Releases: trailofbits/pypi-attestations

v0.0.22

04 Mar 19:31
297772d

Changed

  • The inspect subcommand now ignores inputs that don't match *.attestation,
    rather than failing on them
    (#93)

Added

  • The CLI subcommand verify attestation now supports .slsa.attestation
    files. When verifying an artifact, both .publish.attestation and
    .slsa.attestation files are used (if present).
  • The CLI subcommand verify pypi now supports a friendlier
    syntax to specify the artifact to verify. The artifact can now be
    specified with a pypi: prefix followed by the filename, e.g.
    pypi:sampleproject-1.0.0.tar.gz. The old way (passing
    the direct URL) is still supported.
  • The CLI subcommand verify pypi now supports passing the local paths
    to the artifact and its provenance file, allowing the user to verify
    files already downloaded from PyPI. The artifact path is passed as
    usual, whereas the provenance file path is passed using the
    --provenance-file option.

v0.0.21

10 Jan 19:16
41584d9

Changed

  • The CLI entrypoint is now pypi-attestations
    (#82)
  • The CLI verify subcommand has been changed to verify attestation,
    as in pypi-attestations verify attestation --identity ...
    (#82)

Added

  • The CLI has a new subcommand verify pypi, which takes a URL to a
    PyPI distribution (either a wheel or a source distribution) and a
    GitHub/GitLab repository. The command verifies the distribution by
    downloading it and its provenance from PyPI, verifying them using
    sigstore and checking that the repository matches the one in the
    PyPI provenance file.
    (#82)

v0.0.20

11 Dec 16:58
d612336

Changed

  • Explicitly support sigstore-python 3.6
    (#79)

v0.0.19

04 Dec 23:13
08802ef

Fixed

  • Corrective release for 0.0.18

v0.0.18

27 Nov 20:52
64fd162

What's Changed

Full Changelog: v0.0.17...v0.0.18

v0.0.17

19 Nov 22:22
cfb3d4d

Fixed

  • The GitLabPublisher policy now takes the workflow file path in order to
    verify attestations, rather than assuming it will always be gitlab-ci.yml
    (#71).
  • The GitLabPublisher no longer expects claims to be passed during construction;
    instead, the ref and sha claims are extracted from the certificate's extensions,
    matching GitHubPublisher's behavior
    (#71).

Changed

  • Publisher classes (GitLabPublisher and GitHubPublisher) no longer take a claims
    dictionary during construction
    (#72).

v0.0.16

07 Nov 22:42
58c872e

Added

  • Attestation.statement has been added as a convenience API for accessing
    the attestation's enveloped statement as a dictionary

v0.0.15

06 Nov 22:49
478c93f

Full Changelog: v0.0.14...v0.0.15

v0.0.14

06 Nov 22:45
59fc62b

What's Changed

  • build(deps): bump actions/checkout from 4.2.1 to 4.2.2 in the actions group by @dependabot in #66
  • build(deps): bump actions/setup-python from 5.2.0 to 5.3.0 in the actions group by @dependabot in #67
  • fix handling of zip sdists by @woodruffw in #68

Full Changelog: v0.0.13...v0.0.14

v0.0.13

22 Oct 16:18
2cf1f8f

Changed

  • The minimum Python version required has been brought back to 3.9
    (#64).

  • The Attestation.verify(...) API has been changed to remove the Verifier
    argument in favor of an optional staging: bool kwarg to select the
    Sigstore instance
    (#62)

  • The Attestation.verify(...) API has been changed to accept both Publisher
    and VerificationPolicy objects as a policy. The publisher object is internally
    converted to an appropriate verification policy.

Fixed

  • python -m pypi_attestations verify now handles inputs like dist/*
    gracefully by filtering any attestation paths out of the inputs
    before verification.

  • python -m pypi_attestations verify now exits with a non-zero exit code
    if the verification step fails
    (#57)