Sigstore Python Versions

A Sigstore client for Python

v3.0.0

2 weeks ago

Maintainers' note: this is a major release, with significant public API and CLI changes. We strongly recommend you read the entries below to fully understand the changes between 2.x and 3.x.

Added

  • API: Signer.sign_artifact() has been added, replacing the removed Signer.sign() API

  • API: Signer.sign_dsse() has been added. It takes an in-toto Statement as an input, producing a DSSE-formatted signature rather than a "bare" signature (#804)

  • API: "v3" Sigstore bundles are now supported during verification (#901)

  • API: Verifier.verify(...) can now take a Hashed as an input, performing signature verification on a pre-computed hash value (#904)

  • API: The sigstore.dsse module has been added, including APIs for representing in-toto statements and DSSE envelopes (#930)

  • CLI: The --trust-config flag has been added as a global option, enabling consistent "BYO PKI" uses of sigstore with a single flag (#1010)

  • CLI: The sigstore verify subcommands can now verify bundles containing DSSE entries, such as those produced by GitHub Artifact Attestations (#1015)
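The DSSE entries above (Signer.sign_dsse() taking an in-toto Statement, and the verify subcommands accepting bundles with DSSE entries) change what the signature actually covers: it is computed over the DSSE Pre-Authentication Encoding of the serialized statement, not over the artifact bytes, and the artifact is tied to the signature only through the statement's subject digest. As an added example that is not sigstore-python's own code, the following stdlib-only Python builds an in-toto v1 Statement for a pre-computed artifact digest (the role a Hashed plays in the API above), wraps it in a DSSE envelope, derives the PAE bytes a signature must cover, and performs the subject check a verifier needs before trusting the statement for a given artifact. The artifact bytes, predicate type and signature value are constructed placeholders; key handling, Fulcio and Rekor are not modelled.

```python
"""Added example, not sigstore-python's own code: stdlib-only sketch of the
in-toto Statement / DSSE envelope shapes that sign_dsse() produces and the
DSSE verify path consumes, plus the PAE bytes a DSSE signature covers."""
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"


def sha256_hex(artifact: bytes) -> str:
    """Pre-compute the artifact digest (what a Hashed conveys in the API)."""
    return hashlib.sha256(artifact).hexdigest()


def make_statement(name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """Build an in-toto v1 Statement whose subject is the artifact's digest."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes the signature covers.
    Layout: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload,
    with each LEN the decimal byte length of the field that follows it."""
    type_bytes = payload_type.encode("utf-8")
    return b" ".join(
        [b"DSSEv1", str(len(type_bytes)).encode(), type_bytes,
         str(len(payload)).encode(), payload]
    )


def make_envelope(statement: dict, signature: bytes, keyid: str = "") -> dict:
    """Wrap a serialized statement in a DSSE envelope (payload and sig are base64).
    `signature` is whatever the signing key produced over pae(type, payload)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(signature).decode()}],
    }


def signed_bytes(envelope: dict) -> bytes:
    """Recover what a verifier must check the envelope's signature against."""
    payload = base64.b64decode(envelope["payload"])
    return pae(envelope["payloadType"], payload)


def subject_matches(envelope: dict, artifact: bytes) -> bool:
    """Second half of DSSE verification: does the signed statement describe
    *this* artifact? A valid signature over a statement for a different
    artifact must be rejected, so the digest comparison is mandatory."""
    if envelope["payloadType"] != IN_TOTO_PAYLOAD_TYPE:
        return False
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    digest = sha256_hex(artifact)
    return any(
        subj.get("digest", {}).get("sha256") == digest
        for subj in statement.get("subject", [])
    )


if __name__ == "__main__":
    # Constructed sample input; the signature is a labelled placeholder, not a real one.
    artifact = b"hello world"
    statement = make_statement(
        "hello.txt", artifact, "https://example.test/predicate/v1", {"built_by": "ci"}
    )
    envelope = make_envelope(statement, b"PLACEHOLDER-SIGNATURE")
    print(signed_bytes(envelope)[:60])
    print("subject matches artifact:", subject_matches(envelope, artifact))
    print("subject matches tampered artifact:", subject_matches(envelope, artifact + b"!"))
```

The design point is the split between the two checks: a DSSE signature that validates only proves the statement was signed, and a verifier that stops there would accept a genuine attestation for some other artifact. Matching the artifact's digest against the statement subject is what makes the verdict apply to the bytes in hand, which is also why the API above accepts a pre-computed Hashed rather than requiring the raw artifact.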

Removed

  • BREAKING API CHANGE: SigningResult has been removed. The public signing APIs now return sigstore.models.Bundle.

  • BREAKING API CHANGE: VerificationMaterials has been removed. The public verification APIs now accept sigstore.models.Bundle.

  • BREAKING API CHANGE: Signer.sign(...) has been removed. Use either sign_artifact(...) or sign_dsse(...), depending on whether you're signing opaque bytes or an in-toto statement.

  • BREAKING API CHANGE: VerificationResult has been removed. The public verification and policy APIs now raise sigstore.errors.VerificationError on failure.

  • BREAKING CLI CHANGE: The --rekor-url and --fulcio-url flags have been entirely removed. To configure a custom PKI, use --trust-config (#1010)

Changed

  • BREAKING API CHANGE: Verifier.verify(...) now takes a bytes | Hashed as its verification input, rather than implicitly receiving the input through the VerificationMaterials parameter (#904)

  • BREAKING API CHANGE: VerificationMaterials.rekor_entry(...) now takes a Hashed parameter to convey the digest used for Rekor entry lookup (#904)

  • BREAKING API CHANGE: Verifier.verify(...) now takes a sigstore.models.Bundle, instead of a VerificationMaterials (#937)

  • BREAKING CLI CHANGE: sigstore sign now emits {input}.sigstore.json by default instead of {input}.sigstore, per the client specification (#1007)

  • sigstore-python now requires inclusion proofs in all signing and verification flows, regardless of bundle version or input type. Inputs that do not have an inclusion proof (such as detached materials) cause an online lookup before any further processing is performed (#937)

  • sigstore-python now generates "v3" bundles by default during signing (#937)

  • CLI: Bundles are now always verified offline. The --offline flag has no effect on them. (#937)

  • CLI: "Detached" materials are now always verified online, due to a lack of an inclusion proof. Passing --offline with detached materials will cause an error (#937)

  • API: sigstore.transparency has been removed, and its pre-existing APIs have been re-homed under sigstore.models (#990)

  • API: oidc.IdentityToken.expected_certificate_subject has been renamed to oidc.IdentityToken.federated_issuer to better describe what it actually contains. No functional changes have been made to it (#1016)

  • API: policy.Identity now takes an optional OIDC issuer, rather than a required one (#1015)

  • CLI: sigstore verify github now requires --cert-identity or --repository, not just --cert-identity (#1015)

v3.0.0rc2

3 weeks ago

v3.0.0rc1

4 weeks ago

v2.1.5

1 month ago

This is a bug-fix release to repair the release pipeline that failed for the 2.1.4 release.

What's Changed

  • Backport SLSA release workflow upgrade (in 2.1.5)
  • Pinned securesystemslib dependency more strictly to prevent future breakage (in 2.1.4)

Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.1.4...v2.1.5

v2.1.4

1 month ago

This release was never pushed to PyPI because of a release workflow issue.

Fixed

  • Pinned securesystemslib dependency strictly to prevent future breakage

v2.1.3

2 months ago

Fixed

  • Loosened a version constraint on the sigstore-protobuf-specs dependency, to ease use in testing environments (#943)

v2.1.2

3 months ago

This is a corrective release for 2.1.1.

Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.1.1...v2.1.2

v2.1.1

3 months ago

Fixed

  • Fixed an incorrect assumption about Rekor checkpoints that future releases of Rekor will not uphold (#891)

Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.1

v2.1.0

5 months ago

What's Changed

Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.0.1...v2.1.0

v2.0.1

7 months ago

Fixed

  • CLI: When using --certificate-chain, read as bytes instead of str as expected by the underlying API (#796)