Releases: sigstore/sigstore-python
v3.3.0
Added
-
CLI: The
sigstore verifycommand now outputs the inner in-toto statement
when verifying DSSE envelopes. If verification is successful, the output
will be the inner in-toto statement. This allows the user to see the
statement's predicate, whichsigstore-pythondoes not verify and should be
verified by the user. -
CLI: The
sigstore attestsubcommand has been added. This command is
similar tocosign attestin that it signs over an artifact and a
predicate using a DSSE envelope. This commands requires the user to pass
a path to the file containing the predicate, and the predicate type.
Currently only the SLSA Provenance v0.2 and v1.0 types are supported. -
CLI: The
sigstore verifycommand now supports verifying digests. This means
that the user can now pass a digest likesha256:aaaa....instead of the
path to an artifact, andsigstore-pythonwill verify it as if it was the
artifact with that digest.
v3.2.0
Added
-
API:
models.Bundle.BundleTypeis now a public API
(#1089) -
CLI: The
sigstore plumbingsubcommand hierarchy has been added. This
hierarchy is for developer-only interactions, such as fixing malformed
Sigstore bundles. These subcommands are not considered stable until
explicitly documented as such.
(#1089)
Changed
- CLI: The default console logger now emits to
stderr, rather thanstdout
(#1089)
v3.1.0
Added
-
API:
dsse.StatementBuilderhas been added. It can be used to construct an
in-totoStatementfor subsequent enveloping and signing.
This API is public but is not considered stable until the next major
release.
(#1077) -
API:
dsse.Digest,dsse.DigestSet, anddsse.Subjecthave been added.
These types can be used with theStatementBuilderAPI as part of in-toto
Statementconstruction.
These API are public but are not considered stable until the next major
release.
(#1078)
Changed
- API:
verify_dssenow rejects bundles with DSSE envelopes that have more than
one signature, rather than checking all signatures against the same key
(#1062)
v3.0.0
Maintainers' note: this is a major release, with significant public API and CLI
changes. We strongly recommend you read the entries below to fully
understand the changes between 2.x and 3.x.
Added
-
API:
Signer.sign_artifact()has been added, replacing the removed
Signer.sign()API -
API:
Signer.sign_dsse()has been added. It takes an in-totoStatement
as an input, producing a DSSE-formatted signature rather than a "bare"
signature (#804) -
API: "v3" Sigstore bundles are now supported during verification
(#901) -
API:
Verifier.verify(...)can now take aHashedas an input, performing
signature verification on a pre-computed hash value
(#904) -
API: The
sigstore.dssemodule has been been added, including APIs
for representing in-toto statements and DSSE envelopes
(#930) -
CLI: The
--trust-configflag has been added as a global option,
enabling consistent "BYO PKI" uses ofsigstorewith a single flag
(#1010) -
CLI: The
sigstore verifysubcommands can now verify bundles containing
DSSE entries, such as those produced by
GitHub Artifact Attestations
(#1015)
Removed
-
BREAKING API CHANGE:
SigningResulthas been removed.
The public signing APIs now returnsigstore.models.Bundle. -
BREAKING API CHANGE:
VerificationMaterialshas been removed.
The public verification APIs now acceptsigstore.models.Bundle. -
BREAKING API CHANGE:
Signer.sign(...)has been removed. Use
eithersign_artifact(...)orsign_dsse(...), depending on whether
you're signing opaque bytes or an in-toto statement. -
BREAKING API CHANGE:
VerificationResulthas been removed.
The public verification and policy APIs now raise
sigstore.errors.VerificationErroron failure. -
BREAKING CLI CHANGE: The
--rekor-urland--fulcio-url
flags have been entirely removed. To configure a custom PKI, use
--trust-config
(#1010)
Changed
-
BREAKING API CHANGE:
Verifier.verify(...)now takes abytes | Hashed
as its verification input, rather than implicitly receiving the input through
theVerificationMaterialsparameter
(#904) -
BREAKING API CHANGE:
VerificationMaterials.rekor_entry(...)now takes
aHashedparameter to convey the digest used for Rekor entry lookup
(#904) -
BREAKING API CHANGE:
Verifier.verify(...)now takes asigstore.models.Bundle,
instead of aVerificationMaterials(#937) -
BREAKING CLI CHANGE:
sigstore signnow emits{input}.sigstore.json
by default instead of{input}.sigstore, per the client specification
(#1007) -
sigstore-python now requires inclusion proofs in all signing and verification
flows, regardless of bundle version of input types. Inputs that do not
have an inclusion proof (such as detached materials) cause an online lookup
before any further processing is performed
(#937) -
sigstore-python now generates "v3" bundles by default during signing
(#937) -
CLI: Bundles are now always verified offline. The offline flag has no effect.
(#937) -
CLI: "Detached" materials are now always verified online, due to a lack of
an inclusion proof. Passing--offlinewith detached materials will cause
an error (#937) -
API:
sigstore.transparencyhas been removed, and its pre-existing APIs
have been re-homed undersigstore.models
(#990) -
API:
oidc.IdentityToken.expected_certificate_subjecthas been renamed
tooidc.IdentityToken.federated_issuerto better describe what it actually
contains. No functional changes have been made to it
(#1016) -
API:
policy.Identitynow takes an optional OIDC issuer, rather than a
required one (#1015) -
CLI:
sigstore verify githubnow requires--cert-identityor
--repository, not just--cert-identity
(#1015)
v3.0.0rc2
sigstore: 3.0.0rc2 (#1005) Signed-off-by: Facundo Tuesca <[email protected]>
v3.0.0rc1
sigstore: 3.0.0rc1 (#998) Signed-off-by: William Woodruff <[email protected]>
v2.1.5
This is a bug fix release to fix the release pipeline that failed for 2.1.4 release.
What's Changed
- Backport slsa release workflow upgrade (in 2.1.5)
- Pinned
securesystemslibdependency more strictly to prevent future breakage (in 2.1.4)
Full Changelog: v2.1.4...v2.1.5
