Release 1.0.0rc1

sigstore: 1.0.0rc1 (#427)

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>

Release 0.10.0

Added

• sigstore now supports the -v/--verbose flag as an alternative to
  SIGSTORE_LOGLEVEL for debug logging
  (#372)

• The sigstore verify identity has been added, and is functionally
  equivalent to the existing sigstore verify subcommand.
  sigstore verify is unchanged, but will be marked deprecated in a future
  stable version of sigstore-python
  (#379)

• sigstore now has a public, importable Python API! You can find its
  documentation here
  (#383)

• sigstore --staging is now the intended way to request Sigstore's staging
  instance, rather than per-subcommand options like sigstore sign --staging.
  The latter is unchanged, but will be marked deprecated in a future stable
  version of sigstore-python
  (#383)

• The per-subcommand options --rekor-url and --rekor-root-pubkey have been
  moved to the top-level sigstore command. Their subcommand forms are unchanged
  and will continue to work, but will be marked deprecated in a future stable
  version of sigstore-python
  (#381)

• sigstore verify github has been added, allowing for verification of
  GitHub-specific claims within given certificate(s)
  (#381)

Release 0.9.0

[0.9.0]

Added

• sigstore verify now supports --certificate-chain and --rekor-url
  during verification. Ordinary uses (i.e. the default or --staging)
  are not affected (#323)

Changed

• sigstore sign and sigstore verify now stream their input, rather than
  consuming it into a single buffer
  (#329)

• A series of Python 3.11 deprecation warnings were eliminated
  (#341)

• The "splash" page presented to users during the OAuth flow has been updated
  to reflect the user-friendly page added to cosign
  (#356)

• sigstore now uses TUF to retrieve its trust material for Fulcio and Rekor,
  replacing the material that was previously baked into sigstore._store
  (#351)

Release 0.8.3

What's Changed

• sigstore: 0.8.3 by @woodruffw in #317

Full Changelog: v0.8.2...v0.8.3

Release 0.8.2

What's Changed

• sigstore: 0.8.2 by @woodruffw in #316

Full Changelog: v0.8.1...v0.8.2

Release 0.8.1

What's Changed

• sigstore: 0.8.1 by @woodruffw in #315

Full Changelog: v0.8.0...v0.8.1

Release 0.8.0

What's Changed

• scorecards-analysis: bump scorecard-action to 2.0.6 by @woodruffw in #293
• .bump: delete by @woodruffw in #294
• build(deps): bump sigstore from 0.6.8 to 0.7.0 in /install by @dependabot in #295
• dependabot: Setup Dependabot for GitHub Actions by @tetsuo-cpp in #302
• workflows: Add conformance testing workflow by @tetsuo-cpp in #298
• build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1 by @dependabot in #303
• build(deps): bump actions/setup-python from 2.3.2 to 4.3.0 by @dependabot in #304
• Refactor the verification API by @woodruffw in #299
• sigstore, test: add actual SANs to policy failure reason by @woodruffw in #309
• workflows/staging-tests: add missing identity check by @woodruffw in #307
• oidc/oauth: avoid logging the OAuth auth headers by @woodruffw in #312
• sigstore: 0.8.0 by @woodruffw in #314

Full Changelog: v0.7.0...v0.8.0

Release 0.7.0

What's Changed

• build(deps): bump sigstore from 0.6.7 to 0.6.8 in /install by @dependabot in #285
• build(deps): bump pyjwt from 2.5.0 to 2.6.0 in /install by @dependabot in #266
• workflows/ci: add Python 3.11 to matrix by @woodruffw in #286
• Offline Rekor bundle generation and verification by @woodruffw in #247
• build(deps): bump cryptography from 38.0.2 to 38.0.3 in /install by @dependabot in #287
• Support --cert-identity by @woodruffw in #289
• _verify: Check for URI SANs when verifying certificate emails by @tetsuo-cpp in #288
• sigstore: 0.7.0 by @tetsuo-cpp in #290
• workflow: Workaround for SLSA generator failure by @tetsuo-cpp in #292

Full Changelog: v0.6.8...v0.7.0

Release 0.6.8

What's Changed

• _cli: add boolean envvar defaults by @woodruffw in #244
• build(deps): bump sigstore from 0.6.6 to 0.6.7 in /install by @dependabot in #246
• build(deps): bump cryptography from 38.0.1 to 38.0.2 in /install by @dependabot in #245
• build(deps): bump securesystemslib from 0.24.0 to 0.25.0 in /install by @dependabot in #254
• test: add an ambient_oidc marker by @woodruffw in #259
• Restore SLSA provenance generator by @di in #256
• add community-wide reusable workflow for license/vuln scan by @bobcallaway in #255
• ctfe: add staging targets by @asraa in #262
• fix deprecated set-output by @bobcallaway in #270
• sigstore: add a CT keyring, use it for SCT verification by @woodruffw in #267
• sigstore: 0.6.8 by @woodruffw in #284

New Contributors

• @bobcallaway made their first contribution in #255

Full Changelog: v0.6.7...v0.6.8

Release 0.6.7

What's Changed

• ci, Makefile: make check-readme a make target by @woodruffw in #233
• Makefile: run recursive make silently by @woodruffw in #234
• Tests: ensure consistency of transparency log response and entry by @woodruffw in #235
• Staging workflow improvements by @woodruffw in #202
• build(deps): bump sigstore from 0.6.5 to 0.6.6 in /install by @dependabot in #236
• rekor, verify: replace unstable API use by @woodruffw in #238
• rekor/client: fix result search by @woodruffw in #239
• build(deps): bump typing-extensions from 4.3.0 to 4.4.0 in /install by @dependabot in #240
• _verify: make the failure reason more detailed when rekor lookup fails by @woodruffw in #241
• _cli: add envvar defaults for most options by @woodruffw in #242
• sigstore: 0.6.7 by @woodruffw in #243

Full Changelog: v0.6.6...v0.6.7