V2.0.0-alpha.1

🚨 Breaking Changes

• Modularization: The core workflow has been decoupled into a new standalone library, ratify-go, with a new extensible framework support implemented across all major modules: Executor, Verifier, Store, and Policy Enforcer #2231 #2235 #2237 #2238
• Key Management Changes: The Key Management Provider has been deprecated. Key configuration now resides under the verifier section. #2231
• Plugin Artifact Download Removed:Verifier plugins are no longer downloaded as artifacts #2231
• New HTTP Server & Entrypoint: A new v2 HTTP server has been introduced under the binary name ratify-gatekeeper-provider, replacing the previous ratify entrypoint.
• Helm Chart for v2: Released a new Helm chart that packages the ratify-gatekeeper-provider v2 image for streamlined deployment. #2207
• Enhanced Security Defaults: mTLS is enabled by default now. Certificate rotation is configured out of the box to strengthen security posture. #2242

🐛 Bug Fixes

• Multiple Store Config Support: Fixed a limitation in v1 to allow configuring multiple stores with different scopes. #2235
• Helmfile Compatibility: Updated Helmfile templates to use .gotmpl extension, ensuring compatibility with Helmfile v1.0.0. #2218

📄 Documentation

• New Helm Chart Docs: Added a comprehensive README.md for the new Helm chart. #2262
• v2 Development Info: Published a Ratify v2 roadmap and development notice. #2197 #2194

⚙️ CI/CD & Automation

• Automated Dev Releases: On merge to main, both the Helm chart and container image are now automatically built and published. #2288
• Updated CI Pipelines: Disabled v1 jobs and added new workflows for building and testing v2 on the main branch. #2228 #2221 #2263 #2266

🚨 Comparing v2.0.0-alpha.1 with v1.x

Notation verifier is supported in Ratify v2.0.0-alpha.1.

Some features are not yet available in this release and planned to be supported in upcoming releases. Refer to this page to track the progress: #2236

The following features in v1.x will be ported to v2.0 and future releases:

• Support for additional verifiers (e.g., Cosign, SBOM, Vulnerability Report)
• Ratify server configuration via CRDs
• Cloud provider integrations (Azure, AWS, Alibaba)
• Rego policy support

Changes:

