chore: prep v0.0.28

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.0.28]
+
+### Changed
+
+- Upgraded `sigstore` dependency to `>=4.0.0`. Since version `4.0.0`,
+  `sigstore` supports signing using the new Rekor v2 instance, which
+  will become the default in the future. We force the version to 1,
+  so any attestations created with `pypi-attestations==0.0.28` will
+  still contain Rekor v1 entries.
+- Repository has been moved to the `pypi` GitHub org. The new URL
+  is https://github.com/pypi/pypi-attestations.
+
 ## [0.0.27]
 
 ### Fixed
@@ -17,30 +29,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   string comparison. This fixes an issue where verification would fail
   due to the artifact filename having the wheel tags in a different
   order than the ones in the attestation.
-  ([#127](https://github.com/trailofbits/pypi-attestations/pull/127))
+  ([#127](https://github.com/pypi/pypi-attestations/pull/127))
 
 ## [0.0.26]
 
 ### Fixed
 
 - This library no longer enforces distribution name "ultranormalization,"
   which went above the requirements specified in PEP 740
-  ([#124](https://github.com/trailofbits/pypi-attestations/pull/124))
+  ([#124](https://github.com/pypi/pypi-attestations/pull/124))
 
 ## [0.0.25]
 
 ### Fixed
 
 - Make the `GooglePublisher` type and APIs public
-  ([#117](https://github.com/trailofbits/pypi-attestations/pull/117))
+  ([#117](https://github.com/pypi/pypi-attestations/pull/117))
 
 ## [0.0.24]
 
 ### Added
 
 - The `GooglePublisher` type has been added to support
   Google Cloud-based Trusted Publishers
-  ([#114](https://github.com/trailofbits/pypi-attestations/pull/114))
+  ([#114](https://github.com/pypi/pypi-attestations/pull/114))
 
 ## [0.0.23]
 
@@ -64,15 +76,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   if the `Source Repository Ref` or `Source Repository Digest` claim
   was missing from the attestation's certificate. We require at least
   one of the two claims, but not necessarily both
-  ([#109](https://github.com/trailofbits/pypi-attestations/pull/109))
+  ([#109](https://github.com/pypi/pypi-attestations/pull/109))
 
 ## [0.0.22]
 
 ### Changed
 
 - The `inspect` subcommand now ignores inputs that don't match `*.attestation`,
   rather than failing on them
-  ([#93](https://github.com/trailofbits/pypi-attestations/pull/93))
+  ([#93](https://github.com/pypi/pypi-attestations/pull/93))
 
 ### Added
 
@@ -95,10 +107,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - The CLI entrypoint is now `pypi-attestations`
-  ([#82](https://github.com/trailofbits/pypi-attestations/pull/82))
+  ([#82](https://github.com/pypi/pypi-attestations/pull/82))
 - The CLI `verify` subcommand has been changed to `verify attestation`,
   as in `pypi-attestations verify attestation --identity ...`
-  ([#82](https://github.com/trailofbits/pypi-attestations/pull/82))
+  ([#82](https://github.com/pypi/pypi-attestations/pull/82))
 
 ### Added
 
@@ -108,14 +120,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   downloading it and its provenance from PyPI, verifying them using
   `sigstore` and checking that the repository matches the one in the
   PyPI provenance file.
-  ([#82](https://github.com/trailofbits/pypi-attestations/pull/82))
+  ([#82](https://github.com/pypi/pypi-attestations/pull/82))
 
 ## [0.0.20]
 
 ### Changed
 
 - Explicitly support sigstore-python 3.6
-  ([#79](https://github.com/trailofbits/pypi-attestations/pull/79))
+  ([#79](https://github.com/pypi/pypi-attestations/pull/79))
 
 ## [0.0.19]
 
@@ -127,26 +139,26 @@ This is a corrective release for [0.0.18].
 
 - The `Attestation` type now has a `certificate_claims` property to expose
   underlying Fulcio signing certificate extensions
-  ([#70](https://github.com/trailofbits/pypi-attestations/pull/70))
+  ([#70](https://github.com/pypi/pypi-attestations/pull/70))
 
 ## [0.0.17]
 
 ### Fixed
 
 - The `GitLabPublisher` policy now takes the workflow file path in order to
   verify attestations, rathen than assuming it will always be `gitlab-ci.yml`
-  ([#71](https://github.com/trailofbits/pypi-attestations/pull/71)).
+  ([#71](https://github.com/pypi/pypi-attestations/pull/71)).
 - The `GitLabPublisher` now longer expects claims being passed during construction,
   rather the `ref` and `sha` claims are extracted from the certificate's extensions,
   similar to `GitHubPublisher`'s behavior
-  ([#71](https://github.com/trailofbits/pypi-attestations/pull/71)).
+  ([#71](https://github.com/pypi/pypi-attestations/pull/71)).
 
