Releases: sigstore/sigstore-python
v3.0.0
Maintainers' note: this is a major release, with significant public API and CLI changes. We strongly recommend you read the entries below to fully understand the changes between 2.x and 3.x.
Added
- API: `Signer.sign_artifact()` has been added, replacing the removed `Signer.sign()` API
- API: `Signer.sign_dsse()` has been added. It takes an in-toto `Statement` as an input, producing a DSSE-formatted signature rather than a "bare" signature (#804)
- API: "v3" Sigstore bundles are now supported during verification (#901)
- API: `Verifier.verify(...)` can now take a `Hashed` as an input, performing signature verification on a pre-computed hash value (#904)
- API: The `sigstore.dsse` module has been added, including APIs for representing in-toto statements and DSSE envelopes (#930)
- CLI: The `--trust-config` flag has been added as a global option, enabling consistent "BYO PKI" uses of `sigstore` with a single flag (#1010)
- CLI: The `sigstore verify` subcommands can now verify bundles containing DSSE entries, such as those produced by GitHub Artifact Attestations (#1015)
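The difference between a "bare" signature and what `sign_dsse()` produces is the envelope: the signature covers a DSSE Pre-Authentication Encoding of the in-toto Statement, not the artifact bytes. The following is an added example, not sigstore-python's own code, that builds an in-toto v1 Statement, wraps it in a DSSE envelope and verifies it using only the standard library. It assumes an HMAC-SHA256 stand-in signer with a constructed key so it runs offline; sigstore-python instead signs with an ephemeral ECDSA key bound to a Fulcio certificate, and its `sigstore.dsse` types are not used here.

```python
"""
Added example (stdlib only; not sigstore-python's own code): an in-toto v1
Statement inside a DSSE envelope. The signer below is an HMAC-SHA256 stand-in
with a constructed key, an assumption made so the script runs offline; the
statement layout and the PAE are the real formats.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
DEMO_KEY = b"constructed-demo-key"  # stand-in for a real signing key


def build_statement(subjects: dict[str, bytes], predicate_type: str, predicate: dict) -> dict:
    """in-toto v1 Statement: subjects are the artifacts the predicate is about,
    identified by digest, so the envelope signature binds to artifact content."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [
            {"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}
            for name, data in subjects.items()
        ],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes actually signed. The payload
    type and both lengths are part of the signed message, so a signature over an
    in-toto statement cannot be presented as a signature over another type."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign(data: bytes) -> bytes:  # stand-in signer (constructed key)
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def verify_sig(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def make_envelope(payload: bytes, payload_type: str, keyid: str = "") -> dict:
    sig = sign(pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict) -> tuple[str, bytes]:
    """Return (payloadType, payload) if any signature verifies over the PAE."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        if verify_sig(signed, base64.b64decode(s["sig"])):
            return envelope["payloadType"], payload
    raise ValueError("DSSE envelope: no valid signature")


def statement_covers(statement: dict, artifact: bytes) -> bool:
    """After the envelope verifies, check the artifact on hand is a subject."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s["digest"].get("sha256") == digest for s in statement["subject"])


def demo() -> dict:
    artifact = b"constructed artifact bytes"
    stmt = build_statement({"dist/app-1.0.tar.gz": artifact},
                           "https://slsa.dev/provenance/v1", {"buildType": "constructed"})
    payload = json.dumps(stmt, separators=(",", ":"), sort_keys=True).encode()
    env = make_envelope(payload, INTOTO_PAYLOAD_TYPE, keyid="demo")
    ptype, body = verify_envelope(env)
    # Same signature, different payloadType / altered payload: both must fail.
    retyped = dict(env, payloadType="application/octet-stream")
    tampered = dict(env, payload=base64.b64encode(payload.replace(b"1.0", b"1.1")).decode())

    def rejected(e: dict) -> bool:
        try:
            verify_envelope(e)
            return False
        except ValueError:
            return True

    return {"verified": statement_covers(json.loads(body), artifact), "payload_type": ptype,
            "retype_rejected": rejected(retyped), "tamper_rejected": rejected(tampered),
            "other_artifact_covered": statement_covers(json.loads(body), b"other")}
```

Verifying the envelope only establishes who signed the statement; the `statement_covers` step is what ties the statement to the artifact you are about to use, and a verifier that skips it accepts a valid attestation for some other artifact.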
Removed
- BREAKING API CHANGE: `SigningResult` has been removed. The public signing APIs now return `sigstore.models.Bundle`.
- BREAKING API CHANGE: `VerificationMaterials` has been removed. The public verification APIs now accept `sigstore.models.Bundle`.
- BREAKING API CHANGE: `Signer.sign(...)` has been removed. Use either `sign_artifact(...)` or `sign_dsse(...)`, depending on whether you're signing opaque bytes or an in-toto statement.
- BREAKING API CHANGE: `VerificationResult` has been removed. The public verification and policy APIs now raise `sigstore.errors.VerificationError` on failure.
- BREAKING CLI CHANGE: The `--rekor-url` and `--fulcio-url` flags have been entirely removed. To configure a custom PKI, use `--trust-config` (#1010)
Changed
- BREAKING API CHANGE: `Verifier.verify(...)` now takes a `bytes | Hashed` as its verification input, rather than implicitly receiving the input through the `VerificationMaterials` parameter (#904)
- BREAKING API CHANGE: `VerificationMaterials.rekor_entry(...)` now takes a `Hashed` parameter to convey the digest used for Rekor entry lookup (#904)
- BREAKING API CHANGE: `Verifier.verify(...)` now takes a `sigstore.models.Bundle`, instead of a `VerificationMaterials` (#937)
- BREAKING CLI CHANGE: `sigstore sign` now emits `{input}.sigstore.json` by default instead of `{input}.sigstore`, per the client specification (#1007)
- sigstore-python now requires inclusion proofs in all signing and verification flows, regardless of bundle version or input type. Inputs that do not have an inclusion proof (such as detached materials) cause an online lookup before any further processing is performed (#937)
- sigstore-python now generates "v3" bundles by default during signing (#937)
- CLI: Bundles are now always verified offline; the `--offline` flag has no effect on them (#937)
- CLI: "Detached" materials are now always verified online, due to a lack of an inclusion proof. Passing `--offline` with detached materials will cause an error (#937)
- API: `sigstore.transparency` has been removed, and its pre-existing APIs have been re-homed under `sigstore.models` (#990)
- API: `oidc.IdentityToken.expected_certificate_subject` has been renamed to `oidc.IdentityToken.federated_issuer` to better describe what it actually contains. No functional changes have been made to it (#1016)
- API: `policy.Identity` now takes an optional OIDC issuer, rather than a required one (#1015)
- CLI: `sigstore verify github` now requires `--cert-identity` or `--repository`, not just `--cert-identity` (#1015)
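The offline/online split above comes down to one thing: whether every transparency-log entry in the bundle carries an inclusion proof that can be checked locally against the log's root hash. The following is an added example, not sigstore-python's own code, that inspects a bundle in the protobuf-JSON form written to `{input}.sigstore.json`, reports whether it is offline-verifiable, compares a pre-computed SHA-256 with `messageSignature.messageDigest` (the `Hashed` input case) and checks the RFC 6962 inclusion proof over the entry's `canonicalizedBody`. It assumes the Sigstore bundle JSON field names (`verificationMaterial.tlogEntries[].inclusionProof`, `messageSignature.messageDigest`); the log contents and the bundle itself are constructed inside the script, and the checkpoint signature, the entry's own signature and the Fulcio chain, which a real verifier must also check, are left out.

```python
# Added example (stdlib only; not sigstore-python's own code). Reads a bundle in the
# protobuf-JSON form written to {input}.sigstore.json, decides whether it can be
# verified offline (every tlogEntries[] item carries an inclusionProof), checks a
# pre-computed SHA-256 against messageSignature.messageDigest (the Hashed case), and
# verifies the inclusion proof over the entry's canonicalizedBody per RFC 6962.
# The log and bundle are constructed; a real verifier must also check the checkpoint
# signature, the entry's own signature and the Fulcio certificate chain.
import base64, hashlib, hmac

BUNDLE_V03 = "application/vnd.dev.sigstore.bundle.v0.3+json"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:  # RFC 6962 leaf: H(0x00 || entry)
    return sha256(b"\x00" + entry)

def node_hash(left: bytes, right: bytes) -> bytes:  # RFC 6962 node: H(0x01 || l || r)
    return sha256(b"\x01" + left + right)

def _split(n: int) -> int:  # largest power of two strictly less than n
    k = 1 << (n.bit_length() - 1)
    return k >> 1 if k == n else k

def merkle_root(entries: list[bytes]) -> bytes:
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def inclusion_path(m: int, entries: list[bytes]) -> list[bytes]:
    """Audit path for entries[m] (RFC 6962 PATH); used only to build the demo proof."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return inclusion_path(m, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [merkle_root(entries[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: recompute the root from the leaf and audit path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and hmac.compare_digest(r, root)

def offline_verifiable(bundle: dict) -> bool:
    """3.x verifies offline only if every log entry carries an inclusion proof."""
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    return bool(entries) and all("inclusionProof" in e for e in entries)

def verify_bundle_inclusion(bundle: dict) -> bool:
    for e in bundle["verificationMaterial"]["tlogEntries"]:
        proof = e.get("inclusionProof")
        if proof is None or not verify_inclusion(
            leaf_hash(base64.b64decode(e["canonicalizedBody"])),
            int(proof["logIndex"]), int(proof["treeSize"]),
            [base64.b64decode(h) for h in proof["hashes"]],
            base64.b64decode(proof["rootHash"]),
        ):
            return False
    return True

def digest_matches(bundle: dict, digest: bytes) -> bool:
    """The Hashed-input case: compare a pre-computed digest with the bundle's."""
    md = bundle.get("messageSignature", {}).get("messageDigest")
    if md is None or md.get("algorithm") != "SHA2_256":
        return False  # DSSE bundles carry digests inside the statement instead
    return hmac.compare_digest(base64.b64decode(md["digest"]), digest)

# Constructed demo log: five fake canonicalized Rekor bodies; "ours" is index 2.
LOG = [b'{"kind":"hashedrekord","spec":{"n":%d}}' % i for i in range(5)]
ARTIFACT = b"constructed artifact bytes"

def make_demo_bundle(index: int = 2, forge_body: bool = False, drop_proof: bool = False) -> dict:
    b64 = lambda b: base64.b64encode(b).decode()
    proof = {"logIndex": str(index), "treeSize": str(len(LOG)),
             "rootHash": b64(merkle_root(LOG)),
             "hashes": [b64(h) for h in inclusion_path(index, LOG)]}
    entry = {"logIndex": str(index),
             "canonicalizedBody": b64(b"forged" if forge_body else LOG[index])}
    if not drop_proof:  # a promise-only (v0.1-style) entry forces an online lookup
        entry["inclusionProof"] = proof
    return {"mediaType": BUNDLE_V03,
            "verificationMaterial": {"tlogEntries": [entry]},
            "messageSignature": {
                "messageDigest": {"algorithm": "SHA2_256", "digest": b64(sha256(ARTIFACT))},
                "signature": b64(b"<constructed: signature omitted>")}}
```

`make_demo_bundle(drop_proof=True)` models the bundle shape that makes 3.x fall back to an online Rekor lookup, and `forge_body=True` shows that a substituted log entry no longer hashes to the recorded root, which is exactly the check a detached signature without a proof cannot give you offline.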
v3.0.0rc2
sigstore: 3.0.0rc2 (#1005) Signed-off-by: Facundo Tuesca <[email protected]>
v3.0.0rc1
sigstore: 3.0.0rc1 (#998) Signed-off-by: William Woodruff <[email protected]>
v2.1.5
This is a bug fix release to fix the release pipeline that failed for 2.1.4 release.
What's Changed
- Backport slsa release workflow upgrade (in 2.1.5)
- Pinned `securesystemslib` dependency more strictly to prevent future breakage (in 2.1.4)
Full Changelog: v2.1.4...v2.1.5
v2.1.4
v2.1.3
v2.1.2
This is a corrective release for 2.1.1.
Full Changelog: v2.1.1...v2.1.2
v2.1.1
v2.1.0
What's Changed
- Update pinned requirements for v2.0.1 by @github-actions in #800
- build(deps-dev): update ruff requirement from <0.0.293 to <0.1.1 by @dependabot in #798
- ci: add Python 3.12 by @woodruffw in #801
- build(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #799
- build(deps-dev): update ruff requirement from <0.1.1 to <0.1.2 by @dependabot in #805
- build(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #806
- treewide: switch to `ruff format` by @woodruffw in #811
- build(deps-dev): update ruff requirement from <0.1.4 to <0.1.5 by @dependabot in #812
- build(deps-dev): update ruff requirement from <0.1.5 to <0.1.6 by @dependabot in #813
- build(deps-dev): update ruff requirement from <0.1.6 to <0.1.7 by @dependabot in #815
- build(deps-dev): bump cryptography from 41.0.4 to 41.0.7 by @dependabot in #816
- build(deps): bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11 by @dependabot in #817
- build(deps): bump actions/deploy-pages from 2.0.4 to 2.0.5 by @dependabot in #818
- build(deps): bump actions/deploy-pages from 2.0.5 to 3.0.0 by @dependabot in #819
- build(deps): bump actions/setup-python from 4.7.1 to 4.8.0 by @dependabot in #822
- _cli: use rich's logging handler by @woodruffw in #824
- build(deps): bump actions/setup-python from 4.8.0 to 5.0.0 by @dependabot in #826
- cli: search for `{input}.sigstore.json` by default by @woodruffw in #820
- build(deps): bump actions/deploy-pages from 3.0.0 to 3.0.1 by @dependabot in #827
- build(deps-dev): bump id from 1.1.0 to 1.2.1 by @dependabot in #828
- workflows/release: fix build provenance job by @woodruffw in #829
- pyproject: sigstore-rekor-types==0.0.11 by @woodruffw in #831
- Prep 2.1.0 by @tetsuo-cpp in #832
Full Changelog: v2.0.1...v2.1.0