6b583a9 chore: release v2.0.0-alpha.1
cf473a5 chore: update dev helmfile (#2289)
5e460ad ci: build and publish chart/image upon merging to main (#2288)
b82c678 chore: Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 (#2287)
cdcdbe7 chore: Bump golang from b4f875e to 68932fa (#2284)
534ed8e chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.29.14 to 1.29.15 (#2285)
f880db6 feat: watch file update on executor config (#2278)
134acce ci: add workflow_dispatch to build job (#2279)
1f8c318 chore: Bump github/codeql-action from 3.28.18 to 3.28.19 (#2275)
970cce3 chore: remove helmfile for HA (#2274)
01cfb1e chore: Bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#2268)
79fbd24 fix: update registryScope for asset verification (#2273)
f3f8ade chore: Bump github.com/go-logr/logr from 1.4.2 to 1.4.3 (#2269)
b8e958f chore: Bump alpine from a8560b3 to 8a1f59f (#2270)
e09cac5 chore: Bump golang from ef18ee7 to b4f875e (#2271)
2af0fd5 ci: Disable full validation for release-2. branch* (#2266)
b8b074b ci: update publish jobs (#2263)
5f8f04e docs: add readme to helm chart (#2262)
79a5cc0 chore: update ratify-project to notaryproject (#2255)
857ef8b chore: Bump github.com/google/go-containerregistry from 0.20.3 to 0.20.5 (#2253)
53598a4 build: update module to github.com/notaryproject/ratify/v2 (#2254)
a465386 feat!: add cache to server endpoint (#2252)
7293192 feat!: support mutation webhook (#2244)
1501658 chore: Bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.7 (#2246)
35f1b01 chore: Bump k8s.io/client-go from 0.31.2 to 0.31.9 (#2247)
f9921bf chore: Bump k8s.io/api from 0.31.2 to 0.31.9 (#2248)
9aeab6e chore: Bump github.com/open-policy-agent/opa from 1.4.0 to 1.4.2 (#2249)
d862090 chore: Bump github/codeql-action from 3.28.17 to 3.28.18 (#2250)
255f58f chore: Bump distroless/static from c0f429e to 188ddfb (#2251)
0e9ed01 chore: Bump codecov/codecov-action from 5.4.2 to 5.4.3 (#2243)
ae960eb feat!: support mTLS with gatekeeper and cert rotation (#2242)
d4603e0 chore: Bump anchore/sbom-action from 0.19.0 to 0.20.0 (#2241)
0bdbc35 feat!: Add v2 helm chart (#2207)
8775b5f feat!: add v2 http server (#2239)
31b21c3 feat!: add v2 executor (#2238)
e68907c feat!: add v2 policy enforcer (#2237)
c8f8e45 feat!: add v2 store (#2235)
1d13559 feat!: add v2 verifier (#2231)
4facf0d chore: Bump github.com/open-policy-agent/opa from 1.4.0 to 1.4.2 (#2232)
c71f82b chore: Bump golang from ec5612b to 4b1ecd8 in /httpserver (#2233)
a062dbd ci: remove labeled pull_request_target (#2234)
150f286 chore: Bump actions/setup-go from 5.4.0 to 5.5.0 (#2230)
00dd0ec ci: bump up golangci-lint version (#2229)
94973b7 chore: Bump actions/setup-go from 5.4.0 to 5.5.0 (#2220)
e319efd ci: add CIs running on main branch (#2228)
d7ecf50 chore: remove .vscode folder (#2227)
15f0165 chore: reorganize project structure (#2226)
553ee02 ci: stop running full validation on main branch (#2221)
8d01234 fix: add .gotmpl file extension for go template (#2218)
652d59f chore: Bump github.com/open-policy-agent/opa from 0.68.0 to 1.4.0 (#2219)
230b2a0 chore: Bump golang from e54daaa to ec5612b in /httpserver (#2216)
aba2d9f chore: Bump github/codeql-action from 3.28.16 to 3.28.17 (#2214)
8e266c6 chore: Bump oras-project/setup-oras from 1.2.2 to 1.2.3 (#2213)
71ab65f chore: Bump github.com/notaryproject/notation-go from 1.3.1 to 1.3.2 (#2208)
42756c3 chore: Bump github.com/aliyun/credentials-go from 1.4.5 to 1.4.6 (#2209)
62148ab chore: Bump github.com/sigstore/sigstore from 1.9.3 to 1.9.4 (#2210)
b2f2a15 chore: Bump golang from 4f3bd60 to e54daaa in /httpserver (#2211)
f89c812 chore: Bump anchore/sbom-action from 0.18.0 to 0.19.0 (#2206)
1fa388e chore: Bump github/codeql-action from 3.28.15 to 3.28.16 (#2205)
3696806 chore: Bump step-security/harden-runner from 2.11.1 to 2.12.0 (#2203)
7ca8c48 chore: Bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#2204)
611b2a8 chore: Bump google.golang.org/grpc from 1.71.0 to 1.71.1 (#2198)
52279a0 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.29.10 to 1.29.14 (#2200)
3aaa44b chore: Bump github.com/sigstore/sigstore from 1.9.1 to 1.9.3 (#2201)
4a31c54 chore: Bump github.com/alibabacloud-go/darabonba-openapi/v2 from 2.0.10 to 2.0.11 (#2202)
6b20703 docs: add v2 roadmap (#2197)
fcdd325 chore: Bump golang.org/x/net from 0.37.0 to 0.38.0 (#2196)
4a22e3b build!: init ratify v2 (#2195)
013007e docs: add v2 development notice (#2194)
2a9cbc2 chore: Bump codecov/codecov-action from 5.4.0 to 5.4.2 (#2193)
c2b600e chore: Bump golang from cb45cf7 to 4f3bd60 in /httpserver (#2185)
52c8425 chore: Bump github.com/sigstore/rekor from 1.3.9 to 1.3.10 (#2189)
f8119fb chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.66 to 1.17.67 (#2190)
21a04ac chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.65 to 1.17.66 (#2186)
c60d70b fix: fix broken pipelines after switching default branch to main (#2187)
014dd41 Merge pull request #2180 from ratify-project/dev
2978dbc chore: Bump github/codeql-action from 3.28.13 to 3.28.15 (#2183)
4ac1daa chore: Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0 (#2179)
c502a59 chore: Bump step-security/harden-runner from 2.11.0 to 2.11.1 (#2177)
faad0a8 chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.62 to 1.17.65 (#2171)
89fcb70 chore: Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 (#2170)
07e32cb chore: Bump distroless/static from b35229a to c0f429e in /httpserver (#2172)
9820e8f chore: Bump goreleaser/goreleaser-action from 6.2.1 to 6.3.0 (#2169)
b9022bf Merge pull request #2167 from ratify-project/dev
f40d736 chore: update public certs for verification (#2168)
af82b23 docs: update meeting inforamtion in README (#2166)
d9e6360 chore: Bump github/codeql-action from 3.28.12 to 3.28.13 (#2164)
0f0d189 chore: Bump vscode/devcontainers/go from 5625272 to f2d2a2b in /.devcontainer (#2163)
e8d5fe5 chore: Bump golang from dd1a8cb to cb45cf7 in /httpserver (#2162)
76c5b7e chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.17.0 to 1.17.1 (#2161)
49b13a6 Merge pull request #2160 from ratify-project/dev
49b664d chore: Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#2159)
0976450 chore: Bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#2158)
1ff8787 chore: Bump actions/upload-artifact from 4.6.1 to 4.6.2 (#2156)
69a7263 chore: Bump actions/cache from 4.2.2 to 4.2.3 (#2155)
0fbef6f chore: Bump github/codeql-action from 3.28.11 to 3.28.12 (#2154)
32fe732 chore: Bump actions/setup-...

