new post: Announcing sigstore-python 2.0 #45

Merged
merged 8 commits into from
Sep 29, 2023
100 changes: 100 additions & 0 deletions content/announcing-sigstore-python-20.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
+++
title = "Announcing sigstore-python 2.0"
date = "2023-09-29"
tags = ["sigstore", "python", "clients"]
draft = false
author = "William Woodruff (Trail of Bits), Dustin Ingram (Google)"
type = "post"
+++

We are delighted to announce the 2.0 release of [sigstore-python]!

```bash
$ python -m pip install sigstore
$ python -m sigstore --version
sigstore 2.0.0
```

This release has been in the works for a while, and contains a number
of significant improvements and breaking changes to both the `sigstore`
CLI and Python APIs.

Read on for a summary of our biggest changes, or check out our
[CHANGELOG] for additional details!

## CLI changes

* `sigstore verify` is **no longer** a backwards-compatible alias for
`sigstore verify identity`, as it was in the 1.x series. Users must now
invoke `sigstore verify identity` or `sigstore verify github` explicitly.

* Sigstore's [bundle format] is now preferred throughout the CLI, and is
the default input and output format! This means that
`sigstore sign secret.txt` and `sigstore verify identity secret.txt` will now
generate or verify `secret.txt.sigstore`, respectively.

* `sigstore sign` and `sigstore get-identity-token` now support the
`--oauth-force-oob` flag, providing a CLI option for the pre-existing
`SIGSTORE_OAUTH_FORCE_OOB` environment variable.

## API changes

Check out [our API documentation] for additional details, including
usage examples!

* sigstore-python's APIs have been significantly refactored to improve type
hygiene. In particular, the `IdentityToken` type has been stabilized and made
part of the public interface, replacing many sites where a raw OIDC token
was previously passed in.

* The `Signer` API is now two different APIs: `Signer` and `SigningContext`.
This change better reflects sigstore-python's interior lifetimes and
allows developers to reuse an ephemeral keypair across multiple inputs,
saving unnecessary network round-trips when signing multiple things!

* Bundle generation is now exposed as part of the public API:
`VerificationMaterials.to_bundle()` and `SigningResult.to_bundle()` can
now both be used to produce an interoperable Sigstore bundle.

## Project-level changes

* Our minimum Python version is now 3.8! This keeps us
consistent with the broader Python ecosystem, which has considered Python 3.7
[EOL since June 2023].

* We now interact with the public trust root a little
differently: it now assumes that the trust root contains a [trust bundle],
rather than falling back to the deprecated individual TUF targets.
Additionally, sigstore-python now comes with an initial baked-in
copy of the trust bundle, to ease bootstrapping (and offline verification).

## Up next

This 2.0 release of sigstore-python is filled with internal changes that
set us up for new public-facing features and enhancements, including
[support for Fulcio's newer claim formats],
["full" offline verification support], and [additional "plumbing" CLI routines]
for Sigstore power users.

Many thanks to everybody who contributed to the 2.0 release, with special
thanks to Alex Cameron (Trail of Bits), Maya Costantini (Red Hat),
Jussi Kukkonen (Google), Jack Leightcap (Trail of Bits), and Andrew Pan
(Trail of Bits) for their significant feature contributions!

[sigstore-python]: https://pypi.org/p/sigstore

[CHANGELOG]: https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md

[bundle format]: https://github.com/sigstore/protobuf-specs

[EOL since June 2023]: https://www.python.org/downloads/release/python-3717/

[our API documentation]: https://sigstore.github.io/sigstore-python/sigstore.html

[trust bundle]: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto

[support for Fulcio's newer claim formats]: https://github.com/sigstore/sigstore-python/issues/425

["full" offline verification support]: https://github.com/sigstore/sigstore-python/issues/483

[additional "plumbing" CLI routines]: https://github.com/sigstore/sigstore-python/issues/718
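Review bot: in the "Project-level changes" bullet about the public trust root, "it now assumes that the trust root contains a trust bundle" has no clear subject ("We now interact ... it now assumes"), and the sentence about the baked-in copy doesn't say whether that copy is still refreshed from the public TUF repository when the client is online. Since the same bullet mentions offline verification, readers may read the bundled copy as a permanent snapshot rather than a bootstrap, so the post should state which behaviour applies. Suggested wording: "sigstore-python now assumes that the trust root contains a [trust bundle] ... it also ships with an initial baked-in copy of the trust bundle to ease bootstrapping (and offline verification)", followed by one sentence on how and when that copy is updated.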