
Releases: sigstore/sigstore-python

v3.0.0

16 May 16:12
8578b54

Maintainers' note: this is a major release, with significant public API and CLI
changes. We strongly recommend you read the entries below to fully
understand the changes between 2.x and 3.x.

Added

  • API: Signer.sign_artifact() has been added, replacing the removed
    Signer.sign() API

  • API: Signer.sign_dsse() has been added. It takes an in-toto Statement
    as an input, producing a DSSE-formatted signature rather than a "bare"
    signature (#804)

  • API: "v3" Sigstore bundles are now supported during verification
    (#901)

  • API: Verifier.verify(...) can now take a Hashed as an input, performing
    signature verification on a pre-computed hash value
    (#904)

  • API: The sigstore.dsse module has been added, including APIs
    for representing in-toto statements and DSSE envelopes
    (#930)

  • CLI: The --trust-config flag has been added as a global option,
    enabling consistent "BYO PKI" uses of sigstore with a single flag
    (#1010)

  • CLI: The sigstore verify subcommands can now verify bundles containing
    DSSE entries, such as those produced by
    GitHub Artifact Attestations
    (#1015)
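The sign_dsse and sigstore.dsse entries above describe signing an in-toto Statement inside a DSSE envelope rather than emitting a bare signature over the artifact. The Python block below is an added illustration, not code from sigstore-python: it builds an in-toto v1 Statement whose subject is the artifact's SHA-256 digest, signs the DSSE pre-authentication encoding (PAE) of the serialized statement, and on verification recomputes the PAE from the envelope's own payloadType and payload, checks the signature, and then confirms that the artifact in hand matches a statement subject. The function names, the constructed artifact bytes, and the HMAC key used as a stand-in for the Fulcio-issued signing key are all assumptions of this example and are not part of the library.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable

# Identifiers from the in-toto and DSSE specifications.
INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

class VerificationError(Exception):
    """Raised on any failed check, mirroring the 3.x raise-on-failure convention."""

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signature covers.
    The payload type is part of the signed message, so a signed payload cannot be
    replayed under a different type; a "bare" signature over the artifact has no such binding."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)

def build_statement(name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """in-toto v1 Statement with the artifact as its single subject, identified by SHA-256."""
    return {
        "_type": INTOTO_STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }

def make_envelope(statement: dict, sign: Callable[[bytes], bytes], keyid: str = "") -> dict:
    """Serialize the statement and sign its PAE; the result is a DSSE envelope as a JSON object."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = sign(pae(INTOTO_PAYLOAD_TYPE, payload))
    return {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }

def verify_envelope(envelope: dict, verify: Callable[[bytes, bytes], bool], artifact: bytes) -> dict:
    """Verify a DSSE envelope against the artifact in hand; return the Statement or raise."""
    payload = base64.b64decode(envelope["payload"])
    # Recompute the PAE from the envelope's own fields; never accept a caller-supplied message.
    message = pae(envelope["payloadType"], payload)
    if not any(verify(message, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        raise VerificationError("no valid signature over the DSSE PAE")
    if envelope["payloadType"] != INTOTO_PAYLOAD_TYPE:
        raise VerificationError(f"unexpected payloadType {envelope['payloadType']!r}")
    statement = json.loads(payload)
    if statement.get("_type") != INTOTO_STATEMENT_TYPE:
        raise VerificationError("payload is not an in-toto v1 Statement")
    # Authentic is not enough: the statement must be *about* the artifact being verified.
    want = hashlib.sha256(artifact).hexdigest()
    if not any(hmac.compare_digest(s.get("digest", {}).get("sha256", ""), want)
               for s in statement.get("subject", [])):
        raise VerificationError("artifact digest matches no statement subject")
    return statement

# Constructed demo material: an HMAC key stands in for the Fulcio-certified signing key.
DEMO_KEY = b"constructed-demo-key-not-a-real-signing-key"
ARTIFACT = b"constructed sample artifact contents\n"

def demo_sign(message: bytes) -> bytes:
    return hmac.new(DEMO_KEY, message, hashlib.sha256).digest()

def demo_verify(message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(message), sig)

def demo() -> dict:
    """Happy path plus the two failure modes a DSSE verifier must catch."""
    statement = build_statement("app.tar.gz", ARTIFACT,
                                "https://slsa.dev/provenance/v1", {"buildType": "constructed-demo"})
    envelope = make_envelope(statement, demo_sign, keyid="demo-key")
    verified = verify_envelope(envelope, demo_verify, ARTIFACT)
    results = {"valid": verified["subject"][0]["name"] == "app.tar.gz"}

    # Genuine envelope presented for a different artifact: signature holds, subject digest does not.
    try:
        verify_envelope(envelope, demo_verify, ARTIFACT + b"tampered")
        results["wrong_artifact_rejected"] = False
    except VerificationError:
        results["wrong_artifact_rejected"] = True

    # Same payload bytes relabelled with another payloadType: the PAE changes, so the signature fails.
    swapped = dict(envelope, payloadType="application/octet-stream")
    try:
        verify_envelope(swapped, demo_verify, ARTIFACT)
        results["payload_type_swap_rejected"] = False
    except VerificationError:
        results["payload_type_swap_rejected"] = True
    return results
```

demo() returns three booleans: the genuine envelope verifies; the same envelope fails against a different artifact, which is the subject-digest check that stops a valid attestation from being reused for another file; and relabelling payloadType fails because the PAE, and with it the signed message, changed. In sigstore-python 3.x the signature itself is checked by the library against the Fulcio certificate and Rekor entry, and identity is enforced by the policy argument; this block isolates the envelope-level checks that sit underneath that.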

Removed

  • BREAKING API CHANGE: SigningResult has been removed.
    The public signing APIs now return sigstore.models.Bundle.

  • BREAKING API CHANGE: VerificationMaterials has been removed.
    The public verification APIs now accept sigstore.models.Bundle.

  • BREAKING API CHANGE: Signer.sign(...) has been removed. Use
    either sign_artifact(...) or sign_dsse(...), depending on whether
    you're signing opaque bytes or an in-toto statement.

  • BREAKING API CHANGE: VerificationResult has been removed.
    The public verification and policy APIs now raise
    sigstore.errors.VerificationError on failure.

  • BREAKING CLI CHANGE: The --rekor-url and --fulcio-url
    flags have been entirely removed. To configure a custom PKI, use
    --trust-config
    (#1010)

Changed

  • BREAKING API CHANGE: Verifier.verify(...) now takes a bytes | Hashed
    as its verification input, rather than implicitly receiving the input through
    the VerificationMaterials parameter
    (#904)

  • BREAKING API CHANGE: VerificationMaterials.rekor_entry(...) now takes
    a Hashed parameter to convey the digest used for Rekor entry lookup
    (#904)

  • BREAKING API CHANGE: Verifier.verify(...) now takes a sigstore.models.Bundle,
    instead of a VerificationMaterials (#937)

  • BREAKING CLI CHANGE: sigstore sign now emits {input}.sigstore.json
    by default instead of {input}.sigstore, per the client specification
    (#1007)

  • sigstore-python now requires inclusion proofs in all signing and verification
    flows, regardless of bundle version or input type. Inputs that do not
    have an inclusion proof (such as detached materials) cause an online lookup
    before any further processing is performed
    (#937)

  • sigstore-python now generates "v3" bundles by default during signing
    (#937)

  • CLI: Bundles are now always verified offline. The --offline flag has no effect
    on them (#937)

  • CLI: "Detached" materials are now always verified online, due to a lack of
    an inclusion proof. Passing --offline with detached materials will cause
    an error (#937)

  • API: sigstore.transparency has been removed, and its pre-existing APIs
    have been re-homed under sigstore.models
    (#990)

  • API: oidc.IdentityToken.expected_certificate_subject has been renamed
    to oidc.IdentityToken.federated_issuer to better describe what it actually
    contains. No functional changes have been made to it
    (#1016)

  • API: policy.Identity now takes an optional OIDC issuer, rather than a
    required one (#1015)

  • CLI: sigstore verify github now requires --cert-identity or
    --repository, not just --cert-identity
    (#1015)

v3.0.0rc2

07 May 16:13
3a19f88
Pre-release
sigstore: 3.0.0rc2 (#1005)

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

v3.0.0rc1

02 May 15:20
d9965ca
Pre-release
sigstore: 3.0.0rc1 (#998)

Signed-off-by: William Woodruff <william@trailofbits.com>

v2.1.5

08 Apr 14:26
@jku
8e365d7

This is a bug fix release to fix the release pipeline that failed for the 2.1.4 release.

What's Changed

  • Backport slsa release workflow upgrade (in 2.1.5)
  • Pinned securesystemslib dependency more strictly to prevent future breakage (in 2.1.4)

Full Changelog: v2.1.4...v2.1.5

v2.1.4

08 Apr 11:21
@jku
2edc752

This release was never pushed to PyPI because of a release workflow issue.

Fixed

  • Pinned securesystemslib dependency strictly to prevent future breakage

v2.1.3

19 Mar 17:26
3c04224

Fixed

  • Loosened a version constraint on the sigstore-protobuf-specs dependency,
    to ease use in testing environments
    (#943)

v2.1.2

04 Feb 10:24
332f6d2

This is a corrective release for 2.1.1.

Full Changelog: v2.1.1...v2.1.2

v2.1.1

04 Feb 10:18
f99055f

Fixed

  • Fixed an incorrect assumption about Rekor checkpoints that future releases
    of Rekor will not uphold (#891)

Full Changelog: v2.1.0...v2.1.1

v2.1.0

13 Dec 06:20
8ac0049

What's Changed

  • Update pinned requirements for v2.0.1 by @github-actions in #800
  • build(deps-dev): update ruff requirement from <0.0.293 to <0.1.1 by @dependabot in #798
  • ci: add Python 3.12 by @woodruffw in #801
  • build(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #799
  • build(deps-dev): update ruff requirement from <0.1.1 to <0.1.2 by @dependabot in #805
  • build(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #806
  • treewide: switch to ruff format by @woodruffw in #811
  • build(deps-dev): update ruff requirement from <0.1.4 to <0.1.5 by @dependabot in #812
  • build(deps-dev): update ruff requirement from <0.1.5 to <0.1.6 by @dependabot in #813
  • build(deps-dev): update ruff requirement from <0.1.6 to <0.1.7 by @dependabot in #815
  • build(deps-dev): bump cryptography from 41.0.4 to 41.0.7 by @dependabot in #816
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11 by @dependabot in #817
  • build(deps): bump actions/deploy-pages from 2.0.4 to 2.0.5 by @dependabot in #818
  • build(deps): bump actions/deploy-pages from 2.0.5 to 3.0.0 by @dependabot in #819
  • build(deps): bump actions/setup-python from 4.7.1 to 4.8.0 by @dependabot in #822
  • _cli: use rich's logging handler by @woodruffw in #824
  • build(deps): bump actions/setup-python from 4.8.0 to 5.0.0 by @dependabot in #826
  • cli: search for {input}.sigstore.json by default by @woodruffw in #820
  • build(deps): bump actions/deploy-pages from 3.0.0 to 3.0.1 by @dependabot in #827
  • build(deps-dev): bump id from 1.1.0 to 1.2.1 by @dependabot in #828
  • workflows/release: fix build provenance job by @woodruffw in #829
  • pyproject: sigstore-rekor-types==0.0.11 by @woodruffw in #831
  • Prep 2.1.0 by @tetsuo-cpp in #832

Full Changelog: v2.0.1...v2.1.0

v2.0.1

17 Oct 20:34
2d6177d

Fixed

  • CLI: When using --certificate-chain, read as bytes instead of str
    as expected by the underlying API (#796)