v1.3.0

✨ New Features

• Support keyless verification in trust policy of Cosign verifier in #1503
• Support verifying Notary Project timestamped signature in #1538 and #1758
• Support periodic retrieval of key and certificate from Key Management Providers based on the proposal in #1727 and #1773

✨ Other Enhancements

• Improve error messages of artifact validation
  • Add more fields to verification response in #1671
  • refactor error message format in #1675
  • fill ErrorReason and Remediation during verifierReport generation in #1682
  • add timestamp and traceId to verification response in #1697
  • enhance CR status with clearer brief error message in #1734
  • refactor cosign verification error messages in #1750
• Add namespace label to metrics to enhance observability in #1520
• Ability to save errors happened during KMP/CertStore reconciliation which could be checked by verifiers during artifact validation in #1710

🔐 Security

• Generate supply chain metadata for dev assets by adding SBOM & provenance Docker build attestations in #1596
• Add image signing for dev images and add release sbom in #1629
• Add openssf best practices badge by @susanshi in #1696
• Setup scanners for Ratify releases by @susanshi in #1521

📄 Documentation

• chore: refresh roadmap after v1.2.0 release by @yizha1 in #1541
• doc: update README code of conduct by @susanshi in #1553
• doc: Update SECURITY.md by @susanshi in #1555
• doc: add a proposal for periodic retrieval by @yizha1 in #1510
• doc: update minor release branching strategy by @susanshi in #1456
• doc: meeting notes ratify-weekly-notes-2023-Jun-2024-Jun.md by @susanshi in #1608
• doc: remove CLA section from CONTRIBUTING by @akashsinghal in #1626
• doc: design doc for KMP periodic retrieval by @duffney in #1583
• doc: add proposal for producing supply chain metadata for all ratify assets by @akashsinghal in #1641
• doc: Archive ratify error handling scenario doc by @binbin-li in #1668
• doc: proposal for error message improvements by @yizha1 in #1662
• doc: update the contributing guide for a successful cli debugging by @shahramk64 in #1718
• doc: update contributing guide for enhancement by @susanshi in #1715

🐛 🩹 Bug Fixes

• fix: remove Update az cli step in aks test by @binbin-li in #1502
• fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version by @akashsinghal in #1505
• fix: run full validation for release branch by @susanshi in #1512
• fix: fix vulnerabilities by @binbin-li in #1542
• fix: enable automated pr to main by @susanshi in #1582
• fix: validate plugin version for ratify cli by @susanshi in #1604
• fix: warning message is printed to stdout by CLI by @susanshi in #1650
• fix: pass CODECOV_TOKEN to reusable workflow by @binbin-li in #1676
• fix: remove duplicate $ by @binbin-li in #1677
• fix: fix typo in notation verifier by @junczhu in #1678
• fix: bump-up docker dependency by @junczhu in #1679
• fix: Enforce validation on notation signature blob number by @binbin-li in #1726
• fix: remove nonexistent KMP from verifier sample by @binbin-li in #1753
• fix: remove critical cache failure in oras GetBlobContent by @binbin-li in #1740
• fix: make notation verifier installation optional on ratify installation by @shahramk64 in #1719
• fix: remove unused trust store from sample verifier config by @binbin-li in #1790
• fix: showing verifier config parse detail in err log by @junczhu in #1791
• fix: missing status update in KMP controller by @duffney in #1761

