sigstore: Bump to v0.7.0

Signed-off-by: Alex Cameron <asc@tetsuo.sh>

.github/workflows/selftest.yml

@@ -84,7 +84,7 @@ jobs:
   #       id: sigstore-python
   #       with:
   #         inputs: ./test/artifact.txt
-  #         verify-cert-email: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+  #         verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
   #         staging: true
 
   selftest-verify-issuer:

README.md

@@ -264,11 +264,11 @@ Example:
     verify: false
 ```
 
-### `verify-cert-email`
+### `verify-cert-identity`
 
 **Default**: Empty
 
-The `verify-cert-email` setting controls whether to verify the Subject Alternative Name (SAN) of the
+The `verify-cert-identity` setting controls whether to verify the Subject Alternative Name (SAN) of the
 signing certificate after signing has taken place. If it is set, `sigstore-python` will compare the
 certificate's SAN against the provided value.
 
@@ -278,7 +278,7 @@ This setting only applies if `verify` is set to `true`.
 - uses: sigstore/gh-action-sigstore-python@v0.0.10
   with:
     inputs: file.txt
-    verify-cert-email: john.smith@example.com
+    verify-cert-identity: john.smith@example.com
 ```
 
 ### `verify-oidc-issuer`

action.py

@@ -141,9 +141,9 @@ def _fatal_help(msg):
 if os.getenv("GHA_SIGSTORE_PYTHON_VERIFY", "false") == "false":
     enable_verify = False
 
-verify_cert_email = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL")
-if verify_cert_email != "":
-    sigstore_verify_args.extend(["--cert-email", verify_cert_email])
+verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
+if verify_cert_identity != "":
+    sigstore_verify_args.extend(["--cert-identity", verify_cert_identity])
 
 verify_oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER")
 if verify_oidc_issuer != "":

action.yml

@@ -64,8 +64,8 @@ inputs:
     description: "verify the generated signatures after signing"
     required: false
     default: true
-  verify-cert-email:
-    description: "verify the email address to in the signing certificate's Subject Alternative Name (only applies when `verify` is on)"
+  verify-cert-identity:
+    description: "verify the identity in the signing certificate's Subject Alternative Name (only applies when `verify` is on)"
     required: false
     default: ""
   verify-oidc-issuer:
@@ -110,7 +110,7 @@ runs:
         GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}"
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
-        GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL: "${{ inputs.verify-cert-email }}"
+        GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash

requirements.txt

@@ -1 +1 @@
-sigstore==0.6.8
+sigstore==0.7.0