v1.4.0

✨ New Features

• feat: support certificate revocation checking using Certificate Revocation List (CRL) with cache support during Notary Project signature validation. @junczhu in #1890 , #1900 , #1941
• feat: improve the Ratify out-of-box experience by incorporating additional Helm chart parameters for configuring the Notary Project trust policy by @shahramk64 in #1982
• feat: support enabled status for kmp keys/certs by @duffney in #1874
• feat: support alibaba cloud rrsa store auth provider by @DahuK in #1909

✨ Other Enhancements

• Report more debug info in external data response by @binbin-li #1697
• Make notation verifier installation optional on ratify installation by @shahramk64 #1719
• Migrate to latest Azure container registry SDK by @shahramk64 #1829
• Refactor Azure authentication support to use azidentity by @shahramk64 #1904
• Sign Ratify release assets by @akashsinghal #1947
• Update Kubernetes support matrix by @shahramk64 #2013
• Additional env vars for ratify container via helm chart by @mannbiher in #1854
• Allow service account annotations by @mannbiher in #1907
• Remove prefix from notation verifiers trustedIdentities by @shahramk64 #2057

🔐 Security

• chore: bump up golang.org/x/crypto pkg to fix vuln by @junczhu in #1981
• fix: fix vuln in /x/net pkg by @junczhu in #1993
• fix: enforce host checking before exchanging a refresh token (#2069) by @binbin-li in #2071
• chore: add more acr endpoints (#2079) by @binbin-li in #2080
• chore: bump ristretto pkg version (#2085) by @akashsinghal in #2087

📄 Documentation

• docs: add config path arg to launch.json, update instructions by @shahramk64 in #1800
• docs: some improvement in release instructions by @junczhu in #1815
• docs: add commits doc to contributing guide by @susanshi in #1844
• docs: design proposal for tag and digest co-existing [ISSUE 1657] by @emalprokt in #1793
• docs: add CRL Design by @junczhu in #1789
• docs: Create proposal for verifying 'last-n' artifacts only. by @asafalgawi in #1797
• docs: nVersionCount support for KMP design doc by @duffney in #1831
• docs: update dev image release guidance by @akashsinghal in #1974
• docs: Fix typos in CONTRIBUTING.md by @cclauss in #2005

🎉 New Contributors

• @emalprokt made their first contribution in #1793
• @asafalgawi made their first contribution in #1797
• @JoupainMD made their first contribution in #1954
• @cclauss made their first contribution in #2005
• @DahuK made their first contribution in #2012

Full Changelog: v1.3.2...v1.4.0

v1.3.2

🔐 Security

• 84c7c48 fix: enforce host checking before exchanging a refresh token (#2069) (#2081)

Changelog

• 2d89210 chore: bump chart versions for v1.3.2 (#2083)
• 84c7c48 fix: enforce host checking before exchanging a refresh token (#2069) (#2081)

v1.2.3

🔐 Security

• 0ec0c08 fix: enforce host checking before exchanging a refresh token (#2069) (#2072)

