v5.0.0

This release, most notably, marks stable securesystemslib v1.0.0 as minimum
requirement. The update causes a minor break in the new DSSE API (see below)
and affects users who also directly depend on securesystemslib. See the securesystemslib release
notes
and the updated python-tuf examples (#2617) for details. ngclient API remains
backwards-compatible.

Changed

• DSSE API: change SimpleEnvelope.signatures type to dict, remove
  SimpleEnvelope.signatures_dict (#2617)
• ngclient: support app-specific user-agents (#2612)
• Various build, test and lint improvements

v4.0.0

This release is a small API change for Metadata API users (see below).
ngclient API is compatible but optional DSSE support has been added.

Added

• Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

• Metadata API: Improved verification functionality for repository users (#2551):
  • This is an API change for Metadata API users (
    Root.get_verification_result() and Targets.get_verification_result()
    specifically)
  • Root.get_root_verification_result() has been added to handle the special
    case of root verification
• Started using UTC datetimes instead of naive datetimes internally (#2573)
• Constrain securesystemslib dependency to <0.32.0 in preparation for future
  securesystemslib API changes
• Various build, test and lint improvements

v3.1.1

This is a security fix release to address advisory GHSA-77hh-43cm-v8j6. The issue does not affect tuf.ngclient users, but could affect tuf.api.metadata users.

Changed

• Added additional input validation to tuf.api.metadata.Targets.get_delegated_role()

v3.1.0

See CHANGELOG.md for details.

v3.0.0

See CHANGELOG.md for details.

v2.1.0

See CHANGELOG.md for details.

v2.0.0

See CHANGELOG.md for details.

v1.1.0

See CHANGELOG.md for details.

v1.0.0

This release makes ngclient and the Metadata API the supported python-tuf APIs.
It also removes the legacy implementation as documented in the 1.0.0 announcement:
all library code is now contained in tuf.api or tuf.ngclient.

See Python-TUF reaches version 1.0.0 for a blog post about this release.

Added

• tests: Extend testing (#1689, #1703, #1711, #1728, #1735, #1738,
  #1742, #1766, #1777, #1809, #1831)

Changed

• Metadata API: Disallow microseconds in expiry (#1712)
• Metadata API: Preserve role keyid order (#1754)
• Metadata API: Make exceptions more consistent (#1725, #1734, #1787, #1840,
  #1836)
• Metadata API: Update supported spec version to "1.0.28" (#1825)
• Metadata API: Accept legacy spec version "1.0" (#1796)
• Metadata API: Accept custom fields in Metadata (#1861)
• ngclient: Remove temporary file in failure cases (#1757)
• ngclient: Explicitly encode rolename in URL (#1759)
• ngclient: Allow HTTP payload compression (#1774)
• ngclient: Make exceptions more consistent (#1799, #1810)
• docs: Improve documentation (#1744, #1749, #1750, #1755, #1771, #1776, #1772,
  #1780, #1781, #1800, #1815, #1820, #1829, #1838, #1850, #1853, #1855, #1856,
  #1868, #1871)
• build: Various build infrastructure improvements (#1718, #1724, #1760, #1762,
  #1767, #1803, #1830, #1832, #1837, #1839)
• build: Stop supporting EOL Python 3.6 (#1783)
• build: Update dependencies (#1809, #1827, #1834, #1863, #1865, #1870)

Removed

• Remove all legacy code including old client, repository_tool, repository_lib
  and the scripts (#1790)
• Metadata API: Remove modification helper methods that are no longer necessary
  (#1736, #1740, #1743)
• tests: Remove client tests that were replaced with better ones (#1741)
• tests: Stop using unittest_toolbox (#1792)
• docs: Remove deprecated documentation (#1768, #1769, #1773, #1848)

v0.20.0

NOTE: This will be the final release of python-tuf that includes the legacy implementation code. Please see the 1.0.0 announcement page for more details about the next release and the deprecation of the legacy implementation, including migration instructions.

Added

• metadata API: misc input validation (#1630, #1688, #1668, #1672, #1690)
• doc: repository library design document and ADR (#1693)
• doc: 1.0.0 announcement (#1706)
• doc: misc docstrings in metadata API (#1620)
• doc: repository and client examples (#1675, #1685, #1700)
• test: ngclient key rotation (#1635, #1649, #1691)
• test: ngclient top-level role update (#1636)
• test: ngclient non-consistent snapshot (#1666, #1705)
• test: more lint/type checks and auto-formatting (#1658, #1664, #1659, #1674, #1677, #1687, #1699, #1701, #1708, #1710, #1720, #1726)
• build: Python 3.10 support (#1628)

Changed

• ngclient: misc API changes (#1604, #1731)
• ngclient: avoid re-loading verified targets metadata (#1593)
• ngclient: implicitly call refresh() (#1654)
• ngclient: return loaded metadata (#1680)
• ngclient: skip visited nodes on delegation tree traversal (#1683)
• ngclient: remove URL normalisation (#1686)
• build: modernise packaging configuration (#1626)
• build: bump dependencies (#1609, #1611, #1616, #1621)
• build: limit GitHub Action token visibility and permissions (#1652, #1663)
• test: misc test changes (#1715, #1670, #1671, #1631, #1695, #1702)

Removed

• doc: obsolete roadmap (#1698)