Releases: sigstore/sigstore-python

v3.6.5

11 Aug 17:42
@jku jku
447e66c

Fixed

  • Fixed verified time handling so that additional timestamps cannot break
    otherwise valid signature bundles (#1492)

Changed

  • Added cryptography 45 to the list of compatible cryptography releases
    (#1498)

v3.6.4

20 Jun 17:55
dd952eb

Fixed

  • Bumped the rfc3161-client dependency to >=1.0.3 to fix a security
    vulnerability (#1451)
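
A practitioner reading the entry above will want to confirm that an environment actually carries the fix rather than trust a lockfile. The script below is an added example, not code from sigstore-python; it uses only the standard library. The minimums are taken from these notes (sigstore 3.6.4 is the first release that requires rfc3161-client >= 1.0.3); the cryptography range is deliberately left out because the notes give no lower bound for it. The `MINIMUM_VERSIONS` table and the function names are assumptions for this example.

```python
"""Check that an installed sigstore-python environment carries the
rfc3161-client fix listed in the v3.6.4 release notes.

Added example, not part of sigstore-python. Standard library only.
"""
from __future__ import annotations

import re
from importlib import metadata

# Assumed requirement table, built from the release notes:
# sigstore >= 3.6.4 is the first release pulling in rfc3161-client >= 1.0.3.
MINIMUM_VERSIONS = {
    "sigstore": "3.6.4",
    "rfc3161-client": "1.0.3",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a release string such as '3.6.4' or 'v1.0.3rc1' into a tuple of
    integers. Pre-release suffixes are dropped; that is adequate for comparing
    against the final-release minimums used here."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def meets_minimum(installed: str, minimum: str) -> bool:
    """True if installed >= minimum. Components are compared numerically so
    that 1.0.10 ranks above 1.0.3; a plain string comparison would not."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_versions() -> dict[str, str | None]:
    """Query the installed distributions; None marks an absent package."""
    found: dict[str, str | None] = {}
    for name in MINIMUM_VERSIONS:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def check_environment(versions: dict[str, str | None]) -> list[str]:
    """Return one problem string per package that is missing or below its
    minimum. An empty list means the environment carries the fixes."""
    problems = []
    for name, minimum in MINIMUM_VERSIONS.items():
        installed = versions.get(name)
        if installed is None:
            problems.append(f"{name}: not installed (need >= {minimum})")
        elif not meets_minimum(installed, minimum):
            problems.append(f"{name}: {installed} installed, need >= {minimum}")
    return problems


if __name__ == "__main__":
    for line in check_environment(installed_versions()) or ["environment OK"]:
        print(line)
```

Run it inside the virtualenv that performs verification; a non-empty report means `pip install --upgrade sigstore` (or a constraints-file bump) is due before that environment's verification results should be trusted.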

v3.6.3

06 Jun 06:09
@jku jku
0f88940

A small bug fix release.

Fixed

  • Verify: Avoid a hard failure if the trusted root contains unsupported key types, since verification may still succeed without that key
    (#1425)

v3.6.2

14 Apr 07:42
@jku jku
6937b05

Fixed

  • Fixed an issue where a trust root with multiple Rekor keys was not considered valid: any Rekor key listed in the trust root can now be used to verify entries (#1350)

Changed

  • Upgraded the python-tuf dependency to 6.0: connections to the TUF repository now use system certificates (instead of certifi) and retry automatically
  • Updated the embedded TUF root to version 12

Full Changelog: v3.6.1...v3.6.2

v3.6.1

19 Dec 17:08
896cfe1

Fixed

  • Relaxed the transitive dependency on cryptography to allow v43 and v44
    to be resolved
    (#1251)

v3.6.0

10 Dec 22:18
44aa3eb

Added

  • API: The DSSE Envelope class now performs automatic validation
    (#1211)

  • API: Added signature property to Envelope class for accessing raw
    signature bytes (#1211)

  • Signed timestamps embedded in bundles are now automatically verified
    against Timestamp Authorities provided within the Trusted Root
    (#1206)

  • Bundles are now generated with signed timestamps when signing if the
    Trusted Root contains one or more Timestamp Authorities
    (#1216)

Removed

  • Support for "detached" SCTs has been fully removed, aligning
    sigstore-python with other sigstore clients
    (#1236)

Fixed

  • Fixed a CLI parsing bug introduced in 3.5.1 where a warning about
    verifying legacy bundles was never shown
    (#1198)

  • Strengthened the requirement that an inclusion promise is present
    if no other source of signed time is present
    (#1247)

v3.5.3

27 Nov 21:33
87ff7f1

Fixed

  • Corrective release for 3.5.2

v3.5.2

27 Nov 21:28
276ed3d

Fixed

  • Pinned the cryptography dependency strictly to prevent future breakage

v3.5.1

25 Oct 14:57
0ac33ee

Fixed

  • Fixed a CLI parsing bug introduced in 3.5.0 when attempting
    to suppress irrelevant warnings
    (#1192)

v3.5.0

24 Oct 16:04
68a7497

Added

  • CLI: The sigstore plumbing update-trust-root command has been added.
    Like other plumbing-level commands, this is considered unstable and
    changes are not subject to our semver policy until explicitly noted
    (#1174)

Fixed

  • CLI: Fixed an incorrect warning when verifying detached .crt/.sig
    inputs (#1179)