v1.3.0

See CHANGELOG.md for details.

v1.2.0

See CHANGELOG.md for details.

v1.1.0

See CHANGELOG.md for details.

v1.0.0

See CHANGELOG.md for details.

v0.31.0

See CHANGELOG.md for details.

0.30.0

This release contains improved Sigstore support.

Changed

• SigstoreSigner adapted to sigstore-python 2.0 API: This allows
  improved UX where a new signing identity can be defined using
  interactive credentials (browser login):
  SigstoreSigner.import_via_auth()
• Documentation improvements

Removed

• Python 3.7 is no longer supported

0.29.0

This release is reaping the rewards of the new signer API with four(!) new
signing methods: Two cloud based KMSs, post-quantum crypto support and a
"keyless" signing system.

Advance notice to folks using the keys, ecdsa_keys, rsa_keys and
ed25519_keys modules: these modules are headed for deprecation. Please have
a look at the signer API and get in touch if the functionality you need
isn't there (or if more documentation is needed).

Added

• Sigstore as a new experimental signing method (#552)
• SPHINCS+ as a new experimental signing method (#568)
• Azure Key Vault as a new signing method (#588)
• AWS KMS as a new signing method (#609)
• CryptoSigner as a more featureful replacement for SSLibSigner (#604)
• Documentation that focuses on the signer API (#634, #622)

Changed

• SSLibSigner has been deprecated: Please use CryptoSigner instead (#604)
• keys module is not used for signature verification in signer API (#585)
• Various minor fixes, please see git log for details

New Contributors

• @malancas made their first contribution in #588
• @kommendorkapten made their first contribution in #597
• @ianhundere made their first contribution in #609

Full Changelog: v0.28.0...v0.29.0

v0.28.0

Added

• Signer: auto-keyid helper (#557)
• Signer: de/serialization helpers (#558)
• Signer: tests (#555, #556)
• Sigstore Signer: import methods (#535)

Changed

• HSMSigner: pre-hash data (#548)
• GCP Signer, HSM Signer: auto-keyid computation (#557)
• DSSE: serialize signature data as base64 for compliance (#565)

Removed

• Obsolete shebangs (#544, #545)
• Outdated schemes: md5, sha1 (#554)

Fixed

• Various test and CI fixes (#538, #541, #542, #543, #546)
• Minor SSlibKey.verify_signature error handling bug (#556)

v0.27.0

Added

• EXPERIMENTAL DSSE implementation (#487)
• EXPERIMENTAL sigstore signer and verifier (#522)
• Minimal TUF/in-toto spec-compliant GPG verifier (#488)
• API-typical 'import' and 'from URI' GPG signer methods (#488)

Changed

• Require public key in GPG signer and disallow subkey signatures (#488)
• Increase GPG subprocess timeout (#502)
• Rename default branch to 'main' (#523)
• Make HSM signer URI configurable (#526)
• Allow tox to skip virtual HSM tests (#528)
• Strip PEM keys to compute keyids consistently (#453)

Removed

• Internal GPG version utils (#504)
• Custom subprocess interface (#505)
• Vendored ssl module (#506)

Fixed

• Windows compatibility issues and re-enable Windows CI (#518)
• GPG subprocess timeout configurability (#502)

v0.26.0

Added

• Private key URI schemes for signer instantiation (#456)
• Public key container class for signature verification (#456)
• Post-quantum sphincs+ signing scheme (#427)
• Hardware Security Module (HSM) signing (#472)
• Google Cloud KMS signing (#442, #480)

Changed

• Use pyproject.toml for build configuration (#253)
• Use hatchling as build backend (#484)
• Auto-format and lint all code (#439, #490)
• Various CI and build improvements (#459, #460, #476, #493, #464)

Removed

• Drop colorama optional dependency and colorized output support (#443)

Fixed

• Don't shell out to gpg on import (#437)
• Fix metaclass definition (#473)
• Make GPGSigner signatures specification compliant (#486)