dkirillov/distribution
1
0
Fork 0
forked from TrueCloudLab/distribution
Code Pull requests Activity
distribution/vendor
History
Milos Gajdos 52d68216c0
feature: Bump go-jose and require signing algorithms in auth 
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
..
cloud.google.com/go Otel tracing MVP: vendor changes 2023-12-11 21:18:42 +01:00
github.com feature: Bump go-jose and require signing algorithms in auth 2024-05-30 20:44:35 +01:00
go.opencensus.io vendor: update gcs driver dependencies files 2023-05-31 09:28:43 +02:00
go.opentelemetry.io Otel tracing MVP: vendor changes 2023-12-11 21:18:42 +01:00
golang.org/x vendor: update manifest dependencies 2024-04-26 22:22:49 +08:00
google.golang.org build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 2024-03-13 23:16:02 +00:00
gopkg.in testing: replace legacy gopkg.in/check.v1 2023-12-13 09:22:43 +00:00
modules.txt feature: Bump go-jose and require signing algorithms in auth 2024-05-30 20:44:35 +01:00