This file tracks the changes introduced by gittuf versions.
- Added support for `policy-staging` for sequential signing of metadata to meet a threshold
- Added support for minimum required signatures for rules
- Added support for profiling with pprof
- Added `--from-entry` to `verify-ref`
- Added debug statements for `--verbose` flag
- Added caching of verifiers for each verified namespace (reference or file path) to avoid repeated searches of the same policy state
- Added separated `add-rule` and `update-rule` workflows for policy
- Added dogfooding plan
- Added CI workflows for phase 1 of dogfooding
- Added OpenSSF Scorecard for the repository
- Updated policy to require each rule name to be unique across all rule files
- Updated file rules verification to use same policy as branch protection rules verification
- Updated reference authorization attestations to use merge tree for the change being authorized
- Updated design document with definitions and a diagram
- Updated tag verification to check the tag's RSL entry points to either the tag object or the tag's target object
- Updated roadmap to indicate status for each item
- Updated minimum Go version to 1.22
- Updated pointer to gittuf community details
- Updated various dependencies and CI workflows
- Added check to prevent duplicate RSL entries for the same ref and target
- Added a formal developer mode for new early-stage gittuf features
- Added early support for attestations with one type for approving reference changes (developer mode only)
- Added support for gittuf-specific Git hooks with a pre-push hook to fetch / create / push RSL entries
- Updated `verify-ref` to perform full verification by default (BREAKING CHANGE)
- Updated identification of trusted keys in policy to support varying threshold values between delegations
- Added verification tests for delegated policies
- Added root key management commands to the CLI
- Added command to list rules in gittuf policy
- Added support for standard encoding of private and public keys
- Added support for verifying SSH Git commit and tag signatures
- Added check for cycles when walking policy graph during verification
- Added autogenerated CLI docs
- Removed file rule verification when no file rules exist in the policy for efficiency
- Added command to sign existing policy file with no other changes
- Added get started guide and gittuf logo to docs
- Removed CLI usage message for gittuf errors
- Updated various dependencies
- Added support to RSL to find unskipped entries
- Added `Get*` functions to gitinterface to compartmentalize choice of Git library
- Added support in RSL and policy functions for RSL annotation entries
- Added recovery mode for policy verification workflow
- Added `go fmt` as Makefile target
- Updated length of refspecs slice to account for doubled entries
- Added support for merge commits in gitinterface
- Updated CLI to check if Git signing is viable to abort early
- Fixed bug in CLI that required an unnecessary signing key argument
- Fixed `clone`'s ability to handle trailing slashes
- Improved testing for policy verification of delegations
- Added plumbing for better logging
- Updated various dependencies
- Updated installation instructions to include Sigstore verification of binaries
- Implemented reference state log (RSL)
- Added support for Git reference policies using RSL entry signatures
- Added support for file policies using commit signatures
- Added support for basic gittuf sync operations