Releases: in-toto/go-witness

v0.6.0

17 Jun 11:45
v0.6.0
21299c3

What's Changed

Full Changelog: v0.5.2...v0.6.0

v0.5.2

13 Jun 21:31
4f3e5c4
fix: disable omnitrail attestor on windows (#278)

Currently omnitrail expects a POSIX filesystem, which Windows does not
supply. This causes Windows builds to break when compiled with the
omnitrail attestor. This PR adds a build flag to skip the omnitrail
attestor when building for Windows.

Signed-off-by: Mikhail Swift <[email protected]>

v0.5.1

13 Jun 20:15
v0.5.1
9f32585

What's Changed

  • Allow attestors to have multiple types by @jkjell in #277

Full Changelog: v0.5.0...v0.5.1

v0.5.0

13 Jun 15:32
v0.5.0
a4911fd

What's Changed

  • chore: bump actions/checkout from 4.1.5 to 4.1.6 by @dependabot in #249
  • chore: bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #250
  • chore: bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #251
  • chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.31.1 to 1.31.3 by @dependabot in #252
  • chore: bump k8s.io/apimachinery from 0.29.4 to 0.29.5 by @dependabot in #253
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.13 to 1.27.15 by @dependabot in #255
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.15 to 1.27.16 by @dependabot in #258
  • chore: bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in #259
  • chore: bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #263
  • chore: bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @dependabot in #262
  • feat: add git refs to go witness git attestor by @kriscoleman in #265
  • Added issues and PR template in .github by @DarikshaAnsari in #261
  • chore: bump step-security/harden-runner from 2.8.0 to 2.8.1 by @dependabot in #273
  • chore: bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @dependabot in #272
  • chore: bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #271
  • Feat/SBOM attestor by @jkjell in #268
  • Step analyze fix by @jkjell in #257
  • Parallel attestors per type by @matglas in #228
  • feat: adding omnitrail attestor by @fkautz in #256
  • Working Dir support for SBOM attestor by @jkjell in #274
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.18 by @dependabot in #269
  • Bump archivista, golang, and go-jose by @jkjell in #276

