Merge pull request #858 from sigstore/post1.1.0

Update versions and changelog

Author: loosebazooka

CHANGELOG.md

@@ -9,6 +9,25 @@ All versions prior to 1.0.0 are untracked
 
 ## [Unreleased]
 
+# [1.1.0] - 2024-11-22
+
+## Added
+- Update sigstore tuf roots to v10 for staging and public-good https://github.com/sigstore/sigstore-java/pull/848
+- Tuf conformance tests for tuf client spec conformance https://github.com/sigstore/sigstore-java/pull/838
+
+## Changed
+- Allow tuf updater to fetch meta without downloading targets https://github.com/sigstore/sigstore-java/pull/839
+- Allow tuf targets and metadata to be stored and fetched separately https://github.com/sigstore/sigstore-java/pull/827
+
+## Fixed
+- Fix handling of tuf targets in subdirectories https://github.com/sigstore/sigstore-java/pull/853
+- Fix tuf spec conformance for valid but duplicate signatures on a role https://github.com/sigstore/sigstore-java/pull/852
+- Fix handling of rsa-pss and ed25519 signatures in tuf metadata https://github.com/sigstore/sigstore-java/pull/849/files
+
+## Security
+- Ensure log entries in sigstore bundles are entries that correspond to the 
+  verification material (signature, artifact, public-key) provided to the 
+  verifier. https://github.com/sigstore/sigstore-java/pull/856
 
 # [1.0.0] - 2024-08-28
 

build-logic/publishing/build.gradle.kts

@@ -10,6 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:1.0.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:1.1.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.3.0")
 }

examples/hello-world/build.gradle.kts

@@ -1,7 +1,7 @@
 plugins {
   `java-library`
   `maven-publish`
-  val sigstoreVersion = System.getProperty("sigstore.version") ?: "1.0.0"
+  val sigstoreVersion = System.getProperty("sigstore.version") ?: "1.1.0"
   id("dev.sigstore.sign") version "$sigstoreVersion"
   signing
 }

examples/hello-world/pom.xml

@@ -16,7 +16,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <maven.compiler.release>11</maven.compiler.release>
-    <sigstore.version>1.0.0</sigstore.version>
+    <sigstore.version>1.1.0</sigstore.version>
   </properties>
 
   <build>

gradle.properties

@@ -5,4 +5,4 @@ systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 group=dev.sigstore
 
 # use the ./scripts/update_version.sh script to update all versions
-version=1.1.0
+version=1.2.0

sigstore-gradle/README.md

@@ -15,7 +15,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
 
 ```kotlin
 plugins {
-    id("dev.sigstore.sign") version "1.0.0"
+    id("dev.sigstore.sign") version "1.1.0"
 }
 
 // Automatically sign all Maven publications, using GitHub Actions OIDC when available,

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -44,7 +44,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("1.1.0")
+        sigstoreJavaVersion.convention("1.2.0")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,

sigstore-maven-plugin/README.md

@@ -17,7 +17,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
       <plugin>
         <groupId>dev.sigstore</groupId>
         <artifactId>sigstore-maven-plugin</artifactId>
-        <version>1.0.0</version>
+        <version>1.1.0</version>
         <executions>
           <execution>
             <id>sign</id>