Releases: sigstore/sigstore-python
Release 1.1.1rc1
What's Changed
- NewTypes for clearer encoding types by @emilejbm in #474
- pyproject.toml: pin pydantic ~= 1.10 by @tnytown in #504
- keyring: CTFE & Rekor shared
Keyring
abstraction by @jleightcap in #458 - Use DEFAULT_AUDIENCE instead of hard-coding by @di in #507
- chore: rename some error types by @woodruffw in #508
- Ignore targets missing the
custom
field by @di in #522 - Add CI to test install-ability of
requirements.txt
file by @di in #521 - Release verification with both (
.sig
,.crt
) +.sigstore
by @jleightcap in #517 - sigstore: 1.1.0rc1 by @woodruffw in #523
- sigstore: 1.1.1rc1 by @woodruffw in #524
New Contributors
Full Changelog: v1.1.0...v1.1.1rc1
Release 1.1.0
Added
-
sigstore sign
now supports Sigstore bundles, which encapsulate the same
state as the default{input}.crt
,{input}.sig
, and{input}.rekor
files combined. The default output for the Sigstore bundle is
{input}.sigstore
; this can be disabled with--no-bundle
or changed with
--bundle <FILE>
(#465) -
sigstore verify
now supports Sigstore bundles. By default,sigstore
looks
for an{input}.sigstore
; this can be changed with--bundle <FILE>
or the
legacy method of verification can be used instead via the--signature
and
--certificate
flags
(#478) -
sigstore verify identity
andsigstore verify github
now support the
--offline
flag, which tellssigstore
to do offline transparency log
entry verification. This option replaces the unstable
--require-rekor-offline
option, which has been removed
(#478)
Fixed
- Constrained our dependency on
pyOpenSSL
to>= 23.0.0
to prevent
a runtime error caused by incompatible earlier versions
(#448)
Removed
--rekor-bundle
and--require-rekor-offline
have been removed entirely,
as their functionality have been wholly supplanted by Sigstore bundle support
and the newsigstore verify --offline
flag
(#478)
Release 1.0.0
Changed
-
sigstore.rekor
is nowsigstore.transparency
, and its constituent APIs
have been renamed to removed implementation detail references
(#402) -
sigstore.transparency.RekorEntryMissing
is nowLogEntryMissing
(#414)
Fixed
- The TUF network timeout has been relaxed from 4 seconds to 30 seconds,
which should reduce the likelihood of spurious timeout errors in environments
like GitHub Actions (#432)
Release 1.0.0rc1
sigstore: 1.0.0rc1 (#427) Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com>
Release 0.10.0
Added
-
sigstore
now supports the-v
/--verbose
flag as an alternative to
SIGSTORE_LOGLEVEL
for debug logging
(#372) -
The
sigstore verify identity
has been added, and is functionally
equivalent to the existingsigstore verify
subcommand.
sigstore verify
is unchanged, but will be marked deprecated in a future
stable version ofsigstore-python
(#379) -
sigstore
now has a public, importable Python API! You can find its
documentation here
(#383) -
sigstore --staging
is now the intended way to request Sigstore's staging
instance, rather than per-subcommand options likesigstore sign --staging
.
The latter is unchanged, but will be marked deprecated in a future stable
version ofsigstore-python
(#383) -
The per-subcommand options
--rekor-url
and--rekor-root-pubkey
have been
moved to the top-levelsigstore
command. Their subcommand forms are unchanged
and will continue to work, but will be marked deprecated in a future stable
version ofsigstore-python
(#381) -
sigstore verify github
has been added, allowing for verification of
GitHub-specific claims within given certificate(s)
(#381)
Release 0.9.0
[0.9.0]
Added
sigstore verify
now supports--certificate-chain
and--rekor-url
during verification. Ordinary uses (i.e. the default or--staging
)
are not affected (#323)
Changed
-
sigstore sign
andsigstore verify
now stream their input, rather than
consuming it into a single buffer
(#329) -
A series of Python 3.11 deprecation warnings were eliminated
(#341) -
The "splash" page presented to users during the OAuth flow has been updated
to reflect the user-friendly page added tocosign
(#356) -
sigstore
now uses TUF to retrieve its trust material for Fulcio and Rekor,
replacing the material that was previously baked intosigstore._store
(#351)
Release 0.8.3
Release 0.8.2
Release 0.8.1
Release 0.8.0
What's Changed
- scorecards-analysis: bump scorecard-action to 2.0.6 by @woodruffw in #293
- .bump: delete by @woodruffw in #294
- build(deps): bump sigstore from 0.6.8 to 0.7.0 in /install by @dependabot in #295
- dependabot: Setup Dependabot for GitHub Actions by @tetsuo-cpp in #302
- workflows: Add conformance testing workflow by @tetsuo-cpp in #298
- build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1 by @dependabot in #303
- build(deps): bump actions/setup-python from 2.3.2 to 4.3.0 by @dependabot in #304
- Refactor the verification API by @woodruffw in #299
- sigstore, test: add actual SANs to policy failure reason by @woodruffw in #309
- workflows/staging-tests: add missing identity check by @woodruffw in #307
- oidc/oauth: avoid logging the OAuth auth headers by @woodruffw in #312
- sigstore: 0.8.0 by @woodruffw in #314
Full Changelog: v0.7.0...v0.8.0