🎉 New Contributors

• @shahramk64 made their first contribution in #1718

Changes since v1.2.2

• 0ee96d8 Create ratify-weekly-notes-2023-Jun-2024-Jun.md
• 3bafc56 Merge branch 'dev' into clean-package
• 581be1e Merge branch 'dev' into dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
• 7e387db Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
• bd2f5ca Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
• cca0a13 Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
• 72025fb Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.4
• bb8d7f0 Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.6
• 0447079 Merge branch 'dev' into dependabot/github_actions/anchore/sbom-action-0.17.1
• e353f38 Merge branch 'dev' into dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
• 6ebd6f1 Merge branch 'dev' into dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
• bb8516e Merge branch 'dev' into dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
• 52f92d1 Merge branch 'dev' into dev
• 451390b Merge branch 'dev' into error-log-message
• 220dfce Merge branch 'dev' into error-log-message
• 5b7c4e0 Merge branch 'dev' into error-log-message
• 18f071a Merge branch 'dev' into fix-codecov
• 7e74e12 Merge branch 'dev' into ignore-experimental-test
• 4cf6b6c Merge branch 'dev' into isolate-metrics
• ec20d28 Merge branch 'dev' into isolate-metrics
• 9c534dc Merge branch 'dev' into isolate-metrics
• 50b334d Merge branch 'dev' into isolate-metrics
• 0b58daf Merge branch 'dev' into notes
• 4bbd9f1 Merge branch 'dev' into proposal_errorimprovements
• 8549d91 Merge branch 'dev' into ratify-err-doc
• 060c5a5 Merge branch 'dev' into ratify-err-doc
• f510dd9 Merge branch 'dev' into remove-autorest-adal
• 518ad3d Merge branch 'dev' into remove-autorest-adal
• 6f92077 Merge branch 'dev' into template-result
• e757310 Merge branch 'dev' into verification-response
• 34fbf9f Merge branch 'main' into dev
• 49201e9 Merge branch 'main' into staging
• f201712 Merge branch 'main' into staging
• 8c87951 Merge branch 'staging' into dependabot/github_actions/codecov/codecov-action-4.3.0
• 73ef709 Merge branch 'staging' into multi-tenancy-pr-2
• 6a93bbf Merge pull request #1358 from binbin-li/multi-tenancy-pr-2
• 6daec5d Merge pull request #1376 from deislabs/staging
• 9ac7d5a Merge pull request #1379 from deislabs/dependabot/github_actions/codecov/codecov-action-4.3.0
• 6a5f10c Merge pull request #1388 from deislabs/staging
• 6a26a56 Merge pull request #1424 from deislabs/dev
• 194c2aa Merge pull request #1431 from akashsinghal/akashsinghal/fixCosignConfig
• f0b1e6b Merge pull request #1444 from deislabs/dev
• d78461a Merge pull request #1480 from deislabs/dev
• c92687d Merge pull request #1499 from deislabs/dev
• 61f7c60 Merge pull request #1520 from binbin-li/isolate-metrics
• 340c4db Merge pull request #1521 from susanshi/dev
• 8a6f018 Merge pull request #1532 from binbin-li/clean-package
• b6a5701 Merge pull request #1533 from ratify-project/dev
• 6443a65 Merge pull request #1539 from binbin-li/run-scorecard-on-dev
• d9d46fe Merge pull request #1542 from binbin-li/fix-vulnerability
• 5d4720f Merge pull request #1563 from ratify-project/dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
• 5e81022 Merge pull request #1581 from ratify-project/dev
• 9bf9232 Merge pull request #1585 from ratify-project/dev
• 47b3331 Merge pull request #1589 from ratify-project/dependabot/docker/httpserver/golang-b405b62
• e4c58e2 Merge pull request #1590 from ratify-project/dependabot/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
• db3b86f Merge pull request #1597 from ratify-project/dev
• 7f1ecfb Merge pull request #1608 from susanshi/notes
• 357eb51 Merge pull request #1613 from ZAFT-Armored-Keeper-of-Unity/helmfile-update-1.13.2
• db7e6ee Merge p...

v1.2.2

Bug Fixes

• CVE-2024-41110

Changelog

• 32273d4 chore: Release 1.2.2 vuln bump-up (#1698)
• 0f2a6ad chore: release 1.2.2 helm chart update (#1700)

v1.2.1

Bug Fixes

• CVE-2024-35255
• CVE-2024-6104

Changelog

• ca750c7 Merge pull request #1609 from ZAFT-Armored-Keeper-of-Unity/release-1.2.1
• ac7c142 Merge pull request #1611 from ZAFT-Armored-Keeper-of-Unity/ratify-1.13.2
• ca7c358 chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
• 2dfab79 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.18 (#1557)
• 1472bfa chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.18 to 1.27.21 (#1586)
• 1f59f71 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.21 to 1.27.23 (#1602)
• e21a23c chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.21 to 1.17.22 (#1594)
• c28d56b chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.22 to 1.17.23 (#1600)
• a9b89b5 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.3 to 1.28.5 (#1558)
• bac0633 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.5 to 1.28.6 (#1587)
• 9ec06c4 chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 CVE GO-2024-2947 (#1595)
• 2b19603 chore: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#1577)
• 1afc81e chore: Bump k8s.io/client-go from 0.28.10 to 0.28.11 (#1573)
• ca3f41b chore: cherry pick vuln scanner to release 1.2 (#1564)
• ceffa17 chore: prepare release 1.2.1 charts update 2
• 8e173a4 chore: prepare release 1.2.1 charts update 3
• 975ac96 chore: update deislabs.github.io to ratify-project.github.io (#1566)
• bf8e96d chore: update helm charts
• bf227cf chore:add no-lint config
• 78c3fbc ci: switch region from eastus to westus2 (#1591)
• 19f55c4 fix go.mod

v1.2.0

🚨 Deprecations

• CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following guide here. Support will be removed in Ratify v2.0.0
• Certain helm values have been deprecated in favor of new ones. (Note: deprecated values will continue to be supported)
  • .Values.notationCert is deprecated. Use .Values.notationCerts[*] to provide a list certificates to configure with notation verifier
  • .Values.akvCertConfig.* section has been deprecated. Use the equivalent .Values.azurekeyvault.* section for configuring keys + certificates from Azure Key Vault

