v0.3.0
gittuf's third alpha release adds support for verifying SSH Git signatures among other things. Note that `verify-ref` has been updated with a breaking change. Now, it performs full verification by default.
Changelog
- Added check to prevent duplicate RSL entries for the same ref and target
- Added a formal developer mode for new early-stage gittuf features
- Added early support for attestations with one type for approving reference changes (developer mode only)
- Added support for gittuf-specific Git hooks with a pre-push hook to fetch / create / push RSL entries
- Updated `verify-ref` to perform full verification by default (BREAKING CHANGE)
- Updated identification of trusted keys in policy to support varying threshold values between delegations
- Added verification tests for delegated policies
- Added root key management commands to the CLI
- Added command to list rules in gittuf policy
- Added support for standard encoding of private and public keys
- Added support for verifying SSH Git commit and tag signatures
- Added check for cycles when walking policy graph during verification
- Added autogenerated CLI docs
- Removed file rule verification when no file rules exist in the policy for efficiency
- Added command to sign existing policy file with no other changes
- Added get started guide and gittuf logo to docs
- Removed CLI usage message for gittuf errors
- Updated various dependencies
Contributors
This release includes work by @datosh, @neilnaveen, @naveensrinivasan, @JustinCappos, @wlynch, and @adityasaky. We continue to be grateful to @dependabot for keeping our dependencies updated.