Changelog

• 7d1ed86 chore: bump chart versions for v1.2.3 (#2082)
• 0ec0c08 fix: enforce host checking before exchanging a refresh token (#2069) (#2072)

v1.4.0-rc.1

✨ New Features

• feat: support enabled status for kmp keys/certs by @duffney in #1874
• feat: support alibaba cloud rrsa store auth provider by @DahuK in #1909
• feat: add support for crl basic functionality with built-in cache by @junczhu in #1890
• feat: implementation of KMP CRL revocation factory with cache by @junczhu in #1900
• feat: enables CRL configuration by @junczhu in #1941
• feat: add more notation trust policy attributes to values.yaml by @shahramk64 in #1982

Other Enhancements

• Report more debug info in external data response by @binbin-li #1697
• Make notation verifier installation optional on ratify installation by @shahramk64 #1719
• Migrate to latest Azure container registry SDK by @shahramk64 #1829
• Refactor Azure authentication support to use azidentity by @shahramk64 #1904
• Sign Ratify release assets by @akashsinghal #1947
• Ratify to support out-of-box experience for typical scenarios by @shahramk64 #1982
• Update Kubernetes support matrix by @shahramk64 #2013
• Additional env vars for ratify container via helm chart by @mannbiher in #1854
• Allow service account annotations by @mannbiher in #1907

🔐 Security

• chore: bump up golang.org/x/crypto pkg to fix vuln by @junczhu in #1981
• fix: fix vuln in /x/net pkg by @junczhu in #1993

📄 Documentation

• docs: add config path arg to launch.json, update instructions by @shahramk64 in #1800
• docs: some improvement in release instructions by @junczhu in #1815
• docs: add commits doc to contributing guide by @susanshi in #1844
• docs: design proposal for tag and digest co-existing [ISSUE 1657] by @emalprokt in #1793
• docs: add CRL Design by @junczhu in #1789
• docs: Create proposal for verifying 'last-n' artifacts only. by @asafalgawi in #1797
• docs: nVersionCount support for KMP design doc by @duffney in #1831
• docs: update dev image release guidance by @akashsinghal in #1974
• docs: Fix typos in CONTRIBUTING.md by @cclauss in #2005

🎉 New Contributors

• @emalprokt made their first contribution in #1793
• @asafalgawi made their first contribution in #1797
• @JoupainMD made their first contribution in #1954
• @cclauss made their first contribution in #2005
• @DahuK made their first contribution in #2012

