SPIRE v1.15.0 shipped on May 19. Two items stand out for anyone running it: Sigstore-backed attestation is no longer experimental, and there is a breaking change in CLI JSON output.
Sigstore graduates in the workload attestors
The release notes are explicit: “The sigstore support in k8s and docker attestors was promoted out of experimental.” That means matching workloads on cosign-style signature verification is now a supported configuration path for the Kubernetes and Docker workload attestors, not a feature-flag preview.
Vault Key Manager
A new HashiCorp Vault Key Manager plugin lets SPIRE back its signing keys with Vault instead of the on-disk or cloud-KMS options. Combined with the existing Vault upstream authority plugin, this lets a Vault-centric organisation keep more of SPIRE’s key material under Vault control.
Smaller additions
- The Docker workload attestor now supports rootless Podman.
- The aws_iid node attestor gains an account_id selector.
- The Prometheus metrics sink supports TLS.
- PROXY protocol is supported for rate limiting behind load balancers.
- An experimental spiffe_id node selector allows aliasing individual nodes.
- WIT-SVIDs support an iss claim.
Breaking change to watch
CLI commands no longer wrap a single object in a JSON array on output. The release notes flag this as a potentially breaking change for anyone parsing the JSON output. Automation that consumes spire-server or spire-agent JSON expecting the outer array will need to be updated. The release also bumps cosign to v3 and Go to 1.26.3.
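One way to make a consumer tolerate both output shapes while servers and agents are upgraded at different times. This is an added example, not code from the SPIRE project: single_object and UnexpectedShape are hypothetical names, and the sample JSON strings are constructed and do not reflect any real command's schema.

```python
import json
from typing import Any


class UnexpectedShape(ValueError):
    """CLI JSON was neither a bare object nor a one-element array."""


def single_object(raw: str) -> dict[str, Any]:
    """Return the one object a CLI command printed, whichever form it used.

    Accepts the pre-1.15.0 form ([{...}]) and the 1.15.0 form ({...}).
    Anything else fails closed, so automation never acts on a guessed shape.
    """
    if not raw.strip():
        raise UnexpectedShape("empty output")
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise UnexpectedShape(f"not JSON: {exc}") from exc

    if isinstance(doc, dict):
        return doc  # 1.15.0 and later: bare object
    if isinstance(doc, list):
        if len(doc) == 1 and isinstance(doc[0], dict):
            return doc[0]  # before 1.15.0: object wrapped in an array
        raise UnexpectedShape("array must hold exactly one object")
    raise UnexpectedShape(f"top-level {type(doc).__name__}, expected object")


# Constructed sample outputs; the field names are placeholders.
LEGACY_OUTPUT = '[{"id": "constructed-1", "status": "ok"}]'
CURRENT_OUTPUT = '{"id": "constructed-1", "status": "ok"}'

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_OUTPUT), ("1.15.0", CURRENT_OUTPUT)):
        print(label, single_object(raw))
    for bad in ("", "[]", '[{"a": 1}, {"b": 2}]', "null"):
        try:
            single_object(bad)
        except UnexpectedShape as exc:
            print("rejected:", exc)
```

Scripts that index the result with [0] are the ones that break on upgrade; routing them through a shim like this lets the same automation run against both versions.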
Source: SPIRE v1.15.0 — May 19, 2026.