Android but isn’t!
 *  Fix: Change `CertificatePinner` to skip sanitizing the certificate chain
    when no certificates were pinned. This avoids an SSL failure in insecure
    “trust everyone” configurations, such as when talking to a development
    HTTPS server that has a self-signed certificate.


## Version 3.1.1

_2016-02-07_

 *  Fix: Don't crash when finding the trust manager if the Play Services (GMS)

				"multipart/example",
				"multipart/form-data",
				"multipart/header-set",
				"multipart/mixed",
				"multipart/parallel",
				"multipart/related",
				"multipart/report",
				"multipart/signed",
				"multipart/voice-message",
				"text/x-actionscript",
				"text/x-ada",
				"text/x-applescript",
				"text/asp",
				"text/aspdotnet",
				"text/x-aspectj",
				"text/x-assembly",

- `kubeadm alpha certs renew` and `kubeadm upgrade` now supports renewal of certificates embedded in KubeConfig files managed by kubeadm; this does not apply to certificates signed by external CAs.  ([#77180](https://github.com/kubernetes/kubernetes/pull/77180), [@fabriziopandini](https://github.com/fabriziopandini))

		Description:    "Your key is too long",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrUnsignedHeaders: {
		Code:           "AccessDenied",
		Description:    "There were headers present in the request which were not signed",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrInvalidQueryParams: {
		Code:           "AuthorizationQueryParametersError",

  // +listType=atomic
  optional bytes request = 1;

  // Requested signer for the request. It is a qualified name in the form:
  // `scope-hostname.io/name`.
  // If empty, it will be defaulted:
  //  1. If it's a kubelet client certificate, it is assigned
  //     "kubernetes.io/kube-apiserver-client-kubelet".
  //  2. If it's a kubelet serving certificate, it is assigned
  //     "kubernetes.io/kubelet-serving".

(The jury all brightened up again.)

  `Please your Majesty,' said the Knave, `I didn't write it, and
they can't prove I did:  there's no name signed at the end.'

  `If you didn't sign it,' said the King, `that only makes the
matter worse.  You MUST have meant some mischief, or else you'd
have signed your name like an honest man.'

  There was a general clapping of hands at this:  it was the

### Signing Release Artifacts

Release artifacts are [signed](https://github.com/kubernetes/enhancements/issues/3031) using [cosign](https://github.com/sigstore/cosign)
signatures
and there is experimental support for [verifying image signatures](https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/).

  - The requested name did not match the set of authorized names (`x509.HostnameError`)
  - The error surfaced after attempting a connection contained one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority". ([#120736](https://github.com/kubernetes/kubernetes/pull/120736), [@MadhavJivrajani](https://github.com/MadhavJivrajani))

For detailed release notes on the three alpha features from SIG AWS, please refer to the following Changelogs:

- Kubeadm: add support for certificate chain validation. When using kubeadm in external CA mode, this allows an intermediate CA to be used to sign the certificates. The intermediate CA certificate must be appended to each signed certificate for this to work correctly. ([#97266](https://github.com/kubernetes/kubernetes/pull/97266), [@robbiemcmichael](https://github.com/robbiemcmichael)) [SIG Cluster Lifecycle]