Releases: trailofbits/pypi-attestations

v0.0.16

07 Nov 22:42
58c872e

Added

  • Attestation.statement has been added as a convenience API for accessing
    the attestation's enveloped statement as a dictionary

v0.0.15

06 Nov 22:49
478c93f

Full Changelog: v0.0.14...v0.0.15

v0.0.14

06 Nov 22:45
59fc62b

What's Changed

  • build(deps): bump actions/checkout from 4.2.1 to 4.2.2 in the actions group by @dependabot in #66
  • build(deps): bump actions/setup-python from 5.2.0 to 5.3.0 in the actions group by @dependabot in #67
  • fix handling of zip sdists by @woodruffw in #68

Full Changelog: v0.0.13...v0.0.14

v0.0.13

22 Oct 16:18
2cf1f8f

Changed

  • The minimum Python version required has been brought back to 3.9
    (#64).

  • The Attestation.verify(...) API has been changed to remove the Verifier
    argument in favor of an optional staging: bool kwarg to select the
    Sigstore instance
    (#62)

  • The Attestation.verify(...) API has been changed to accept both Publisher
    and VerificationPolicy objects as a policy. The publisher object is internally
    converted to an appropriate verification policy.

Fixed

  • python -m pypi_attestations verify now handles inputs like dist/*
    gracefully, by pre-filtering any attestation paths from the inputs.

  • python -m pypi_attestations verify now exits with a non-zero exit code
    if the verification step fails
    (#57)

v0.0.12

19 Sep 16:10
5a6f9a9

Fixed

  • Base64-encoded bytes inside Attestation objects contained newline characters
    every 76 characters due to a bug in Pydantic's Base64Bytes type. Those
    newlines were also (incorrectly) ignored by Pydantic during decoding
    (#48).
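The failure mode this entry describes, illustrated with the Python standard library as an added example (this is not the project's code and does not reproduce the Pydantic bug itself): base64.encodebytes wraps its output every 76 characters in the MIME style, a strict decoder rejects that input because the newline is outside the base64 alphabet, and the default lenient decoder silently accepts it. The sample payload is constructed; the canonicality check at the end is the kind of test that catches a non-canonical encoding which a plain decode round-trip would let through.

```python
from __future__ import annotations

import base64
import binascii

# Constructed sample payload (not from the project): 100 bytes, which is
# enough to cross the 76-character wrap boundary once.
SAMPLE = bytes(range(100))


def mime_style_encode(data: bytes) -> str:
    """Encode with base64.encodebytes, which inserts a newline after every
    76 output characters and at the end (RFC 2045 line wrapping). The
    result has the same shape as the buggy output described above."""
    return base64.encodebytes(data).decode("ascii")


def canonical_encode(data: bytes) -> str:
    """Single-line RFC 4648 encoding with no line wrapping."""
    return base64.b64encode(data).decode("ascii")


def strict_decode(text: str) -> bytes | None:
    """Decode with validate=True: any character outside the base64 alphabet
    (including '\\n') makes the decoder raise. Returns None on rejection."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def lenient_decode(text: str) -> bytes:
    """Default b64decode discards non-alphabet characters, so the wrapped
    form round-trips even though it is not canonical."""
    return base64.b64decode(text)


def is_canonical(text: str) -> bool:
    """True only if the text decodes strictly and re-encodes to itself,
    which rules out wrapped, padded-wrong or otherwise non-canonical input."""
    raw = strict_decode(text)
    return raw is not None and canonical_encode(raw) == text


if __name__ == "__main__":
    wrapped = mime_style_encode(SAMPLE)
    print("newlines in wrapped form:", wrapped.count("\n"))
    print("strict decode accepts wrapped form:", strict_decode(wrapped) is not None)
    print("lenient decode recovers payload:", lenient_decode(wrapped) == SAMPLE)
    print("canonical form passes check:", is_canonical(canonical_encode(SAMPLE)))
```

Running the block shows the asymmetry the entry points at: the wrapped string fails strict decoding yet round-trips through the lenient decoder, so a consumer relying only on the lenient path never notices that the bytes it received were not canonically encoded.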

v0.0.11

20 Aug 17:29
3b84d95

What's Changed

  • workflows: hash-pin all workflows by @woodruffw in #40
  • build(deps): bump actions/attest from c578ab5e377a70e30e1411d16a0eba675e5dc2e9 to 2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d in the actions group by @dependabot in #41
  • Update CHANGELOG for version 0.0.10 by @DarkaMaul in #42
  • Run mypy on tests by @woodruffw in #43
  • build(deps): update sigstore requirement from ~=3.1.0 to >=3.1,<3.3 in the python group by @dependabot in #45

Full Changelog: v0.0.10...v0.0.11

v0.0.10

31 Jul 21:59
3f5fa03

Changed

  • The minimum Python version required has been bumped to 3.11
    (#37)

Added

  • The Provenance, Publisher, GitHubPublisher, GitLabPublisher, and
    AttestationBundle types have been added
    (#36).

v0.0.9

17 Jul 13:55
fbf7558

Added

  • The Distribution type and APIs have been added, allowing a user to supply
    a pre-computed digest instead of performing I/O
    (#34)

Changed

  • sign and verify no longer perform I/O
    (#34)

Fixed

  • verify: catch another leaky error case
    (#32)

v0.0.8

10 Jul 18:25
f32b66e

Fixed

  • AttestationType is now re-exported at the top-level as a public API
    (#31)

v0.0.7

10 Jul 18:14
718efd0

Added

  • AttestationType has been added, as an enumeration of all currently known
    attestation types (by URL)
    (#29)

Changed

  • Attestation.verify now checks the attestation's type against
    AttestationType before returning it
    (#29)

Fixed

  • Attestation.sign now only returns AttestationError when failing to sign a
    distribution file
    (#28)