✨ New Features

• Cosign Verifier enhancements:

  • feat: move cosign to be a built in verifier by @akashsinghal in #1343
  • feat: add key support to key management provider including akv integration by @akashsinghal in #1333
  • feat: add cosign trust policies by @akashsinghal in #1381

• Kubernetes multi-tenancy support:

  • feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
  • feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
  • feat: add cache isolation by @binbin-li in #1213
  • feat: add Verifiers, policyManager , ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358 , #1359, #1380, #1382

• CRD improvements:

  • feat: add version to CRD spec by @susanshi in #1215
  • feat: validate plugin name on CR create by @susanshi in #1265
  • feat: add key management provider resource by @akashsinghal in #1293
  • feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422

📄 Documentation

• docs: add roadmap by @yizha1 in #1344
• docs: updated docs with the latest verifier report format by @junczhu in #1236
• docs: add multi-tenancy support discussions by @binbin-li in #1175
• docs: Update log format in doc by @junczhu in #1240
• docs: update COC and add adopters.md by @FeynmanZhou in #1360
• fix: updated community meeting time to UTC by @susanshi in #1364
• build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
• docs: cosign upgrade design document by @akashsinghal in #1246
• docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399

🎉 New Contributors

• @duffney made their first contribution in #1254
• @mannbiher made their first contribution in #1418

🐛 🩹 Bug Fixes

• fix: surface plugin error in exec.go by @susanshi in #1228
• fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
• fix: update constraint templates to work with new type field by @akashsinghal in #1217
• fix: improve vuln report verifier report messages by @akashsinghal in #1238
• fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
• fix: add missing CRD conversion methods by @binbin-li in #1289
• fix: fix unit tests that fail in local environment by @binbin-li in #1292
• fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
• fix: update azure tenantId casing by @akashsinghal in #1385
• fix: rename staging to dev branch by @susanshi in #1401
• fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
• fix: add top-level read permission by @binbin-li in #1419
• fix: add akv keys check on cosign-verifier by @binbin-li in #1427
• fix: handle empty trust policies by @akashsinghal in #1431
• fix: fix missing separator in helm template by @binbin-li in #1463
• fix: check label value on pull_request_target by @binbin-li in #1471
• fix: DecodeCertificates cert length check by @susanshi in #1470
• fix: update cosign chart and remove extra logs by @akashsinghal in #1475

Changes since v1.2.0-rc.1

• 63c7bb2 Merge pull request #1519 from deislabs/cherry-pick-for-1.2.0
• 35aad7f chore: ignore CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 (#1498)
• dbc2d74 chore: ignore CVE-2023-42366 (#1494)
• da2cdca chore: prepare for release 1.2 (#1524)
• 7e00bb2 ci: switch azure ci test to use rbac for key vault access (#1523)
• 1e79038 fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version (#1505)
• c6f9483 fix: full validation should run on release branch (#1511)
• 510dd58 go mod tidy

v1.2.0-rc.1

🚨 Deprecations

• CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following guide here. Support will be removed in Ratify v2.0.0

✨ New Features

• Cosign Verifier enhancements:

  • feat: move cosign to be a built in verifier by @akashsinghal in #1343
  • feat: add key support to key management provider by @akashsinghal in #1333
  • feat: add cosign trust policies by @akashsinghal in #1381

• Kubernetes multi-tenancy support:

  • feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
  • feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
  • feat: add cache isolation by @binbin-li in #1213
  • feat: add Verifiers, policyManager , ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358 , #1359, #1380, #1382

• CRD improvements:

  • feat: add version to CRD spec by @susanshi in #1215
  • feat: validate plugin name on CR create by @susanshi in #1265
  • feat: add key management provider resource by @akashsinghal in #1293
  • feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422

📄 Documentation

• docs: add roadmap by @yizha1 in #1344
• docs: updated docs with the latest verifier report format by @junczhu in #1236
• docs: add multi-tenancy support discussions by @binbin-li in #1175
• docs: Update log format in doc by @junczhu in #1240
• docs: update COC and add adopters.md by @FeynmanZhou in #1360
• fix: updated community meeting time to UTC by @susanshi in #1364
• build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
• docs: cosign upgrade design document by @akashsinghal in #1246
• docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399