Changelog

• 0ee96d8 Create ratify-weekly-notes-2023-Jun-2024-Jun.md
• 3bafc56 Merge branch 'dev' into clean-package
• 581be1e Merge branch 'dev' into dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
• 7e387db Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
• bd2f5ca Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
• cca0a13 Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
• 72025fb Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.4
• bb8d7f0 Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.6
• 0447079 Merge branch 'dev' into dependabot/github_actions/anchore/sbom-action-0.17.1
• e353f38 Merge branch 'dev' into dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
• 6ebd6f1 Merge branch 'dev' into dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
• bb8516e Merge branch 'dev' into dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
• 52f92d1 Merge branch 'dev' into dev
• 5b7c4e0 Merge branch 'dev' into error-log-message
• 220dfce Merge branch 'dev' into error-log-message
• 451390b Merge branch 'dev' into error-log-message
• 18f071a Merge branch 'dev' into fix-codecov
• 7e74e12 Merge branch 'dev' into ignore-experimental-test
• 9c534dc Merge branch 'dev' into isolate-metrics
• 4cf6b6c Merge branch 'dev' into isolate-metrics
• ec20d28 Merge branch 'dev' into isolate-metrics
• 50b334d Merge branch 'dev' into isolate-metrics
• 0b58daf Merge branch 'dev' into notes
• 4bbd9f1 Merge branch 'dev' into proposal_errorimprovements
• 8549d91 Merge branch 'dev' into ratify-err-doc
• 060c5a5 Merge branch 'dev' into ratify-err-doc
• 518ad3d Merge branch 'dev' into remove-autorest-adal
• f510dd9 Merge branch 'dev' into remove-autorest-adal
• 6f92077 Merge branch 'dev' into template-result
• e757310 Merge branch 'dev' into verification-response
• 34fbf9f Merge branch 'main' into dev
• 49201e9 Merge branch 'main' into staging
• f201712 Merge branch 'main' into staging
• 8c87951 Merge branch 'staging' into dependabot/github_actions/codecov/codecov-action-4.3.0
• 73ef709 Merge branch 'staging' into multi-tenancy-pr-2
• 6a93bbf Merge pull request #1358 from binbin-li/multi-tenancy-pr-2
• 6daec5d Merge pull request #1376 from deislabs/staging
• 9ac7d5a Merge pull request #1379 from deislabs/dependabot/github_actions/codecov/codecov-action-4.3.0
• 6a5f10c Merge pull request #1388 from deislabs/staging
• 6a26a56 Merge pull request #1424 from deislabs/dev
• 194c2aa Merge pull request #1431 from akashsinghal/akashsinghal/fixCosignConfig
• f0b1e6b Merge pull request #1444 from deislabs/dev
• d78461a Merge pull request #1480 from deislabs/dev
• c92687d Merge pull request #1499 from deislabs/dev
• 61f7c60 Merge pull request #1520 from binbin-li/isolate-metrics
• 340c4db Merge pull request #1521 from susanshi/dev
• 8a6f018 Merge pull request #1532 from binbin-li/clean-package
• b6a5701 Merge pull request #1533 from ratify-project/dev
• 6443a65 Merge pull request #1539 from binbin-li/run-scorecard-on-dev
• d9d46fe Merge pull request #1542 from binbin-li/fix-vulnerability
• 5d4720f Merge pull request #1563 from ratify-project/dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
• 5e81022 Merge pull request #1581 from ratify-project/dev
• 9bf9232 Merge pull request #1585 from ratify-project/dev
• 47b3331 Merge pull request #1589 from ratify-project/dependabot/docker/httpserver/golang-b405b62
• e4c58e2 Merge pull request #1590 from ratify-project/dependabot/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
• db3b86f Merge pull request #1597 from ratify-project/dev
• 7f1ecfb Merge pull request #1608 from susanshi/notes
• 357eb51 Merge pull request #1613 from ZAFT-Armored-Keeper-of-Unity/helmfile-update-1.13.2
• db7e6ee Merge pull request #1614 from ratify-project/dev
• 61e0fed Merge pull request #1621 from ratify-project/dependabot/docker/httpserver/golang-fcae9e0
• e62cd8e Merge pull request #1622 from ratify-project/dependabot/github_actions/actions/upload-artifact-4.3.4
• 9551205 Merge pull request #1624 from binbin-li/ignore-experimental-test
• 03216af Merge pull request #1628 from ratify-project/dependabot/github_actions/actions/setup-go-5.0.2
• 11a683d Merge pull request #1631 from ratify-project/dev
• 643e98a Merge pull request #1632 from ratify-project/dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
• e7aa02a Merge pull request #1634 from ratify-project/dependabot/go_modules/github.com/sigstore/sigstore-1.8.7
• 9549d66 Merge pull request #1635 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.26
• 9c9cb05 Merge pull request #1636 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/credentials-1.17.26
• 1d6e824 Merge pull request #1637 from ratify-project/dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
• 089edf1 Merge pull request #1643 from ratify-project/dev
• dfe9d0a Merge pull request #1647 from ratify-project/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.27
• 9db35b0 Merge pull request #1651 from ratify-project/dependabot/github_actions/docker/login-action-3.3.0
• b8f0e29 Merge pull request #1656 from binbin-li/template-result
• 99d5629 Merge pull request #1661 from ratify-project/dev
• 1ecd579 Merge pull request #1662 from yizha1/proposal_errorimprovements
• 3c28fd4 Merge pull request #1665 from ratify-project/dependabot/github_actions/github/codeql-action-3.25.15
• d442fad Merge pull request #1666 from ratify-project/dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
• 90367de Merge pull request #1668 from binbin-li/ratify-err-doc
• 294a715 Merge pull request #1671 from binbin-li/verification-response
• b0d8a2d Merge pull request #1672 from ratify-project/dependabot/github_actions/golangci/golangci-lint-action-6.1.0
• bd87979 Merge pull request #1674 from ratify-project/dependabot/go_modules/github.com/docker/docker-26.1.4incompatible
• e8f8000 Merge pull request #1675 from binbin-li/error-log-message
• ba5638e Merg...

v1.3.1

Bug Fixes

• CVE-2024-8260
• 82893a5 ci: fix tagging in publish-ghcr workflow (#1884)

Changelog

• b274230 Merge pull request #1886 from binbin-li/release-1.3
• 287ba3e chore: Bump github.com/open-policy-agent/opa from 0.63.0 to 0.68.0 including fix CVE-2024-8260(#1819)
• e57c9a9 chore: release-1.3.1 charts (#1891)
• 82893a5 ci: fix tagging in publish-ghcr workflow (#1884)
• 7700de4 feat: additional env vars for ratify container via helm chart (#1854)

