sigstore · loosebazooka · May 9, 2024 · May 9, 2024
diff --git a/build-logic/publishing/build.gradle.kts b/build-logic/publishing/build.gradle.kts
@@ -10,6 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.7.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.8.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1")
 }
diff --git a/gradle.properties b/gradle.properties
@@ -4,4 +4,4 @@ systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 
 group=dev.sigstore
 # remember to update SigstoreSignExtension.kt and build-logic/publishing/build.gradle.kts when updating this
-version=0.8.0
+version=0.9.0
diff --git a/sigstore-gradle/README.md b/sigstore-gradle/README.md
@@ -2,10 +2,8 @@
 
 A Gradle plugin for signing artifacts with Sigstore.
 
-## The current state
-
-`dev.sigstore.sign` has no releases yet.
-Signature format uses [Sigstore bundle](https://github.com/sigstore/cosign/pull/2204) JSON which is still experimental.
+`dev.sigstore.sign` is available on the gradle plugin portal.
+Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) JSON as the output format.
 
 ## Requirements
 
@@ -46,7 +44,7 @@ plugins {
 
 dependencies {
     // Override sigstore-java clients
-    sigstoreClient("dev.sigstore:sigstore-java:0.1.0")
+    sigstoreClient("dev.sigstore:sigstore-java:<alternate-version>")
 }
 
 sigstoreSign {
@@ -121,8 +119,8 @@ val zip by tasks.registering(Zip::class) {
 
 ### Signature format
 
-The signature uses [Sigstore bundle](https://github.com/sigstore/cosign/pull/2204) JSON
-stored as `.sigstore` file.
+The signature uses [Sigstore bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) JSON
+stored as `.sigstore.json` file.
 
 The file includes all the information for offline signature verification.
 
@@ -136,8 +134,8 @@ Provides `SigstoreSignFilesTask` task for signing files in Sigstore.
 The plugin adds no tasks by default.
 
 Properties:
-* `dev.sigstore.sign.remove.sigstore.asc` (since 0.6.0, default: `true`). Removes `.sigstore.asc` files from the publication.
-  Sonatype OSSRH supports publishing `.sigstore` signatures, and it does not require `.sigstore.asc` files, so
+* `dev.sigstore.sign.remove.sigstore.asc` (since 0.6.0, default: `true`). Removes `.sigstore.json.asc` files from the publication.
+  Sonatype OSSRH supports publishing `.sigstore.json` signatures, and it does not require `.sigstore.json.asc` files, so
   `dev.sigstore.sign` plugin removes them by default. If you need to sign all the files, set this property to `false`.
 
 Extensions:

diff --git a/...gstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt b/...gstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
@@ -44,7 +44,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("0.8.0")
+        sigstoreJavaVersion.convention("0.9.0")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,