In Toto Versions

in-toto is a framework to protect supply chain integrity.

v2.3.0

1 month ago

See CHANGELOG.md for details.

v2.2.0

4 months ago

See CHANGELOG.md for details.

v2.1.1

8 months ago

Changed

  • Default type for CLI arg --run-timeout to avoid type mismatch (#626)
  • Dependency update (#627)

v2.1.0

8 months ago

Added

  • CLI argument to control command execution timeout (#605)
  • ITE-4 resolver for directories ("dirHash", #590)

Changed

  • Lint configuration (#602)
  • Output stream cleanup to address flaky tests on Windows (#597)
  • Layout expiry condition (#616)
  • Dependency updates (#604, #607, #608, #609, #617, #618, #619, #620, #622, #623)

Removed

  • AppVeyor test configuration (#598)

v2.0.0

1 year ago

This release includes breaking changes such as the removal of the user_settings module and changes to exceptions raised during artifact recording. Additionally, it incorporates changes for issues captured in security advisories GHSA-p86f-xmg6-9q4x, GHSA-jjgp-whrp-gq8m, and GHSA-wc64-c5rv-32pf, the last of which has been assigned CVE-2023-32076.

Added

  • Generic interface for ITE-4 resolvers (#584)
  • ITE-4 resolver for OSTree repositories (#585)
  • Warning when --bits is used with non-RSA keys in in-toto-keygen (#588)
  • Support for GitHub's security reporting feature (#567)
  • Tool to check local artifacts against in-toto link metadata (#589, GHSA-p86f-xmg6-9q4x)
  • Testing in CI for Python 3.11 (#594)

Changed

  • Recording of file hashes to use ITE-4 file resolver (#584)
  • Exceptions returned to Python defaults when recording file artifacts (#592)
  • Documentation about in-toto governance to reflect project changes (#591)
  • Code style to use black + isort, with the codebase updated to conform (#593)
  • Verification documentation to reflect how PGP trust model is used (GHSA-jjgp-whrp-gq8m)

Removed

  • Support for user_settings module that enabled configuring in-toto via RC files and environment variables (GHSA-wc64-c5rv-32pf)

v1.4.0

1 year ago

Added

  • Support for DSSE in metadata generation tools (#503, #577)
  • Ability to set command, byproducts, environment in the in_toto_record APIs (#564)

Changed

  • Various dependency updates and dependabot changes
  • Simplified link threshold check (#573)

v1.3.2

1 year ago

Added

  • Moved subprocess execution wrapper to in-toto from securesystemslib (#544)
  • Support for in-toto flavoured GPGSigner and GPGKey for use with securesystemslib's new signer API (#538)
  • Acknowledgement to Purdue University (#526)

Changed

  • Invocation of bandit linter (#541)
  • Link to in-toto specification in README (#551)
  • Dependency updates (#543, #549)

v1.3.1

1 year ago

Fixed

  • Includes tests in source distribution

v1.3.0

1 year ago

Added

  • ECDSA key type in CLI (#520)
  • Windows builds in GitHub Actions CI (#513)
  • Dependabot version monitoring for GitHub Actions (#498)

Changed

  • Build is now reproducible, thanks to hatchling (#490)
  • Misc test updates (#487, #500, #529)
  • Misc docs updates (#499, #512, #516, #515, #530)

Removed

  • Obsolete test dependency (#521)

v1.2.0

2 years ago

Added

  • Python 3.10 support (#480)
  • Roadmap review (#463)

Changed

Removed

  • Python 3.6 support (#485)