v0.5.0

Important Changes

• Use TUF framework to obtain verification material

What's Changed

• Fuzzing: Add new fuzzers by @arthurscchan in #380
• Fuzzing: Add fuzzers for CertificateEntry and Serialization classes by @arthurscchan in #386
• doc: improve descriptions for Gradle Plugin Portal by @vlsi in #396
• Fix changelog link in GitHub release notes by @szpak in #395
• Exception handling: Wrap illegal state exception by @arthurscchan in #397
• Exception fixing: Add handling for possible empty content for PemObject by @arthurscchan in #394
• Update after 0.4.0 release by @loosebazooka in #393
  @renovate in #403
• Improve readme by @ljacomet in #408
• Allow updaters to init on existing repos by @loosebazooka in #409
• Fuzzing: Add fuzzer for DigitallySigned class by @arthurscchan in #407
• Force convention for URL for HttpMetaFetcher by @loosebazooka in #410
• Use spec-compliant persisted target filenames by @loosebazooka in #411
• Avoid failures on removal of published artifacts by @ljacomet in #416
• don't fail if fuzzOut isn't specified by @loosebazooka in #413
• update links to use CDN-backed endpoints by @bobcallaway in #418
• v1 tuf client by @loosebazooka in #415
• Add initial BYOB-based SLSA-generator by @AdamKorcz in #357
• Add pkix der encoded key parsing by @loosebazooka in #429
• Fix: Fix possible Null Pointer Exception by @arthurscchan in #406
• Add interfaces for sigstore trusted_root by @loosebazooka in #430
• Bump sigstore-conformance to 0.0.4 by @tetsuo-cpp in #436
• Add fuzzer for RekorTypes by @arthurscchan in #437
• Add fuzzer for RekorVerifier by @arthurscchan in #438
• Fixes: Add digest length checking by @arthurscchan in #405
• Fuzzing: Add fuzzer for dev.sigstore.bundle package by @arthurscchan in #431
• Add fuzzers for FulcioVerifier by @arthurscchan in #433
• Separate BundleFuzzer by @arthurscchan in #452
• Handle parse exceptions on raw rekor entry by @loosebazooka in #451
• Remove unused KeylessSigningFuzzer by @arthurscchan in #456
• Small update to the verify example by @jerolimov in #454
• use base google-http-client-bom by @hboutemy in #469
• Upgrade error_prone_core to 2.20.0 by @loosebazooka in #471
  java/pull/470
• Add accessors to trustroot by @loosebazooka in #432
• Fix fuzzing issues by @loosebazooka in #473
• Handle more uncaught runtime exceptions on rekor response by @loosebazooka in #474
• Add validity helpers by @loosebazooka in #476
• Updates before applying tuf to fulcio client by @loosebazooka in #477
• configure fulcio (v2 for now) with trustroot by @loosebazooka in #478
• configure rekor signer (v2 for now) with trustroot by @loosebazooka in #487
• configure rekor verifier (v2 for now) with trustroot by @loosebazooka in #488
• Use tuf cdn, add staging by @loosebazooka in #491
• Handle pkcs1 rsa keys in trsuted_root by @loosebazooka in #493
• fix(deps): update dependency com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin to v1.2.1 by @renovate in #481
• Use tuf to init signer and verifier by @loosebazooka in #492
• Combine all pico cli updates into single renovate PR by @loosebazooka in #503
• Update ValidFor for endpoint inclusion by @loosebazooka in #516
• Add RootProvider by @loosebazooka in #517
• Fix validate SCTs when cert chain is just leaf by @loosebazooka in #520
• Use new TUF based clients by @loosebazooka in #500
• Update conformance tests by @loosebazooka in #521
• Minor update to builder usage by @loosebazooka in #522
• Add some new helpers to Certificates by @loosebazooka in #524
• Add defaults to keylessverificationrequest by @loosebazooka in #526
• Enable tests to query fulcio cert chain by @loosebazooka in #525
• Update signing result to store leaf certs only by @loosebazooka in #523
• Ensure release script and stage-vote-release work by @loosebazooka in #529

New Contributors

• @ljacomet made their first contribution in #408
• @jerolimov made their first contribution in #454
• @hboutemy made their first contribution in #469

Full Changelog: v0.4.0...v0.5.0

v0.4.0

See CHANGELOG.md for more details.

v0.3.0

See CHANGELOG.md for more details.

