v1.2.0

@codysoyland codysoyland released this 03 Jun 15:17
· 3 commits to main since this release
8ca80c4

What's Changed

  • Add preferred method for verifying log entry proofs by @Hayden-IO in #557
  • docs(verify): annotate identity matchers and regexp semantics by @1seal in #558
  • Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #563
  • Bump the minor-patch group across 1 directory with 7 updates by @dependabot[bot] in #565
  • ensure we have verification material before attempting to extract public key by @bobcallaway in #566
  • fix(tlog): fail closed for rekor v2 parsing by @1seal in #562
  • Bump sigstore-conformance to latest by @cmurphy in #559
  • Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #573
  • Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 in /examples/oci-image-verification by @dependabot[bot] in #576
  • Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 in /examples/oci-image-verification by @dependabot[bot] in #571
  • Bump production and staging TUF roots by @Hayden-IO in #580
  • Support DSSE signing conformance test by @aaronlew02 in #582
  • Fix nil pointer dereference in LiveTrustedRoot refresh by @Hayden-IO in #584
  • Bump sigstore/sigstore-conformance from 0.0.25 to 0.0.26 by @dependabot[bot] in #585
  • chore: remove large test dependencies by replacing ctfe usage by @Hayden-IO in #587
  • Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @dependabot[bot] in #575
  • Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @dependabot[bot] in #569
  • Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.4.1 by @dependabot[bot] in #578
  • Set minimum threshold for WithIntegratedTimestamps by @Hayden-IO in #590
  • Bump all recent deps by @Hayden-IO in #586
  • Bump the minor-patch group across 1 directory with 2 updates by @dependabot[bot] in #591
  • Bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible in /examples/oci-image-verification by @dependabot[bot] in #595
  • deps: update go-openapi/strfmt to v0.26.1 by @tonistiigi in #603
  • verify message digest matches artifact hash by @piceri in #600
  • Run go fix across codebase by @Hayden-IO in #610
  • Harden verification, HTTP clients, and TUF by @Hayden-IO in #609
  • Verify log entry digest matches artifact/envelope by @Hayden-IO in #611
  • Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #608
  • Bump actions/setup-go from 6.2.0 to 6.4.0 by @dependabot[bot] in #606
  • Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 in /examples/oci-image-verification by @dependabot[bot] in #614
  • Bump google.golang.org/grpc from 1.78.0 to 1.79.3 by @dependabot[bot] in #601
  • Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 by @dependabot[bot] in #613
  • Bump go-tuf, rekor-tiles versions by @Hayden-IO in #616
  • Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 by @dependabot[bot] in #621
  • Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /examples/oci-image-verification by @dependabot[bot] in #623
  • Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 by @dependabot[bot] in #624
  • bundle: cap raw TlogEntries length before per-entry parse by @tonghuaroot in #630
  • Prevent multi-log threshold bypasses via single compromised log by @Hayden-IO in #633
  • Verify Rekor v2 inclusion using reconstructed leaf hash by @codysoyland in #635
  • Encode Rekor v2 DSSE envelopes as hashedrekord by @codysoyland in #627
  • Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in #631
  • Bump the minor-patch group across 2 directories with 10 updates by @dependabot[bot] in #637
  • Fix conformance test failures for managed-key verification by @codysoyland in #638

New Contributors

Full Changelog: v1.1.4...v1.2.0