metal-stack · Gerrit91 · May 21, 2026 · May 21, 2026 · May 21, 2026
@@ -0,0 +1,44 @@
+---
+slug: /release-notes/v0.22.10
+title: v0.22.10
+sidebar_position: 1
+---
+# metal-stack v0.22.10
+See original release note at [https://github.com/metal-stack/releases/releases/tag/v0.22.10](https://github.com/metal-stack/releases/releases/tag/v0.22.10)
+## General
+* [Gardener v1.129](https://github.com/gardener/gardener/releases/tag/v1.129.0)
+   * Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the `CloudProfile` you can also use the upstream version of the gardener-apiserver.
+## Breaking Changes
+* Migrated to connectrpc simple, you need to adjust your client implementation. (metal-stack/go-ipam#188)
+## Component Releases
+### metal-roles v0.20.3
+* Make default src address loopback optional on SONiC (metal-stack/metal-roles#563) @iljarotar
+* adapt oci-mirror-config to newer tags (metal-stack/metal-roles#586) @mwennrich
+* add xdr provider config if extension is enabled (metal-stack/metal-roles#566) @ulrichSchreiner
+### metal-api v0.43.3
+* Quick fix for wrong machine connections (metal-stack/metal-api#644) @iljarotar
+* Use refactored auditing from metal-lib (metal-stack/metal-api#645) @majst01
+* Update metal-lib to contain audit fix. (metal-stack/metal-api#647) @Gerrit91
+### metalctl v0.18.9
+* metal-go v0.43.2 (metal-stack/metalctl#303) @iljarotar
+# Merged Pull Requests
+This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories.
+
+The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release.
+
+* Gardener v1.129 (metal-stack/releases#285) @Gerrit91
+* fix: update kernel versions for debian and ubuntu targets (copyfail fix) (metal-stack/metal-images#406) @mwennrich
+* Bump releases to version v0.22.9 (metal-stack/website#257) @metal-robot[bot]
+* update kernels (dirtyfrag, CVE-2026-43284, CVE-2026-43500) (metal-stack/metal-images#407) @mwennrich
+* Bump metal-api to version v0.43.2 (metal-stack/metal-python#163) @metal-robot[bot]
+* Bump metal-api to version v0.43.2 (metal-stack/metal-go#224) @metal-robot[bot]
+* Add information regarding artifact signing (metal-stack/website#88) @simcod
+* Forgot to push OCI artifact link not working. (metal-stack/website#264) @Gerrit91
+* Go 1.26.3 (metal-stack/builder#92) @majst01
+* chore(deps): bump the other-dependencies group across 1 directory with 8 updates (metal-stack/website#265) @dependabot[bot]
+* Update debian kernel (metal-stack/metal-images#408) @majst01
+* Implement Task API (metal-stack/cli#31) @Gerrit91
+* Fix auditing misses user in context (metal-stack/metal-lib#207) @majst01
+* Bump metal-api to version v0.43.3 (metal-stack/metal-python#164) @metal-robot[bot]
+* Bump metal-api to version v0.43.3 (metal-stack/metal-go#225) @metal-robot[bot]
+* Next release (metal-stack/releases#286) @metal-robot[bot]
@@ -7,7 +7,7 @@
         "releasePath": "binaries.metal-stack.metalctl.version",
         "repo": "metal-stack/metalctl",
         "branch": "main",
-        "tag": "v0.18.8",
+        "tag": "v0.18.9",
         "position": 1,
         "withDocs": true
       }
@@ -48,7 +48,7 @@
         "releasePath": "docker-images.metal-stack.control-plane.metal-api.tag",
         "repo": "metal-stack/metal-api",
         "branch": "main",
-        "tag": "v0.43.1",
+        "tag": "v0.43.3",
         "position": 4,
         "withDocs": false
       },

@@ -1 +1 @@
-{"version": "v0.22.9"}
+{"version": "v0.22.10"}
@@ -0,0 +1,41 @@
+---
+slug: /artifact-signing
+title: Artifact Signing
+sidebar_position: 5
+---
+
+# Artifact Signing
+
+To increase trust and integrity, metal-stack introduces artifact signing for its released components.
