SOPS | v3.12.2

SOPS v3.12.2 released on 18-03-2026


SOPS v3.12.2 is out now. It makes installing pre-built binaries straightforward and puts verification front and centre: signed checksums with Cosign, SLSA provenance and SBOMs, and Cosign-signed container images.

Download the artifacts and container images from the project’s GitHub release page for binaries, checksums, provenance and the full changelog.

What’s in this release

  • Pre-built platform binaries and a signed checksums file; verify the checksums file with cosign verify-blob (using the provided .pem and .sig and certificate identity/issuer regexp) and then check binary integrity with sha256sum -c.
  • SLSA provenance is included as an in-toto metadata file (sops-v3.12.2.intoto.jsonl) and each binary has an SPDX JSON SBOM named <binary>.spdx.sbom.json; verify provenance with slsa-verifier verify-artifact and –provenance-path.
  • Official container images published on GitHub Container Registry and Quay (ghcr.io/getsops/sops:v3.12.2 and :v3.12.2-alpine), available for linux/amd64 and linux/arm64; images are Cosign-signed and include SLSA attestations. Debian images include key-service dependencies; Alpine images are smaller but omit those deps.

Upgrade notes

  • No breaking changes are reported for this release — validate the checksums and provenance before trusting a new install (see the cosign and slsa-verifier commands in the release artifacts).
  • If you need to revert, the previous release tag v3.12.1 is available from the project’s releases on GitHub.

Share any notes or issues you encounter with v3.12.2 so others can learn from your experience.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes