All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- The
Attestationtype now has acertificate_claimsproperty to expose underlying Fulcio signing certificate extensions (#70)
- The
GitLabPublisherpolicy now takes the workflow file path in order to verify attestations, rathen than assuming it will always begitlab-ci.yml(#71). - The
GitLabPublishernow longer expects claims being passed during construction, rather therefandshaclaims are extracted from the certificate's extensions, similar toGitHubPublisher's behavior (#71).
- Publisher classes (
GitLabPublisherandGitHubPublisher) no longer take a claims dictionary during construction (#72).
Attestation.statementhas been added as a convenience API for accessing the attestation's enveloped statement as a dictionary
This is a corrective release for 0.0.14.
- The
DistributionAPI now handles ZIP source distributions (those ending with.zip) instead of rejecting them as invalid (#68)
-
The minimum Python version required has been brought back to
3.9(#64). -
The
Attestation.verify(...)API has been changed to remove theVerifierargument in favor of an optionalstaging: boolkwarg to select the Sigstore instance (#62) -
The
Attestation.verify(...)API has been changed to accept bothPublisherandVerificationPolicyobjects as a policy. The publisher object is internally converted to an appropriate verification policy.
-
python -m pypi_attestations verifynow handles inputs likedist/*gracefully, by pre-filtering any attestation paths from the inputs. -
python -m pypi_attestations verifynow exits with a non-zero exit code if the verification step fails (#57)
- Base64-encoded bytes inside Attestation objects contained newline characters every 76 characters due to a bug in Pydantic's Base64Bytes type. Those newlines were also (incorrectly) ignored by Pydantic during decoding (#48).
- The minimum version of sigstore-python is now
3.2.0, owing to private API changes (#45)
- The minimum Python version required has been bumped to
3.11(#37)
- The
Provenance,Publisher,GitHubPublisher,GitLabPublisher, andAttestationBundletypes have been added (#36).
- The
Distributiontype and APIs have been added, allowing a user to supply a pre-computed digest instead of performing I/O (#34)
signandverifyno longer perform I/O (#34)
verify: catch another leaky error case (#32)
AttestationTypeis now re-exported at the top-level as a public API (#31)
AttestationTypehas been added, as an enumeration of all currently known attestation types (by URL) (#29)
Attestation.verifynow checks the attestation's type againstAttestationTypebefore returning it (#29)
Attestation.signnow only returnsAttestationErrorwhen failing to sign a distribution file (#28)
- The
python -m pypi_attestationsCLI has been added. This CLI is primarily intended for local development, and not for external use. Its flags and commands are not subject to stabilization unless explicitly documented in a future release (#22)
-
The name of this project is now
pypi-attestations, renamed frompypi-attestion-models(#25) -
The model conversion functions have been moved into the
Attestationclass (#24)
0.0.5 - 2024-06-20
Attestation.verifynow returns the inner statement's predicate components (#20)
0.0.4 - 2024-06-11
- Switch to in-toto statements (#18)
0.0.3 - 2024-06-10
- No functional changes.
0.0.2 - 2024-05-16
- Update
sigstoreto 3.0.0
0.0.1 - 2024-05-15
- Initial implementation