v0.2.0

What's Changed

• Move gha-oidc-tests to a separate workflow that is run repo branches only by @vlsi in #114
• Add .editorconfig for automatic editor configuration by @vlsi in #110
• Add sh and gradlew to .gitattributes as known-LF text files by @vlsi in #109
• Add build-logic to make adding new modules easier by @vlsi in #101
• Rename CI workflow: Java CI with Gradle -> Test by @vlsi in #121
• Add Maven Central and GitHub Actions CI badges by @vlsi in #120
• Update plugin com.google.protobuf to v0.8.19 by @renovate in #105
• Update dependency org.bouncycastle:bcpkix-jdk18on to v1.71.1 by @renovate in #103
• Update dependency com.google.cloud:libraries-bom to v24.4.0 by @renovate in #112
• Update dependency com.google.code.gson:gson to v2.9.1 by @renovate in #116
• Update dependency org.bouncycastle:bcutil-jdk18on to v1.71.1 by @renovate in #104
• Update dependency com.google.oauth-client:google-oauth-client-bom to v1.34.1 by @renovate in #117
• Update artifact by @renovate in #111
• Update gradle/gradle-build-action digest to 8d24725 by @renovate in #102
• Update actions/setup-go action to v3.3.0 by @renovate in #107
• Add dev.sigstore.sign Gradle plugin for signing artifacts in Sigstore by @vlsi in #98
• Remove com.fasterxml.jackson.core:jackson-databind from sigstore-java by @vlsi in #122
• Update dependency io.grpc:grpc-bom to v1.49.0 by @renovate in #127
• Update dependency com.squareup.okhttp3:mockwebserver to v4.10.0 by @renovate in #125
• Update dependency net.sourceforge.htmlunit:htmlunit to v2.64.0 by @renovate in #128
• Update dependency no.nav.security:mock-oauth2-server to v0.5.1 by @renovate in #129
• Update renovate.json by @loosebazooka in #136
• Update dependency com.google.cloud:libraries-bom to v26 by @renovate in #141
• Update plugin com.diffplug.spotless to v6.10.0 by @renovate in #134
• Update actions/github-script action to v6 by @renovate in #138
• Update actions/checkout action to v3 by @renovate in #137
• Update actions/setup-java action to v3 by @renovate in #140
• Update immutables version with code fixes by @loosebazooka in #142
• Set ci to not fail-fast by @loosebazooka in #143
• Remove conditional use of bouncy castle by @patflynn in #144
• Add cancel-in-progress so PR builds do not wait stale jobs by @vlsi in #108
• Update dependency gradle to v7.5.1 by @renovate in #126
• Add TUF Client root resource syncing. by @patflynn in #123
• Add the expected checksum for gradle distribution by @vlsi in #145
• add unit testing for tuf key verification. by @patflynn in #146
• Adds a Tuf local store abstraction and a file based implementation by @patflynn in #149
• Add sandbox for Gradle samples by @vlsi in #148
• Use @EnabledIfOidcExists instead of several Gradle test tasks by @vlsi in #147
• Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4 by @renovate in #124
• Pass org.gradle.jvmargs arguments to test instances of Gradle as well to fix OutOfMemoryError: Metaspace in CI by @vlsi in #150
• Fixup EnableIfOidcExistsCondition condition for running tests locally by @vlsi in #151
• Run ci.yaml for all the branches, not just main by @vlsi in #152
• Update artifact by @renovate in #154
• Update gradle/gradle-build-action digest to dd8493d by @renovate in #153
• refactor tuf file system store by @patflynn in #160
• Update plugin com.diffplug.spotless to v6.11.0 by @renovate in #157
• Delegate TUF resource fetching to MetaFetcher interface by @patflynn in #159
• add timetamp type. (missed this during the initial model setup by @patflynn in #165
• More generic fetcher by @patflynn in #163
• provide user-friendly verifyDelegate wrapper by @patflynn in #164
• Add Gradle precompiled script plugin sample by @vlsi in #158
• Update dependency org.junit:junit-bom to v5.9.1 by @renovate in #169
• Update plugin org.jsonschema2dataclass to v4.4.0 by @renovate in #171
• Update gradle/gradle-build-action action to v2.3.1 by @renovate in #170
• Update dependency io.grpc:grpc-bom to v1.49.1 by @renovate in #168
• Update dependency com.google.cloud:libraries-bom to v26.1.2 by @renovate in #167
• Update dependency org.eclipse.jetty:jetty-server to v11.0.12 by @renovate in #156
• Update bouncycastle to v1.72 by @renovate in #177
• Update gradle/gradle-build-action action to v2.3.2 by @renovate in #175
• Update dependency io.grpc:grpc-bom to v1.49.2 by @renovate in #176
• Update go version in CI by @loosebazooka in #184
• Update dependency com.google.cloud:libraries-bom to v26.1.3 by @renovate in #179
• Update dependency net.sourceforge.htmlunit:htmlunit to v2.65.1 by @renovate in #180
• Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 by @renovate in #182
• Update dependency io.grpc:grpc-bom to v1.50.0 by @renovate in #183
• Update artifact by @renovate in #174
• Update protobuf plugin by @loosebazooka in #185
• Fix unused and redundant deps by @loosebazooka in #186
• add community-wide reusable workflow for license/vuln scan by @bobcallaway in #187
• Update dependency no.nav.security:mock-oauth2-server to v0.5.6 by @renovate in #155
• chore: fix deprecated set-output call by @bobcallaway in #189
• Support multiple ctfe keys by @loosebazooka in #190
• Update sigstore/community digest to c84f69f by @renovate in #192
• Update actions/setup-go action to v3.3.1 by @renovate in #193
• Update actions/upload-artifact action to v3.1.1 by @renovate in #194
• Update artifact by @renovate in #195
• Update dependency io.grpc:grpc-bom to v1.50.2 by @renovate in #196
• Update slsa-framework/slsa-github-generator action to v1.2.1 by @renovate in #197
• Update plugin org.jsonschema2dataclass to v4.5.0 by @renovate in #198
• Update gradle/gradle-build-action action to v2.3.3 by @renovate in #199
• implement TUF timestamp resource update by @patflynn in #200
• refactor tufclient to updater (its true role) and pass metadata as ar… by @patflynn in #202
• add the raw bytes to fetcher result so that we can do things like che… by @patflynn in #203
• Update dependency com.google.code.gson:gson to v2.10 by @renovate in https://github.com/sigstore/sigstore-ja...

v0.1.0

See CHANGELOG.md for more details.