🎉 New Contributors

• @mannbiher made their first contribution in #1854

Full Changelog: v1.3.0...v1.3.1

v1.3.0

✨ New Features

• Support keyless verification in trust policy of Cosign verifier in #1503
• Support verifying Notary Project timestamped signature in #1538 and #1758
• Support periodic retrieval of key and certificate from Key Management Providers based on the proposal in #1727 and #1773

✨ Other Enhancements

• Improve error messages of artifact validation
  • Add more fields to verification response in #1671
  • refactor error message format in #1675
  • fill ErrorReason and Remediation during verifierReport generation in #1682
  • add timestamp and traceId to verification response in #1697
  • enhance CR status with clearer brief error message in #1734
  • refactor cosign verification error messages in #1750
• Add namespace label to metrics to enhance observability in #1520
• Ability to save errors happened during KMP/CertStore reconciliation which could be checked by verifiers during artifact validation in #1710

🔐 Security

• Generate supply chain metadata for dev assets by adding SBOM & provenance Docker build attestations in #1596
• Add image signing for dev images and add release sbom in #1629
• Add openssf best practices badge by @susanshi in #1696
• Setup scanners for Ratify releases by @susanshi in #1521

📄 Documentation

• chore: refresh roadmap after v1.2.0 release by @yizha1 in #1541
• doc: update README code of conduct by @susanshi in #1553
• doc: Update SECURITY.md by @susanshi in #1555
• doc: add a proposal for periodic retrieval by @yizha1 in #1510
• doc: update minor release branching strategy by @susanshi in #1456
• doc: meeting notes ratify-weekly-notes-2023-Jun-2024-Jun.md by @susanshi in #1608
• doc: remove CLA section from CONTRIBUTING by @akashsinghal in #1626
• doc: design doc for KMP periodic retrieval by @duffney in #1583
• doc: add proposal for producing supply chain metadata for all ratify assets by @akashsinghal in #1641
• doc: Archive ratify error handling scenario doc by @binbin-li in #1668
• doc: proposal for error message improvements by @yizha1 in #1662
• doc: update the contributing guide for a successful cli debugging by @shahramk64 in #1718
• doc: update contributing guide for enhancement by @susanshi in #1715

🐛 🩹 Bug Fixes

• fix: remove Update az cli step in aks test by @binbin-li in #1502
• fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version by @akashsinghal in #1505
• fix: run full validation for release branch by @susanshi in #1512
• fix: fix vulnerabilities by @binbin-li in #1542
• fix: enable automated pr to main by @susanshi in #1582
• fix: validate plugin version for ratify cli by @susanshi in #1604
• fix: warning message is printed to stdout by CLI by @susanshi in #1650
• fix: pass CODECOV_TOKEN to reusable workflow by @binbin-li in #1676
• fix: remove duplicate $ by @binbin-li in #1677
• fix: fix typo in notation verifier by @junczhu in #1678
• fix: bump-up docker dependency by @junczhu in #1679
• fix: Enforce validation on notation signature blob number by @binbin-li in #1726
• fix: remove nonexistent KMP from verifier sample by @binbin-li in #1753
• fix: remove critical cache failure in oras GetBlobContent by @binbin-li in #1740
• fix: make notation verifier installation optional on ratify installation by @shahramk64 in #1719
• fix: remove unused trust store from sample verifier config by @binbin-li in #1790
• fix: showing verifier config parse detail in err log by @junczhu in #1791
• fix: missing status update in KMP controller by @duffney in #1761