Full Changelog: v0.4.0...v0.5.0

v0.4.0

17 May 17:00
5e04111

What's Changed

  • chore: bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #175
  • chore: bump actions/download-artifact from 4.1.2 to 4.1.4 by @dependabot in #176
  • chore: bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @dependabot in #178
  • chore: bump github.com/aws/aws-sdk-go from 1.50.27 to 1.50.30 by @dependabot in #177
  • chore: bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 by @dependabot in #180
  • chore: bump gopkg.in/go-jose/go-jose.v2 from 2.6.2 to 2.6.3 by @dependabot in #179
  • chore: bump softprops/action-gh-release from 1 to 2 by @dependabot in #181
  • chore: bump google.golang.org/grpc from 1.62.0 to 1.62.1 by @dependabot in #182
  • chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.29.1 to 1.29.2 by @dependabot in #183
  • chore: bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot in #186
  • chore: bump github/codeql-action from 3.24.6 to 3.24.8 by @dependabot in #187
  • chore: bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #188
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.8 by @dependabot in #189
  • chore: bump github/codeql-action from 3.24.8 to 3.24.9 by @dependabot in #190
  • chore: bump softprops/action-gh-release from 2.0.3 to 2.0.4 by @dependabot in #191
  • chore: bump actions/dependency-review-action from 4.1.3 to 4.2.4 by @dependabot in #192
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.8 to 1.27.9 by @dependabot in #193
  • chore: bump cloud.google.com/go/kms from 1.15.7 to 1.15.8 by @dependabot in #194
  • chore: bump k8s.io/apimachinery from 0.29.2 to 0.29.3 by @dependabot in #195
  • chore: bump github.com/aws/aws-sdk-go from 1.50.30 to 1.50.38 by @dependabot in #196
  • chore: bump actions/dependency-review-action from 4.2.4 to 4.2.5 by @dependabot in #198
  • chore: bump github.com/aws/aws-sdk-go-v2 from 1.26.0 to 1.26.1 by @dependabot in #199
  • chore: bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #201
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.9 to 1.27.10 by @dependabot in #200
  • unmarshal the time in the attestation collection correctly by @colek42 in #203
  • chore: bump github/codeql-action from 3.24.9 to 3.25.0 by @dependabot in #211
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.10 to 1.27.11 by @dependabot in #207
  • chore: bump google.golang.org/grpc from 1.62.1 to 1.62.2 by @dependabot in #206
  • chore: bump github.com/sigstore/fulcio from 1.4.4 to 1.4.5 by @dependabot in #205
  • chore: bump golang.org/x/net from 0.22.0 to 0.23.0 in the go_modules group by @dependabot in #212
  • chore: bump k8s.io/apimachinery from 0.29.3 to 0.29.4 by @dependabot in #213
  • chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.30.0 to 1.30.1 by @dependabot in #214
  • chore: bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #216
  • chore: bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #217
  • chore: bump go.step.sm/crypto from 0.44.2 to 0.44.8 by @dependabot in #220
  • chore: bump actions/download-artifact from 4.1.4 to 4.1.7 by @dependabot in #221
  • chore: bump github/codeql-action from 3.25.0 to 3.25.3 by @dependabot in #222
  • chore: bump actions/checkout from 4.1.3 to 4.1.4 by @dependabot in #224
  • chore: bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 by @dependabot in #225
  • chore: bump google.golang.org/api from 0.176.0 to 0.176.1 by @dependabot in #226
  • chore: bump step-security/harden-runner from 2.7.0 to 2.7.1 by @dependabot in #232
  • chore: bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in #233
  • chore: bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #234
  • chore: bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 by @dependabot in #235
  • chore: bump cloud.google.com/go/kms from 1.15.8 to 1.15.9 by @dependabot in #236
  • Improve Verify Error Responses by @ChaosInTheCRD in #210
  • verification attestor by @mikhailswift in #55
  • Link & SLSA attestor by @jkjell in #149
  • JSON Schemas for attestors with generation scripts by @ChaosInTheCRD in #197
  • Allow certificate inspection on policy signature verification (including fulcio extensions) by @ChaosInTheCRD in #246
  • chore: bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 by @dependabot in #237
  • chore: bump github/codeql-action from 3.25.3 to 3.25.5 by @dependabot in #238
  • chore: bump actions/checkout from 4.1.2 to 4.1.5 by @dependabot in #239
  • chore: bump softprops/action-gh-release from 2.0.4 to 2.0.5 by @dependabot in #240
  • chore: bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #241
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.11 to 1.27.13 by @dependabot in #242
  • chore: bump google.golang.org/protobuf from 1.34.0 to 1.34.1 by @dependabot in #244
  • chore: bump github.com/in-toto/attestation from 1.0.1 to 1.0.2 by @dependabot in #245
  • chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.31.0 to 1.31.1 by @dependabot in #243
  • BUG: verifyX509Time should return the verifier even if the verify fails (we want to get information about it later) by @ChaosInTheCRD in #247
  • Fix releaser permissions by @ChaosInTheCRD in #248

