Skip to content

Releases: sigstore/sigstore-js

v1.1.0

14 Mar 16:36
@github-actions github-actions
v1.1.0
8831102
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.1.0

Minor Changes

  • 49709fc: Exposes new tufMirrorURL and tufRootPath options to the verify function
  • 49709fc: Relocates the TUF cache to a platform-specific app data directory

Patch Changes

  • 6b75981: Consume the trusted_root.json target from the Sigstore TUF repository
Assets 2
Loading

v1.0.0

09 Feb 17:54
@bdehamer bdehamer
v1.0.0
0652899
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.0.0

What's New

The 1.0.0 release 🎉

  • Complete offline Bundle verification
  • Refactor of public interface (#291)
  • Refactor error handling (#281)
  • Integration with Sigstore TUF repository (#274)
  • Bump make-fetch-happen from 11.0.2 to 11.0.3 (#283)
Assets 2
Loading

v1.0.0-beta.1

08 Feb 16:57
@bdehamer bdehamer
v1.0.0-beta.1
1e3b0bd
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.0.0-beta.1 Pre-release
Pre-release

What's New

Preparing for the 1.0.0 release:

  • Complete offline Bundle verification
  • Refactor of public interface (#291)
  • Refactor error handling (#281)
  • Integration with Sigstore TUF repository (#274)
  • Bump make-fetch-happen from 11.0.2 to 11.0.3 (#283)
Assets 2
Loading

v0.4.0

11 Jan 17:30
@bdehamer bdehamer
v0.4.0
8a2ee2f
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.4.0

What's New

  • Support for latest Sigstore bundle format
Assets 2
Loading

v0.3.0

05 Jan 19:21
@bdehamer bdehamer
v0.3.0
867975e
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.3.0

What's Changed

  • fetch-on-conflict option when adding Rekor entries (#225)
  • adds lots of plumbing in support of Fulcio certificate verification
Assets 2
Loading

v0.2.0

08 Dec 16:18
@bdehamer bdehamer
v0.2.0
83811fe
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.2.0

What's Changed

  • chore: bump tsconfig from node12 to node14
  • publish package with provenance
Assets 2
Loading

v0.1.1

01 Dec 17:14
@bdehamer bdehamer
v0.1.1
39c77ab
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.1.1

What's Changed

  • Fixed issue w/ Rekor type definitions missing in published package
Assets 2
Loading

v0.1.0

30 Nov 18:39
@bdehamer bdehamer
v0.1.0
d62881b
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.1.0

Working toward the 1.0.0 release!

  • OpenID Connect support
    • Interactive OIDC token retrieval via OAuth
    • Automatic OIDC token retrieval when running in GitHub Actions
  • Keyless signing using Fulcio-issued signing certificates bound to OIDC identities
  • Signing
    • Blob signing
    • Signing of DSSE-wrapped attestations
  • Record of signatures posted to Rekor transparency log
  • Support for the Sigstore Bundle format
  • Offline bundle verification
    • Signature verification
    • Transparency log entry verification

Before we get to the 1.0.0 release we'll have complete offline bundle verification including Fulcio certificate chain verification and integration with the Sigstore TUF root for retrieving the Fulcio root certificate and Rekor public key.

Assets 2
Loading

Release 0.0.1-alpha.5

15 Nov 18:15
@bdehamer bdehamer
v0.0.1-alpha.5
505f944
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 0.0.1-alpha.5 Pre-release
Pre-release

What's Changed

  • Support for new Sigstore bundle format
  • Offline verification of Rekor entry
Assets 2
Loading