🎉 New Contributors

• @shahramk64 made their first contribution in #1718

Changes since v1.2.2

• 0ee96d8 Create ratify-weekly-notes-2023-Jun-2024-Jun.md
• 3bafc56 Merge branch 'dev' into clean-package
• 581be1e Merge branch 'dev' into dependabot/docker/alpine-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
• 7e387db Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-8cb4ef6
• bd2f5ca Merge branch 'dev' into dependabot/docker/dot-devcontainer/vscode/devcontainers/go-dca0f2c
• cca0a13 Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
• 72025fb Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.4
• bb8d7f0 Merge branch 'dev' into dependabot/github_actions/actions/upload-artifact-4.3.6
• 0447079 Merge branch 'dev' into dependabot/github_actions/anchore/sbom-action-0.17.1
• e353f38 Merge branch 'dev' into dependabot/go_modules/github.com/google/go-containerregistry-0.20.2
• 6ebd6f1 Merge branch 'dev' into dependabot/go_modules/github.com/owenrumney/go-sarif/v2-2.3.3
• bb8516e Merge branch 'dev' into dependabot/go_modules/github.com/sigstore/sigstore-1.8.8
• 52f92d1 Merge branch 'dev' into dev
• 451390b Merge branch 'dev' into error-log-message
• 220dfce Merge branch 'dev' into error-log-message
• 5b7c4e0 Merge branch 'dev' into error-log-message
• 18f071a Merge branch 'dev' into fix-codecov
• 7e74e12 Merge branch 'dev' into ignore-experimental-test
• 4cf6b6c Merge branch 'dev' into isolate-metrics
• ec20d28 Merge branch 'dev' into isolate-metrics
• 9c534dc Merge branch 'dev' into isolate-metrics
• 50b334d Merge branch 'dev' into isolate-metrics
• 0b58daf Merge branch 'dev' into notes
• 4bbd9f1 Merge branch 'dev' into proposal_errorimprovements
• 8549d91 Merge branch 'dev' into ratify-err-doc
• 060c5a5 Merge branch 'dev' into ratify-err-doc
• f510dd9 Merge branch 'dev' into remove-autorest-adal
• 518ad3d Merge branch 'dev' into remove-autorest-adal
• 6f92077 Merge branch 'dev' into template-result
• e757310 Merge branch 'dev' into verification-response
• 34fbf9f Merge branch 'main' into dev
• 49201e9 Merge branch 'main' into staging
• f201712 Merge branch 'main' into staging
• 8c87951 Merge branch 'staging' into dependabot/github_actions/codecov/codecov-action-4.3.0
• 73ef709 Merge branch 'staging' into multi-tenancy-pr-2
• 6a93bbf Merge pull request #1358 from binbin-li/multi-tenancy-pr-2
• 6daec5d Merge pull request #1376 from deislabs/staging
• 9ac7d5a Merge pull request #1379 from deislabs/dependabot/github_actions/codecov/codecov-action-4.3.0
• 6a5f10c Merge pull request #1388 from deislabs/staging
• 6a26a56 Merge pull request #1424 from deislabs/dev
• 194c2aa Merge pull request #1431 from akashsinghal/akashsinghal/fixCosignConfig
• f0b1e6b Merge pull request #1444 from deislabs/dev
• d78461a Merge pull request #1480 from deislabs/dev
• c92687d Merge pull request #1499 from deislabs/dev
• 61f7c60 Merge pull request #1520 from binbin-li/isolate-metrics
• 340c4db Merge pull request #1521 from susanshi/dev
• 8a6f018 Merge pull request #1532 from binbin-li/clean-package
• b6a5701 Merge pull request #1533 from ratify-project/dev
• 6443a65 Merge pull request #1539 from binbin-li/run-scorecard-on-dev
• d9d46fe Merge pull request #1542 from binbin-li/fix-vulnerability
• 5d4720f Merge pull request #1563 from ratify-project/dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
• 5e81022 Merge pull request #1581 from ratify-project/dev
• 9bf9232 Merge pull request #1585 from ratify-project/dev
• 47b3331 Merge pull request #1589 from ratify-project/dependabot/docker/httpserver/golang-b405b62
• e4c58e2 Merge pull request #1590 from ratify-project/dependabot/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
• db3b86f Merge pull request #1597 from ratify-project/dev
• 7f1ecfb Merge pull request #1608 from susanshi/notes
• 357eb51 Merge pull request #1613 from ZAFT-Armored-Keeper-of-Unity/helmfile-update-1.13.2
• db7e6ee Merge p...

v1.2.2

Bug Fixes

• CVE-2024-41110

Changelog

• 32273d4 chore: Release 1.2.2 vuln bump-up (#1698)
• 0f2a6ad chore: release 1.2.2 helm chart update (#1700)

