This commit was created on GitHub.com and signed with GitHub’s verified signature.
Added
The CLI has a new subcommand convert, which takes a Sigstore bundle
and converts it to a PEP 740 attestation.
Changed
The Attestation.verify(...) API has been changed to accept an offline
parameter that, when True, disables TUF refreshes.
The CLI verify commands now also accept an --offline flag that disables
TUF refreshes. Additionally, when used with the verify pypi subcommand,
the --offline flag enforces that the distribution and provenance file
arguments must be local file paths.
Fixed
Fixed a bug where GitHubPublisher policy verification would fail
if the Source Repository Ref or Source Repository Digest claim
was missing from the attestation's certificate. We require at least
one of the two claims, but not necessarily both
(#109)
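
The Fixed entry above as an added sketch, not code from pypi-attestations: it contrasts the pre-fix check (both claims required) with the fixed rule (at least one claim). The function name, the dict-of-OIDs claim model, the example/pkg repository and the comparison against the Build Config URI are assumptions made for illustration.

```python
# Illustrative sketch only: not pypi-attestations code. Claims are modelled as
# a dict keyed by Fulcio extension OID instead of a parsed X.509 certificate.
BUILD_CONFIG_URI = "1.3.6.1.4.1.57264.1.18"
SOURCE_REPO_DIGEST = "1.3.6.1.4.1.57264.1.13"
SOURCE_REPO_REF = "1.3.6.1.4.1.57264.1.14"


class PolicyError(Exception):
    """Raised when the certificate claims do not satisfy the policy."""


def check_workflow(claims, repository, workflow, require_both=False):
    """Return the claim name ("ref" or "digest") that pinned the workflow.

    require_both=True models the pre-fix behaviour described in the changelog;
    the default models the fixed rule (at least one claim, not necessarily both).
    Comparing against the Build Config URI is an assumption of this sketch.
    """
    ref = claims.get(SOURCE_REPO_REF)
    digest = claims.get(SOURCE_REPO_DIGEST)
    if require_both and not (ref and digest):
        raise PolicyError("missing Source Repository Ref or Digest claim")
    if not (ref or digest):
        raise PolicyError("need Source Repository Ref or Source Repository Digest")

    actual = claims.get(BUILD_CONFIG_URI)
    prefix = f"https://github.com/{repository}/.github/workflows/{workflow}@"
    for name, value in (("ref", ref), ("digest", digest)):
        # Skip absent claims so a missing one never yields "...@None".
        if value and actual == prefix + value:
            return name
    raise PolicyError(f"Build Config URI {actual!r} does not match {workflow}")


# Constructed sample claims: a certificate carrying only the digest claim.
DIGEST_ONLY = {
    BUILD_CONFIG_URI: "https://github.com/example/pkg/.github/workflows/release.yml@"
    + "ab" * 20,
    SOURCE_REPO_DIGEST: "ab" * 20,
}

if __name__ == "__main__":
    print(check_workflow(DIGEST_ONLY, "example/pkg", "release.yml"))
```

With require_both=True the same digest-only claims raise PolicyError, which is the failure the changelog entry describes.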