Merge pull request #909 from sigstore/post1.3.0

Update after v1.3.0 release

Author: loosebazooka

CHANGELOG.md

@@ -9,6 +9,11 @@ All versions prior to 1.0.0 are untracked
 
 ## [Unreleased]
 
+# [1.3.0] - 2025-02-25
+
+## Added
+- Add support for verifying dsse sigstore bundles https://github.com/sigstore/sigstore-java/pull/855
+
 # [1.2.0] - 2024-12-4
 
 ## Added

README.md

@@ -66,6 +66,14 @@ try {
 }
 ```
 
+#### Verifying DSSE Bundles
+
+sigstore-java doesn't create DSSE bundles yet, but it can verify the signatures over them with the same
+KeylessVerifier workflow detailed above. While sigstore-java inspects the [embedded payload](https://docs.sigstore.dev/about/bundle/#dsse)
+to ensure the provided artifact is a subject in the [in-toto statement](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md)
+it is not able to make any further assertions about the payload. Consumers of DSSE bundles should inspect
+the embedded payload to verify extended attestation data using tools like [slsa-verifier](https://github.com/slsa-framework/slsa-verifier).
+
 ### Exploring the API
 
 The public stable API is limited to [`dev.sigstore.KeylessSigner`](https://javadoc.io/doc/dev.sigstore/sigstore-java/latest/dev/sigstore/KeylessSigner.html) and [`dev.sigstore.KeylessVerifier`](https://javadoc.io/doc/dev.sigstore/sigstore-java/latest/dev/sigstore/KeylessVerifier.html) and the classes exposed by those APIs. Other classes in the library are subject to change without notice.

build-logic/publishing/build.gradle.kts

@@ -10,6 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:1.2.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:1.3.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.3.0")
 }

examples/hello-world/build.gradle.kts

@@ -1,7 +1,7 @@
 plugins {
   `java-library`
   `maven-publish`
-  val sigstoreVersion = System.getProperty("sigstore.version") ?: "1.2.0"
+  val sigstoreVersion = System.getProperty("sigstore.version") ?: "1.3.0"
   id("dev.sigstore.sign") version "$sigstoreVersion"
   signing
 }

examples/hello-world/pom.xml

@@ -16,7 +16,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <maven.compiler.release>11</maven.compiler.release>
-    <sigstore.version>1.2.0</sigstore.version>
+    <sigstore.version>1.3.0</sigstore.version>
   </properties>
 
   <build>

gradle.properties

@@ -5,4 +5,4 @@ systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 group=dev.sigstore
 
 # use the ./scripts/update_version.sh script to update all versions
-version=1.3.0
+version=1.4.0

sigstore-gradle/README.md

@@ -15,7 +15,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
 
 ```kotlin
 plugins {
-    id("dev.sigstore.sign") version "1.2.0"
+    id("dev.sigstore.sign") version "1.3.0"
 }
 
 // Automatically sign all Maven publications, using GitHub Actions OIDC when available,

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -44,7 +44,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("1.3.0")
+        sigstoreJavaVersion.convention("1.4.0")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,

sigstore-maven-plugin/README.md

@@ -17,7 +17,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
       <plugin>
         <groupId>dev.sigstore</groupId>
         <artifactId>sigstore-maven-plugin</artifactId>
-        <version>1.2.0</version>
+        <version>1.3.0</version>
         <executions>
           <execution>
             <id>sign</id>