v1.2.1

Bug Fixes

• CVE-2024-35255
• CVE-2024-6104

Changelog

• ca750c7 Merge pull request #1609 from ZAFT-Armored-Keeper-of-Unity/release-1.2.1
• ac7c142 Merge pull request #1611 from ZAFT-Armored-Keeper-of-Unity/ratify-1.13.2
• ca7c358 chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
• 2dfab79 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.18 (#1557)
• 1472bfa chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.18 to 1.27.21 (#1586)
• 1f59f71 chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.21 to 1.27.23 (#1602)
• e21a23c chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.21 to 1.17.22 (#1594)
• c28d56b chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.22 to 1.17.23 (#1600)
• a9b89b5 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.3 to 1.28.5 (#1558)
• bac0633 chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.5 to 1.28.6 (#1587)
• 9ec06c4 chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 CVE GO-2024-2947 (#1595)
• 2b19603 chore: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#1577)
• 1afc81e chore: Bump k8s.io/client-go from 0.28.10 to 0.28.11 (#1573)
• ca3f41b chore: cherry pick vuln scanner to release 1.2 (#1564)
• ceffa17 chore: prepare release 1.2.1 charts update 2
• 8e173a4 chore: prepare release 1.2.1 charts update 3
• 975ac96 chore: update deislabs.github.io to ratify-project.github.io (#1566)
• bf8e96d chore: update helm charts
• bf227cf chore:add no-lint config
• 78c3fbc ci: switch region from eastus to westus2 (#1591)
• 19f55c4 fix go.mod

v1.2.0

🚨 Deprecations

• CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following guide here. Support will be removed in Ratify v2.0.0
• Certain helm values have been deprecated in favor of new ones. (Note: deprecated values will continue to be supported)
  • .Values.notationCert is deprecated. Use .Values.notationCerts[*] to provide a list certificates to configure with notation verifier
  • .Values.akvCertConfig.* section has been deprecated. Use the equivalent .Values.azurekeyvault.* section for configuring keys + certificates from Azure Key Vault

✨ New Features

• Cosign Verifier enhancements:

  • feat: move cosign to be a built in verifier by @akashsinghal in #1343
  • feat: add key support to key management provider including akv integration by @akashsinghal in #1333
  • feat: add cosign trust policies by @akashsinghal in #1381

• Kubernetes multi-tenancy support:

  • feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
  • feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
  • feat: add cache isolation by @binbin-li in #1213
  • feat: add Verifiers, policyManager , ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358 , #1359, #1380, #1382

• CRD improvements:

  • feat: add version to CRD spec by @susanshi in #1215
  • feat: validate plugin name on CR create by @susanshi in #1265
  • feat: add key management provider resource by @akashsinghal in #1293
  • feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422

📄 Documentation

• docs: add roadmap by @yizha1 in #1344
• docs: updated docs with the latest verifier report format by @junczhu in #1236
• docs: add multi-tenancy support discussions by @binbin-li in #1175
• docs: Update log format in doc by @junczhu in #1240
• docs: update COC and add adopters.md by @FeynmanZhou in #1360
• fix: updated community meeting time to UTC by @susanshi in #1364
• build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
• docs: cosign upgrade design document by @akashsinghal in #1246
• docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399

🎉 New Contributors

• @duffney made their first contribution in #1254
• @mannbiher made their first contribution in #1418

🐛 🩹 Bug Fixes

• fix: surface plugin error in exec.go by @susanshi in #1228
• fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
• fix: update constraint templates to work with new type field by @akashsinghal in #1217
• fix: improve vuln report verifier report messages by @akashsinghal in #1238
• fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
• fix: add missing CRD conversion methods by @binbin-li in #1289
• fix: fix unit tests that fail in local environment by @binbin-li in #1292
• fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
• fix: update azure tenantId casing by @akashsinghal in #1385
• fix: rename staging to dev branch by @susanshi in #1401
• fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
• fix: add top-level read permission by @binbin-li in #1419
• fix: add akv keys check on cosign-verifier by @binbin-li in #1427
• fix: handle empty trust policies by @akashsinghal in #1431
• fix: fix missing separator in helm template by @binbin-li in #1463
• fix: check label value on pull_request_target by @binbin-li in #1471
• fix: DecodeCertificates cert length check by @susanshi in #1470
• fix: update cosign chart and remove extra logs by @akashsinghal in #1475

Changes since v1.2.0-rc.1

• 63c7bb2 Merge pull request #1519 from deislabs/cherry-pick-for-1.2.0
• 35aad7f chore: ignore CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 (#1498)
• dbc2d74 chore: ignore CVE-2023-42366 (#1494)
• da2cdca chore: prepare for release 1.2 (#1524)
• 7e00bb2 ci: switch azure ci test to use rbac for key vault access (#1523)
• 1e79038 fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version (#1505)
• c6f9483 fix: full validation should run on release branch (#1511)
• 510dd58 go mod tidy