From 1e3f93e5a56f9ea45150a7efad1e54ecd998ff9f Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 4 Feb 2024 09:41:45 +0100
Subject: [PATCH 1/8] rekor/checkpoint: handle missing ancillary data (#891)
Signed-off-by: William Woodruff
---
sigstore/_internal/rekor/checkpoint.py | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/sigstore/_internal/rekor/checkpoint.py b/sigstore/_internal/rekor/checkpoint.py
index 177b9e2cf..3c1300544 100644
--- a/sigstore/_internal/rekor/checkpoint.py
+++ b/sigstore/_internal/rekor/checkpoint.py
@@ -58,7 +58,7 @@ class LogCheckpoint(BaseModel):
- an origin, e.g. "rekor.sigstage.dev - 8050909264565447525"
- the size of the log,
- the hash of the log,
- - and any ancillary contants, e.g. "Timestamp: 1679349379012118479"
+ - and any optional ancillary contants, e.g. "Timestamp: 1679349379012118479"
See:
"""
@@ -75,7 +75,7 @@ def from_text(cls, text: str) -> LogCheckpoint:
"""
lines = text.strip().split("\n")
- if len(lines) < 4:
+ if len(lines) < 3:
raise CheckpointError("Malformed LogCheckpoint: too few items in header!")
origin = lines[0]
@@ -99,12 +99,7 @@ def to_text(self) -> str:
See class definition for a prose description of the format.
"""
return "\n".join(
- [
- self.origin,
- str(self.log_size),
- self.log_hash,
- ]
- + self.other_content
+ [self.origin, str(self.log_size), self.log_hash, *self.other_content]
)
From aa9533423a7f392bd0809551b1e8b88c821360c3 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 4 Feb 2024 11:10:53 +0100
Subject: [PATCH 2/8] ci: run on series/* branches
Signed-off-by: William Woodruff
---
.github/workflows/ci.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e8994983a..cac29ca81 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
push:
branches:
- main
+ - series/*
pull_request:
schedule:
- cron: '0 12 * * *'
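Review bot: The rewritten docstring line in the first hunk of checkpoint.py carries over the pre-existing typo `contants`, so the new side still reads `- and any optional ancillary contants, e.g. "Timestamp: 1679349379012118479"`. Since this line is already being edited, it should become `- and any optional ancillary constants, e.g. "Timestamp: 1679349379012118479"`, which is the only prose description of the format that `from_text` enforces. The `See:` line that follows shows no target in this rendering, which may be an extraction artefact rather than an omission in the file. The enclosing class LogCheckpoint begins before the hunk and continues after it.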
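Review bot: Relaxing the guard to `if len(lines) < 3:` makes a body consisting of only origin, size and hash valid, but none of the eight patches in this series adds a test for that shape, and this patch's diffstat touches only checkpoint.py. A regression test should pin that a three-line checkpoint parses with empty `other_content` and that `to_text` reproduces the same three lines, since that is presumably the input the old `< 4` bound rejected. How the remaining lines are consumed, and whether `other_content` tolerates an empty tail, is outside the hunk and cannot be confirmed from this view. `from_text` begins before the hunk and ends after it.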
From f99055fdad4ea1de8953b8f2c2cdcb93f00d11d6 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 4 Feb 2024 11:16:25 +0100
Subject: [PATCH 3/8] CHANGELOG: record changes for 2.1.1
Signed-off-by: William Woodruff
---
CHANGELOG.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e20cafa43..cb70e7dde 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,13 @@ All versions prior to 0.9.0 are untracked.
## [Unreleased]
+## [2.1.1]
+
+### Fixed
+
+* Fixed an incorrect assumption about Rekor checkpoints that future releases
+ of Rekor will not uphold ([#891](https://github.com/sigstore/sigstore-python/pull/891))
+
## [2.1.0]
### Added
From ee08464f83131bdfb79cd69824aeed5bd0663f4c Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 4 Feb 2024 11:21:29 +0100
Subject: [PATCH 4/8] sigstore: prep 2.1.2
Signed-off-by: William Woodruff
---
sigstore/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sigstore/__init__.py b/sigstore/__init__.py
index c84c0679e..49a5d87e8 100644
--- a/sigstore/__init__.py
+++ b/sigstore/__init__.py
@@ -25,4 +25,4 @@ * `sigstore.sign`: creation of Sigstore signatures
"""
-__version__ = "2.1.0"
+__version__ = "2.1.2"
From 332f6d2e99a197616decd020163a5a9a53ab7f83 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 4 Feb 2024 11:22:29 +0100
Subject: [PATCH 5/8] CHANGELOG: 2.1.2
Signed-off-by: William Woodruff
---
CHANGELOG.md | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cb70e7dde..c65afeabd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ All versions prior to 0.9.0 are untracked.
## [Unreleased]
+## [2.1.2]
+
+This is a corrective release for [2.1.1].
+
## [2.1.1]
### Fixed
@@ -304,7 +308,9 @@ All versions prior to 0.9.0 are untracked.
([#351](https://github.com/sigstore/sigstore-python/pull/351))
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.0...HEAD
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.2...HEAD
+[2.1.2]: https://github.com/sigstore/sigstore-python/compare/v2.1.1...v2.1.2
+[2.1.1]: https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.1
[2.1.0]: https://github.com/sigstore/sigstore-python/compare/v2.0.1...v2.1.0
[2.0.1]: https://github.com/sigstore/sigstore-python/compare/v2.0.0...v2.0.1
[2.0.0]: https://github.com/sigstore/sigstore-python/compare/v1.1.2...v2.0.0
From 3c042244aaa1b69d7a868fed02ca57076c4721de Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 19 Mar 2024 13:25:32 -0400
Subject: [PATCH 6/8] pyproject: bump protobuf specs (#943)
* pyproject: bump protobuf specs
Signed-off-by: William Woodruff
* pyproject: loosen constraint
Signed-off-by: William Woodruff
* CHANGELOG: record change
Signed-off-by: William Woodruff
* CHANGELOG: prep 2.1.3
Signed-off-by: William Woodruff
* sigstore: 2.1.3
Signed-off-by: William Woodruff
---------
Signed-off-by: William Woodruff
---
CHANGELOG.md | 11 ++++++++++-
pyproject.toml | 2 +-
sigstore/__init__.py | 2 +-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c65afeabd..e5e5ce461 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,14 @@ All versions prior to 0.9.0 are untracked.
## [Unreleased]
+## [2.1.3]
+
+## Fixed
+
+* Loosened a version constraint on the `sigstore-protobuf-specs` dependency,
+ to ease use in testing environments
+ ([#943](https://github.com/sigstore/sigstore-python/pull/943))
+
## [2.1.2]
This is a corrective release for [2.1.1].
@@ -308,7 +316,8 @@ This is a corrective release for [2.1.1].
([#351](https://github.com/sigstore/sigstore-python/pull/351))
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.2...HEAD
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.3...HEAD
+[2.1.3]: https://github.com/sigstore/sigstore-python/compare/v2.1.2...v2.1.3
[2.1.2]: https://github.com/sigstore/sigstore-python/compare/v2.1.1...v2.1.2
[2.1.1]: https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.1
[2.1.0]: https://github.com/sigstore/sigstore-python/compare/v2.0.1...v2.1.0
diff --git a/pyproject.toml b/pyproject.toml
index da614bcf0..cfcc032d1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -35,7 +35,7 @@ dependencies = [
"requests",
"rich ~= 13.0",
"securesystemslib",
- "sigstore-protobuf-specs ~= 0.2.2",
+ "sigstore-protobuf-specs >= 0.2.2, < 0.4",
# NOTE(ww): Under active development, so strictly pinned.
"sigstore-rekor-types == 0.0.11",
"tuf >= 2.1,< 4.0",
diff --git a/sigstore/__init__.py b/sigstore/__init__.py
index 49a5d87e8..310410425 100644
--- a/sigstore/__init__.py
+++ b/sigstore/__init__.py
@@ -25,4 +25,4 @@ * `sigstore.sign`: creation of Sigstore signatures
"""
-__version__ = "2.1.2"
+__version__ = "2.1.3"
From 2edc752c231ed2c41e924886ddd7c8bce4fd9ed4 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 5 Apr 2024 17:03:34 +0300
Subject: [PATCH 7/8] Prepare 2.1.4 release (#961)
---
CHANGELOG.md | 9 ++++++++-
pyproject.toml | 2 +-
sigstore/__init__.py | 2 +-
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e5e5ce461..ad7425fca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,12 @@ All versions prior to 0.9.0 are untracked.
## [Unreleased]
+## [2.1.4]
+
+## Fixed
+
+* Pinned `securesystemslib` dependency strictly to prevent future breakage
+
## [2.1.3]
## Fixed
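Review bot: The loosened line `"sigstore-protobuf-specs >= 0.2.2, < 0.4",` in the pyproject.toml hunk now admits the 0.3.x line of a pre-1.0 package, and the `# NOTE(ww): Under active development, so strictly pinned.` comment directly beneath it now reads as though it governed this entry rather than the `sigstore-rekor-types == 0.0.11` pin it actually precedes. A one-line comment on the loosened entry, e.g. `# NOTE: 0.2.x and 0.3.x both accepted; widened in #943 for test environments`, would keep the two pinning policies distinguishable for the next maintainer. Whether the 0.3.x releases are API-compatible with this release line cannot be judged from the hunk. The `dependencies` list begins before the hunk and ends after it.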
@@ -316,7 +322,8 @@ This is a corrective release for [2.1.1].
([#351](https://github.com/sigstore/sigstore-python/pull/351))
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.3...HEAD
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.4...HEAD
+[2.1.4]: https://github.com/sigstore/sigstore-python/compare/v2.1.3...v2.1.4
[2.1.3]: https://github.com/sigstore/sigstore-python/compare/v2.1.2...v2.1.3
[2.1.2]: https://github.com/sigstore/sigstore-python/compare/v2.1.1...v2.1.2
[2.1.1]: https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.1
diff --git a/pyproject.toml b/pyproject.toml
index cfcc032d1..12bc1af42 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -34,7 +34,7 @@ dependencies = [
"pyOpenSSL >= 23.0.0",
"requests",
"rich ~= 13.0",
- "securesystemslib",
+ "securesystemslib < 0.32.0",
"sigstore-protobuf-specs >= 0.2.2, < 0.4",
# NOTE(ww): Under active development, so strictly pinned.
"sigstore-rekor-types == 0.0.11",
diff --git a/sigstore/__init__.py b/sigstore/__init__.py
index 310410425..a3327fed4 100644
--- a/sigstore/__init__.py
+++ b/sigstore/__init__.py
@@ -25,4 +25,4 @@ * `sigstore.sign`: creation of Sigstore signatures
"""
-__version__ = "2.1.3"
+__version__ = "2.1.4"
From 8e365d752bb51f8cb8e6244f85c90bc838ceee58 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Mon, 8 Apr 2024 17:21:46 +0300
Subject: [PATCH 8/8] Backport slsa upgrade (#963)
* Backport b32ad1bd: Bump slsa-github-generator upgrade
* Prepare 2.1.5 release
Signed-off-by: Jussi Kukkonen
---
.github/workflows/release.yml | 2 +-
CHANGELOG.md | 9 ++++++++-
sigstore/__init__.py | 2 +-
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3028fd55b..7d93a6f54 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
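Review bot: The new entry `"securesystemslib < 0.32.0",` in the pyproject.toml hunk sets only an upper bound, so a resolver may still select an arbitrarily old release, while the CHANGELOG entry added in the same patch describes the dependency as pinned strictly. If a strict pin is the intent, the line should also carry a lower bound, e.g. `"securesystemslib >= <LOWEST-TESTED-VERSION>, < 0.32.0",` with the placeholder replaced by the oldest version CI actually exercises. A short comment on why 0.32.0 is excluded would also tell the next maintainer when the cap can be lifted. The `dependencies` list begins before the hunk and ends after it.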
@@ -105,7 +105,7 @@ jobs:
contents: write # To add assets to a release.
# Currently this action needs to be referred by tag. More details at:
# https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
provenance-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
base64-subjects: "${{ needs.build.outputs.hashes }}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad7425fca..b61ba735a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,12 @@ All versions prior to 0.9.0 are untracked.
## [Unreleased]
+## [2.1.5]
+
+## Fixed
+
+* Backported b32ad1bd (slsa-github-generator upgrade) to make release possible
+
## [2.1.4]
## Fixed
@@ -322,7 +328,8 @@ This is a corrective release for [2.1.1].
([#351](https://github.com/sigstore/sigstore-python/pull/351))
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.4...HEAD
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v2.1.5...HEAD
+[2.1.5]: https://github.com/sigstore/sigstore-python/compare/v2.1.4...v2.1.5
[2.1.4]: https://github.com/sigstore/sigstore-python/compare/v2.1.3...v2.1.4
[2.1.3]: https://github.com/sigstore/sigstore-python/compare/v2.1.2...v2.1.3
[2.1.2]: https://github.com/sigstore/sigstore-python/compare/v2.1.1...v2.1.2
diff --git a/sigstore/__init__.py b/sigstore/__init__.py
index a3327fed4..67697bef0 100644
--- a/sigstore/__init__.py
+++ b/sigstore/__init__.py
@@ -25,4 +25,4 @@ * `sigstore.sign`: creation of Sigstore signatures
"""
-__version__ = "2.1.4"
+__version__ = "2.1.5"