🎉 New Contributors

• @duffney made their first contribution in #1254
• @mannbiher made their first contribution in #1418

🐛 🩹 Bug Fixes

• fix: surface plugin error in exec.go by @susanshi in #1228
• fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
• fix: update constraint templates to work with new type field by @akashsinghal in #1217
• fix: improve vuln report verifier report messages by @akashsinghal in #1238
• fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
• fix: add missing CRD conversion methods by @binbin-li in #1289
• fix: fix unit tests that fail in local environment by @binbin-li in #1292
• fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
• fix: update azure tenantId casing by @akashsinghal in #1385
• fix: rename staging to dev branch by @susanshi in #1401
• fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
• fix: add top-level read permission by @binbin-li in #1419
• fix: add akv keys check on cosign-verifier by @binbin-li in #1427
• fix: handle empty trust policies by @akashsinghal in #1431
• fix: fix missing separator in helm template by @binbin-li in #1463
• fix: check label value on pull_request_target by @binbin-li in #1471
• fix: DecodeCertificates cert length check by @susanshi in #1470
• fix: update cosign chart and remove extra logs by @akashsinghal in #1475

What's Changed

• fix: bump dev helmfile ratify chart versions by @akashsinghal in #1216
• feat: add namespace to external data request key by @binbin-li in #1201
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.9 to 1.16.12 by @dependabot in #1224
• chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.9.1 by @dependabot in #1225
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.25.11 to 1.25.12 by @dependabot in #1226
• build: bump up upload-artifact action to v4.0.0 by @binbin-li in #1227
• chore: Bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #1229
• feat: add version to CRD spec by @susanshi in #1215
• fix: surface plugin error in exec.go by @susanshi in #1228
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.12 to 1.16.13 by @dependabot in #1235
• chore: Bump k8s.io/client-go from 0.28.4 to 0.28.5 by @dependabot in #1232
• chore: Bump apache/skywalking-eyes from ee81ff786927ea6ffa48b1e29c48e5289f4753aa to ed436a5593c63a25f394ea29da61b0ac3731a9fe by @dependabot in #1231
• feat: add cache isolation by @binbin-li in #1213
• chore: update codecov config by @junczhu in #1237
• docs: updated docs with the latest verifier report format by @junczhu in #1236
• fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
• docs: add multi-tenancy support discussions by @binbin-li in #1175
• fix: differentiate aks logs from e2e log by @susanshi in #1243
• ci: add cache cleanup post merge by @akashsinghal in #1242
• docs: Update log format in doc by @junczhu in #1240
• ci: switch to fail-fast from continue-on-error by @binbin-li in #1245
• ci: add dev helm chart publishing workflow by @akashsinghal in #1209
• fix: update constraint templates to work with new type field by @akashsinghal in #1217
• fix: improve vuln report verifier report messages by @akashsinghal in #1238
• feat: improve plugin config dependency by @junczhu in #1223
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.13 to 1.16.14 by @dependabot in #1250
• chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.0 to 1.2.1 by @dependabot in #1252
• chore: Bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 by @dependabot in #1253
• chore: Bump azure/login from 1.5.1 to 1.6.0 by @dependabot in #1255
• chore: rename func for readability by @junczhu in #1257
• chore: Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #1261
• chore: Bump azure/login from 1.6.0 to 1.6.1 by @dependabot in #1266
• chore: Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #1270
• chore: Bump k8s.io/client-go from 0.28.5 to 0.28.6 by @dependabot in #1273
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.14 to 1.16.16 by @dependabot in #1275
• chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1.0-rc6 by @dependabot in #1271
• chore: Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #1279
• chore: Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #1281
• chore: Bump github.com/docker/cli from 24.0.7+incompatible to 24.0.8+inco...

v1.1.1

Changelog

• 7bccea3 chore: patch release 1.1 (#1430)
• 986b5b8 chore: v1.1.1 chart changes (#1432)

Bug Fixes

• GHSA-9763-4f94-gfch
• CVE-2023-45288
• CVE-2024-29903
• CVE-2024-24557
• CVE-2024-24786
• CVE-2024-28180
• CVE-2023-48795

v1.1.0

💥 🚨 CRD BREAKING CHANGES 🚨 💥

• Certificate Store is a namespaced CR. We have made a fix in this release so that Certificate Store CR can be uniquely referenced by Verifier CR. Please follow migration steps here

