All notable changes to sigstore-java will be documented in this file.
The format is based on Keep a Changelog.
All versions prior to 1.0.0 are untracked.
- Update Sigstore TUF roots to v10 for staging and public-good #848
- TUF conformance tests for TUF client spec conformance #838
- Allow TUF updater to fetch meta without downloading targets #839
- Allow TUF targets and metadata to be stored and fetched separately #827
- Fix handling of TUF targets in subdirectories #853
- Fix TUF spec conformance for valid but duplicate signatures on a role #852
- Fix handling of rsa-pss and ed25519 signatures in TUF metadata https://github.com/sigstore/sigstore-java/pull/849/files
- Ensure log entries in sigstore bundles are entries that correspond to the verification material (signature, artifact, public-key) provided to the verifier. #856
- sigstore-java, sigstore-maven-plugin, dev.sigstore.sign (gradle) are now GA