Skip to content

Tekton Chains v0.5.0
Compare
Choose a tag to compare
@tekton-robot tekton-robot released this 24 Sep 23:00
v0.5.0
9bd7fb8

πŸŽ‰ v0.5.0 πŸŽ‰

-Docs @ v0.5.0
-Examples @ v0.5.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.5.0/release.yaml

Fixes

  • Fix _type field in in-toto provenance generation (#235)
  • Fix bug in transparency log uploads (#233)
  • Fix another bug in materials and add integration test (#230)
  • Check task status params to create materials for provenance (#229)
  • Fix bug in storing attestations in OCI registry (#227)
  • fix incorrect cd (#223)
  • Fix some bugs in uploading attestations (#220)

Misc

  • Simplify looking up the RekorAnnotation, add Unit Test for HandleRetry failure (#232)
  • Bump in-toto dependency. (#226)
  • Bump most dependencies (outside of the k8s codegen and client-go). (#222)
  • Switch the linter from golint to revive. (#219)
  • πŸ”¨ Bump Pipeline, Knative, K8s deps (#218)

Docs

  • Add tutorial for generating signed provenance (#238)
  • Add minor chains tutorial enhancements (#228)

Verify the Release

The Rekor UUID for this release is 3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f

Obtain the attestation:

rekor-cli get --uuid 3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.5.0/release.yaml 
REKOR_UUID=3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.5.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do 
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
  cosign verify -key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub $image
  cosign verify-attestation -key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub $image
done

Thanks

Thanks to these contributors who contributed to v0.5.0!

Extra shout-out for awesome release notes:

Contributors

dlorenc, mattmoor, and 4 other contributors
Assets 4
Loading