Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump sigstore from 1.1.2 to 2.0.0 in /.github/requirements #9668

Merged
merged 1 commit into from
Sep 29, 2023
Merged

Bump sigstore from 1.1.2 to 2.0.0 in /.github/requirements #9668

merged 1 commit into from
Sep 29, 2023

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 29, 2023

Bumps sigstore from 1.1.2 to 2.0.0.

Release notes

Sourced from sigstore's releases.

v2.0.0

Added

  • CLI: sigstore sign and sigstore get-identity-token now support the --oauth-force-oob option; which has the same behavior as the preexisting SIGSTORE_OAUTH_FORCE_OOB environment variable (#667)

  • Version 0.2 of the Sigstore bundle format is now supported (#705)

  • API addition: VerificationMaterials.to_bundle() is a new public API for producing a standard Sigstore bundle from sigstore-python's internal representation (#719)

  • API addition: New method sign.SigningResult.to_bundle() allows signing applications to serialize to the bundle format that is already usable in verification with verify.VerificationMaterials.from_bundle() (#765)

Changed

  • sigstore verify now performs additional verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints (#634)

  • A cached copy of the trust bundle is now included with the distribution (#611)

  • Stopped emitting .sig and .crt signing outputs by default in sigstore sign. Sigstore bundles are now preferred (#614)

  • Trust root configuration now assumes that the TUF repository contains a trust bundle, rather than falling back to deprecated individual targets (#626)

  • API change: the sigstore.oidc.IdentityToken API has been stabilized as a wrapper for OIDC tokens (#635)

  • API change: Signer.sign now takes a sigstore.oidc.IdentityToken for its identity argument, rather than a "raw" OIDC token (#635)

  • API change: Issuer.identity_token now returns a sigstore.oidc.IdentityToken, rather than a "raw" OIDC token (#635)

  • sigstore verify is not longer a backwards-compatible alias for

... (truncated)

Changelog

Sourced from sigstore's changelog.

[2.0.0]

Added

  • CLI: sigstore sign and sigstore get-identity-token now support the --oauth-force-oob option; which has the same behavior as the preexisting SIGSTORE_OAUTH_FORCE_OOB environment variable (#667)

  • Version 0.2 of the Sigstore bundle format is now supported (#705)

  • API addition: VerificationMaterials.to_bundle() is a new public API for producing a standard Sigstore bundle from sigstore-python's internal representation (#719)

  • API addition: New method sign.SigningResult.to_bundle() allows signing applications to serialize to the bundle format that is already usable in verification with verify.VerificationMaterials.from_bundle() (#765)

Changed

  • sigstore verify now performs additional verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints (#634)

  • A cached copy of the trust bundle is now included with the distribution (#611)

  • Stopped emitting .sig and .crt signing outputs by default in sigstore sign. Sigstore bundles are now preferred (#614)

  • Trust root configuration now assumes that the TUF repository contains a trust bundle, rather than falling back to deprecated individual targets (#626)

  • API change: the sigstore.oidc.IdentityToken API has been stabilized as a wrapper for OIDC tokens (#635)

  • API change: Signer.sign now takes a sigstore.oidc.IdentityToken for its identity argument, rather than a "raw" OIDC token (#635)

  • API change: Issuer.identity_token now returns a sigstore.oidc.IdentityToken, rather than a "raw" OIDC token (#635)

... (truncated)

Commits
  • 6c7069e Prep 2.0.0 (#778)
  • 9255024 build(deps): bump actions/checkout from 4.0.0 to 4.1.0 (#776)
  • ecf6d55 build(deps-dev): update ruff requirement from <0.0.291 to <0.0.292 (#777)
  • 106b5f1 build(deps): bump cryptography from 41.0.3 to 41.0.4 in /install (#775)
  • 1491ab1 build(deps-dev): update ruff requirement from <0.0.290 to <0.0.291 (#773)
  • 2444b28 build(deps-dev): update ruff requirement from <0.0.289 to <0.0.290 (#772)
  • 87681a9 sigstore: 2.0.0rc3 (#768)
  • f87cb8f build(deps-dev): update ruff requirement from <0.0.288 to <0.0.289 (#769)
  • c338354 pyproject: bump id (#767)
  • 68aa69a sign: Make SigningResult._to_bundle() public (#765)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump sigstore from 1.1.2 to 2.0.0 in /.github/requirements
0818fc0 
Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 1.1.2 to 2.0.0.
- [Release notes](https://github.com/sigstore/sigstore-python/releases)
- [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/sigstore-python@v1.1.2...v2.0.0)

---
updated-dependencies:
- dependency-name: sigstore
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Sep 29, 2023
@alex alex merged commit 2dae9a7 into main Sep 29, 2023
78 checks passed
@dependabot dependabot bot deleted the dependabot/pip/dot-github/requirements/sigstore-2.0.0 branch September 29, 2023 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alex alex alex approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@alex