✨ New Features

• Enables SBOM verifier improvements:
  • Add deny license and deny package properties to the existing SBOM verifier
  • Add SBOM verifier to Helm chart
• Introduce new Vulnerability report verifier for Sarif reports generated by Trivy and Grype
  • Enforces report content to match Sarif schema
  • Enforces a MaximumAge duration (ex: '24h')
  • Enforces against existence of disallowedSeverity levels (ex: 'critical')
  • Enforces against existence of denylistCVEs (ex: CVE-2021-44228 log4shell)
  • Introduce a passthrough flag which will bypass all checks and append sarif content in verifier report
  • Adds vulnerability report verifier to Helm chart
  • For documentation on how to use refer to the docs
• Introduce a verifier name and a verifier type (specName) to the existing VerifierConfig and VerifierPlugin. This enables support for multiple verifiers of the same verifier type. You can find more info here.
• Introduce new –debug flag to Ratify CLI that sets the logger level to DEBUG.
• Introduce support for notation-go logs with trace-id support

📄 Documentation

Note: We’ve moved most of our feature documentation to the Ratify Website.

• docs: add design docs by @akashsinghal in #1136
• docs: add design docs by @binbin-li in #1143
• docs: update notation tsg doc link by @binbin-li in #1152
• docs: move cosign doc to website by @akashsinghal in #1168
• docs: add vulnerability report verifier design doc by @akashsinghal in #1208

🧪 Tests

• Added new E2E CLI test for SBOM verifier
• Added unit tests and E2E tests for vulnerability report verifier
• Add more unit tests to increase the test coverage for authProvider.

CLI

• Verifier Scenarios
  • Notation
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
  • Vulnerability Report
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
  • Vulnerability Report
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertificateProvider CRD Status
• TLS Certificate
  • TLS Certificate Watcher
  • TLS Certificate Rotation
• High Availability Tests
  • 2 Replicas, Redis + Dapr, Notation
• Quick Start helmfile.yaml test

🐛 🩹 Bug Fixes

• fix: update auth cache miss error handling by @akashsinghal in #1105
• fix: rename error for verifier plugins to be more generic by @akashsinghal in #1129
• fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource by @susanshi in #1134
• fix: allow multiple notationCert in default chart by @susanshi in #1151
• fix: add certificates to chart value by @susanshi in #1172
• fix: remove trailing hyphen in notation template by @akashsinghal in #1197

🎉 New Contributors

• @bspaans made their first contribution in #1130
• @Two-Hearts made their first contribution in #1188

📝 Changelog

• chore: bump helmfile versions to match v1.0 chart released by @akashsinghal in #1101
• docs: remove non production notice by @akashsinghal in #1102
• docs: add helm chart readme by @akashsinghal in #1099
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.42 to 1.18.44 by @dependabot in #1112
• chore: Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #1116
• chore: downgrade some logging from info to debug by @akashsinghal in #1111
• chore: bump chart versions in dev helmfiles by @akashsinghal in #1108
• chore: Bump github.com/docker/distribution from 2.8.2+incompatible to 2.8.3+incompatible by @dependabot in #1115
• fix: update auth cache miss error handling by @akashsinghal in #1105
• chore: Bump golang.org/x/net from 0.14.0 to 0.17.0 by @dependabot in #1118
• ci: add retry to cosign keyless test by @akashsinghal in #1109
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.42 to 1.13.43 by @dependabot in #1128
• chore: Bump google.golang.org/grpc from 1.56.2 to 1.56.3 by @dependabot in #1125
• chore: Bump github.com/sigstore/sigstore from 1.7.3 to 1.7.4 by @dependabot in #1127
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.44 to 1.18.45 by @dependabot in #1124
• chore: Add ability to configure affinity and tolerations to Helm chart by @bspaans in #1130
• chore: Bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #1132
• fix: rename error for verifier plugins to be more generic by @akashsinghal in #1129
• feat: support notation-go logs by @binbin-li in #1135
• chore: Bump k8s.io/api from 0.27.6 to 0.27.7 by @dependabot in #1139
• chore: Bump k8s.io/client-go from 0.27.6 to 0.27.7 by @dependabot in #1137
• docs: add design docs by @akashsinghal in #1136
• chore: Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #1141
• docs: add design docs by @binbin-li in #1143
• chore: upgrade devcontainer config by @junczhu in #1144
• fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource by @susanshi in #1134
• chore: Bump github.com/docker/cli from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in #1153
• chore: Bump oras.land/oras-go/v2 from 2.3.0 to 2.3.1 by @dependabot in #1155
• chore: Bump github.com/notaryproject/notation-core-go from 1.0.0 to 1.0.1 by @dependabot in #1157
• chore: Bump github.com/sigstore/sigstore from 1.7.4 to 1.7.5 by @dependabot in #1156
• chore: Bump sigs.k8s.io/controller-runtime from 0.15.2 to 0.15.3 by @dependabot in #1154
• chore: Bump github.com/docker/docker from 24.0.0+incompatible to 24.0.7+incompatible by @dependabot in #1158
• docs: update notation tsg doc link by @binbin-li in #1152
• chore: add chart icon by @binbin-li in #1161
• chore: Bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in #1163
• chore: Bump github.com/notaryproject/notation-go from 1.0.0 to 1.0.1 by @dependabot in #1162
• docs: move cosign doc to website by @akashsinghal in #1168
• fix: allow multiple notationCert in default chart by @susanshi in #1151
• chore: wrap notation-go error by @binbin-li in #1169
• chore: Bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.1 by @dependabot in #1171
• fix: add certificates to chart value by @susanshi in #1172
• test: Authprovider test improvement by @junczhu in #1170
• chore: Bump k8s.io/api from 0.28.3 to 0.28.4 by @dependabot in #1179
• chore: Bump k8s.io/client-go from 0.28.3 to 0.28.4 by @dependabot in #1178
• chore: Bump azure/login from 1.4.7 to 1.5.0 by @dependabot in #1184
• chore: Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #1185
• build: add lic...

