SOPS v3.13.0 released on 08-05-2026
SOPS v3.13.0 is out now. It bundles pre-built binaries and container images with signed checksums, SLSA/in-toto provenance and SBOMs so users can install and verify artifacts with Cosign, sha256sum and slsa-verifier.
Downloads, checksums, signature bundles, provenance files and SBOMs are available from the GitHub release — use those artifacts to validate any binary or image before putting it into production.
What’s in this release
- Installation and verification: pre-built binaries with a checksums file and Cosign-signed bundle (sops-v3.13.0.checksums.sigstore.json); instructions to verify checksums with cosign and binary integrity with sha256sum, plus in-toto/SLSA provenance (sops-v3.13.0.intoto.jsonl) and SBOMs (SPDX JSON).
- Container images: ghcr.io/getsops/sops:v3.13.0 and v3.13.0-alpine (also on quay.io) for linux/amd64 and linux/arm64; Debian images include GnuPG and cloud/KMS deps, Alpine images are smaller with fewer dependencies; images are signed with Cosign and include SLSA provenance attestations.
- Key user-facing changes and fixes: YAML inline comments are preserved through encrypt/edit roundtrips; improved error message for top-level arrays; new env vars SOPS_GCP_KMS_ENDPOINT and SOPS_GCP_KMS_UNIVERSE_DOMAIN; support for space-separated keys in SOPS_AGE_KEY; HC Vault allowlist support; several sops exec-file fixes (correct GID, stricter –filename handling); GPG agent cache key change and centralized metadata serialization; cosign updated to v3.
Upgrade notes
- Support for Go 1.24 has been dropped — if you build SOPS from source, build with a newer Go toolchain.
- Always verify the checksums signature and binary/image provenance before installing. If you need to revert, the full changelog and previous tag compare are available (compare v3.12.2…v3.13.0) on the project’s GitHub.
Let us know how the verification workflow and the new preservation of YAML inline comments work for you — feedback from users helps catch real-world edge cases.
