v0.3.0

@github-actions github-actions released this 17 Jan 19:39
10f695a

gittuf's third alpha release adds support for verifying SSH Git signatures, among other things. Note that verify-ref has a breaking change: it now performs full verification by default.

Changelog

  • Added check to prevent duplicate RSL entries for the same ref and target
  • Added a formal developer mode for new early-stage gittuf features
  • Added early support for attestations with one type for approving reference changes (developer mode only)
  • Added support for gittuf-specific Git hooks with a pre-push hook to fetch / create / push RSL entries
  • Updated verify-ref to perform full verification by default (BREAKING CHANGE)
  • Updated identification of trusted keys in policy to support varying threshold values between delegations
  • Added verification tests for delegated policies
  • Added root key management commands to the CLI
  • Added command to list rules in gittuf policy
  • Added support for standard encoding of private and public keys
  • Added support for verifying SSH Git commit and tag signatures
  • Added check for cycles when walking policy graph during verification
  • Added autogenerated CLI docs
  • Removed file rule verification when no file rules exist in the policy for efficiency
  • Added command to sign existing policy file with no other changes
  • Added get started guide and gittuf logo to docs
  • Removed CLI usage message for gittuf errors
  • Updated various dependencies

Contributors

This release includes work by @datosh, @neilnaveen, @naveensrinivasan, @JustinCappos, @wlynch, and @adityasaky. We continue to be grateful to @dependabot for keeping our dependencies updated.