From 5f3a3f0e3f904e2ccee091dc4fe94c6d63d945b0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 23 Nov 2022 16:42:59 -0500 Subject: [PATCH 1/3] workflows/release: fix missing `--cert-identity` Signed-off-by: William Woodruff --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 292abc897..49cc1aac7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -51,7 +51,8 @@ jobs: sigstore verify "${dist}" \ --cert "smoketest-artifacts/${dist_base}.crt" \ --signature "smoketest-artifacts/${dist_base}.sig" \ - --cert-oidc-issuer https://token.actions.githubusercontent.com + --cert-oidc-issuer https://token.actions.githubusercontent.com \ + --cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/staging-tests.yml@${GITHUB_REF} rm -rf smoketest-env done From 42a6ae04c78d93a529d6357209bc48c8583e73d2 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 23 Nov 2022 16:43:56 -0500 Subject: [PATCH 2/3] sigstore: 0.8.1 Signed-off-by: William Woodruff --- sigstore/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sigstore/__init__.py b/sigstore/__init__.py index 1a24ee029..991276ab7 100644 --- a/sigstore/__init__.py +++ b/sigstore/__init__.py @@ -16,4 +16,4 @@ The `sigstore` APIs. """ -__version__ = "0.8.0" +__version__ = "0.8.1" From fb5897a8ef09488922a8b8a87410f858157e3f8c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 23 Nov 2022 16:57:06 -0500 Subject: [PATCH 3/3] README, cli: produce a more explicit error on `--cert-email` Signed-off-by: William Woodruff --- README.md | 8 +++++--- sigstore/_cli.py | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8281d2fb0..28707948f 100644 --- a/README.md +++ b/README.md 
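Review bot: The added `--cert-identity` value in the release.yml hunk is passed unquoted and names `staging-tests.yml`, although the workflow being patched is `release.yml`. If the smoketest certificates are issued to the workflow that runs this step, the Subject Alternative Name would presumably end in `release.yml@<ref>` and this check would reject every artifact; the signing step is not visible in the hunk, so this needs confirming. Quoting the value would match the `--cert` and `--signature` arguments above it, e.g. `--cert-identity "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/release.yml@${GITHUB_REF}"`, with the filename adjusted to whichever workflow actually signs. A short comment saying which workflow identity is expected, and why, would make the pin auditable; the enclosing `run:` script begins outside the hunk.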
@@ -152,9 +152,9 @@ Verifying: ``` usage: sigstore verify [-h] [--certificate FILE] [--signature FILE] - [--rekor-bundle FILE] --cert-identity IDENTITY - --cert-oidc-issuer URL [--require-rekor-offline] - [--staging] [--rekor-url URL] + [--rekor-bundle FILE] [--cert-email EMAIL] + --cert-identity IDENTITY --cert-oidc-issuer URL + [--require-rekor-offline] [--staging] [--rekor-url URL] FILE [FILE ...] positional arguments: @@ -173,6 +173,8 @@ Verification inputs: multiple inputs (default: None) Extended verification options: + --cert-email EMAIL Deprecated; causes an error. Use --cert-identity + instead (default: None) --cert-identity IDENTITY The identity to check for in the certificate's Subject Alternative Name (default: None) diff --git a/sigstore/_cli.py b/sigstore/_cli.py index 8c2f24fe1..f303203c2 100644 --- a/sigstore/_cli.py +++ b/sigstore/_cli.py @@ -275,6 +275,12 @@ def _parser() -> argparse.ArgumentParser: ) verification_options = verify.add_argument_group("Extended verification options") + verification_options.add_argument( + "--cert-email", + metavar="EMAIL", + type=str, + help="Deprecated; causes an error. Use --cert-identity instead", + ) verification_options.add_argument( "--cert-identity", metavar="IDENTITY", @@ -461,6 +467,15 @@ def _sign(args: argparse.Namespace) -> None: def _verify(args: argparse.Namespace) -> None: + # `--cert-email` has been functionally removed, but we check for it + # explicitly to provide a nicer error message than just a missing + # option. + if args.cert_email: + args._parser.error( + "--cert-email is a disabled alias for --cert-identity; " + "use --cert-identity instead" + ) + # `--rekor-bundle` is a temporary option, pending stabilization of the # Sigstore bundle format. if args.rekor_bundle:
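Review bot: In the `_verify` hunk of sigstore/_cli.py, `if args.cert_email:` is a truthiness test, so an invocation such as `--cert-email ""` skips the explicit error and the option is silently ignored. Comparing against the argparse default catches every use: `if args.cert_email is not None:`. The impact is limited to the error message, since the README usage in this patch still shows `--cert-identity` as required, but a removed identity option is better rejected on every use than on most. `args._parser` is set outside the visible hunks and the body of `_verify` continues past the end of this one.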