v1.0.0

Ratify v1

Ratify is a verification engine available as a binary executable and on Kubernetes that enables customers to author policies to verify security artifact metadata, such as image signatures and SBOMs, and allows deployment of only those that comply with these policies. This is the first stable release v1.0.0🎉.

Important

Experimental features are only intended for testing in a development environment and should not be used in production. Please adhere to the specified feature and performance limits for production workloads. More information can be found in the ratify documentation.

Key Features

• Ratify as a CLI binary for verifying artifacts stored in a registry
• Out-of-box support in published helm chart for running Ratify as an External Data Provider for Gatekeeper admission controller
• Native Kubernetes support for managing and running Ratify as a scalable & reliable service
  • Verifier, Store, Certificate Store, and Policy CRDs for simple Ratify configuration
  • TLS certificate management and rotation for mTLS service-to-service communication
  • Standardized logging and prometheus metrics support + Grafana dashboard.
• Extensible plugin model to support new verifier and referrer store plugins
  • 1st party support for Notation verifier and registry interaction via ORAS referrer store.
  • External verifiers such as Cosign, SBOM, SPDX, Licensechecker, etc.
• Built-in policy evaluation engine support using embedded OPA engine or config-based policies.
• Built-in certificate stores makes interacting with Key Management Systems (KMS) simple.

Experimental Features

• Ratify in High Availability (HA) mode using a distributed cache (dapr + redis)

✨ What's Changed since v1.0.0-rc8

• Add end-to-end test for init containers and ephemeral container mutation/verification. See #1086
• Update Policy CRD to contain a type instead of metadata for determing policy provider. See #1079

💥 🚨 BREAKING CHANGES 🚨 💥

• Policy CRD now REQUIRES crd's metadata.name to be ratify-policy. spec.type must be rego-policy or config-policy ONLY.
  • See #1079 for more information

📄 Documentation

• docs: create ratify-weekly-notes-2023-Jan-2023-Jul.md by @susanshi in #1081
• docs: redirect to website by @susanshi in #1087

🧪 Tests

CLI

• Verifier Scenarios
  • Notation
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertificateProvider CRD Status
• TLS Certificate
  • TLS Certificate Watcher
  • TLS Certificate Rotation
• High Availability Tests
  • 2 Replicas, Redis + Dapr, Notation
• Quick Start helmfile.yaml test

🐛 🩹 Bug Fixes

• fix: update helmfile.yaml for rc8 by @susanshi in #1069
• fix: update e2e resource for initContainers and ephemeralContainers by @junczhu in #1088
• fix: update errors doc reference links by @akashsinghal in #1098

📝 Changelog

• fix: update helmfile.yaml for rc8 by @susanshi in #1069
• chore: Bump github.com/docker/cli from 24.0.0+incompatible to 24.0.6+incompatible by @dependabot in #1070
• chore: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #1077
• chore: Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1063
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.39 by @dependabot in #1073
• chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.7.2 by @dependabot in #1071
• chore: Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #1080
• docs: create ratify-weekly-notes-2023-Jan-2023-Jul.md by @susanshi in #1081
• chore: update local build doc by @junczhu in #1075
• chore: Bump k8s.io/client-go from 0.27.5 to 0.27.6 by @dependabot in #1085
• test: add constraint template e2e test for initContainers and ephemeralContainers by @junczhu in #1086
• chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #1082
• fix: update e2e resource for initContainers and ephemeralContainers by @junczhu in #1088
• feat: add type to policy CRD by @binbin-li in #1079
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.39 to 1.18.42 by @dependabot in #1094
• chore: Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #1092
• docs: redirect to website by @susanshi in #1087
• fix: update errors doc reference links by @akashsinghal in #1098
• chore: prepare for v1.0.0 release by @akashsinghal in #1097