 
 ### Changed
 
 - Publisher classes (`GitLabPublisher` and `GitHubPublisher`) no longer take a claims
   dictionary during construction
-  ([#72](https://github.com/trailofbits/pypi-attestations/pull/72)).
+  ([#72](https://github.com/pypi/pypi-attestations/pull/72)).
 
 ## [0.0.16]
 
@@ -165,19 +177,19 @@ This is a corrective release for [0.0.14].
 
 - The `Distribution` API now handles ZIP source distributions
   (those ending with `.zip`) instead of rejecting them as invalid
-  ([#68](https://github.com/trailofbits/pypi-attestations/pull/68))
+  ([#68](https://github.com/pypi/pypi-attestations/pull/68))
 
 ## [0.0.13]
 
 ### Changed
 
 - The minimum Python version required has been brought back to `3.9`
-  ([#64](https://github.com/trailofbits/pypi-attestations/pull/64)).
+  ([#64](https://github.com/pypi/pypi-attestations/pull/64)).
 
 - The `Attestation.verify(...)` API has been changed to remove the `Verifier`
   argument in favor of an optional `staging: bool` kwarg to select the
   Sigstore instance
-  ([#62](https://github.com/trailofbits/pypi-attestations/pull/62))
+  ([#62](https://github.com/pypi/pypi-attestations/pull/62))
 
 - The `Attestation.verify(...)` API has been changed to accept both `Publisher`
   and `VerificationPolicy` objects as a policy. The publisher object is internally
@@ -190,7 +202,7 @@ This is a corrective release for [0.0.14].
 
 - `python -m pypi_attestations verify` now exits with a non-zero exit code
   if the verification step fails
-  ([#57](https://github.com/trailofbits/pypi-attestations/pull/57))
+  ([#57](https://github.com/pypi/pypi-attestations/pull/57))
 
 ## [0.0.12]
 
@@ -199,74 +211,74 @@ This is a corrective release for [0.0.14].
 - Base64-encoded bytes inside Attestation objects contained newline characters
   every 76 characters due to a bug in Pydantic's Base64Bytes type. Those
   newlines were also (incorrectly) ignored by Pydantic during decoding
-  ([#48](https://github.com/trailofbits/pypi-attestations/pull/48)).
+  ([#48](https://github.com/pypi/pypi-attestations/pull/48)).
 
 ## [0.0.11]
 
 ### Changed
 
 - The minimum version of sigstore-python is now `3.2.0`, owing to private
-  API changes ([#45](https://github.com/trailofbits/pypi-attestations/pull/45))
+  API changes ([#45](https://github.com/pypi/pypi-attestations/pull/45))
 
 ## [0.0.10]
 
 ### Changed
 
 - The minimum Python version required has been bumped to `3.11`
-  ([#37](https://github.com/trailofbits/pypi-attestations/pull/37))
+  ([#37](https://github.com/pypi/pypi-attestations/pull/37))
 
 ### Added
 
 - The `Provenance`, `Publisher`, `GitHubPublisher`, `GitLabPublisher`, and
   `AttestationBundle` types have been added
-  ([#36](https://github.com/trailofbits/pypi-attestations/pull/36)).
+  ([#36](https://github.com/pypi/pypi-attestations/pull/36)).
 
 ## [0.0.9]
 
 ### Added
 
 - The `Distribution` type and APIs have been added, allowing a user to supply
   a pre-computed digest instead of performing I/O
-  ([#34](https://github.com/trailofbits/pypi-attestations/pull/34))
+  ([#34](https://github.com/pypi/pypi-attestations/pull/34))
 
 ### Changed
 
 - `sign` and `verify` no longer perform I/O
-  ([#34](https://github.com/trailofbits/pypi-attestations/pull/34))
+  ([#34](https://github.com/pypi/pypi-attestations/pull/34))
 
 
 ### Fixed
 
 - `verify`: catch another leaky error case
-  ([#32](https://github.com/trailofbits/pypi-attestations/pull/32))
+  ([#32](https://github.com/pypi/pypi-attestations/pull/32))
 
 
 ## [0.0.8]
 
 ### Fixed
 
 - `AttestationType` is now re-exported at the top-level as a public API
-  ([#31](https://github.com/trailofbits/pypi-attestations/pull/31))
+  ([#31](https://github.com/pypi/pypi-attestations/pull/31))
 
 ## [0.0.7]
 
 ### Added
 
 - `AttestationType` has been added, as an enumeration of all currently known
   attestation types (by URL)
-  ([#29](https://github.com/trailofbits/pypi-attestations/pull/29))
+  ([#29](https://github.com/pypi/pypi-attestations/pull/29))
 
