CHANGELOG.md

File metadata and controls

255 lines (167 loc) · 8.57 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Changed

  • The CLI entrypoint is now pypi-attestations (#82)
  • The CLI verify subcommand has been changed to verify attestation, as in pypi-attestations verify attestation --identity ... (#82)

Added

  • The CLI has a new subcommand verify pypi, which takes a URL to a PyPI distribution (either a wheel or a source distribution) and a GitHub/GitLab repository. The command verifies the distribution by downloading it and its provenance from PyPI, verifying them using sigstore and checking that the repository matches the one in the PyPI provenance file. (#82)
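The last step of that command, checking that the repository the caller names is the one recorded in the PyPI provenance file, is the part people most often get wrong by comparing raw strings. The example below is added here and is not the project's CLI code: it normalizes a repository given as an HTTPS URL or a bare owner/name path (strips `.git` and trailing slashes, lowercases, rejects other schemes and lookalike hosts) and then requires an exact match against every attestation bundle's publisher. The provenance layout (`version`, `attestation_bundles[].publisher.kind/repository`) follows PEP 740 as I understand it, and the `SAMPLE_PROVENANCE` object is constructed for the example with its Sigstore bundles left out.

```python
import re
from typing import Any
from urllib.parse import urlparse


class ProvenanceError(ValueError):
    """Raised when the provenance object cannot be compared against the expected repository."""


# Hosts behind the publisher kinds found in PyPI provenance objects (assumption: only these two).
PUBLISHER_HOSTS = {"GitHub": "github.com", "GitLab": "gitlab.com"}

# owner/name, or group/subgroup/.../name for GitLab; no empty segments, no leading dots.
_REPO_PATH = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:/[A-Za-z0-9][A-Za-z0-9._-]*)+$")


def normalize_repository(spec: str, host: str) -> str:
    """Reduce a repository URL or bare path to a canonical, lowercased 'owner/name' on `host`.

    Accepts 'https://github.com/Org/Repo.git', 'https://github.com/Org/Repo/' or 'Org/Repo';
    rejects other schemes and hosts so a lookalike domain cannot satisfy the comparison.
    """
    spec = spec.strip()
    if "://" in spec:
        parsed = urlparse(spec)
        if parsed.scheme != "https" or parsed.netloc.lower() != host:
            raise ProvenanceError(f"expected an https://{host}/ URL, got {spec!r}")
        path = parsed.path
    else:
        path = spec
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    if not _REPO_PATH.match(path):
        raise ProvenanceError(f"not a repository path: {path!r}")
    # GitHub and GitLab resolve owner and project names case-insensitively.
    return path.lower()


def is_acceptable_repository(spec: str, host: str) -> bool:
    """Convenience wrapper: True if `spec` normalizes cleanly for `host`, False otherwise."""
    try:
        normalize_repository(spec, host)
    except ProvenanceError:
        return False
    return True


def repository_matches(provenance: dict[str, Any], expected_repo: str) -> bool:
    """True if every attestation bundle in `provenance` was published from `expected_repo`.

    Exact match after normalization: a prefix or substring comparison would accept
    'org/repo-fork' for 'org/repo'.
    """
    if provenance.get("version") != 1:
        raise ProvenanceError(f"unsupported provenance version {provenance.get('version')!r}")
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        raise ProvenanceError("provenance carries no attestation bundles")
    for bundle in bundles:
        publisher = bundle.get("publisher") or {}
        host = PUBLISHER_HOSTS.get(publisher.get("kind"))
        if host is None:
            raise ProvenanceError(f"unsupported publisher kind {publisher.get('kind')!r}")
        claimed = normalize_repository(publisher.get("repository") or "", host)
        if claimed != normalize_repository(expected_repo, host):
            return False
    return True


# Constructed sample shaped like a PEP 740 provenance object; the Sigstore bundles that
# normally sit under "attestations" are left out because signatures are not checked here.
SAMPLE_PROVENANCE: dict[str, Any] = {
    "version": 1,
    "attestation_bundles": [
        {
            "publisher": {
                "kind": "GitHub",
                "repository": "Example-Org/example-pkg",
                "workflow": "release.yml",
                "environment": "pypi",
            },
            "attestations": [],
        }
    ],
}

if __name__ == "__main__":
    print(repository_matches(SAMPLE_PROVENANCE, "https://github.com/example-org/Example-Pkg.git"))
    print(repository_matches(SAMPLE_PROVENANCE, "example-org/example-pkg-fork"))
```

Note that this check only makes sense after the Sigstore verification has passed: the publisher block in a provenance file is just JSON, and it is the signing certificate's claims (which the library's publisher policies verify) that bind a bundle to a repository. The repository comparison then guards against a valid attestation from the wrong project being presented for the distribution.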

Changed

  • Explicitly support sigstore-python 3.6 (#79)

This is a corrective release for 0.0.18.

Added

  • The Attestation type now has a certificate_claims property to expose underlying Fulcio signing certificate extensions (#70)

Fixed

  • The GitLabPublisher policy now takes the workflow file path in order to verify attestations, rather than assuming it will always be .gitlab-ci.yml (#71).
  • The GitLabPublisher no longer expects claims to be passed during construction; instead, the ref and sha claims are extracted from the certificate's extensions, matching GitHubPublisher's behavior (#71).

Changed

  • Publisher classes (GitLabPublisher and GitHubPublisher) no longer take a claims dictionary during construction (#72).

Added

  • Attestation.statement has been added as a convenience API for accessing the attestation's enveloped statement as a dictionary

This is a corrective release for 0.0.14.

Fixed

  • The Distribution API now handles ZIP source distributions (those ending with .zip) instead of rejecting them as invalid (#68)

Changed

  • The minimum Python version required has been brought back to 3.9 (#64).

  • The Attestation.verify(...) API has been changed to remove the Verifier argument in favor of an optional staging: bool kwarg to select the Sigstore instance (#62)

  • The Attestation.verify(...) API has been changed to accept both Publisher and VerificationPolicy objects as a policy. The publisher object is internally converted to an appropriate verification policy.

Fixed

  • python -m pypi_attestations verify now handles inputs like dist/* gracefully, by pre-filtering any attestation paths from the inputs.

  • python -m pypi_attestations verify now exits with a non-zero exit code if the verification step fails (#57)

Fixed

  • Base64-encoded bytes inside Attestation objects contained newline characters every 76 characters due to a bug in Pydantic's Base64Bytes type. Those newlines were also (incorrectly) ignored by Pydantic during decoding (#48).
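The failure mode described in that entry is worth being able to recognize and reject: MIME-style base64 (what `base64.encodebytes` produces) inserts a newline after every 76 characters, and the default `base64.b64decode` silently discards anything outside the alphabet, so the corruption round-trips invisibly while breaking any byte-for-byte comparison of the serialized attestation. The block below is an added example, not code from the project or from Pydantic; it reproduces the wrapped encoding as an assumption about the mechanism, and shows the canonicality check (strict alphabet validation plus a re-encode comparison) that also catches non-zero trailing padding bits such as `QR==`. `SAMPLE_SIGNATURE` is a constructed stand-in for a signature blob.

```python
import base64
import binascii


def wrapped_encode(data: bytes) -> str:
    """MIME-style base64 with a newline after every 76 characters: the shape of the bug's output.

    Assumption: this reproduces the mechanism behind the changelog entry; it is not the
    library's or Pydantic's code.
    """
    return base64.encodebytes(data).decode("ascii")


def canonical_encode(data: bytes) -> str:
    """Unwrapped standard base64, the only encoding strict_decode() accepts."""
    return base64.b64encode(data).decode("ascii")


def lenient_decode(text: str) -> bytes:
    """Default decoding: characters outside the alphabet (newlines included) are silently dropped."""
    return base64.b64decode(text)


def is_canonical(text: str) -> bool:
    """True only if `text` is alphabet-clean and re-encodes to itself.

    validate=True rejects newlines and other stray characters; the re-encode comparison
    additionally rejects inputs whose unused padding bits are non-zero (e.g. 'QR==').
    """
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return canonical_encode(raw) == text


def strict_decode(text: str) -> bytes:
    """Decode, refusing any input that is not canonical base64."""
    if not is_canonical(text):
        raise ValueError("non-canonical base64 input")
    return base64.b64decode(text, validate=True)


# Constructed stand-in for a signature blob (256 bytes, so wrapping kicks in several times).
SAMPLE_SIGNATURE = bytes(range(256))

if __name__ == "__main__":
    wrapped = wrapped_encode(SAMPLE_SIGNATURE)
    print("newlines inserted:", wrapped.count("\n"))
    print("lenient decode hides them:", lenient_decode(wrapped) == SAMPLE_SIGNATURE)
    print("canonical?", is_canonical(wrapped), is_canonical(canonical_encode(SAMPLE_SIGNATURE)))
```

A verifier that compares serialized attestations, stores them in a content-addressed way, or feeds the encoded field into a hash should run `is_canonical` on every base64 field it ingests rather than rely on the decoder's leniency.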

Changed

  • The minimum version of sigstore-python is now 3.2.0, owing to private API changes (#45)

Changed

  • The minimum Python version required has been bumped to 3.11 (#37)

Added

  • The Provenance, Publisher, GitHubPublisher, GitLabPublisher, and AttestationBundle types have been added (#36).

Added

  • The Distribution type and APIs have been added, allowing a user to supply a pre-computed digest instead of performing I/O (#34)

Changed

  • sign and verify no longer perform I/O (#34)

Fixed

  • verify: catch another leaky error case (#32)

Fixed

  • AttestationType is now re-exported at the top-level as a public API (#31)

Added

  • AttestationType has been added, as an enumeration of all currently known attestation types (by URL) (#29)

Changed

  • Attestation.verify now checks the attestation's type against AttestationType before returning it (#29)
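The checks named across these entries (a Distribution carrying a pre-computed digest, in-toto statements as the payload, and the attestation type being matched against a known list of URLs before the predicate is returned) are the part of verification that happens after the Sigstore signature is accepted. The block below is an added example written for this page, not the library's implementation: it models a DSSE-enveloped in-toto v1 statement, a hypothetical `Dist` stand-in for the library's Distribution type, and `check_statement`, which requires the known payload type, statement type and predicate type, exactly one subject, and a constant-time match of the subject's sha256 against the distribution's digest. Signature verification is assumed to have already passed; the two predicate-type URLs are the ones the library's AttestationType enumerates, and `SAMPLE_WHEEL` is constructed bytes, not a real archive.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Any, Optional

# In-toto statement v1 plus the attestation (predicate) types this verifier accepts.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
KNOWN_PREDICATE_TYPES = frozenset({
    "https://slsa.dev/provenance/v1",
    "https://docs.pypi.org/attestations/publish/v1",
})
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
_SHA256_HEX = re.compile(r"[0-9a-f]{64}")


class StatementError(ValueError):
    """Raised when the enveloped statement does not describe the distribution."""


@dataclass(frozen=True)
class Dist:
    """Filename plus pre-computed SHA-256 hex digest (hypothetical stand-in for Distribution).

    Holding only the digest lets a caller hash the file once and verify many
    attestations without further I/O.
    """
    name: str
    sha256: str

    @classmethod
    def from_bytes(cls, name: str, data: bytes) -> "Dist":
        return cls(name, hashlib.sha256(data).hexdigest())


def check_statement(envelope: dict[str, Any], dist: Dist) -> tuple[str, Optional[dict[str, Any]]]:
    """Validate the DSSE-enveloped statement against `dist`; returns (predicateType, predicate).

    Models only the checks that follow signature verification: the signature over
    envelope["payload"] is assumed to have been verified already.
    """
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise StatementError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    try:
        # validate=True: reject stray characters instead of silently dropping them.
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, TypeError, ValueError, binascii.Error) as exc:
        raise StatementError(f"malformed payload: {exc}") from exc
    if not isinstance(statement, dict) or statement.get("_type") != STATEMENT_TYPE:
        raise StatementError("payload is not an in-toto v1 statement")
    predicate_type = statement.get("predicateType")
    if predicate_type not in KNOWN_PREDICATE_TYPES:
        raise StatementError(f"unknown attestation type {predicate_type!r}")
    subjects = statement.get("subject")
    if not isinstance(subjects, list) or len(subjects) != 1:
        raise StatementError("statement must have exactly one subject")
    subject = subjects[0]
    if subject.get("name") != dist.name:
        raise StatementError(f"subject {subject.get('name')!r} is not {dist.name!r}")
    digest = (subject.get("digest") or {}).get("sha256", "")
    if not isinstance(digest, str) or not _SHA256_HEX.fullmatch(digest.lower()):
        raise StatementError("subject lacks a sha256 digest")
    if not hmac.compare_digest(digest.lower(), dist.sha256.lower()):
        raise StatementError("subject digest does not match the distribution")
    return predicate_type, statement.get("predicate")


def rejects(envelope: dict[str, Any], dist: Dist) -> bool:
    """True if check_statement() refuses `envelope` for `dist`."""
    try:
        check_statement(envelope, dist)
    except StatementError:
        return True
    return False


def make_envelope(dist: Dist, predicate_type: str,
                  predicate: Optional[dict[str, Any]] = None) -> dict[str, Any]:
    """Build an unsigned DSSE envelope around a statement for `dist` (constructed test input)."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": dist.name, "digest": {"sha256": dist.sha256}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode("ascii"),
        "signatures": [],  # signing is out of scope for this example
    }


# Constructed sample: a filename in wheel form and placeholder bytes, not a real archive.
SAMPLE_WHEEL_NAME = "example_pkg-1.0.0-py3-none-any.whl"
SAMPLE_WHEEL = b"PK\x03\x04" + b"constructed placeholder, not a real archive"

if __name__ == "__main__":
    dist = Dist.from_bytes(SAMPLE_WHEEL_NAME, SAMPLE_WHEEL)
    env = make_envelope(dist, "https://docs.pypi.org/attestations/publish/v1")
    print(check_statement(env, dist))
    print("tampered rejected:", rejects(env, Dist.from_bytes(SAMPLE_WHEEL_NAME, SAMPLE_WHEEL + b"\x00")))
```

The order matters in practice: a verifier that returns the predicate before checking the predicate type hands callers a dictionary whose schema they cannot trust, and one that checks the digest but not the subject name will accept an attestation for a same-content file published under a different filename.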

Fixed

  • Attestation.sign now only returns AttestationError when failing to sign a distribution file (#28)

Added

  • The python -m pypi_attestations CLI has been added. This CLI is primarily intended for local development, and not for external use. Its flags and commands are not subject to stabilization unless explicitly documented in a future release (#22)

Changed

  • The name of this project is now pypi-attestations, renamed from pypi-attestation-models (#25)

  • The model conversion functions have been moved into the Attestation class (#24)

0.0.5 - 2024-06-20

Added

  • Attestation.verify now returns the inner statement's predicate components (#20)

0.0.4 - 2024-06-11

Changed

  • Switch to in-toto statements (#18)

0.0.3 - 2024-06-10

  • No functional changes.

0.0.2 - 2024-05-16

Changed

  • Update sigstore to 3.0.0

0.0.1 - 2024-05-15

Added

  • Initial implementation