Releases: secure-systems-lab/securesystemslib

v0.23.0

26 Apr 10:44
v0.23.0
47a6fdf

Fixed

  • Race condition in gpg test cleanup function (#397)

Changed

  • Consistently raise custom FormatError in keys.verify_signature() (#391)
  • Bumped dependencies: cryptography (#396), ed25519 (#394, #398)
  • Updated Debian packaging metadata (#392)

v0.22.0

10 Feb 14:15
v0.22.0
934fc1b

Fixed

  • Removed broken Dependabot badge in README (#377)

Added

  • Python 3.10 support (#380)
  • __eq__ method for Signature objects (#383)
  • unrecognized_fields attribute for Signature objects (#387)

Changed

Removed

  • Python 3.6 support (#385)

v0.21.0

25 Aug 10:45
v0.21.0
9b3ea00

NOTE: This is the first release of securesystemslib to require Python 3.6
or newer.

Fixed

  • Clarified licensing and copyright notices with regard to code that is
    derived from Thandy (#366)

Added

  • Added machinery for static type checking with mypy, including type annotation
    of the util module (#361)
  • Added type annotations to storage module (#362)

Changed

  • Bumped dependencies: six (#350), cffi (#364), ed25519 (#356),
    cryptography (#369)

Removed

  • Removed support for Python 2.7 (#352) and the use of future and six modules
    which were required to support code running on both Python 2 and 3 (#359)

v0.20.1

06 May 13:21
v0.20.1
576ea03

NOTE: this will be the final release of securesystemslib that supports Python 2.7.
This is because Python 2.7 was marked end-of-life in January of 2020, and since then several of securesystemslib's direct and transitive dependencies have stopped supporting Python 2.7. securesystemslib's major users, the Python implementations of tuf (v0.167.0) and in-toto (v1.1.0), have already dropped support for Python 2.7.

Changed

  • Switched to GitHub-native Dependabot (#349)
  • Updated Debian packaging metadata (#343)
  • Bump cryptography dependency (#346)

Fixed

  • Fix the Signer abstract base class's method signature to include self (#348)

v0.20.0

26 Feb 12:17
v0.20.0
197ebd2

Added

  • Add signing abstraction to facilitate custom implementations (#319)

Changed

  • Refactor imports to allow vendoring for pip (#316)
  • Limit GitHub Actions to avoid duplicate Dependabot builds (#335)
  • Enhance GitHub Action reporting for ed25519 upstream check (#338)
  • Bump dependencies: cryptography (#336)

Fixed

  • Pad OpenPGP EdDSA signatures to avoid sporadic verification failures (#340)

v0.19.0

16 Feb 13:53
v0.19.0
2397007

Added

  • Enable setting which GPG client to use through an environment variable (#315)

Changed

  • Dropped support for EOL Python 3.5 and added support for Python 3.9 (#314)
  • Converted the default local storage backend, FilesystemBackend, to be a
    singleton (#302)
  • Migrated CI from travis-ci.org to travis-ci.com (#303) then later to GitHub
    Actions (#324)
  • Bump dependencies: cffi (#306, #329), cryptography (#322, #333). NOTE: the
    latest version of cryptography is no longer used on Python 2, as that is not
    supported.
  • Updated Debian packaging metadata (#313 & #318)
  • Improved messaging for issues automatically filed on upstream changes to our
    vendored ed25519 dependency (#317)
  • Updated the ed25519 tracking script for upstream's branch name change (#331)

Fixed

  • Empty lists should not be used as the default argument for a function (#304)

v0.18.0

10 Nov 13:30
v0.18.0
53b0db0

Added

  • interface.generate_and_write_unencrypted_{rsa,ed25519,ecdsa}_keypair (#288)
  • interface.generate_and_write_{rsa,ed25519,ecdsa}_keypair_with_prompt (#288)
  • interface.import_privatekey_from_file (#288)
  • GitHub Action to auto-check upstream changes for vendored ed25519 (#294)

Changed

  • interface.generate_and_write_{rsa,ed25519,ecdsa}_keypair require a password
    as first positional argument (#288)
  • interface.import_{rsa,ed25519,ecdsa}_privatekey_from_file do not error on
    empty password, but pass it on to lower level decryption routines (#288)
  • interface.import_ecdsa_privatekey_from_file supports loading unencrypted
    private keys (#288)
  • Revise interface and gpg.functions docstrings, and example snippets, and
    use Sphinx compatible Google Style docstring format (#288, #300)
  • Linter-flagged cosmetic changes (#292, #295, #296)
  • Bump dependencies: cryptography (#291, #293)
  • Bump vendor copy of ed25519 (#299)

v0.17.0

21 Oct 14:01
v0.17.0
c4d8618

Added

  • Add interface.import_publickeys_from_file() convenience function (#278, #285)
  • Add gpg.export_pubkeys() convenience function (#277)
  • Add support to hash module for blake2b-256 algorithm (#283)

Changed

  • Use ecdsa as keytype for ECDSA keys to better distinguish between keytype
    and scheme (#267)
  • Bump dependencies: cffi (#266, #273), cryptography (#269, #274),
    and colorama (#284)
  • Removed python-dateutil dependency (#268)
  • Prepare Debian downstream releases (#198)
  • Remove unused helper (_prompt) and global (SUPPORTED_KEY_TYPES) from
    interface module (#276)
  • Refactored and extended interface tests (#279, #287)

v0.16.0

11 Aug 12:35
v0.16.0
1682f55

Added

  • Added new, self-explanatory, AnyNonEmptyString schema (#244)
  • Separate functions for getting a file's length, util.get_file_length(), and
    a file's hashes, util.get_file_hashes() (#259)

Changed

  • Improved documentation for abstract storage interface (#240)
  • Change PATHS_SCHEMA to be any non-empty string (#244)
  • Updated keys.format_metadata_to_key() to take an optional list of hashing
    algorithms rather than requiring users modify settings.HASH_ALGORITHMS to
    change this behaviour (#227)
  • Rather than silently ignoring empty paths, throw an exception on empty file
    path in storage.FileSystemBackend.create_folder (#252)

Fixed

  • Proper tearing down of storage tests (#249)
  • Handle empty directories in util.ensure_parent_dir() (#260)
  • Fix tests to work with newer versions (3.0 or newer) of the cryptography
    module (#264)

v0.15.0

14 May 18:39
v0.15.0
09cf6d4
  • Allow Blake (blake2s and blake2b) hashing algorithms (#218)
  • new features
    • Add nistp384 signature verification support (#228)
    • Allow callers to provide a default keyid in format_metadata_to_key, rather than using the default keyid value of a hash of the canonical JSON of the key metadata (#225)
    • Implement files and directories abstraction as an abstract base class, StorageBackendInterface, with a concrete implementation for local filesystems, FilesystemBackend (#232). This enables users, such as tuf, to support non-local/non-traditional filesystems, so long as they provide an object implementing securesystemslib.storage.StorageBackendInterface. All functions which take a StorageBackendInterface default to creating a FilesystemBackend object for local filesystem interaction when an object isn't provided. This means that behaviour remains the same as in prior (0.14.x) releases of securesystemslib, except that instead of exceptions from the Python standard library, a custom, generic error is thrown: securesystemslib.exceptions.StorageError
  • removed features
    • Remove support for gzipped files in load_json_file (#230)