SOPS v3.13.1 released on 16-05-2026

SOPS v3.13.1 is out now. It provides step‑by‑step installation and binary verification instructions for the pre-built binaries, guidance for SLSA provenance and SBOM verification, and details for verifying container images and signatures — useful for operators and users who need reproducible, verifiable artefacts.
See the release on GitHub for downloadable artefacts, checksums, the in‑toto provenance file and the full changelog comparing v3.13.0…v3.13.1.
What’s in this release
- Installation and binary verification: download pre-built binaries (example shown for linux/amd64), move the binary into PATH and make it executable; verify the checksums file signature with cosign verify-blob and then validate the binary with sha256sum -c.
- Artifact provenance and SLSA verification: an in-toto metadata file (sops-v3.13.1.intoto.jsonl) is included in the release artifacts; verify provenance with slsa-verifier verify-artifact using source URI github.com/getsops/sops and source tag v3.13.1.
- Container images and image verification: published images on GHCR and Quay (Debian-slim and Alpine variants) for linux/amd64 and linux/arm64; Debian images include extra key-service dependencies while Alpine images are smaller; image signatures can be checked with cosign and SLSA attestations are available.
Upgrade notes
- No breaking changes are listed in the release notes; review the full changelog (compare v3.13.0…v3.13.1) before upgrading.
- To roll back, reinstall the previous release available from the project’s GitHub releases (see the changelog link for the prior tag).
Try the release and share any feedback or issues you encounter so others can benefit from your experience.


