Skip to content

v4.0.0

Latest
Latest
Compare
Choose a tag to compare
@jku jku released this 19 Sep 10:51
· 2 commits to main since this release
v4.0.0
7a9551f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

This is a major release with a host of API and functionality changes. The major new feature
is Rekor v2 support but many other changes are also included, see list below.

Added

  • cli: Add --rekor-version to sign command arguments: This can be useful
    if Sigstore instance provides multiple Rekor versions and user wants to
    override the default choice
    #1471
  • cli: Support parallel signing. When multiple artifacts are signed, the Rekor
    requests are submitted in parallel: this is especially useful with Rekor v2.
    #1468, #1478,
    #1485
  • oidc (API): Allow custom audience claims via API
    #1402
  • rekor (API): Support Rekor v2 (aka rekor-tiles) in both verification and signing.
    #1370, #1422,
    #1432
  • trust (API): Make TrustedRoot, SigningConfig and ClientTrustConfig public API
    #1496

Changed

  • cli: Improve verify UX when wrong instance is used
    #1510
  • deps: replace sigstore_protobuf_specs dependency with sigstore-models
    #1470
  • trust: Update embedded TUF root
    #1515
  • trust (API): TrustConfig now provides the production()and staging() helpers. Similar methods were removed from
    SigningConfig, TrustedRoot, SigningContext and Issuer. Use TrustConfig everywhere in code base.
    #1363
  • trust (API): support SigningConfig v0.2, remove support for v0.1. The new format now fully defines the
    sigstore instance the client uses. SigningConfig class now has methods to return actual clients
    (like RekorClient) instead of just URLs for that sigstore instance. The --trust-config cli option now
    expects the trust config to contain a v0.2 SigningConfig.
    #1358, #1407
  • trust: Support ed25519 keys in trusted root
    #1377

Fixed

  • rekor: resolve circular import of LogEntry
    #1458
  • rekor: Fix checkpoint signature lookup when there are multiple signatures
    #1514
  • rekor: Fix entry handling so inclusion promise is optional
    #1382
  • rekor: Avoid trailing slash in post to /entries
    #1366
  • sign: fetch TSA timestamps before submitting an entry to Rekor
    #1463
  • timestamp: Specify sha256 in TSA timestamp request
    #1373
  • trust: Fail less hard when trusted root contains unknown keys
    #1424
  • verify: Fix TSA cert chain construction (fixes issue in the case where certificate is not embedded in
    the timestamp)
    #1482
  • verify: Use TSA hash algorithm specified in the timestamp (SHA-256, SHA-384 and SHA-512 are supported)
    #1385
  • verify: Check artifact signing time against all established times
    #1381
  • verify: Handle unset TSA timestamp validity end
    #1368

New Contributors

Full Changelog: v3.6.5...v4.0.0

Contributors

SequeI and enlightened88
Assets 4
Loading