v3.3.0

@woodruffw woodruffw released this 18 Sep 15:02
· 74 commits to main since this release
343cbbf

Added

  • CLI: The sigstore verify command now outputs the inner in-toto statement
    when verifying DSSE envelopes. If verification is successful, the output
    will be the inner in-toto statement. This allows the user to see the
    statement's predicate, which sigstore-python does not verify; the user
    should verify it themselves.

  • CLI: The sigstore attest subcommand has been added. This command is
    similar to cosign attest in that it signs over an artifact and a
    predicate using a DSSE envelope. This command requires the user to pass
    a path to the file containing the predicate, and the predicate type.
    Currently only the SLSA Provenance v0.2 and v1.0 types are supported.

  • CLI: The sigstore verify command now supports verifying digests. This means
    that the user can now pass a digest like sha256:aaaa.... instead of the
    path to an artifact, and sigstore-python will verify it as if it was the
    artifact with that digest.
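
Because the predicate is left to the user, a policy check on the emitted statement is the natural next step after a successful verify. The following is an added example, not part of sigstore-python or these release notes: it assumes the statement has been captured as JSON text, and the function name, the trusted-builder allowlist and the sample statement are all hypothetical.

```python
import json

# SLSA Provenance predicate types (the v0.2 and v1.0 types the notes mention).
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def check_statement(raw, expected_digest, trusted_builders):
    """Apply a local policy to an in-toto statement (hypothetical helper).

    raw: JSON text of the statement; expected_digest: "sha256:<hex>";
    trusted_builders: builder IDs the local policy accepts (an assumption).
    Returns the builder ID, or raises ValueError on any policy failure.
    """
    stmt = json.loads(raw)
    if not str(stmt.get("_type", "")).startswith("https://in-toto.io/Statement/"):
        raise ValueError("not an in-toto statement")

    # The statement must be about the artifact we actually care about.
    alg, _, hexdigest = expected_digest.partition(":")
    if not alg or not hexdigest:
        raise ValueError("expected digest must look like 'sha256:<hex>'")
    digests = [str(s.get("digest", {}).get(alg, "")).lower()
               for s in stmt.get("subject") or []]
    if hexdigest.lower() not in digests:
        raise ValueError("no subject matches the expected digest")

    # The builder ID lives in a different place in each SLSA version.
    predicate = stmt.get("predicate") or {}
    ptype = stmt.get("predicateType")
    if ptype == SLSA_V1:
        builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    elif ptype == SLSA_V02:
        builder = predicate.get("builder", {}).get("id")
    else:
        raise ValueError(f"unexpected predicateType: {ptype!r}")
    if builder not in trusted_builders:
        raise ValueError(f"untrusted builder: {builder!r}")
    return builder


# Constructed sample statement for illustration (not real tool output).
SAMPLE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg.tar.gz", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {"runDetails": {"builder": {"id": "https://builder.example/ci"}}},
})
```

Signature verification only establishes who signed the envelope; a check like this decides whether what they attested to is acceptable.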