prep 3.3.0 #1129

facutuesca · 2024-09-18T13:05:16Z

Release 3.3.0

Changelog:

CLI: The sigstore verify command now outputs the inner in-toto statement
when verifying DSSE envelopes. If verification is successful, the output
will be the inner in-toto statement. This allows the user to see the
statement's predicate, which sigstore-python does not verify and should be
verified by the user.
CLI: The sigstore attest subcommand has been added. This command is
similar to cosign attest in that it signs over an artifact and a
predicate using a DSSE envelope. This commands requires the user to pass
a path to the file containing the predicate, and the predicate type.
Currently only the SLSA Provenance v0.2 and v1.0 types are supported.
CLI: The sigstore verify command now supports verifying digests. This means
that the user can now pass a digest like sha256:aaaa.... instead of the
path to an artifact, and sigstore-python will verify it as if it was the
artifact with that digest.

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

di · 2024-09-18T14:58:33Z

/gcbrun

woodruffw

woodruffw · 2024-09-18T15:03:00Z

prep 3.3.0

816ceac

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

di approved these changes Sep 18, 2024

View reviewed changes

woodruffw approved these changes Sep 18, 2024

View reviewed changes

woodruffw merged commit 343cbbf into sigstore:main Sep 18, 2024
25 checks passed

woodruffw deleted the prep-3.3.0 branch September 18, 2024 15:00

Provide feedback