 ### Changed
 
 - `Attestation.verify` now checks the attestation's type against
   `AttestationType` before returning it
-  ([#29](https://github.com/trailofbits/pypi-attestations/pull/29))
+  ([#29](https://github.com/pypi/pypi-attestations/pull/29))
 
 ### Fixed
 
 - `Attestation.sign` now only returns `AttestationError` when failing to sign a
   distribution file
-  ([#28](https://github.com/trailofbits/pypi-attestations/pull/28))
+  ([#28](https://github.com/pypi/pypi-attestations/pull/28))
 
 ## [0.0.6]
 
@@ -276,28 +288,28 @@ This is a corrective release for [0.0.14].
   intended for local development, and not for external use. Its flags and
   commands are not subject to stabilization unless explicitly documented
   in a future release
-  ([#22](https://github.com/trailofbits/pypi-attestations/pull/22))
+  ([#22](https://github.com/pypi/pypi-attestations/pull/22))
 
 ### Changed
 
 - The name of this project is now `pypi-attestations`, renamed from
-  `pypi-attestion-models` ([#25](https://github.com/trailofbits/pypi-attestations/pull/25))
+  `pypi-attestion-models` ([#25](https://github.com/pypi/pypi-attestations/pull/25))
 
 - The model conversion functions have been moved into the `Attestation` class
-  ([#24](https://github.com/trailofbits/pypi-attestations/pull/24))
+  ([#24](https://github.com/pypi/pypi-attestations/pull/24))
 
 ## [0.0.5] - 2024-06-20
 
 ### Added
 
 - `Attestation.verify` now returns the inner statement's predicate components
-  ([#20](https://github.com/trailofbits/pypi-attestations/pull/20))
+  ([#20](https://github.com/pypi/pypi-attestations/pull/20))
 
 ## [0.0.4] - 2024-06-11
 
 ### Changed
 
-- Switch to in-toto statements ([#18](https://github.com/trailofbits/pypi-attestations/pull/18))
+- Switch to in-toto statements ([#18](https://github.com/pypi/pypi-attestations/pull/18))
 
 ## [0.0.3] - 2024-06-10
 
@@ -315,31 +327,33 @@ This is a corrective release for [0.0.14].
 
 - Initial implementation
 
-[Unreleased]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.27...HEAD
-[0.0.27]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.26...v0.0.27
-[0.0.26]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.25...v0.0.26
-[0.0.25]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.24...v0.0.25
-[0.0.24]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.23...v0.0.24
-[0.0.23]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.22...v0.0.23
-[0.0.22]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.21...v0.0.22
-[0.0.21]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.20...v0.0.21
-[0.0.20]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.19...v0.0.20
-[0.0.19]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.18...v0.0.19
-[0.0.18]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.17...v0.0.18
-[0.0.17]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.16...v0.0.17
-[0.0.16]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.15...v0.0.16
-[0.0.15]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.14...v0.0.15
-[0.0.14]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.13...v0.0.14
-[0.0.13]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.12...v0.0.13
-[0.0.12]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.11...v0.0.12
-[0.0.11]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.10...v0.0.11
-[0.0.10]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.9...v0.0.10
-[0.0.9]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.8...v0.0.9
-[0.0.8]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.7...v0.0.8
-[0.0.7]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.6...v0.0.7
-[0.0.6]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.5...v0.0.6
-[0.0.5]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.4...v0.0.5
-[0.0.4]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.3...v0.0.4
-[0.0.3]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.2...v0.0.3
-[0.0.2]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.1...v0.0.2
-[0.0.1]: https://github.com/trailofbits/pypi-attestation-models/releases/tag/v0.0.1
+[Unreleased]: https://github.com/pypi/pypi-attestations/compare/v0.0.28...HEAD
+[0.0.28]: https://github.com/pypi/pypi-attestations/compare/v0.0.27...v0.0.28
+[0.0.27]: https://github.com/pypi/pypi-attestations/compare/v0.0.26...v0.0.27
+[0.0.26]: https://github.com/pypi/pypi-attestations/compare/v0.0.25...v0.0.26
+[0.0.25]: https://github.com/pypi/pypi-attestations/compare/v0.0.24...v0.0.25
+[0.0.24]: https://github.com/pypi/pypi-attestations/compare/v0.0.23...v0.0.24
+[0.0.23]: https://github.com/pypi/pypi-attestations/compare/v0.0.22...v0.0.23
+[0.0.22]: https://github.com/pypi/pypi-attestations/compare/v0.0.21...v0.0.22
+[0.0.21]: https://github.com/pypi/pypi-attestations/compare/v0.0.20...v0.0.21
+[0.0.20]: https://github.com/pypi/pypi-attestations/compare/v0.0.19...v0.0.20
+[0.0.19]: https://github.com/pypi/pypi-attestations/compare/v0.0.18...v0.0.19
+[0.0.18]: https://github.com/pypi/pypi-attestations/compare/v0.0.17...v0.0.18
+[0.0.17]: https://github.com/pypi/pypi-attestations/compare/v0.0.16...v0.0.17
+[0.0.16]: https://github.com/pypi/pypi-attestations/compare/v0.0.15...v0.0.16
+[0.0.15]: https://github.com/pypi/pypi-attestations/compare/v0.0.14...v0.0.15
+[0.0.14]: https://github.com/pypi/pypi-attestations/compare/v0.0.13...v0.0.14
+[0.0.13]: https://github.com/pypi/pypi-attestations/compare/v0.0.12...v0.0.13
+[0.0.12]: https://github.com/pypi/pypi-attestations/compare/v0.0.11...v0.0.12
+[0.0.11]: https://github.com/pypi/pypi-attestations/compare/v0.0.10...v0.0.11
+[0.0.10]: https://github.com/pypi/pypi-attestations/compare/v0.0.9...v0.0.10
+[0.0.9]: https://github.com/pypi/pypi-attestations/compare/v0.0.8...v0.0.9
+[0.0.8]: https://github.com/pypi/pypi-attestations/compare/v0.0.7...v0.0.8
+[0.0.7]: https://github.com/pypi/pypi-attestations/compare/v0.0.6...v0.0.7
+[0.0.6]: https://github.com/pypi/pypi-attestations/compare/v0.0.5...v0.0.6
+[0.0.5]: https://github.com/pypi/pypi-attestations/compare/v0.0.4...v0.0.5
+[0.0.4]: https://github.com/pypi/pypi-attestations/compare/v0.0.3...v0.0.4
+[0.0.3]: https://github.com/pypi/pypi-attestations/compare/v0.0.2...v0.0.3
+[0.0.2]: https://github.com/pypi/pypi-attestations/compare/v0.0.1...v0.0.2
+[0.0.1]: https://github.com/pypi/pypi-attestations/releases/tag/v0.0.1
+

