v1.1.4

What's Changed

• Update rekor-tiles version path in #531
• Bump production Sigstore TUF root to latest in #537
• Bump staging Sigstore TUF root to latest in #538
• Bump deps for sigstore libraries in #543

Full Changelog: v1.1.3...v1.1.4

v1.1.3

What's Changed

• Set user agent for TUF and Rekor v2 clients in #525

Full Changelog: v1.1.2...v1.1.3

v1.1.2

What's Changed

• Allow no timestamps to be provided when verifying a key in #510
• Support other key algorithms for Rekor v2 in #520

Full Changelog: v1.1.1...v1.1.2

v1.1.1

What's Changed

• Make conformance compatible with rekor v2 in #505
• Update GetSigningConfig to use signing_config.v0.2.json in #506
• Refactor SelectService to return Service rather than URL, add supported API versions in #503
• Remove noisy log message in #507

Full Changelog: v1.1.0...v1.1.1

v1.1.0

sigstore-go v1.1.0 introduces support for Rekor v2, a redesigned and modernized transparency log that's cheaper to operate, easier to scale, and simpler to maintain.

What's Changed

• Error Wrapping in TUF by @lukehinds in #482
• Avoid naked errors from other modules by @kommendorkapten in #484
• Added a parameter to the TUF options for live refresh. by @kommendorkapten in #485
• Add end to end tests by @cmurphy in #489
• Fail SigstoreTimestampingAuthority Verify early with nil Root by @dmitris in #490
• Add support for Rekor V2 for signing and verification by @cmurphy in #481
• Allow public keys to sign hashedrekord by @cmurphy in #497
• Add support for operator in SigningConfig by @haydentherapper in #494
• Add MarshalJSON to SigningConfig, fix marshaling bug by @haydentherapper in #498
• Select highest API version for SigningConfig services always by @haydentherapper in #499

Full Changelog: v1.0.0...v1.1.0

v1.0.0

We're very excited to release sigstore-go 1.0! View the blog post announcing this release for more details.

This release should contain the last set of breaking changes until version 2.0, including a few renames (such as SignedEntityVerifier -> Verifier and VerifyTimestampAuthority -> VerifySignedTimestamp). We are excited to begin a new phase of simple, stable APIs!

What's Changed

• Prevent duplicate timestamps from same TSA by @codysoyland in #472
• Update theupdateframework/go-tuf to v2.1.0 and copy in unexported repo type from theupdateframework/go-tuf/examples/repository directory by @malancas in #474
• Add verification errors to output of VerifyTimestampAuthority by @codysoyland in #473
• Use repository.Type from go-tuf in tests by @codysoyland in #475
• Rename and deprecate SignedEntityVerifier in favor of Verifier by @codysoyland in #476
• Deprecate and rename VerifyTimestampAuthority/VerifyArtifactTransparencyLog by @codysoyland in #477
• Update README for 1.0.0 release by @codysoyland in #480

Full Changelog: v0.7.3...v1.0.0

v0.7.3

Note: v0.7.3 will likely be the last release before v1.0.

What's Changed

• Add context to Rekor interactions in signer by @codysoyland in #461
• Use default Verifier for the public key contained in a certificate (closes #74) by @ret2libc in #424
• Select highest API version with multiple SigningConfig services by @haydentherapper in #459
• Fix SigningConfig ValidFor when dates are missing by @jku in #465
• correct error on unsupported TrustedRoot media type by @dmitris in #466
• Signing example improvements by @jku in #458
• Disable TUF timestamping when TUF cache disabled by @codysoyland in #470

Full Changelog: v0.7.2...v0.7.3

v0.7.2

What's Changed

• don't return error if logIndex is 0 by @bobcallaway in #452

Full Changelog: v0.7.1...v0.7.2

v0.7.1

What's Changed

• Remove installable commands by @codysoyland in #398
• Improve URLToPath by @codysoyland in #408
• expand examples documentation by @dmitris in #412
• Update staging TUF root to latest by @haydentherapper in #415
• Update TUF root to latest v12 by @haydentherapper in #414
• Support for multi-subject attestations using different hash algorithms by @codysoyland in #361
• Simplify multihasher using multiwriter by @codysoyland in #422
• pkg/root: fix typo in nolint annotation by @ret2libc in #433
• Update Keypair.SignData with context param by @bdehamer in #427
• Implement support for SigningConfig v0.2 by @haydentherapper in #434
• Add support for verifying multiple artifacts by @malancas in #431
• Fix lint errors, standardize policy language by @haydentherapper in #436
• added public key check for SCTs by @Horiodino in #428
• Added a new function to create a live trusted root from any target. by @kommendorkapten in #441
• root: Fix trusted root creation with ed25519 keys by @jku in #448

Full Changelog: v0.7.0...v0.7.1

v0.7.0

Breaking Changes

• Removed WithOnlineVerification() configuration option, and online argument to VerifyArtifactTransparencyLog() by @steiza in #344
• Add interface types for TimestampingAuthority and CertificateAuthority by @codysoyland in #300
• Simplify HasPublicKey interface method by @codysoyland in #348
• Rename GetCertificate to Certificate by @codysoyland in #349
• Verify certificate validity with only current time, bump conformance tests by @haydentherapper in #277

What's Changed

• Include URI for CA verified timestamps by @cmurphy in #270
• Add Windows to README as tested platform by @steiza in #299
• Check if entry has inclusion proof rather than entity by @adityasaky in #310
• Allow parsing of certificates from Fulcio if ctlog is disabled by @codysoyland in #288
• feat: add unit test for online tlog verification by @vishal-chdhry in #296
• update sigstore dependencies for oci-image-verification example by @dmitris in #319
• Update oci-image-verification.md by @dmitris in #320
• expand oci-image-verification example for private infra by @dmitris in #321
• Update BaseSignedEntity interface implementation by @cmurphy in #333
• ci: address zizmor's findings by @woodruffw in #336
• Adds a check to ensure SCT time is while a CT log key was valid by @steiza in #350
• Update staging TUF root to latest by @haydentherapper in #354
• Update prod TUF root to v10 by @haydentherapper in #353
• Opt into Actions CodeQL public preview by @steiza in #362
• Refactor DoS limits to separate func by @codysoyland in #364
• Fix intoto unmarshal by @codysoyland in #366
• Add custom-certificate-validator example by @codysoyland in #351
• Add support for SigningConfig by @haydentherapper in #367
• Bump conformance to latest version by @haydentherapper in #377
• Support additional SigningConfig configurations by @haydentherapper in #379
• Use multi-directory configuration for dependabot by @codysoyland in #380
• Use glob support for directories key by @codysoyland in #383
• chore: relax go directive to permit 1.22.x by @dnwe in #384
• docs: minor edits to docs by @trishankatdatadog in #370

New Contributors

• @dmitris made their first contribution in #319
• @woodruffw made their first contribution in #336
• @dnwe made their first contribution in #384
• @trishankatdatadog made their first contribution in #370

Full Changelog: v0.6.2...v0.7.0