7 Commits

Author SHA256 Message Date
3f7165a275 Accepting request 1329449 from home:nkrapp:branches:devel:languages:python
- Update to 4.2.0 (fixes CVE-2026-24408, bsc#1257303)
  * Add state validation to OIDC flow to prevent Cross-site request forgery
    during OIDC authorization (GHSA-hm8f-75xx-w2vr)
  * verification now ensures that artifact digest documented in bundle and the
    real digest match (this is a bundle consistency check: bundle signature was
    always verified over real digest)
  * Fix issue with Signed Certificate Timestamp parsing where extensions
    were not allowed by sigstore-python
  * Update supported public key algorithms
  * trust: Update embedded TUF root
  * Removed support for Python 3.9 as it is end-of-life
  * Removed unused nonce in OAuth flow
- drop fix-ecparam-testing.patch and nofail-neg-test.patch, merged upstream

OBS-URL: https://build.opensuse.org/request/show/1329449
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=15
2026-01-27 10:31:02 +00:00
d5127bb1c1 - remove sigstore-protobuf-specs:
  * replaced by sigstore-models

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=13
2025-11-10 08:19:36 +00:00
ba034649e3 - Add nofail-neg-test.patch to fix OpenSSL configuration on SUSE
  platforms (gh#sigstore/sigstore-python!1605).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=11
2025-11-07 21:48:43 +00:00
4777923552 - Add fix-ecparam-testing.patch patch to overcome a FTBFS bug
  (gh#sigstore/sigstore-python#1603).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=10
2025-11-06 09:44:57 +00:00
b0b98dd227 - Update to 4.1.0:
  - cli: Support using other Sigstore instances with --instance
    URL. New instances are trusted with new top level command
    trust-instance ROOTFILE. #1548
  - Added cryptography 46 to list of compatible cryptography
    releases (#1544)
  - Improved error message when verifying bundles with
    unsupported log entry versions (#1569)
  - cli: Always read/write UTF-8. This fixes an issue on Windows
    where the platform default encoding was used: the issue has
    existed for a while, but became more visible with signature
    bundles that contain rekor2 entries. #1553
- Update to 4.0.0:
  This is a major release with a host of API and functionality
  changes. The major new feature is Rekor v2 support but many
  other changes are also included, see list below.
  - cli: Add --rekor-version to sign command arguments: This
    can be useful if Sigstore instance provides multiple Rekor
    versions and user wants to override the default choice #1471
  - cli: Support parallel signing. When multiple artifacts are
    signed, the Rekor requests are submitted in parallel: this is
    especially useful with Rekor v2. #1468, #1478, #1485
  - oidc (API): Allow custom audience claims via API #1402
  - rekor (API): Support Rekor v2 (aka rekor-tiles) in both
    verification and signing. #1370, #1422, #1432
  - trust (API): Make TrustedRoot, SigningConfig and
    ClientTrustConfig public API #1496
  - cli: Improve verify UX when wrong instance is used #1510
  - deps: replace sigstore_protobuf_specs dependency with
    sigstore-models #1470

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=5
2025-11-04 22:19:48 +00:00
08765259e3 - Update to 3.6.2:
  * Fixed issue where a trust root with multiple rekor keys was not considered
    valid.
  * Upgraded python-tuf dependency to 6.0.
  * Updated the embedded TUF root to version 12

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=3
2025-04-16 01:49:16 +00:00
0ed52003da Accepting request 1239273 from home:dgarcia:branches:security
New package python-sigstore

OBS-URL: https://build.opensuse.org/request/show/1239273
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-sigstore?expand=0&rev=1
2025-01-21 14:26:28 +00:00