v1.1.2

Fixed

• Updated the staging-root.json for recent changes to the Sigstore staging
  instance (#602)
• Switched TUF requests to their CDN endpoints, rather than direct GCS
  access (#609)

v1.1.2rc1

What's Changed

• MyPy 1.1, fixes by @woodruffw in #530
• TUF TrustUpdater basic logging by @jleightcap in #518
• verify: Stop using pydantic aliases in constructor to avoid mypy plugin bug by @tetsuo-cpp in #536
• treewide: Replace ambient credential detection with id by @tetsuo-cpp in #535
• TrustUpdater error handling by @tnytown in #525
• oidc: configure timeouts for requests by @tnytown in #541
• Move all error diagnostics to _errors by @tnytown in #531
• sct, test_sign: adjust exception messages by @tnytown in #543
• Pin requirements on releases with a workflow by @tnytown in #548
• sigstore: 1.1.2rc1 by @tnytown in #557

Full Changelog: v1.1.1...v1.1.2rc1

Release 1.1.1

What's Changed

• NewTypes for clearer encoding types by @emilejbm in #474
• pyproject.toml: pin pydantic ~= 1.10 by @tnytown in #504
• keyring: CTFE & Rekor shared Keyring abstraction by @jleightcap in #458
• Use DEFAULT_AUDIENCE instead of hard-coding by @di in #507
• chore: rename some error types by @woodruffw in #508
• Ignore targets missing the custom field by @di in #522
• Add CI to test install-ability of requirements.txt file by @di in #521
• Release verification with both (.sig, .crt) + .sigstore by @jleightcap in #517
• sigstore: 1.1.0rc1 by @woodruffw in #523
• sigstore: 1.1.1rc1 by @woodruffw in #524
• Prep 1.1.1 by @woodruffw in #526

New Contributors

• @emilejbm made their first contribution in #474
• @tnytown made their first contribution in #504

Full Changelog: v1.1.0...v1.1.1

Release 1.1.1rc1

What's Changed

• NewTypes for clearer encoding types by @emilejbm in #474
• pyproject.toml: pin pydantic ~= 1.10 by @tnytown in #504
• keyring: CTFE & Rekor shared Keyring abstraction by @jleightcap in #458
• Use DEFAULT_AUDIENCE instead of hard-coding by @di in #507
• chore: rename some error types by @woodruffw in #508
• Ignore targets missing the custom field by @di in #522
• Add CI to test install-ability of requirements.txt file by @di in #521
• Release verification with both (.sig, .crt) + .sigstore by @jleightcap in #517
• sigstore: 1.1.0rc1 by @woodruffw in #523
• sigstore: 1.1.1rc1 by @woodruffw in #524

New Contributors

• @emilejbm made their first contribution in #474
• @tnytown made their first contribution in #504

Full Changelog: v1.1.0...v1.1.1rc1

Release 1.1.0

Added

• sigstore sign now supports Sigstore bundles, which encapsulate the same
  state as the default {input}.crt, {input}.sig, and {input}.rekor
  files combined. The default output for the Sigstore bundle is
  {input}.sigstore; this can be disabled with --no-bundle or changed with
  --bundle <FILE>
  (#465)

• sigstore verify now supports Sigstore bundles. By default, sigstore looks
  for an {input}.sigstore; this can be changed with --bundle <FILE> or the
  legacy method of verification can be used instead via the --signature and
  --certificate flags
  (#478)

• sigstore verify identity and sigstore verify github now support the
  --offline flag, which tells sigstore to do offline transparency log
  entry verification. This option replaces the unstable
  --require-rekor-offline option, which has been removed
  (#478)

Fixed

• Constrained our dependency on pyOpenSSL to >= 23.0.0 to prevent
  a runtime error caused by incompatible earlier versions
  (#448)

Removed

• --rekor-bundle and --require-rekor-offline have been removed entirely,
  as their functionality have been wholly supplanted by Sigstore bundle support
  and the new sigstore verify --offline flag
  (#478)

Release 1.0.0

Changed

• sigstore.rekor is now sigstore.transparency, and its constituent APIs
  have been renamed to removed implementation detail references
  (#402)

• sigstore.transparency.RekorEntryMissing is now LogEntryMissing
  (#414)

Fixed

• The TUF network timeout has been relaxed from 4 seconds to 30 seconds,
  which should reduce the likelihood of spurious timeout errors in environments
  like GitHub Actions (#432)

Release 1.0.0rc1

sigstore: 1.0.0rc1 (#427)

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>

Release 0.10.0

Added

• sigstore now supports the -v/--verbose flag as an alternative to
  SIGSTORE_LOGLEVEL for debug logging
  (#372)

• The sigstore verify identity has been added, and is functionally
  equivalent to the existing sigstore verify subcommand.
  sigstore verify is unchanged, but will be marked deprecated in a future
  stable version of sigstore-python
  (#379)

• sigstore now has a public, importable Python API! You can find its
  documentation here
  (#383)

• sigstore --staging is now the intended way to request Sigstore's staging
  instance, rather than per-subcommand options like sigstore sign --staging.
  The latter is unchanged, but will be marked deprecated in a future stable
  version of sigstore-python
  (#383)

• The per-subcommand options --rekor-url and --rekor-root-pubkey have been
  moved to the top-level sigstore command. Their subcommand forms are unchanged
  and will continue to work, but will be marked deprecated in a future stable
  version of sigstore-python
  (#381)

• sigstore verify github has been added, allowing for verification of
  GitHub-specific claims within given certificate(s)
  (#381)

Release 0.9.0

[0.9.0]

Added

• sigstore verify now supports --certificate-chain and --rekor-url
  during verification. Ordinary uses (i.e. the default or --staging)
  are not affected (#323)

Changed

• sigstore sign and sigstore verify now stream their input, rather than
  consuming it into a single buffer
  (#329)

• A series of Python 3.11 deprecation warnings were eliminated
  (#341)

• The "splash" page presented to users during the OAuth flow has been updated
  to reflect the user-friendly page added to cosign
  (#356)

• sigstore now uses TUF to retrieve its trust material for Fulcio and Rekor,
  replacing the material that was previously baked into sigstore._store
  (#351)

Release 0.8.3

What's Changed

• sigstore: 0.8.3 by @woodruffw in #317

Full Changelog: v0.8.2...v0.8.3