Skip to content

Releases: secure-systems-lab/securesystemslib

v1.2.0

03 Dec 09:32
8b258c2
Compare
Choose a tag to compare

See CHANGELOG.md for details.

v1.1.0

04 Jun 12:02
c70d7be
Compare
Choose a tag to compare

See CHANGELOG.md for details.

v1.0.0

02 May 10:56
v1.0.0
1092ac6
Compare
Choose a tag to compare

See CHANGELOG.md for details.

v0.31.0

04 Dec 08:55
v0.31.0
cc0ead6
Compare
Choose a tag to compare

See CHANGELOG.md for details.

0.30.0

03 Oct 10:56
@jku jku
fe0cf39
Compare
Choose a tag to compare

This release contains improved Sigstore support.

Changed

  • SigstoreSigner adapted to sigstore-python 2.0 API: This allows
    improved UX where a new signing identity can be defined using
    interactive credentials (browser login):
    SigstoreSigner.import_via_auth()
  • Documentation improvements

Removed

  • Python 3.7 is no longer supported

0.29.0

06 Sep 11:36
@jku jku
03f4ad8
Compare
Choose a tag to compare

This release is reaping the rewards of the new signer API with four(!) new
signing methods: Two cloud based KMSs, post-quantum crypto support and a
"keyless" signing system.

Advance notice to folks using the keys, ecdsa_keys, rsa_keys and
ed25519_keys modules: these modules are headed for deprecation. Please have
a look at the signer API and get in touch if the functionality you need
isn't there (or if more documentation is needed).

Added

  • Sigstore as a new experimental signing method (#552)
  • SPHINCS+ as a new experimental signing method (#568)
  • Azure Key Vault as a new signing method (#588)
  • AWS KMS as a new signing method (#609)
  • CryptoSigner as a more featureful replacement for SSLibSigner (#604)
  • Documentation that focuses on the signer API (#634, #622)

Changed

  • SSLibSigner has been deprecated: Please use CryptoSigner instead (#604)
  • keys module is not used for signature verification in signer API (#585)
  • Various minor fixes, please see git log for details

New Contributors

Full Changelog: v0.28.0...v0.29.0

v0.28.0

18 Apr 13:05
v0.28.0
88a3df2
Compare
Choose a tag to compare

Added

  • Signer: auto-keyid helper (#557)
  • Signer: de/serialization helpers (#558)
  • Signer: tests (#555, #556)
  • Sigstore Signer: import methods (#535)

Changed

  • HSMSigner: pre-hash data (#548)
  • GCP Signer, HSM Signer: auto-keyid computation (#557)
  • DSSE: serialize signature data as base64 for compliance (#565)

Removed

  • Obsolete shebangs (#544, #545)
  • Outdated schemes: md5, sha1 (#554)

Fixed

v0.27.0

14 Mar 15:06
v0.27.0
a22cbba
Compare
Choose a tag to compare

Added

  • EXPERIMENTAL DSSE implementation (#487)
  • EXPERIMENTAL sigstore signer and verifier (#522)
  • Minimal TUF/in-toto spec-compliant GPG verifier (#488)
  • API-typical 'import' and 'from URI' GPG signer methods (#488)

Changed

  • Require public key in GPG signer and disallow subkey signatures (#488)
  • Increase GPG subprocess timeout (#502)
  • Rename default branch to 'main' (#523)
  • Make HSM signer URI configurable (#526)
  • Allow tox to skip virtual HSM tests (#528)
  • Strip PEM keys to compute keyids consistently (#453)

Removed

  • Internal GPG version utils (#504)
  • Custom subprocess interface (#505)
  • Vendored ssl module (#506)

Fixed

  • Windows compatibility issues and re-enable Windows CI (#518)
  • GPG subprocess timeout configurability (#502)

v0.26.0

13 Jan 11:31
v0.26.0
fe86ea1
Compare
Choose a tag to compare

Added

  • Private key URI schemes for signer instantiation (#456)
  • Public key container class for signature verification (#456)
  • Post-quantum sphincs+ signing scheme (#427)
  • Hardware Security Module (HSM) signing (#472)
  • Google Cloud KMS signing (#442, #480)

Changed

  • Use pyproject.toml for build configuration (#253)
  • Use hatchling as build backend (#484)
  • Auto-format and lint all code (#439, #490)
  • Various CI and build improvements (#459, #460, #476, #493, #464)

Removed

  • Drop colorama optional dependency and colorized output support (#443)

Fixed

  • Don't shell out to gpg on import (#437)
  • Fix metaclass definition (#473)
  • Make GPGSigner signatures specification compliant (#486)

v0.25.0

18 Oct 12:15
v0.25.0
7ae6c54
Compare
Choose a tag to compare

Changed

  • Do not use max salt lengths in RSA PSS signature creation (#436)
  • Restrict read and write access for new private keys (#231)
  • Replaced deprecated distutils.version.StrictVersion (#433)
  • Bumped dependencies: cryptography (#435)

Fixed

  • GPG availability check in tests (#434)