A Sigstore client for Python
Maintainers' note: this is a major release, with significant public API and CLI changes. We strongly recommend you read the entries below to fully understand the changes between 2.x and 3.x.
API: Signer.sign_artifact() has been added, replacing the removed Signer.sign() API
API: Signer.sign_dsse() has been added. It takes an in-toto Statement as an input, producing a DSSE-formatted signature rather than a "bare" signature (#804)
API: "v3" Sigstore bundles are now supported during verification (#901)
API: Verifier.verify(...) can now take a Hashed as an input, performing signature verification on a pre-computed hash value (#904)
API: The sigstore.dsse module has been added, including APIs for representing in-toto statements and DSSE envelopes (#930)
CLI: The --trust-config flag has been added as a global option, enabling consistent "BYO PKI" uses of sigstore with a single flag (#1010)
CLI: The sigstore verify subcommands can now verify bundles containing DSSE entries, such as those produced by GitHub Artifact Attestations (#1015)
BREAKING API CHANGE: SigningResult has been removed. The public signing APIs now return sigstore.models.Bundle.
BREAKING API CHANGE: VerificationMaterials has been removed. The public verification APIs now accept sigstore.models.Bundle.
BREAKING API CHANGE: Signer.sign(...) has been removed. Use either sign_artifact(...) or sign_dsse(...), depending on whether you're signing opaque bytes or an in-toto statement.
BREAKING API CHANGE: VerificationResult has been removed. The public verification and policy APIs now raise sigstore.errors.VerificationError on failure.
BREAKING CLI CHANGE: The --rekor-url and --fulcio-url flags have been entirely removed. To configure a custom PKI, use --trust-config (#1010)
BREAKING API CHANGE: Verifier.verify(...) now takes a bytes | Hashed as its verification input, rather than implicitly receiving the input through the VerificationMaterials parameter (#904)
BREAKING API CHANGE: VerificationMaterials.rekor_entry(...) now takes a Hashed parameter to convey the digest used for Rekor entry lookup (#904)
BREAKING API CHANGE: Verifier.verify(...) now takes a sigstore.models.Bundle, instead of a VerificationMaterials (#937)
BREAKING CLI CHANGE: sigstore sign now emits {input}.sigstore.json by default instead of {input}.sigstore, per the client specification (#1007)
sigstore-python now requires inclusion proofs in all signing and verification flows, regardless of bundle version or input type. Inputs that do not have an inclusion proof (such as detached materials) cause an online lookup before any further processing is performed (#937)
sigstore-python now generates "v3" bundles by default during signing (#937)
CLI: Bundles are now always verified offline. The --offline flag has no effect. (#937)
CLI: "Detached" materials are now always verified online, due to a lack of an inclusion proof. Passing --offline with detached materials will cause an error (#937)
API: sigstore.transparency has been removed, and its pre-existing APIs have been re-homed under sigstore.models (#990)
API: oidc.IdentityToken.expected_certificate_subject has been renamed to oidc.IdentityToken.federated_issuer to better describe what it actually contains. No functional changes have been made to it (#1016)
API: policy.Identity now takes an optional OIDC issuer, rather than a required one (#1015)
CLI: sigstore verify github now requires --cert-identity or --repository, not just --cert-identity (#1015)
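Added example (not sigstore-python's own code) showing what the DSSE-formatted output of sign_dsse() and the DSSE bundles that sigstore verify now accepts actually bind: the signature covers the DSSE pre-authentication encoding of the in-toto Statement, not the artifact bytes, so tying an attestation to an artifact requires a separate subject-digest check after signature verification. It uses only the standard library; the artifact, predicate type and signature entry are constructed placeholders.

```python
"""DSSE envelope around an in-toto v1 Statement, the PAE bytes a DSSE signature
covers, and the subject-digest check that links the attestation to an artifact.
Standard library only; signature verification itself is out of scope here."""
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signature is over.
    Layout: 'DSSEv1' SP len(type) SP type SP len(payload) SP payload."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_statement(name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """Build an in-toto v1 Statement whose subject is the artifact's sha256 digest."""
    return {
        "_type": STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def make_envelope(statement: dict, signatures: list[dict]) -> dict:
    """Wrap a Statement in a DSSE envelope; the payload is base64 of the JSON bytes."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": signatures}


def subject_matches(envelope: dict, artifact: bytes) -> bool:
    """After the envelope signature has been verified, confirm the Statement is
    actually about this artifact: payload type, statement type and a subject
    whose sha256 equals the artifact digest. Any mismatch means 'not attested'."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        return False
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if stmt.get("_type") != STATEMENT_V1:
        return False
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", []))
```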
This is a bug fix release to fix the release pipeline that failed for 2.1.4 release.
securesystemslib dependency more strictly to prevent future breakage (in 2.1.4)
Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.1.4...v2.1.5
sigstore-protobuf-specs dependency, to ease use in testing environments (#943)
This is a corrective release for 2.1.1.
Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.1.1...v2.1.2
Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.1
ruff format by @woodruffw in https://github.com/sigstore/sigstore-python/pull/811
{input}.sigstore.json by default by @woodruffw in https://github.com/sigstore/sigstore-python/pull/820
Full Changelog: https://github.com/sigstore/sigstore-python/compare/v2.0.1...v2.1.0
--certificate-chain, read as bytes instead of str as expected by the underlying API (#796)