sigstore · woodruffw · Nov 23, 2022 · Nov 23, 2022 · Nov 23, 2022 · Nov 23, 2022
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -51,7 +51,8 @@ jobs:
               sigstore verify "${dist}" \
               --cert "smoketest-artifacts/${dist_base}.crt" \
               --signature "smoketest-artifacts/${dist_base}.sig" \
-              --cert-oidc-issuer https://token.actions.githubusercontent.com
+              --cert-oidc-issuer https://token.actions.githubusercontent.com \
+              --cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/staging-tests.yml@${GITHUB_REF}
 
             rm -rf smoketest-env
           done

diff --git a/README.md b/README.md
@@ -152,9 +152,9 @@ Verifying:
 <!-- @begin-sigstore-verify-help@ -->
 ```
 usage: sigstore verify [-h] [--certificate FILE] [--signature FILE]
-                       [--rekor-bundle FILE] --cert-identity IDENTITY
-                       --cert-oidc-issuer URL [--require-rekor-offline]
-                       [--staging] [--rekor-url URL]
+                       [--rekor-bundle FILE] [--cert-email EMAIL]
+                       --cert-identity IDENTITY --cert-oidc-issuer URL
+                       [--require-rekor-offline] [--staging] [--rekor-url URL]
                        FILE [FILE ...]
 
 positional arguments:
@@ -173,6 +173,8 @@ Verification inputs:
                         multiple inputs (default: None)
 
 Extended verification options:
+  --cert-email EMAIL    Deprecated; causes an error. Use --cert-identity
+                        instead (default: None)
   --cert-identity IDENTITY
                         The identity to check for in the certificate's Subject
                         Alternative Name (default: None)

diff --git a/sigstore/__init__.py b/sigstore/__init__.py
@@ -16,4 +16,4 @@
 The `sigstore` APIs.
 """
 
-__version__ = "0.8.0"
+__version__ = "0.8.1"
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -275,6 +275,12 @@ def _parser() -> argparse.ArgumentParser:
     )
 
     verification_options = verify.add_argument_group("Extended verification options")
+    verification_options.add_argument(
+        "--cert-email",
+        metavar="EMAIL",
+        type=str,
+        help="Deprecated; causes an error. Use --cert-identity instead",
+    )
     verification_options.add_argument(
         "--cert-identity",
         metavar="IDENTITY",
@@ -461,6 +467,15 @@ def _sign(args: argparse.Namespace) -> None:
 
 
 def _verify(args: argparse.Namespace) -> None:
+    # `--cert-email` has been functionally removed, but we check for it
+    # explicitly to provide a nicer error message than just a missing
+    # option.
+    if args.cert_email:
+        args._parser.error(
+            "--cert-email is a disabled alias for --cert-identity; "
+            "use --cert-identity instead"
+        )
+
     # `--rekor-bundle` is a temporary option, pending stabilization of the
     # Sigstore bundle format.
     if args.rekor_bundle: