Releases: sigstore/sigstore-python
Releases · sigstore/sigstore-python
v3.5.6
v3.5.5
v3.5.4
This is the last planned bug fix release in 3.5 series: all users should upgrade to a newer release series, preferably 4.1.
(this release was never published to PyPI because of a release process issue #1591)
Fixed
v4.1.0
Added
- cli: Support using other Sigstore instances with
--instance URL.
New instances are trusted with new top level commandtrust-instance ROOTFILE.
#1548
Changed
- Added cryptography 46 to list of compatible cryptography releases
(#1544) - Improved error message when verifying bundles with unsupported log entry versions
(#1569)
Fixed
- cli: Always read/write UTF-8. This fixes an issue on Windows where the platform
default encoding was used: the issue has existed for a while, but became more visible
with signature bundles that contain rekor2 entries.
#1553
v3.6.6
v4.0.0
This is a major release with a host of API and functionality changes. The major new feature
is Rekor v2 support but many other changes are also included, see list below.
Added
- cli: Add
--rekor-versiontosigncommand arguments: This can be useful
if Sigstore instance provides multiple Rekor versions and user wants to
override the default choice
#1471 - cli: Support parallel signing. When multiple artifacts are signed, the Rekor
requests are submitted in parallel: this is especially useful with Rekor v2.
#1468, #1478,
#1485 - oidc (API): Allow custom audience claims via API
#1402 - rekor (API): Support Rekor v2 (aka rekor-tiles) in both verification and signing.
#1370, #1422,
#1432 - trust (API): Make TrustedRoot, SigningConfig and ClientTrustConfig public API
#1496
Changed
- cli: Improve verify UX when wrong instance is used
#1510 - deps: replace sigstore_protobuf_specs dependency with sigstore-models
#1470 - trust: Update embedded TUF root
#1515 - trust (API): TrustConfig now provides the
production()andstaging()helpers. Similar methods were removed from
SigningConfig, TrustedRoot, SigningContext and Issuer. Use TrustConfig everywhere in code base.
#1363 - trust (API): support SigningConfig v0.2, remove support for v0.1. The new format now fully defines the
sigstore instance the client uses.SigningConfigclass now has methods to return actual clients
(like RekorClient) instead of just URLs for that sigstore instance. The--trust-configcli option now
expects the trust config to contain a v0.2 SigningConfig.
#1358, #1407 - trust: Support ed25519 keys in trusted root
#1377
Fixed
- rekor: resolve circular import of LogEntry
#1458 - rekor: Fix checkpoint signature lookup when there are multiple signatures
#1514 - rekor: Fix entry handling so inclusion promise is optional
#1382 - rekor: Avoid trailing slash in post to /entries
#1366 - sign: fetch TSA timestamps before submitting an entry to Rekor
#1463 - timestamp: Specify sha256 in TSA timestamp request
#1373 - trust: Fail less hard when trusted root contains unknown keys
#1424 - verify: Fix TSA cert chain construction (fixes issue in the case where certificate is not embedded in
the timestamp)
#1482 - verify: Use TSA hash algorithm specified in the timestamp (SHA-256, SHA-384 and SHA-512 are supported)
#1385 - verify: Check artifact signing time against all established times
#1381 - verify: Handle unset TSA timestamp validity end
#1368
New Contributors
- @enlightened88 made their first contribution in #1391
- @SequeI made their first contribution in #1402
Full Changelog: v3.6.5...v4.0.0
Contributors
SequeI and enlightened88
Assets 4
v3.6.5
v3.6.4
v3.6.3
v3.6.2
Fixed
- Fixed issue where a trust root with multiple rekor keys was not considered valid: Now any rekor key listed in the trust root is considered good to verify entries #1350
Changed
- Upgraded python-tuf dependency to 6.0: Connections to TUF repository now use system certificates (instead of certifi) and have automatic retries
- Updated the embedded TUF root to version 12
Full Changelog: v3.6.1...v3.6.2