Releases: sigstore/sigstore-python

v2.1.1

04 Feb 10:18
f99055f

Fixed

  • Fixed an incorrect assumption about Rekor checkpoints that future releases
    of Rekor will not uphold (#891)

Full Changelog: v2.1.0...v2.1.1

v2.1.0

13 Dec 06:20
8ac0049

What's Changed

  • Update pinned requirements for v2.0.1 by @github-actions in #800
  • build(deps-dev): update ruff requirement from <0.0.293 to <0.1.1 by @dependabot in #798
  • ci: add Python 3.12 by @woodruffw in #801
  • build(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #799
  • build(deps-dev): update ruff requirement from <0.1.1 to <0.1.2 by @dependabot in #805
  • build(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #806
  • treewide: switch to ruff format by @woodruffw in #811
  • build(deps-dev): update ruff requirement from <0.1.4 to <0.1.5 by @dependabot in #812
  • build(deps-dev): update ruff requirement from <0.1.5 to <0.1.6 by @dependabot in #813
  • build(deps-dev): update ruff requirement from <0.1.6 to <0.1.7 by @dependabot in #815
  • build(deps-dev): bump cryptography from 41.0.4 to 41.0.7 by @dependabot in #816
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11 by @dependabot in #817
  • build(deps): bump actions/deploy-pages from 2.0.4 to 2.0.5 by @dependabot in #818
  • build(deps): bump actions/deploy-pages from 2.0.5 to 3.0.0 by @dependabot in #819
  • build(deps): bump actions/setup-python from 4.7.1 to 4.8.0 by @dependabot in #822
  • _cli: use rich's logging handler by @woodruffw in #824
  • build(deps): bump actions/setup-python from 4.8.0 to 5.0.0 by @dependabot in #826
  • cli: search for {input}.sigstore.json by default by @woodruffw in #820
  • build(deps): bump actions/deploy-pages from 3.0.0 to 3.0.1 by @dependabot in #827
  • build(deps-dev): bump id from 1.1.0 to 1.2.1 by @dependabot in #828
  • workflows/release: fix build provenance job by @woodruffw in #829
  • pyproject: sigstore-rekor-types==0.0.11 by @woodruffw in #831
  • Prep 2.1.0 by @tetsuo-cpp in #832

Full Changelog: v2.0.1...v2.1.0

v2.0.1

17 Oct 20:34
2d6177d

Fixed

  • CLI: When using --certificate-chain, read as bytes instead of str
    as expected by the underlying API (#796)

v2.0.0

28 Sep 18:41
6c7069e

Added

  • CLI: sigstore sign and sigstore get-identity-token now support the
    --oauth-force-oob option, which has the same behavior as the
    preexisting SIGSTORE_OAUTH_FORCE_OOB environment variable
    (#667)

  • Version 0.2 of the Sigstore bundle format is now supported
    (#705)

  • API addition: VerificationMaterials.to_bundle() is a new public API for
    producing a standard Sigstore bundle from sigstore-python's internal
    representation (#719)

  • API addition: New method sign.SigningResult.to_bundle() allows signing
    applications to serialize to the bundle format that is already usable in
    verification with verify.VerificationMaterials.from_bundle()
    (#765)

Changed

  • sigstore verify now performs additional verification of Rekor's inclusion
    proofs by cross-checking them against signed checkpoints
    (#634)

  • A cached copy of the trust bundle is now included with the distribution
    (#611)

  • Stopped emitting .sig and .crt signing outputs by default in sigstore sign.
    Sigstore bundles are now preferred
    (#614)

  • Trust root configuration now assumes that the TUF repository contains a trust
    bundle, rather than falling back to deprecated individual targets
    (#626)

  • API change: the sigstore.oidc.IdentityToken API has been stabilized as
    a wrapper for OIDC tokens
    (#635)

  • API change: Signer.sign now takes a sigstore.oidc.IdentityToken for
    its identity argument, rather than a "raw" OIDC token
    (#635)

  • API change: Issuer.identity_token now returns a
    sigstore.oidc.IdentityToken, rather than a "raw" OIDC token
    (#635)

  • sigstore verify is no longer a backwards-compatible alias for
    sigstore verify identity, as it was during the 1.0 release series
    (#642)

  • API change: the Signer API has been broken up into SigningContext
    and Signer, allowing a SigningContext to create individual Signer
    instances that correspond to a single IdentityToken. This new API
    also enables ephemeral key and certificate reuse across multiple inputs,
    reducing the number of cryptographic operations and network roundtrips
    required when signing more than one input
    (#645)

  • sigstore sign now uses an ephemeral P-256 keypair, rather than P-384
    (#662)

  • API change: RekorClientError no longer tries to parse every error
    response body as JSON
    (#694)

  • API change: LogEntry.inclusion_promise can now be None, but only
    if LogEntry.inclusion_proof is not None
    (#705)

  • sigstore-python's minimum supported Python version is now 3.8
    (#745)
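The checkpoint cross-check described under #634 above, as an added example that is not sigstore-python's own code: it recomputes the Merkle root from an entry's inclusion proof using the RFC 6962 hashing that Rekor uses, parses the body of a checkpoint note (origin line, decimal tree size, base64 root hash, then a blank line before the signature lines; the signature is deliberately not verified here), and accepts the entry only when the recomputed root matches both the root hash shipped alongside the proof and the checkpoint's root at the checkpoint's tree size. The log entries, the origin string and the placeholder signature line are constructed for this example, and the tree-size comparison is this example's own choice, not a claim about what sigstore-python checks. Standard library only.

```python
# Inclusion-proof verification cross-checked against a log checkpoint.
# Hashing is RFC 6962 (leaf: SHA-256(0x00||data), node: SHA-256(0x01||l||r)).
# All inputs below are constructed for this example.
import base64
import hashlib
from dataclasses import dataclass
from typing import List


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(index: int, leaves: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: sibling hashes, leaf to root."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [merkle_root(leaves[:k])]


def root_from_proof(lh: bytes, index: int, tree_size: int, proof: List[bytes]) -> bytes:
    """Recompute the root from a leaf hash and its proof (RFC 9162 section 2.1.3.2).
    Raises ValueError on a malformed proof instead of returning a bogus root."""
    if index >= tree_size:
        raise ValueError("leaf index outside tree")
    fn, sn, r = index, tree_size - 1, lh
    for p in proof:
        if sn == 0:
            raise ValueError("proof longer than tree height")
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:  # we were a lone right-hand node: skip levels
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    if sn != 0:
        raise ValueError("proof shorter than tree height")
    return r


@dataclass(frozen=True)
class Checkpoint:
    origin: str
    tree_size: int
    root_hash: bytes


def parse_checkpoint_body(note: str) -> Checkpoint:
    """Body of a signed checkpoint note: origin, decimal tree size, base64 root hash,
    separated from the signature lines by a blank line. Signature NOT verified here."""
    body, sep, _signatures = note.partition("\n\n")
    if not sep:
        raise ValueError("checkpoint has no signature section")
    lines = body.split("\n")
    if len(lines) < 3 or not lines[1].isdigit():
        raise ValueError("malformed checkpoint body")
    root = base64.b64decode(lines[2], validate=True)
    if len(root) != hashlib.sha256().digest_size:
        raise ValueError("root hash has wrong length")
    return Checkpoint(lines[0], int(lines[1]), root)


def verify_against_checkpoint(entry: bytes, index: int, tree_size: int, proof_root: bytes,
                              proof: List[bytes], checkpoint: Checkpoint) -> bool:
    """The cross-check: the recomputed root must equal the root shipped with the
    proof AND the checkpoint's root, and the checkpoint must be for this tree size."""
    try:
        computed = root_from_proof(leaf_hash(entry), index, tree_size, proof)
    except ValueError:
        return False
    return computed == proof_root and checkpoint.tree_size == tree_size \
        and computed == checkpoint.root_hash


# Constructed sample log (7 entries, deliberately not a power of two) and checkpoint.
SAMPLE_ENTRIES = [f"constructed entry {i}".encode() for i in range(7)]
SAMPLE_ORIGIN = "example-log - 1"  # placeholder origin line, not a real log


def make_checkpoint_note(origin: str, leaves: List[bytes]) -> str:
    root_b64 = base64.b64encode(merkle_root(leaves)).decode()
    # A real note ends with "\u2014 <name> <base64 signature>"; this is a placeholder.
    return f"{origin}\n{len(leaves)}\n{root_b64}\n\n\u2014 example-log PLACEHOLDER\n"


def demo(index: int = 5) -> dict:
    size = len(SAMPLE_ENTRIES)
    checkpoint = parse_checkpoint_body(make_checkpoint_note(SAMPLE_ORIGIN, SAMPLE_ENTRIES))
    honest = verify_against_checkpoint(SAMPLE_ENTRIES[index], index, size,
                                       merkle_root(SAMPLE_ENTRIES),
                                       inclusion_proof(index, SAMPLE_ENTRIES), checkpoint)
    # An attacker who supplies both the proof and the root hash beside it can make
    # them agree with each other; only the signed checkpoint ties them to the real log.
    forged = SAMPLE_ENTRIES[:index] + [b"tampered"] + SAMPLE_ENTRIES[index + 1:]
    forged_root, forged_proof = merkle_root(forged), inclusion_proof(index, forged)
    self_consistent = root_from_proof(leaf_hash(b"tampered"), index, size, forged_proof) == forged_root
    accepted = verify_against_checkpoint(b"tampered", index, size, forged_root, forged_proof, checkpoint)
    return {"honest_ok": honest, "forged_self_consistent": self_consistent, "forged_accepted": accepted}
```

demo() shows the point of the cross-check: the forged proof and its root hash verify against each other, and only the comparison with the checkpoint rejects it. In a real verifier the checkpoint's signature must also be verified against the log's public key before its root hash is trusted; this example stops short of that.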

Fixed

  • Fixed a case where sigstore verify would fail to verify an otherwise valid
    inclusion proof due to an incorrect timerange check
    (#633)

  • Removed an unnecessary and backwards-incompatible parameter from the
    sigstore.oidc.detect_credential API
    (#641)

  • Fixed a case where sigstore sign (and sigstore verify) could fail while
    using a private instance due to a missing ExtendedKeyUsage in the CA.
    The TBSPrecertificate signer is now required to be a valid CA (#658)

  • Fixed a case where identity token retrieval would produce an unhelpful
    error message (#767)

v2.0.0rc3

12 Sep 03:11
87681a9
Pre-release

What's Changed

  • build(deps-dev): update ruff requirement from <0.0.279 to <0.0.281 by @dependabot in #714
  • build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /install by @dependabot in #716
  • Add VerificationMaterials.to_bundle() by @sethmlarson in #719
  • conformance: bump runner by @jleightcap in #720
  • build(deps-dev): update ruff requirement from <0.0.281 to <0.0.282 by @dependabot in #722
  • doc: README document the (now default) .sigstore bundles by @jleightcap in #721
  • build(deps-dev): update ruff requirement from <0.0.282 to <0.0.283 by @dependabot in #725
  • build(deps): bump slsa-framework/slsa-github-generator from 1.7.0 to 1.8.0 by @dependabot in #727
  • models: require checkpoint in embedded inclusion proof by @woodruffw in #723
  • build(deps-dev): update ruff requirement from <0.0.283 to <0.0.284 by @dependabot in #728
  • build(deps): bump actions/deploy-pages from 2.0.3 to 2.0.4 by @dependabot in #731
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.8 to 1.8.9 by @dependabot in #730
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.9 to 1.8.10 by @dependabot in #732
  • build(deps-dev): update ruff requirement from <0.0.284 to <0.0.286 by @dependabot in #733
  • Add SECURITY.md file by @david-a-wheeler in #735
  • build(deps): bump slsa-framework/slsa-github-generator from 1.8.0 to 1.9.0 by @dependabot in #736
  • build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #737
  • Try separate config for /install directory by @di in #742
  • Revert "Try separate config for /install directory (#742)" by @di in #743
  • Pass --upgrade to pip-compile in pin-requirements.yml by @di in #744
  • Drop support for Python 3.7 by @di in #745
  • Update securityscorecards.dev URL by @di in #746
  • Update pin-requirements.yml to use latest tag as default by @di in #748
  • Update pin-requirements.yml by @di in #749
  • CHANGELOG: record #745 by @woodruffw in #747
  • Update pin-requirements.yml by @di in #750
  • build(deps-dev): update ruff requirement from <0.0.286 to <0.0.287 by @dependabot in #740
  • Update pin-requirements.yml by @di in #751
  • Update pin-requirements.yml by @di in #752
  • pin-requirements: explicitly fetch tags by @woodruffw in #753
  • Update comments by @woodruffw in #717
  • Update pinned requirements for v1.1.2 by @github-actions in #755
  • Pydantic fixes by @jku in #757
  • build(deps-dev): update ruff requirement from <0.0.287 to <0.0.288 by @dependabot in #758
  • build(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #760
  • Allow -v/--verbose anywhere in command line by @jku in #759
  • build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #762
  • Remove security policy by @haydentherapper in #764
  • sign: Make SigningResult._to_bundle() public by @jku in #765
  • pyproject: bump id by @woodruffw in #767
  • build(deps-dev): update ruff requirement from <0.0.288 to <0.0.289 by @dependabot in #769
  • sigstore: 2.0.0rc3 by @woodruffw in #768

New Contributors

Full Changelog: v2.0.0rc2...v2.0.0rc3

v2.0.0rc2

21 Jul 19:10
0d0cef0
Pre-release

What's Changed

  • build(deps-dev): update ruff requirement from <0.0.275 to <0.0.276 by @dependabot in #686
  • build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #690
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.6 to 1.8.7 by @dependabot in #689
  • Handle the case of missing EKU in _is_preissuer by @ccordoui in #674
  • don't parse error messages as json by @bobcallaway in #694
  • Bump sigstore-conformance to 0.0.5 by @tetsuo-cpp in #684
  • build(deps): bump requests from 2.28.2 to 2.31.0 in /install by @dependabot in #688
  • Fix missing SigningContext import in sign example by @mayaCostantini in #682
  • build(deps-dev): update ruff requirement from <0.0.276 to <0.0.277 by @dependabot in #696
  • Add timezone (utc) info into the cert not_valid_after field by @perone in #701
  • build(deps-dev): update ruff requirement from <0.0.277 to <0.0.278 by @dependabot in #698
  • Fixing documentation message about the sign API by @perone in #702
  • build(deps): bump actions/deploy-pages from 2.0.2 to 2.0.3 by @dependabot in #703
  • build(deps): bump actions/upload-pages-artifact from 1.0.9 to 2.0.0 by @dependabot in #704
  • build(deps-dev): update ruff requirement from <0.0.278 to <0.0.279 by @dependabot in #706
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.7 to 1.8.8 by @dependabot in #709
  • build(deps): bump actions/setup-python from 4.6.1 to 4.7.0 by @dependabot in #708
  • pyproject: bump sigstore-protobuf-specs by @woodruffw in #705
  • sigstore: 2.0.0rc2 by @woodruffw in #713

New Contributors

Full Changelog: v2.0.0rc1...v2.0.0rc2

v2.0.0rc1

23 Jun 14:03
2c132f4
Pre-release

What's Changed

  • CHANGELOG: fix link by @woodruffw in #622
  • build(deps): bump actions/setup-python from 4.5.0 to 4.6.0 by @dependabot in #617
  • build(deps): bump actions/deploy-pages from 2.0.0 to 2.0.1 by @dependabot in #615
  • build(deps): bump github/codeql-action from 2.2.11 to 2.3.0 by @dependabot in #619
  • build(deps): bump actions/checkout from 3.5.1 to 3.5.2 by @dependabot in #613
  • build(deps-dev): update ruff requirement from <0.0.262 to <0.0.263 by @dependabot in #618
  • tuf: embed trusted root target by @tnytown in #611
  • Update pinned requirements for v1.1.2 by @github-actions in #624
  • _cli: emit only sigstore bundle by default by @tnytown in #614
  • tuf: remove non-trusted-root handling paths by @woodruffw in #626
  • build(deps-dev): update ruff requirement from <0.0.263 to <0.0.264 by @dependabot in #631
  • _cli: implement --output-directory by @tnytown in #627
  • workflows: bump sigstore-conformance by @woodruffw in #637
  • conformance: remove old id-token permission by @woodruffw in #639
  • build(deps): bump github/codeql-action from 2.3.0 to 2.3.2 by @dependabot in #640
  • workflows: Remove id-token: write permission by @tetsuo-cpp in #638
  • sigstore: fix detect_credential signature by @woodruffw in #641
  • cli: Remove default subcommand hack by @woodruffw in #642
  • verify: fix timerange inclusion check by @woodruffw in #633
  • build(deps): bump peter-evans/create-pull-request from 5.0.0 to 5.0.1 by @dependabot in #643
  • build(deps-dev): update ruff requirement from <0.0.264 to <0.0.265 by @dependabot in #644
  • build(deps): bump pypa/gh-action-pypi-publish from 1.8.5 to 1.8.6 by @dependabot in #646
  • build(deps): bump github/codeql-action from 2.3.2 to 2.3.3 by @dependabot in #647
  • build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.2 by @dependabot in #648
  • Root hash signature verification v2 by @tnytown in #634
  • build(deps-dev): update ruff requirement from <0.0.265 to <0.0.266 by @dependabot in #649
  • build(deps-dev): bump tuf from 2.1.0 to 3.0.0 by @dependabot in #650
  • build(deps-dev): bump pyjwt from 2.6.0 to 2.7.0 by @dependabot in #651
  • build(deps-dev): update ruff requirement from <0.0.266 to <0.0.270 by @dependabot in #655
  • sigstore: ratchet down the bundle certs by @woodruffw in #632
  • sigstore: refactor, use IdentityToken everywhere by @woodruffw in #635
  • build(deps): bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 by @dependabot in #652
  • build(deps): bump actions/setup-python from 4.6.0 to 4.6.1 by @dependabot in #657
  • build(deps): bump github/codeql-action from 2.3.3 to 2.3.5 by @dependabot in #659
  • build(deps-dev): update ruff requirement from <0.0.270 to <0.0.271 by @dependabot in #660
  • build(deps): bump github/codeql-action from 2.3.5 to 2.3.6 by @dependabot in #664
  • Add option to sign multiple artifacts with the same key and certificate by @mayaCostantini in #645
  • workflows: debug staging-tests by @woodruffw in #669
  • build(deps-dev): update ruff requirement from <0.0.271 to <0.0.272 by @dependabot in #671
  • build(deps): bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 by @dependabot in #670
  • sign: switch to P-256 by @woodruffw in #662
  • sign: switch another keysite to P-256 by @woodruffw in #673
  • feat: Add --oauth-force-oob CLI option by @laurentsimon in #667
  • build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #677
  • build(deps): bump github/codeql-action from 2.3.6 to 2.13.4 by @dependabot in #676
  • build(deps-dev): update ruff requirement from <0.0.272 to <0.0.273 by @dependabot in #675
  • build(deps): bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 by @dependabot in #679
  • build(deps): bump actions/upload-pages-artifact from 1.0.8 to 1.0.9 by @dependabot in #681
  • build(deps): bump actions/deploy-pages from 2.0.1 to 2.0.2 by @dependabot in #678
  • build(deps-dev): update ruff requirement from <0.0.273 to <0.0.275 by @dependabot in #683
  • sigstore: 2.0.0rc1 by @tetsuo-cpp in #685

New Contributors

  • @github-actions made their first contribution in #624
  • @laurentsimon made their first contribution in #667

Full Changelog: v1.1.2...v2.0.0rc1

v1.1.2

22 Apr 22:25
f2123ba

Fixed

  • Updated the staging-root.json for recent changes to the Sigstore staging
    instance (#602)
  • Switched TUF requests to their CDN endpoints, rather than direct GCS
    access (#609)

v1.1.2rc1

15 Mar 21:25
c60f76e
Pre-release

What's Changed

Full Changelog: v1.1.1...v1.1.2rc1

Release 1.1.1

06 Mar 22:12
v1.1.1
b65f641

What's Changed

New Contributors

Full Changelog: v1.1.0...v1.1.1