Full Changelog: v1.0.0-rc.8...v1.0.0

v1.0.0-rc.8

✨ New Features

• User agent header by Ratify now includes OS/Arch and version.
• Introducing new health probe.
  • Add liveness probes to deployment files
  • Allows probe port to be configured
• Updated oras-go to v2.3.0 and GK 3.13 support

📄 Documentation

• docs: fix broken link and add link check by @susanshi in #1016
• docs: add badge linking to pkg.go.dev by @binbin-li in #1056
• doc: update document about install ratify on azure policy enabled aks cluster by @fseldow and @susanshi in #1041

🧪 Tests

• Added new automated test for quick start test.

CLI

• Verifier Scenarios
  • Notation
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status
• TLS Certificate
  • TLS Certificate Watcher
  • TLS Certificate Rotation
• High Availability Tests
  • 2 Replicas, Redis + Dapr, Notation

🐛 🩹 Bug Fixes

• fix: fix cert watcher by @binbin-li in #1054
• fix: fix azure test by @binbin-li in #1065

📝 Changelog

• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.34 to 1.13.35 by @dependabot in #1037
• chore: Bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.15.2 by @dependabot in #1034
• chore: Bump k8s.io/apimachinery from 0.27.4 to 0.27.5 by @dependabot in #1035
• chore: Bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in #1036
• chore: Bump k8s.io/client-go from 0.27.4 to 0.27.5 by @dependabot in #1033
• chore: update terraform AKV permissions by @duffney in #1024
• release: retract v1.1.0-alpha.1 by @binbin-li in #1038
• docs: fix broken link and add link check by @susanshi in #1016
• chore: Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1043
• build: add dev helmfiles by @akashsinghal in #1018
• feat: add version and OS/Arch to user-agent header by @binbin-li in #1044
• chore: bump to GK 3.13 by @akashsinghal in #1019
• feat: Add automated test for quick start test by @susanshi in #1045
• feat: upgrade oras-go v2.3.0 by @junczhu in #1050
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.35 to 1.18.38 by @dependabot in #1053
• chore: Bump github.com/sigstore/sigstore from 1.7.2 to 1.7.3 by @dependabot in #1051
• chore: Bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #1055
• docs: add badge linking to pkg.go.dev by @binbin-li in #1056
• fix: fix cert watcher by @binbin-li in #1054
• chore: Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 by @dependabot in #1059
• doc: update document about install ratify on azure policy enabled aks cluster by @fseldow in #1041
• feat: add health Probe by @susanshi in #1058
• feat: update chart for rc8 by @susanshi in #1064
• fix: fix azure test by @binbin-li in #1065

Full Changelog: v1.0.0-rc.7...v1.0.0-rc.8

v1.0.0-rc.7

✨ New Features

• Introducing OPA engine integration to support Rego Policy
  • Embeds OPA engine in Ratify so that service can make verifications using the OPA engine for Rego Policies.
  • Adds support for multiple verifiers against the same artifact.
  • Users can still provide a configuration Policy which is the default option.
  • Introduces new Policy controller and CRD that allows switching between configuration policy and Rego Policy at runtime
  • More information here
• Introducing support to enable High Availability (HA) for Ratify
  • Unifies all existing in-memory caches through a new cache interface that allows registering and specifying new cache providers
  • Implements Ristretto as the default cache provider
  • Implements support for Dapr cache provider
  • More info here
• Introducing integration with Helmfile Tool
  • Simplifies helm install for upgrade scenarios to HA support
  • Simplifies helm install for quick start experience
• Introducing Terraform configs for Azure
  • Adds Terraform configs to simplify the deployment of Azure Resources for Ratify
• Enable optional image mutation in Helm chart
  • Allows image mutation to be optional in helm chart since there might be scenarios where OPA Gatekeeper constraints are based on image tags.
• Introduce graceful shutdown for http server
  • Adds support for ‘Shutdown’ command to be invoked on SIGTERM signal or interrupt OS command
  • Adds channel to wait on shutdown process to complete (6 second context timeout)
• Introducing improved error handling
  • Refactor most errors to a custom error struct
  • Introduce error codes for faster searching
  • Adds stacks to improve debuggability
  • Adds a configurable internal logger utility that initializes the logger for Ratify and configures the context with a trace-id from requests
  • More info here
• Introducing new Ratify arm64 & arm/v7 images
• Introducing new Ratify Logo
  • We are improving the project branding. Check out the new Ratify Logo here

