Releases: in-toto/attestation
v1.1.0
The v1.1.0 minor release generalizes the semantics of the DigestSet field type to support any type of immutable identifier. This change is backwards compatible because cryptographic digests are strongly recommended to achieve immutability, so any implementations that only support cryptographic DigestSet still meet the modified semantics. The _type of a Statement is still https://in-toto.io/Statement/v1.
More details in the updated DigestSet spec.
v1.0.2
This patch release includes a new predicate type, updates to the predicate vetting process, and more thorough DigestSet validation in Go.
Go, Python and Java APIs are not considered stable before v1.1.
What's Changed
- Add Release Attestation by @steiza in #319
- Add common action items for the new predicate vetting process by @marcelamelara in #320
- Add ITE-9 predicate template by @adityasaky in #328
- Add DigestSet hex encoding validation by @marcelamelara in #330
New Contributors
Full Changelog: v1.0.1...v1.0.2
v1.0.1
This patch release includes documentation, predicate spec, and Go and Python API changes. This release also introduces new vetted predicates. Go, Python and Java APIs are not considered stable before v1.1.
What's Changed
- Update documentation: Add graphic to visualize relationships between layers by @dasiths in #166
- Add predicate specification for CycloneDX by @danbev in #129
- Remove extension fields from versioning.md by @TomHennen in #169
- Add predicate capturing results of test runs by @adityasaky in #152
- Move protos to their own directory for more consistency between different language bindings by @marcelamelara in #180
- Update SPDX predicate specification by @danbev in #187
- Update SCAI predicate to v0.2 by @marcelamelara in #170
- Link to existing predicates from predicate.md by @arewm in #195
- Autogenerate attestation libraries using protoc by @adityasaky in #192
- Update provenance.md to v1 by @trishankatdatadog in #197
- Add python bindings for protobufs by @chasen-bettinger in #172
- Enable python packaging by @adityasaky in #201
- Fix VSA dir structure and package name by @adityasaky in #204
- Add python bindings to docs by @marcelamelara in #202
- Add Java bindings by @adityasaky in #205
- Add link to SLSA/in-toto blog post by @adityasaky in #213
- Allow uses of ResourceDescriptor to require fields by @adityasaky in #211
- Use only major version for spec docs by @adityasaky in #214
- Define v0.3 of the link predicate by @adityasaky in #203
- Add governance doc by @adityasaky in #218
- Use ResourceDescriptor for statement subjects by @adityasaky in #212
- Minor typo and other fixes to SCAI predicate spec by @marcelamelara in #215
- Update Joshua's affiliation by @joshuagl in #221
- Require 'subject[*].name' to be unique for links by @adityasaky in #223
- Add Golang wrapper APIs and tests by @marcelamelara in #220
- Add proto for test result predicate by @adityasaky in #233
- Update the SLSA provenance predicate to v1 by @marcelamelara in #222
- Update supported protoc version in CI by @marcelamelara in #243
- Add SCAI predicate protobuf definition by @marcelamelara in #235
- Change annotations fields in ResourceDescriptor from objects to values by @joshuagl in #251
- fix(tests): fix go tests since #251 by @joshuagl in #259
- add missing trigger for push main branch in go-test workflow by @pxp928 in #260
- Use lower_camel_case consistently for fields in protobuf definitions by @joshuagl in #257
- Define annotations field type in ResourceDescriptor proto as Struct by @marcelamelara in #263
- Update Go tests by @adityasaky in #267
- Add Python validation APIs and unit tests by @marcelamelara in #227
- Add Go and Python bindings for SCAI predicate by @marcelamelara in #272
- vulnerability attestation: ITE-9 specification by @hectorj2f in #268
- Update vsa.md by @trishankatdatadog in #288
- Clarify specification on Bundle and Envelope media types by @marcelamelara in #283
- Add Go validator APIs for Provenance v1 predicate by @marcelamelara in #287
- in_toto_attestation/v1: fix type hints by @woodruffw in #301
- update vsa proto to v1 and update generated code by @pxp928 in #302
- Prepare python release v0.9.3 by @adityasaky in #310
- Python in CI/CD, add lintage and tests by @woodruffw in #306
- python: drop Python 3.7, run pyupgrade + isort rules by @woodruffw in #312
- update make-protos workflow to use newer version of protoc by @pxp928 in #309
New Contributors
- @dasiths made their first contribution in #166
- @danbev made their first contribution in #129
- @arewm made their first contribution in #195
- @trishankatdatadog made their first contribution in #197
- @chasen-bettinger made their first contribution in #172
- @hectorj2f made their first contribution in #268
- @woodruffw made their first contribution in #301
Full Changelog: v1.0...v1.0.1
v1.0.0
v1.0 Release
Our first major release introduces new primitives, basic tooling and guidelines for contributing new predicate types. We also made significant updates to the DigestSet type and extension fields.
What's New
- Guidelines for contributing new predicates
- Attestation Bundle layer: A collection of multiple attestations in a single file.
- Resource Descriptor type: A size-efficient description of any software artifact or resource (mutable or immutable).
- Protobuf definitions: Language-independent definitions of attestation Statement and select predicates.
- Golang library and example app
DISCLAIMER: The protobuf definitions and Golang bindings will not be considered stable until the v1.1 tagged release. Use at your own risk.
Updates
- Add dirHash1, gitCommit, gitTree, etc. to the list of pre-defined algorithms for DigestSet
- Specify lowercase-hex encoding for standard algorithms only
- Relax requirements for Statement subject name
- Updated rules for extension fields and unrecognized fields
- Documentation updates
New Predicate Types
Since v0.1, we have added three predicate types to our catalog. Please note that predicates are versioned independently from the in-toto attestation spec.
- Supply Chain Attribute Integrity (SCAI): Evidence-based assertions about software artifact and supply chain attributes or behavior.
- Runtime Traces: Captures runtime traces of software supply chain operations.
- SLSA Verification Summary (VSA): SLSA verification decision about a software artifact.
Thanks
Thank you to all contributors to this release!
Full Changelog: v0.1.0...v1.0