This commit was created on GitHub.com and signed with GitHub’s verified signature.
The key has expired.
Added
sigstore sign now supports Sigstore bundles, which encapsulate the same
state as the default {input}.crt, {input}.sig, and {input}.rekor
files combined. The default output for the Sigstore bundle is {input}.sigstore; this can be disabled with --no-bundle or changed with --bundle <FILE>
(#465)
sigstore verify now supports Sigstore bundles. By default, sigstore looks
for an {input}.sigstore; this can be changed with --bundle <FILE>, or the
legacy method of verification can be used instead via the --signature and --certificate flags
(#478)
sigstore verify identity and sigstore verify github now support the --offline flag, which tells sigstore to do offline transparency log
entry verification. This option replaces the unstable --require-rekor-offline option, which has been removed
(#478)
Fixed
Constrained our dependency on pyOpenSSL to >= 23.0.0 to prevent
a runtime error caused by incompatible earlier versions
(#448)
Removed
--rekor-bundle and --require-rekor-offline have been removed entirely,
as their functionality has been wholly supplanted by Sigstore bundle support
and the new sigstore verify --offline flag
(#478)
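To illustrate the first "Added" entry, the following added example (not part of these release notes and not sigstore's own code) splits a bundle back into the three pieces that {input}.crt, {input}.sig and {input}.rekor carry. It assumes the version 0.1 Sigstore bundle JSON field names and the legacy Rekor bundle layout, neither of which is described on this page; the sample bundle is constructed and the function performs no verification.

```python
import base64
import json
import textwrap

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample: placeholder bytes, not a real certificate or signature.
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {
        "x509CertificateChain": {"certificates": [{"rawBytes": _b64(b"constructed-der-cert")}]},
        "tlogEntries": [{
            "logIndex": "1234",
            "logId": {"keyId": _b64(bytes(range(32)))},
            "integratedTime": "1672531200",
            "inclusionPromise": {"signedEntryTimestamp": _b64(b"constructed-set")},
            "canonicalizedBody": _b64(b'{"kind":"hashedrekord"}'),
        }],
    },
    "messageSignature": {"signature": _b64(b"constructed-sig")},
})

def split_bundle(text):
    """Return the (crt, sig, rekor) material carried by one bundle (assumed layout)."""
    bundle = json.loads(text)
    if not bundle.get("mediaType", "").startswith("application/vnd.dev.sigstore.bundle"):
        raise ValueError("not a Sigstore bundle")
    certs = bundle["verificationMaterial"]["x509CertificateChain"]["certificates"]
    entries = bundle["verificationMaterial"].get("tlogEntries", [])
    if not certs or len(entries) != 1:
        raise ValueError("expected a leaf certificate and exactly one log entry")
    # .crt equivalent: the leaf certificate, re-armoured from DER to PEM.
    der_b64 = _b64(base64.b64decode(certs[0]["rawBytes"]))
    crt = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(der_b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    sig = bundle["messageSignature"]["signature"]  # .sig equivalent: base64 signature
    # .rekor equivalent: the log entry together with its signed entry timestamp.
    entry = entries[0]
    rekor = {
        "SignedEntryTimestamp": entry["inclusionPromise"]["signedEntryTimestamp"],
        "Payload": {
            "body": entry["canonicalizedBody"],
            "integratedTime": int(entry["integratedTime"]),  # int64 is a JSON string
            "logIndex": int(entry["logIndex"]),
            "logID": base64.b64decode(entry["logId"]["keyId"]).hex(),  # base64 -> hex
        },
    }
    return crt, sig, rekor
```
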