💥 🚨 BREAKING CHANGES 🚨 💥

• Notation signature verifier name now registered using name notation instead of notaryv2
  • More information here
• logLevel helm chart value now found at logger.level
  • More information here
• TLS certs are NOT auto generated by Ratify chart. It's recommended to set featureFlags.RATIFY_CERT_ROTATION to true.
• PKCS12 certs with Azure Key Vault setup is NOT supported
  • More details here
  • Workaround here

📄 Documentation

• docs: add examples for using AWS Signer by @byronchien in #875
• docs: update community meeting to weekly wed by @susanshi in #896
• docs: redesign docs structure to improve navigation by @duffney in #897
• docs: add notaryv2 upgrade doc by @binbin-li in #999
• docs: fix the link for terraform installation by @yizha1 in #1014

🧪 Tests

CLI

• Verifier Scenarios
  • Notation
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status
• TLS Certificate
  • TLS Certificate Watcher
  • TLS Certificate Rotation
• High Availability Tests
  • 2 Replicas, Redis + Dapr, Notation

🐛 🩹 Bug Fixes

• fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
• fix: new sample images should be signed by notation rc7 by @susanshi in #905
• fix: update quick start to ghcr image by @susanshi in #906
• fix: update notary.crt to reflect latest sample by @susanshi in #909
• fix: publish ratify image with plugin by @susanshi in #916
• fix: downgrade goreleaser to last stable version by @susanshi in #922
• fix: upgrade notation rc3->rc7 by @junczhu in #923
• fix: fix Policy CRD by @binbin-li in #962
• fix: change name of notation cert file in helmfile by @akashsinghal in #975
• fix: update links in ratify configuration doc by @susanshi in #985
• fix: Updating akv cert provider to use getSecret by @susanshi in #957
• fix: adding experimental to dynamic plugin flag by @susanshi in #980
• fix: fix broken Azure tests by @binbin-li in #1009
• fix: display cert store status by @susanshi in #1021

🎉 New Contributors

• @duffney made their first contribution in #884
• @junczhu made their first contribution in #923
• @yizha1 made their first contribution in #926
• @mannbiher made their first contribution in #944

📝 Changelog

• docs: add examples for using AWS Signer by @byronchien in #875
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 by @dependabot in #895
• chore: bump k8s.io/api from 0.26.5 to 0.26.6 by @dependabot in #894
• fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
• docs: update community meeting to weekly wed by @susanshi in #896
• feat: add Terraform configs for Azure by @duffney in #884
• build: upgrade go lint by @akashsinghal in #892
• chore: add ratify logo by @FeynmanZhou in #898
• chore: bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #903
• chore: bump k8s.io/client-go from 0.26.1 to 0.26.6 by @dependabot in #902
• chore: bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.6 by @dependabot in #904
• chore: create publish-sample.yml by @susanshi in #900
• chore: add logo to README by @akashsinghal in #899
• fix: new sample images should be signed by notation rc7 by @susanshi in #905
• fix: update quick start to ghcr image by @susanshi in #906
• fix: update notary.crt to reflect latest sample by @susanshi in #909
• fix: publish ratify image with plugin by @susanshi in #916
• chore: update chart for v1.0.0-rc.6 by @susanshi in #921
• fix: downgrade goreleaser to last stable version by @susanshi in #922
• fix: upgrade notation rc3->rc7 by @junczhu in #923
• build: use latest sbom-tool by @binbin-li in #917
• docs: redesign docs structure to improve navigation by @duffney in #897
• chore: bump google.golang.org/grpc from 1.55.0 to 1.55.1 by @dependabot in #925
• chore: add triage label to issue template by @yizha1 in #926
• feat: add opa engine and support Rego policy by @binbin-li in #798
• ci: delete oci artifact tests by @akashsinghal in #928
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.28 by @dependabot in #934
• chore: upgrade to image spec rc4 and oras-go 2.2.1 by @akashsinghal in #931
• feat: add policy crd and controller by @binbin-li in #933
• feat: unify caches, add ristretto and Dapr cache providers by @akashsinghal in #901
• chore: bump k8s.io/api from 0.26.6 to 0.26.7 by @dependabot in #947
• chore: bump k8s.io/client-go from 0.26.6 to 0.26.7 by @dependabot in #946
• chore: bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5 by @dependabo...