New release(s)

[jku]

sigstore.dev would like to start using TesseraCT as the fulcio CT log... Unfortunately sigstore-python had a bug that makes sigstore-python not accept the SCTs from TesseraCT.

• issue was using extension data in SCT (something that is allowed by the spec): sigstore-python did not accept extensions and did not include the extension in the signed payload
• This was fixed in Remove suspicion of extension bytes #1657, Include SCT extension in signature data #1659
• there is no timeline yet for the sigstore.dev change but staging will switch to TesseraCT in the near future

I'd like to do a new release ASAP to maximize the time from the client fix to the CT upgrade on sigstore.dev.

I'll have a look at backport options (4.0.x and 3.6.x): this should be an easy backport and might make sense considering the API changes in 4.0

[woodruffw]

I'd like to do a new release ASAP to maximize the time from the client fix to the CT upgrade on sigstore.dev.

I'll have a look at backport options (4.0.x and 3.6.x): this should be an easy backport and might make sense considering the API changes in 4.0

I'm personally okay with us picking one backport target here (either 4.0 or 3.6) -- I don't think we have an official backport policy yet, and I think extending further back will disincentivize people from doing major upgrades over the long term. But ultimately your call if you want to do two backports 🙂

(Once we release this in 4.1.x, I'll make the corresponding changes to gh-action-pypi-publish to ensure we're live and released in that ecosystem before compatibility becomes a concern.)

[jku]

Current changelog for main (note to self) :

Fixed

• verify: Ensure that artifact digest documented in bundle and the real digest match
  (this is a bundle consistency check: bundle signature was always verified over real digest)
  (#1652)
• Fix issue with Signed Certificate Timestamp parsing where extensions
  were not allowed by sigstore-python
  (1656)

Changed

• Update supported public key algorithms
  (#1604)
• trust: Update embedded TUF root
  (#1589)

Removed

• Removed support for Python 3.9 as it is end-of-life
  (#1645)
• Removed unused nonce in Oauth flow
  (#1649)