v2.35.0
Pull Requests | Issues | v2.34.0...v2.35.0
Features
#3119 #3131 Verify packages' GitHub Artifact Attestations
When aqua installs packages, it verifies their GitHub Artifact Attestations if they are provided and registries have settings for GitHub Artifact Attestations.
#3117 Create GitHub Artifact Attestations of aqua
We have started providing GitHub Artifact Attestations for aqua itself!
https://github.com/aquaproj/aqua/attestations
If you download aqua from GitHub Releases, you can verify GitHub Artifact Attestations using GitHub CLI.
https://aquaproj.github.io/docs/install#verify-downloaded-binaries-from-github-releases
Reference:
- https://aquaproj.github.io/docs/reference/security/github-artifact-attestations
- https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
Fixes
#3129 Redirect stdout of some commands to stderr
aqua executes some OS commands to install packages.
- go install
- go build
- cargo
- cosign
- slsa-verifier
- minisign
- gh attestation verify
aqua should redirect the stdout of these commands to stderr.
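The redirection this fix describes, as an added Go sketch that is not aqua's own code: a helper step's stdout is attached to the wrapper's stderr, so a caller piping the wrapper sees only the requested tool's output on stdout. The function names and the `sh` stand-in commands are hypothetical, and the sketch assumes a POSIX `sh` on PATH and that the goal is to keep stdout reserved for the tool being run.

```go
package main

import (
	"bytes"
	"io"
	"os"
	"os/exec"
)

// runInstallStep runs a helper command (a build or verification step) with
// BOTH of its output streams attached to the wrapper's stderr writer.
func runInstallStep(stderr io.Writer, name string, args ...string) error {
	cmd := exec.Command(name, args...)
	cmd.Stdout = stderr // helper's stdout must not reach the wrapper's stdout
	cmd.Stderr = stderr
	return cmd.Run()
}

// installThenExec models a wrapper that installs on demand and then runs the
// requested tool, whose stdout is the only thing written to stdout.
func installThenExec(stdout, stderr io.Writer) error {
	// Constructed stand-in for a verifier that reports success on stdout.
	step := "echo 'verification passed'; echo 'verifier note' >&2"
	if err := runInstallStep(stderr, "sh", "-c", step); err != nil {
		return err // a failed step stops before the tool runs
	}
	// Constructed stand-in for the installed tool emitting JSON.
	tool := exec.Command("sh", "-c", `echo '{"version":"1.0.0"}'`)
	tool.Stdout, tool.Stderr = stdout, stderr
	return tool.Run()
}

// capture returns what a caller piping the wrapper would see on each stream.
func capture() (string, string, error) {
	var out, diag bytes.Buffer
	err := installThenExec(&out, &diag)
	return out.String(), diag.String(), err
}

func main() {
	if err := installThenExec(os.Stdout, os.Stderr); err != nil {
		os.Exit(1)
	}
}
```

If the step's stdout were inherited instead, the line "verification passed" would precede the JSON and break any parser reading the wrapper's stdout.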