v2.0.0

Released by @woodruffw on 28 Sep 18:41 (commit 6c7069e)

Added

  • CLI: sigstore sign and sigstore get-identity-token now support the
    --oauth-force-oob option, which has the same behavior as the
    preexisting SIGSTORE_OAUTH_FORCE_OOB environment variable
    (#667)

  • Version 0.2 of the Sigstore bundle format is now supported
    (#705)

  • API addition: VerificationMaterials.to_bundle() is a new public API for
    producing a standard Sigstore bundle from sigstore-python's internal
    representation (#719)

  • API addition: New method sign.SigningResult.to_bundle() allows signing
    applications to serialize to the bundle format that is already usable in
    verification with verify.VerificationMaterials.from_bundle()
    (#765)

Changed

  • sigstore verify now performs additional verification of Rekor's inclusion
    proofs by cross-checking them against signed checkpoints
    (#634)

  • A cached copy of the trust bundle is now included with the distribution
    (#611)

  • Stopped emitting .sig and .crt signing outputs by default in sigstore sign.
    Sigstore bundles are now preferred
    (#614)

  • Trust root configuration now assumes that the TUF repository contains a trust
    bundle, rather than falling back to deprecated individual targets
    (#626)

  • API change: the sigstore.oidc.IdentityToken API has been stabilized as
    a wrapper for OIDC tokens
    (#635)

  • API change: Signer.sign now takes a sigstore.oidc.IdentityToken for
    its identity argument, rather than a "raw" OIDC token
    (#635)

  • API change: Issuer.identity_token now returns a
    sigstore.oidc.IdentityToken, rather than a "raw" OIDC token
    (#635)

  • sigstore verify is no longer a backwards-compatible alias for
    sigstore verify identity, as it was during the 1.0 release series
    (#642)

  • API change: the Signer API has been broken up into SigningContext
    and Signer, allowing a SigningContext to create individual Signer
    instances that correspond to a single IdentityToken. This new API
    also enables ephemeral key and certificate reuse across multiple inputs,
    reducing the number of cryptographic operations and network roundtrips
    required when signing more than one input
    (#645)

  • sigstore sign now uses an ephemeral P-256 keypair, rather than P-384
    (#662)

  • API change: RekorClientError no longer unconditionally tries to parse
    response content as JSON
    (#694)

  • API change: LogEntry.inclusion_promise can now be None, but only
    if LogEntry.inclusion_proof is not None
    (#705)

  • sigstore-python's minimum supported Python version is now 3.8
    (#745)

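What the inclusion-proof cross-check above (#634) and the v0.2 rule that an inclusion promise may be absent only when an inclusion proof is present (#705) amount to in practice, as an added example that is not sigstore-python's own code: it reimplements the RFC 6962 Merkle hashing Rekor uses, builds a small constructed log, and verifies a leaf's proof against the root hash and tree size carried in a constructed checkpoint note body rather than against the proof's own rootHash field. The proof dict is shaped after the inclusionProof object in a Rekor entry's verification field (hex rootHash and hashes, integer logIndex and treeSize, checkpoint text); the log origin, the sample entries and the helper names are assumptions for this example, and verifying the checkpoint's signature with the log's public key is a separate step assumed to have happened before this check runs.

```python
import base64
import hashlib

# Added example, not sigstore-python's own code: RFC 6962 Merkle hashing as used
# by Rekor, a small constructed log, and an inclusion-proof check that is
# cross-checked against a constructed checkpoint note body. Verifying the
# checkpoint's signature with the log's public key is assumed to happen first.


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || data)."""
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_path(m: int, leaves: list) -> list:
    """PATH(m, D[n]) from RFC 6962: sibling hashes from leaf m up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]

def root_from_inclusion_proof(leaf_index: int, tree_size: int, leaf: bytes, proof: list):
    """Recompute the root from a leaf and its proof (RFC 9162 section 2.1.3.2);
    None means the proof is malformed for the claimed index and tree size."""
    if leaf_index >= tree_size:
        return None
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return None  # more hashes than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # fn == sn: skip levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return r if sn == 0 else None

def parse_checkpoint_body(note: str):
    """Parse a Rekor checkpoint (signed note) body: (origin, tree size, root hash).
    The body ends at the first blank line; signature lines after it are ignored here."""
    lines = note.split("\n\n", 1)[0].split("\n")
    if len(lines) < 3:
        raise ValueError("checkpoint body needs origin, tree size and root hash lines")
    root = base64.b64decode(lines[2], validate=True)
    if len(root) != hashlib.sha256().digest_size:
        raise ValueError("checkpoint root hash has the wrong length")
    return lines[0], int(lines[1]), root

def verify_inclusion_proof(proof: dict, leaf: bytes) -> bool:
    """Verify a proof shaped like Rekor's verification.inclusionProof (hex rootHash and
    hashes, int logIndex/treeSize, checkpoint text) against the checkpoint itself."""
    _, ckpt_size, ckpt_root = parse_checkpoint_body(proof["checkpoint"])
    if ckpt_size != proof["treeSize"] or ckpt_root != bytes.fromhex(proof["rootHash"]):
        return False  # the proof describes a tree the log never signed a checkpoint for
    hashes = [bytes.fromhex(h) for h in proof["hashes"]]
    return root_from_inclusion_proof(proof["logIndex"], ckpt_size, leaf, hashes) == ckpt_root

def require_proof_or_promise(entry: dict) -> None:
    """Bundle v0.2 rule: inclusionPromise may be omitted only if inclusionProof is present."""
    if entry.get("inclusionPromise") is None and entry.get("inclusionProof") is None:
        raise ValueError("tlog entry has neither an inclusion proof nor an inclusion promise")

SAMPLE_LEAVES = [('{"entry": %d}' % i).encode() for i in range(5)]  # constructed fake entries
ORIGIN = "rekor.example.test - 1234567890"  # hypothetical log origin line

def make_proof(leaves: list, index: int) -> dict:
    """Build the proof object and unsigned checkpoint body a log would hand out."""
    root = merkle_root(leaves)
    return {"logIndex": index, "treeSize": len(leaves), "rootHash": root.hex(),
            "hashes": [h.hex() for h in inclusion_path(index, leaves)],
            "checkpoint": "%s\n%d\n%s\n" % (ORIGIN, len(leaves), base64.b64encode(root).decode())}

def demo() -> dict:
    """A good proof verifies; a tampered leaf and a checkpoint for another tree do not."""
    proof = make_proof(SAMPLE_LEAVES, 2)
    other_tree = dict(proof, checkpoint=make_proof(SAMPLE_LEAVES[:4], 2)["checkpoint"])
    return {"valid": verify_inclusion_proof(proof, SAMPLE_LEAVES[2]),
            "tampered_leaf": verify_inclusion_proof(proof, b'{"entry": 9}'),
            "checkpoint_mismatch": verify_inclusion_proof(other_tree, SAMPLE_LEAVES[2])}
```

The point of the cross-check is the early return in verify_inclusion_proof: a proof whose rootHash and treeSize do not match the values in the signed checkpoint is rejected before any hashing, so an attacker who controls only the proof object cannot substitute a root of their own choosing. root_from_inclusion_proof returns None rather than a partial hash for a malformed proof, which keeps the final equality comparison from ever succeeding by accident.
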
Fixed

  • Fixed a case where sigstore verify would fail to verify an otherwise valid
    inclusion proof due to an incorrect timerange check
    (#633)

  • Removed an unnecessary and backwards-incompatible parameter from the
    sigstore.oidc.detect_credential API
    (#641)

  • Fixed a case where sigstore sign (and sigstore verify) could fail while
    using a private instance due to a missing ExtendedKeyUsage in the CA.
    We now enforce that the TBSPrecertificate signer must be a valid CA
    (#658)

  • Fixed a case where identity token retrieval would produce an unhelpful
    error message (#767)