requirements: sigstore ~3.0 #140
Signed-off-by: William Woodruff <william@trailofbits.com>
Looks good now. Key changes:
(NB: This doesn't enable the DSSE parts of sigstore-python, which are in 3.x. Enabling those with appropriate settings will probably require more design thought.)
FTR, the 2.x stream prints out deprecation warnings that would be fixed in 3.x per my understanding:

/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
not_valid_after = self.__cached_signing_certificate.cert.not_valid_after
/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
not_valid_after = self.__cached_signing_certificate.cert.not_valid_after
/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
not_valid_after = self.__cached_signing_certificate.cert.not_valid_after

Perhaps, mention this in the change log as well?
Hmm, it's actually strange that those are in 2.x -- the 2.x series of sigstore-python should be using a sufficiently new version of But yeah, if you're seeing them with one but not the other, I'll include it in the release notes 🙂
I haven't tried. Just checked that you changed the corresponding line in v3.
+1
Thanks both! I'll prep the changelog and release today. (Longer-term, the value of this action is now a bit murky, since GitHub has attestation support directly built in with official actions. But that can be a separate discussion...)
The 3.x series is out. Let's see what breaks!