Releases: gittuf/gittuf

v0.4.0

07 May 22:07 (commit 232289e)

This release of gittuf includes some significant changes under the hood. Most notably, gittuf now supports thresholds for protection rules as well as for policy metadata, via the policy-staging feature. This release also marks the start of our dogfooding of gittuf: it is the first gittuf release whose tag you can verify using gittuf itself (gittuf verify-ref --verbose v0.4.0)!

Changelog

  • Added support for policy-staging for sequential signing of metadata to meet a threshold
  • Added support for minimum required signatures for rules
  • Added support for profiling with pprof
  • Added --from-entry to verify-ref
  • Added debug statements for --verbose flag
  • Added caching of verifiers for each verified namespace (reference or file path) to avoid repeated searches of the same policy state
  • Added separated add-rule and update-rule workflows for policy
  • Added dogfooding plan
  • Added CI workflows for phase 1 of dogfooding
  • Added OpenSSF Scorecard for the repository
  • Updated policy to require each rule name to be unique across all rule files
  • Updated file rules verification to use same policy as branch protection rules verification
  • Updated reference authorization attestations to use the merge tree for the change being authorized
  • Updated design document with definitions and a diagram
  • Updated tag verification to check the tag's RSL entry points to either the tag object or the tag's target object
  • Updated roadmap to indicate status for each item
  • Updated minimum Go version to 1.22
  • Updated pointer to gittuf community details
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @neilnaveen, @naveensrinivasan, @patzielinski, @spectre10, @inosmeet, @webchick, @nealmcb, @JustinCappos, @wlynch, and @adityasaky. And of course, we've had many a dependency update courtesy of @dependabot.

v0.3.0

17 Jan 19:39 (commit 10f695a)

gittuf's third alpha release adds support for verifying SSH Git signatures, among other things. Note that verify-ref has been updated with a breaking change: it now performs full verification by default.

Changelog

  • Added check to prevent duplicate RSL entries for the same ref and target
  • Added a formal developer mode for new early-stage gittuf features
  • Added early support for attestations with one type for approving reference changes (developer mode only)
  • Added support for gittuf-specific Git hooks with a pre-push hook to fetch / create / push RSL entries
  • Updated verify-ref to perform full verification by default (BREAKING CHANGE)
  • Updated identification of trusted keys in policy to support varying threshold values between delegations
  • Added verification tests for delegated policies
  • Added root key management commands to the CLI
  • Added command to list rules in gittuf policy
  • Added support for standard encoding of private and public keys
  • Added support for verifying SSH Git commit and tag signatures
  • Added check for cycles when walking policy graph during verification
  • Added autogenerated CLI docs
  • Removed file rule verification when no file rules exist in the policy for efficiency
  • Added command to sign existing policy file with no other changes
  • Added get started guide and gittuf logo to docs
  • Removed CLI usage message for gittuf errors
  • Updated various dependencies

Contributors

This release includes work by @datosh, @neilnaveen, @naveensrinivasan, @JustinCappos, @wlynch, and @adityasaky. We continue to be grateful to @dependabot for keeping our dependencies updated.

v0.2.0

14 Dec 03:34 (commit 7f163b8)

gittuf remains in alpha with this release, so please do not use it in a production repository or system.

Changelog

  • Added support to RSL to find unskipped entries
  • Added Get* functions to gitinterface to compartmentalize choice of Git library
  • Added support in RSL and policy functions for RSL annotation entries
  • Added recovery mode for policy verification workflow
  • Added go fmt as Makefile target
  • Updated length of refspecs slice to account for doubled entries
  • Added support for merge commits in gitinterface
  • Updated CLI to check if Git signing is viable to abort early
  • Fixed bug in CLI that required an unnecessary signing key argument
  • Fixed clone's ability to handle trailing slashes
  • Improved testing of policy verification for delegations
  • Added plumbing for better logging
  • Updated various dependencies
  • Updated installation instructions to include Sigstore verification of binaries

Contributors

This release includes work by @neilnaveen, @patzielinski, @spectre10, @datosh, @JustinCappos, @wlynch, and @adityasaky. We are also grateful for @dependabot's benevolence.

v0.1.0

26 Oct 15:40 (commit d6cc3af)

This is gittuf's first release! gittuf is still in alpha, so please do not use it in a production repository or system.

Changelog

  • Implemented reference state log (RSL)
  • Added support for Git reference policies using RSL entry signatures
  • Added support for file policies using commit signatures
  • Added support for basic gittuf sync operations

Contributors

This release is possible because of the work by @wlynch, @JustinCappos, @reza-curtmola, @jsoref, @patzielinski, and @adityasaky. We also thank our bot overlord, @dependabot.