata when creating an object Descriptor with func NewDescriptorInput.
• func (Descriptor) GetMetadata: get metadata from a Descriptor.

What's Changed

• build(deps): bump github.com/sigstore/sigstore from 1.5.2 to 1.6.0 by @dependabot in #267
• feat: custom metadata support by @tri-adam in #268
• fix: set descriptor timestamp(s) in SetPrimPart by @tri-adam in #272

Full Changelog: v2.10.0...v2.11.0

v2.10.0

This release adds , which allows a context.Context to be used for cancellation of sign/verify operations.

Specifically, the following APIs have been added:

• func OptSignWithContext: supply a context.Context when calling NewSigner
• func OptVerifyWithContext: supply a context.Context when calling NewVerifier

What's Changed

• fix: add nolint to silence go-errorlint by @tri-adam in #264
• build(deps): bump github.com/sigstore/sigstore from 1.5.1 to 1.5.2 by @dependabot in #263
• Expose Context in Sign/Verify by @tri-adam in #259

Full Changelog: v2.9.2...v2.10.0

v2.9.2

What's Changed

• build(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.4.0 to 0.5.0 by @dependabot in #257
• build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #260
• deps: bump github.com/ProtonMail/go-crypto by @tri-adam in #261

Full Changelog: v2.9.1...v2.9.2

v2.9.1

What's Changed

• test: move gen_sifs.go to images dir by @tri-adam in #248
• test: add testing against Go 1.20 RC by @tri-adam in #250
• build(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 by @dependabot in #252
• build(deps): bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1 by @dependabot in #253
• Bump Go Version by @tri-adam in #254
• ci: bump golangci-lint to v1.51 by @tri-adam in #255
• Refactor Test Key Corpus by @tri-adam in #256

Full Changelog: v2.9.0...v2.9.1

v2.9.0

This release adds support for digital signature data objects in Dead Simple Signing Envelope (DSSE) format. This adds support for digital signatures that use non-PGP key material sources.

Specifically, the following APIs have been added:

• func OptSignWithSigner: use a signature.Signer as key material when calling NewSigner.
• func OptVerifyWithVerifier: use one or more signature.Verifier as key material when calling NewVerifier.
• func (VerifyResult) Keys: get the public key(s) used to verify a signature.

What's Changed

• Rename PGP test files by @tri-adam in #243
• DSSE support by @tri-adam in #228
• build(deps): bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 by @dependabot in #246
• Expose non-PGP digital signature support by @tri-adam in #245
• chore: bump node version by @tri-adam in #247

Full Changelog: v2.8.3...v2.9.0

v2.8.3

What's Changed

• SBOM support for siftool by @tri-adam in #238
• build(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in #240
• Handle signature descriptors without fingerprints by @tri-adam in #241
• Bump github.com/ProtonMail/go-crypto by @tri-adam in #242

Full Changelog: v2.8.2...v2.8.3

v2.8.2

What's Changed

• Refactor groupSigner by @tri-adam in #231
• ci: run govulncheck during build-and-test workflow by @tri-adam in #232
• Bump golangci-lint to v1.50 by @tri-adam in #233
• build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in #235
• Refactor verifyTask by @tri-adam in #236
• Bump github.com/ProtonMail/go-crypto by @tri-adam in #237

Full Changelog: v2.8.1...v2.8.2

v2.8.1

This security patch release addresses an issue with previous versions of the github.com/sylabs/sif/v2/pkg/integrity package, which did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. Users are encouraged to upgrade. More information is available in GHSA-m5m3-46gj-wch8.

Full Changelog: v2.8.0...v2.8.1

v2.8.0

This release adds support for embedded Software Bills of Materials (SBOM) within SIF images.

What's Changed

• Bump golangci-lint to v1.49 by @tri-adam in #226
• SBOM support by @tri-adam in #227
• ci: remove rowserrcheck linter by @tri-adam in #229

Full Changelog: v2.7.2...v2.8.0

v2.7.2

What's Changed

• Bump golangci-lint by @tri-adam in #217
• build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #219
• Go 1.19 Support by @tri-adam in #220
• Make Default Alignment System-Independent by @tri-adam in #222
• Bump Linter to 1.48 by @tri-adam in #223
• Bump github.com/ProtonMail/go-crypto dependency by @tri-adam in #224
• Bump Node to v18 by @tri-adam in #225

Full Changelog: v2.7.1...v2.7.2