Release 1.1.1rc1

What's Changed

• NewTypes for clearer encoding types by @emilejbm in #474
• pyproject.toml: pin pydantic ~= 1.10 by @tnytown in #504
• keyring: CTFE & Rekor shared Keyring abstraction by @jleightcap in #458
• Use DEFAULT_AUDIENCE instead of hard-coding by @di in #507
• chore: rename some error types by @woodruffw in #508
• Ignore targets missing the custom field by @di in #522
• Add CI to test install-ability of requirements.txt file by @di in #521
• Release verification with both (.sig, .crt) + .sigstore by @jleightcap in #517
• sigstore: 1.1.0rc1 by @woodruffw in #523
• sigstore: 1.1.1rc1 by @woodruffw in #524

New Contributors

• @emilejbm made their first contribution in #474
• @tnytown made their first contribution in #504

Full Changelog: v1.1.0...v1.1.1rc1

Release 1.1.0

Added

• sigstore sign now supports Sigstore bundles, which encapsulate the same
  state as the default {input}.crt, {input}.sig, and {input}.rekor
  files combined. The default output for the Sigstore bundle is
  {input}.sigstore; this can be disabled with --no-bundle or changed with
  --bundle <FILE>
  (#465)

• sigstore verify now supports Sigstore bundles. By default, sigstore looks
  for an {input}.sigstore; this can be changed with --bundle <FILE> or the
  legacy method of verification can be used instead via the --signature and
  --certificate flags
  (#478)

• sigstore verify identity and sigstore verify github now support the
  --offline flag, which tells sigstore to do offline transparency log
  entry verification. This option replaces the unstable
  --require-rekor-offline option, which has been removed
  (#478)

Fixed

• Constrained our dependency on pyOpenSSL to >= 23.0.0 to prevent
  a runtime error caused by incompatible earlier versions
  (#448)

Removed

• --rekor-bundle and --require-rekor-offline have been removed entirely,
  as their functionality have been wholly supplanted by Sigstore bundle support
  and the new sigstore verify --offline flag
  (#478)

Release 1.0.0

Changed

• sigstore.rekor is now sigstore.transparency, and its constituent APIs
  have been renamed to removed implementation detail references
  (#402)

• sigstore.transparency.RekorEntryMissing is now LogEntryMissing
  (#414)

Fixed

• The TUF network timeout has been relaxed from 4 seconds to 30 seconds,
  which should reduce the likelihood of spurious timeout errors in environments
  like GitHub Actions (#432)

Release 1.0.0rc1

sigstore: 1.0.0rc1 (#427)

Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Release 0.10.0

Added

• sigstore now supports the -v/--verbose flag as an alternative to
  SIGSTORE_LOGLEVEL for debug logging
  (#372)

• The sigstore verify identity has been added, and is functionally
  equivalent to the existing sigstore verify subcommand.
  sigstore verify is unchanged, but will be marked deprecated in a future
  stable version of sigstore-python
  (#379)

• sigstore now has a public, importable Python API! You can find its
  documentation here
  (#383)

• sigstore --staging is now the intended way to request Sigstore's staging
  instance, rather than per-subcommand options like sigstore sign --staging.
  The latter is unchanged, but will be marked deprecated in a future stable
  version of sigstore-python
  (#383)

• The per-subcommand options --rekor-url and --rekor-root-pubkey have been
  moved to the top-level sigstore command. Their subcommand forms are unchanged
  and will continue to work, but will be marked deprecated in a future stable
  version of sigstore-python
  (#381)

• sigstore verify github has been added, allowing for verification of
  GitHub-specific claims within given certificate(s)
  (#381)

Release 0.9.0

[0.9.0]

Added

• sigstore verify now supports --certificate-chain and --rekor-url
  during verification. Ordinary uses (i.e. the default or --staging)
  are not affected (#323)

Changed

• sigstore sign and sigstore verify now stream their input, rather than
  consuming it into a single buffer
  (#329)

• A series of Python 3.11 deprecation warnings were eliminated
  (#341)

• The "splash" page presented to users during the OAuth flow has been updated
  to reflect the user-friendly page added to cosign
  (#356)

• sigstore now uses TUF to retrieve its trust material for Fulcio and Rekor,
  replacing the material that was previously baked into sigstore._store
  (#351)

Release 0.8.3

What's Changed

• sigstore: 0.8.3 by @woodruffw in #317

Full Changelog: v0.8.2...v0.8.3

Release 0.8.2

What's Changed

• sigstore: 0.8.2 by @woodruffw in #316

Full Changelog: v0.8.1...v0.8.2

Release 0.8.1

What's Changed

• sigstore: 0.8.1 by @woodruffw in #315

Full Changelog: v0.8.0...v0.8.1

Release 0.8.0

What's Changed

• scorecards-analysis: bump scorecard-action to 2.0.6 by @woodruffw in #293
• .bump: delete by @woodruffw in #294
• build(deps): bump sigstore from 0.6.8 to 0.7.0 in /install by @dependabot in #295
• dependabot: Setup Dependabot for GitHub Actions by @tetsuo-cpp in #302
• workflows: Add conformance testing workflow by @tetsuo-cpp in #298
• build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1 by @dependabot in #303
• build(deps): bump actions/setup-python from 2.3.2 to 4.3.0 by @dependabot in #304
• Refactor the verification API by @woodruffw in #299
• sigstore, test: add actual SANs to policy failure reason by @woodruffw in #309
• workflows/staging-tests: add missing identity check by @woodruffw in #307
• oidc/oauth: avoid logging the OAuth auth headers by @woodruffw in #312
• sigstore: 0.8.0 by @woodruffw in #314

Full Changelog: v0.7.0...v0.8.0