README.md

@@ -1,7 +1,7 @@
 # pypi-attestations
 
 <!--- BADGES: START --->
-[![CI](https://github.com/trailofbits/pypi-attestations/actions/workflows/tests.yml/badge.svg)](https://github.com/trailofbits/pypi-attestations/actions/workflows/tests.yml)
+[![CI](https://github.com/pypi/pypi-attestations/actions/workflows/tests.yml/badge.svg)](https://github.com/pypi/pypi-attestations/actions/workflows/tests.yml)
 [![PyPI version](https://badge.fury.io/py/pypi-attestations.svg)](https://pypi.org/project/pypi-attestations)
 [![Packaging status](https://repology.org/badge/tiny-repos/python:pypi-attestations.svg)](https://repology.org/project/python:pypi-attestations/versions)
 <!--- BADGES: END --->
@@ -200,9 +200,9 @@ limitations under the License.
 
 [PEP 740]: https://peps.python.org/pep-0740/
 
-[here]: https://trailofbits.github.io/pypi-attestations
+[here]: https://pypi.github.io/pypi-attestations
 
-[public Python APIs]: https://trailofbits.github.io/pypi-attestations
+[public Python APIs]: https://pypi.github.io/pypi-attestations
 
 [the official PyPA publishing action]: https://github.com/pypa/gh-action-pypi-publish
 

pyproject.toml

@@ -10,6 +10,7 @@ readme = "README.md"
 license = "Apache-2.0"
 license-files = ["LICENSE"]
 authors = [{ name = "Trail of Bits", email = "opensource@trailofbits.com" }]
+maintainers = [{ name = "PyPI Admins", email = "admin@pypi.org" }]
 classifiers = ["Programming Language :: Python :: 3"]
 dependencies = [
     "cryptography",
@@ -48,9 +49,9 @@ pypi-attestations = "pypi_attestations._cli:main"
 
 [project.urls]
 Homepage = "https://pypi.org/project/pypi-attestations"
-Documentation = "https://trailofbits.github.io/pypi-attestations/"
-Issues = "https://github.com/trailofbits/pypi-attestations/issues"
-Source = "https://github.com/trailofbits/pypi-attestations"
+Documentation = "https://pypi.github.io/pypi-attestations/"
+Issues = "https://github.com/pypi/pypi-attestations/issues"
+Source = "https://github.com/pypi/pypi-attestations"
 
 [tool.flit.module]
 name = "pypi_attestations"

src/pypi_attestations/__init__.py

@@ -1,6 +1,6 @@
 """The `pypi-attestations` APIs."""
 
-__version__ = "0.0.27"
+__version__ = "0.0.28"
 
 from ._impl import (
     Attestation,