v0.26.0

Added

• Private key URI schemes for signer instantiation (#456)
• Public key container class for signature verification (#456)
• Post-quantum sphincs+ signing scheme (#427)
• Hardware Security Module (HSM) signing (#472)
• Google Cloud KMS signing (#442, #480)

Changed

• Use pyproject.toml for build configuration (#253)
• Use hatchling as build backend (#484)
• Auto-format and lint all code (#439, #490)
• Various CI and build improvements (#459, #460, #476, #493, #464)

Removed

• Drop colorama optional dependency and colorized output support (#443)

Fixed

• Don't shell out to gpg on import (#437)
• Fix metaclass definition (#473)
• Make GPGSigner signatures specification compliant (#486)

v0.25.0

Changed

• Do not use max salt lengths in RSA PSS signature creation (#436)
• Restrict read and write access for new private keys (#231)
• Replaced deprecated distutils.version.StrictVersion (#433)
• Bumped dependencies: cryptography (#435)

Fixed

• GPG availability check in tests (#434)

v0.24.0

Added

• GPGSigner to support gpg signing via Signer interface (#341, #419)

Changed

• Use max salt lengths in RSA PSS signature creation & automatically verify previous/new
  sigs (#422)
• Speed up canonical json encoding (#410)
• Bumped dependencies: cffi (#415), colorama (#413), cryptography (#405, #406, #414,
  #417, #424, #425), ed25519 (#412)
• Changed Debian packaging metadata (#392)

Fixed

• Minor test fixes (#403, #420)

v0.23.0

Fixed

• Race condition in gpg test cleanup function (#397)

Changed

• Consistently raise custom FormatError in keys.verify_signature() (#391)
• Bumped dependencies: cryptography (#396), ed25519 (#394, #398)
• Updated Debian packaging metadata (#392)

v0.22.0

Fixed

• Removed broken Dependabot badge in README (#377)

Added

• Python 3.10 support (#380)
• __eq__ method for Signature objects (#383)
• unrecognized_fields attribute for Signature objects (#387)

Changed

• Bumped dependencies: cffi (#373), cryptography (#376, #379), ed25519 (#378,
  #390), pycparser (#375), pynacl (#382)
• Misc docstring improvements (#380, #381, #384)

Removed

• Python 3.6 support (#385)

v0.21.0

NOTE: This is the first release of securesystemslib to require Python 3.6
or newer.

Fixed

• Clarified licensing and copyright notices with regards to code that is
  derived from Thandy (#366)

Added

• Added machinery for static type checking with mypy, including type annotation
  of the util module (#361)
• Added type annotations to storage module (#362)

Changed

• Bumped dependencies: six (#350), cffi (#364), ed25519 (#356),
  cryptography (#369)

Removed

• Removed support for Python 2.7 (#352) and the use of future and six modules
  which were required to support code running on both Python 2 and 3 (#359)

v0.20.1

NOTE: this will be the final release of securesystemslib that supports Python 2.7.
This is because Python 2.7 was marked end-of-life in January of 2020, and since then several of securesystemslib's direct and transitive dependencies have stopped supporting Python 2.7. securesystemslib's major users, the Python implementations of tuf (v0.167.0) and in-toto (v1.1.0), have already dropped support for Python 2.7.

Changed

• Switched to GitHub-native Dependabot (#349)
• Updated Debian packaging metadata (#343)
• Bump cryptography dependency (#346)

Fixed

• Fix the Signer abstract base class's method signature to include self (#348)

v0.20.0

Added

• Add signing abstraction to facilitate custom implementations (#319)

Changed

• Refactor imports to allow vendoring for pip (#316)
• Limit GitHub Actions to avoid duplicate Dependabot builds (#335)
• Enhance GitHub Action reporting for ed25519 upstream check (#338)
• Bump dependencies: cryptography (#336)

Fixed

• Pad OpenPGP EdDSA signatures to avoid sporadic verification failures (#340)

v0.19.0

Added

• Enable setting which GPG client to use through an environment variable (#315)

Changed

• Dropped support for EOL Python 3.5 and add support for Python 3.9 (#314)
• Converted the default local storage backend, FilesystemBackend, to be a
  singleton (#302)
• Migrated CI from travis-ci.org to travis-ci.com (#303) then later to GitHub
  Actions (#324)
• Bump dependencies: cffi (#306, #329), cryptography (#322, #333). NOTE: the
  latest version of cryptography is no longer used on Python 2, as that is not
  supported.
• Updated Debian packaging metadata (#313 & #318)
• Improved messaging for issues automatically filed on upstream changes to our
  vendored ed25519 dependency (#317)
• Updated the ed25519 tracking script for upstream's branch name change (#331)

Fixed

• Empty lists should not be used as the default argument for a function (#304)

v0.18.0

Added

• interface.generate_and_write_unencrypted_{rsa,ed25519,ecdsa}_keypair (#288)
• interface.generate_and_write_{rsa,ed25519,ecdsa}_keypair_with_prompt (#288)
• interface.import_privatekey_from_file(#288)
• GitHub Action to auto-check upstream changes for vendored ed25519 (#294)

Changed

• interface.generate_and_write_{rsa,ed25519,ecdsa}_keypair require a password
  as first positional argument (#288)
• interface.import_{rsa,ed25519,ecdsa}_privatekey_from_file do not error on
  empty password, but pass it on to lower level decryption routines (#288)
• interface.import_ecdsa_privatekey_from_file supports loading unencrypted
  private keys (#288)
• Revise interface and gpg.functions docstrings, and example snippets, and
  use Sphinx compatible Google Style docstring format (#288, #300)
• Linter-flagged cosmetic changes (#292, #295, #296)
• Bump dependencies: cryptography (#291, #293)
• Bump vendor copy of ed25519 (#299)