Release 1.0.0

Changed

• sigstore.rekor is now sigstore.transparency, and its constituent APIs
  have been renamed to removed implementation detail references
  (#402)

• sigstore.transparency.RekorEntryMissing is now LogEntryMissing
  (#414)

Fixed

• The TUF network timeout has been relaxed from 4 seconds to 30 seconds,
  which should reduce the likelihood of spurious timeout errors in environments
  like GitHub Actions (#432)

Release 1.0.0rc1

sigstore: 1.0.0rc1 (#427)

Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Release 0.10.0

Added

• sigstore now supports the -v/--verbose flag as an alternative to
  SIGSTORE_LOGLEVEL for debug logging
  (#372)

• The sigstore verify identity has been added, and is functionally
  equivalent to the existing sigstore verify subcommand.
  sigstore verify is unchanged, but will be marked deprecated in a future
  stable version of sigstore-python
  (#379)

• sigstore now has a public, importable Python API! You can find its
  documentation here
  (#383)

• sigstore --staging is now the intended way to request Sigstore's staging
  instance, rather than per-subcommand options like sigstore sign --staging.
  The latter is unchanged, but will be marked deprecated in a future stable
  version of sigstore-python
  (#383)

• The per-subcommand options --rekor-url and --rekor-root-pubkey have been
  moved to the top-level sigstore command. Their subcommand forms are unchanged
  and will continue to work, but will be marked deprecated in a future stable
  version of sigstore-python
  (#381)

• sigstore verify github has been added, allowing for verification of
  GitHub-specific claims within given certificate(s)
  (#381)

Release 0.9.0

[0.9.0]

Added

• sigstore verify now supports --certificate-chain and --rekor-url
  during verification. Ordinary uses (i.e. the default or --staging)
  are not affected (#323)

Changed

• sigstore sign and sigstore verify now stream their input, rather than
  consuming it into a single buffer
  (#329)

• A series of Python 3.11 deprecation warnings were eliminated
  (#341)

• The "splash" page presented to users during the OAuth flow has been updated
  to reflect the user-friendly page added to cosign
  (#356)

• sigstore now uses TUF to retrieve its trust material for Fulcio and Rekor,
  replacing the material that was previously baked into sigstore._store
  (#351)

Release 0.8.3

What's Changed

• sigstore: 0.8.3 by @woodruffw in #317

Full Changelog: v0.8.2...v0.8.3

Release 0.8.2

What's Changed

• sigstore: 0.8.2 by @woodruffw in #316

Full Changelog: v0.8.1...v0.8.2

Release 0.8.1

What's Changed

• sigstore: 0.8.1 by @woodruffw in #315

Full Changelog: v0.8.0...v0.8.1

Release 0.8.0

What's Changed

• scorecards-analysis: bump scorecard-action to 2.0.6 by @woodruffw in #293
• .bump: delete by @woodruffw in #294
• build(deps): bump sigstore from 0.6.8 to 0.7.0 in /install by @dependabot in #295
• dependabot: Setup Dependabot for GitHub Actions by @tetsuo-cpp in #302
• workflows: Add conformance testing workflow by @tetsuo-cpp in #298
• build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1 by @dependabot in #303
• build(deps): bump actions/setup-python from 2.3.2 to 4.3.0 by @dependabot in #304
• Refactor the verification API by @woodruffw in #299
• sigstore, test: add actual SANs to policy failure reason by @woodruffw in #309
• workflows/staging-tests: add missing identity check by @woodruffw in #307
• oidc/oauth: avoid logging the OAuth auth headers by @woodruffw in #312
• sigstore: 0.8.0 by @woodruffw in #314

Full Changelog: v0.7.0...v0.8.0

Release 0.7.0

What's Changed

• build(deps): bump sigstore from 0.6.7 to 0.6.8 in /install by @dependabot in #285
• build(deps): bump pyjwt from 2.5.0 to 2.6.0 in /install by @dependabot in #266
• workflows/ci: add Python 3.11 to matrix by @woodruffw in #286
• Offline Rekor bundle generation and verification by @woodruffw in #247
• build(deps): bump cryptography from 38.0.2 to 38.0.3 in /install by @dependabot in #287
• Support --cert-identity by @woodruffw in #289
• _verify: Check for URI SANs when verifying certificate emails by @tetsuo-cpp in #288
• sigstore: 0.7.0 by @tetsuo-cpp in #290
• workflow: Workaround for SLSA generator failure by @tetsuo-cpp in #292

Full Changelog: v0.6.8...v0.7.0

Release 0.6.8

What's Changed

• _cli: add boolean envvar defaults by @woodruffw in #244
• build(deps): bump sigstore from 0.6.6 to 0.6.7 in /install by @dependabot in #246
• build(deps): bump cryptography from 38.0.1 to 38.0.2 in /install by @dependabot in #245
• build(deps): bump securesystemslib from 0.24.0 to 0.25.0 in /install by @dependabot in #254
• test: add an ambient_oidc marker by @woodruffw in #259
• Restore SLSA provenance generator by @di in #256
• add community-wide reusable workflow for license/vuln scan by @bobcallaway in #255
• ctfe: add staging targets by @asraa in #262
• fix deprecated set-output by @bobcallaway in #270
• sigstore: add a CT keyring, use it for SCT verification by @woodruffw in #267
• sigstore: 0.6.8 by @woodruffw in #284

New Contributors

• @bobcallaway made their first contribution in #255

Full Changelog: v0.6.7...v0.6.8