Full Changelog: v0.3.1...v0.4.0

v0.3.1

01 Mar 21:19
v0.3.1
2604d61

What's Changed

  • Add Tom as an official maintainer by @jkjell in #156
  • chore: bump testifysec/witness-run-action from 0.1.3 to 0.1.5 by @dependabot in #166
  • chore: bump actions/dependency-review-action from 4.0.0 to 4.1.1 by @dependabot in #165
  • chore: bump fossas/fossa-action from 1.3.1 to 1.3.3 by @dependabot in #164
  • chore: bump actions/download-artifact from 4.1.1 to 4.1.2 by @dependabot in #163
  • chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.20.4 to 1.20.12 by @dependabot in #157
  • chore: bump cloud.google.com/go/kms from 1.15.2 to 1.15.7 by @dependabot in #158
  • chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.45 by @dependabot in #160
  • chore: bump k8s.io/apimachinery from 0.26.13 to 0.26.14 by @dependabot in #161
  • chore: bump github/codeql-action from 3.24.0 to 3.24.3 by @dependabot in #162
  • chore: bump github/codeql-action from 3.24.3 to 3.24.5 by @dependabot in #169
  • chore: bump actions/dependency-review-action from 4.1.1 to 4.1.3 by @dependabot in #170
  • chore: bump google.golang.org/grpc from 1.61.0 to 1.61.1 by @dependabot in #171
  • fix: reset verifier each iteration while loading pub keys from policy by @mikhailswift in #173
  • #168 support all fulcio cert extensions by @jkjell in #174

Full Changelog: v0.3.0...v0.3.1

v0.3.0

16 Feb 11:33
f7a1037

What's Changed

Full Changelog: v0.2.2...v0.3.0

v0.2.3

01 Feb 19:35

What's Changed

Full Changelog: v0.2.2...v0.2.3

v0.2.2

29 Jan 15:43
cfcb7cc

⚠️ Warning ⚠️

go modules have been renamed from github.com/testifysec/go-witness => github.com/in-toto/go-witness

What's Changed

  • Adding support for supplying POM on Maven Attestor by @ChaosInTheCRD in #129
  • Adding support for using timestamp authority and CA certificates for verifying policy by @ChaosInTheCRD in #124
  • Included Tests for memory.go LoadEnvelope and Search by @neilnaveen in #59
  • Included tests for GitHub attestations by @naveensrinivasan in #61
  • chore: bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 by @dependabot in #133
  • chore: bump k8s.io/apimachinery from 0.26.12 to 0.26.13 by @dependabot in #134
  • chore: bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #135
  • chore: bump github/codeql-action from 3.23.0 to 3.23.1 by @dependabot in #136
  • chore: bump actions/dependency-review-action from 3.1.5 to 4.0.0 by @dependabot in #137
  • Moving the timestamper interfaces to the timestamp directory by @ChaosInTheCRD in #132

Full Changelog: v0.2.1...v0.2.2

v0.2.1

29 Jan 15:43
61576e0

⚠️ Warning ⚠️

go modules have been renamed from github.com/testifysec/go-witness => github.com/in-toto/go-witness

What's Changed

  • Create SECURITY.md by @jkjell in #107
  • chore: bump github/codeql-action from 2.22.9 to 3.22.11 by @dependabot in #110
  • chore: bump actions/download-artifact from 3.0.2 to 4.0.0 by @dependabot in #112
  • chore: bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #111
  • chore: bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #115
  • chore: bump github.com/go-git/go-git/v5 from 5.5.2 to 5.11.0 by @dependabot in #119
  • chore: bump github/codeql-action from 3.22.11 to 3.22.12 by @dependabot in #118
  • chore: bump actions/download-artifact from 4.0.0 to 4.1.0 by @dependabot in #117
  • chore: bump k8s.io/apimachinery from 0.26.11 to 0.26.12 by @dependabot in #116
  • Update SECURITY-INSIGHTS.yml with additional information by @jkjell in #108
  • chore: bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 by @dependabot in #121
  • chore: bump actions/dependency-review-action from 3.1.4 to 3.1.5 by @dependabot in #123
  • chore: bump github/codeql-action from 3.22.12 to 3.23.0 by @dependabot in #122
  • fix: added oidc redirect url option for fulcio by @pkwiatkowski1 in #76
  • chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #126
  • chore: bump actions/download-artifact from 4.1.0 to 4.1.1 by @dependabot in #127
  • Adding function to add a single attestor by @ChaosInTheCRD in #128

Full Changelog: v0.2.0...v0.2.1