+
+The release vector is published as an OCI artifact and signed using [cosign](https://github.com/sigstore/cosign).
+
+The images are signed using a public key that is always attached to a metal-stack release in the [releases repository](https://github.com/metal-stack/releases/blob/master/cosign.pub).
+
+To verify an image, the following command can be used:
+
+```bash
+cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:v0.9.2
+
+Verification for ghcr.io/metal-stack/metal-deployment-base:v0.9.2 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+
+[{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}},{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]
+```
+
+Certain images we also sign keyless in addition, such the command can also look like this:
+
+```bash
+cosign verify ghcr.io/metal-stack/metal-deployment-base:v0.9.2 --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@metal-stack.iam.gserviceaccount.com
+
+Verification for ghcr.io/metal-stack/metal-deployment-base:v0.9.2 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The code-signing certificate was verified using trusted certificate authority certificates
+
+[{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}},{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]
+```
@@ -0,0 +1,44 @@
+---
+slug: /release-notes/v0.22.10
+title: v0.22.10
+sidebar_position: 1
+---
+# metal-stack v0.22.10
+See original release note at [https://github.com/metal-stack/releases/releases/tag/v0.22.10](https://github.com/metal-stack/releases/releases/tag/v0.22.10)
+## General
+* [Gardener v1.129](https://github.com/gardener/gardener/releases/tag/v1.129.0)
+   * Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the `CloudProfile` you can also use the upstream version of the gardener-apiserver.
+## Breaking Changes
+* Migrated to connectrpc simple, you need to adjust your client implementation. (metal-stack/go-ipam#188)
+## Component Releases
+### metal-roles v0.20.3
+* Make default src address loopback optional on SONiC (metal-stack/metal-roles#563) @iljarotar
+* adapt oci-mirror-config to newer tags (metal-stack/metal-roles#586) @mwennrich
+* add xdr provider config if extension is enabled (metal-stack/metal-roles#566) @ulrichSchreiner
+### metal-api v0.43.3
+* Quick fix for wrong machine connections (metal-stack/metal-api#644) @iljarotar
+* Use refactored auditing from metal-lib (metal-stack/metal-api#645) @majst01
+* Update metal-lib to contain audit fix. (metal-stack/metal-api#647) @Gerrit91
+### metalctl v0.18.9
+* metal-go v0.43.2 (metal-stack/metalctl#303) @iljarotar
+# Merged Pull Requests
+This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories.
+
+The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release.
+
+* Gardener v1.129 (metal-stack/releases#285) @Gerrit91
+* fix: update kernel versions for debian and ubuntu targets (copyfail fix) (metal-stack/metal-images#406) @mwennrich
+* Bump releases to version v0.22.9 (metal-stack/website#257) @metal-robot[bot]
+* update kernels (dirtyfrag, CVE-2026-43284, CVE-2026-43500) (metal-stack/metal-images#407) @mwennrich
+* Bump metal-api to version v0.43.2 (metal-stack/metal-python#163) @metal-robot[bot]
+* Bump metal-api to version v0.43.2 (metal-stack/metal-go#224) @metal-robot[bot]
+* Add information regarding artifact signing (metal-stack/website#88) @simcod
+* Forgot to push OCI artifact link not working. (metal-stack/website#264) @Gerrit91
+* Go 1.26.3 (metal-stack/builder#92) @majst01
+* chore(deps): bump the other-dependencies group across 1 directory with 8 updates (metal-stack/website#265) @dependabot[bot]
+* Update debian kernel (metal-stack/metal-images#408) @majst01
+* Implement Task API (metal-stack/cli#31) @Gerrit91
+* Fix auditing misses user in context (metal-stack/metal-lib#207) @majst01
+* Bump metal-api to version v0.43.3 (metal-stack/metal-python#164) @metal-robot[bot]
+* Bump metal-api to version v0.43.3 (metal-stack/metal-go#225) @metal-robot[bot]
+* Next release (metal-stack/releases#286) @metal-robot[bot]