Releases: in-toto/in-toto

v3.0.0

14 May 15:01
v3.0.0
659942b

See CHANGELOG.md for details.

v2.3.0

10 Apr 19:19
v2.3.0
d6e78aa

See CHANGELOG.md for details.

v2.2.0

11 Jan 14:54
v2.2.0
0c1a97f

See CHANGELOG.md for details.

v2.1.1

13 Sep 18:32
v2.1.1
3bb4dd8

Changed

  • Default type for CLI arg --run-timeout to avoid type mismatch (#626)
  • Dependency update (#627)

v2.1.0

07 Sep 16:27
v2.1.0
0b3c3d2

Added

  • CLI argument to control command execution timeout (#605)
  • ITE-4 resolver for directories ("dirHash", #590)

Changed

Removed

  • AppVeyor test configuration (#598)

v2.0.0

10 May 18:55
v2.0.0
3467cd9

This release includes breaking changes such as the removal of the user_settings module and changes to exceptions raised during artifact recording. Additionally, it incorporates changes for issues captured in security advisories GHSA-p86f-xmg6-9q4x, GHSA-jjgp-whrp-gq8m, and GHSA-wc64-c5rv-32pf, the last of which has been assigned CVE-2023-32076.

Added

  • Generic interface for ITE-4 resolvers (#584)
  • ITE-4 resolver for OSTree repositories (#585)
  • Warning when --bits is used with non-RSA keys in in-toto-keygen (#588)
  • Support for GitHub's security reporting feature (#567)
  • Tool to check local artifacts against in-toto link metadata
    (#589, GHSA-p86f-xmg6-9q4x)
  • Testing in CI for Python 3.11 (#594)

Changed

  • Recording of file hashes to use ITE-4 file resolver (#584)
  • Exceptions returned to Python defaults when recording file artifacts (#592)
  • Documentation about in-toto governance to reflect project changes (#591)
  • Code style to use black + isort, includes update to codebase to conform (#593)
  • Verification documentation to reflect how PGP trust model is used
    (GHSA-jjgp-whrp-gq8m)

Removed

  • Support for user_settings module that enabled configuring in-toto via RC files
    and environment variables (GHSA-wc64-c5rv-32pf)

v1.4.0

26 Apr 14:08
v1.4.0
978f430

Added

  • Support for DSSE in metadata generation tools (#503, #577)
  • Ability to set command, byproducts, environment in the in_toto_record APIs (#564)

Changed

  • Various dependency updates and dependabot changes
  • Simplified link threshold check (#573)

v1.3.2

15 Mar 08:11
v1.3.2
c07afeb

Added

  • Moved subprocess execution wrapper to in-toto from securesystemslib (#544)
  • Support for in-toto flavoured GPGSigner and GPGKey for use with securesystemslib's new signer API (#538)
  • Acknowledgement to Purdue University (#526)

Changed

  • Invocation of bandit linter (#541)
  • Link to in-toto specification in README (#551)
  • Dependency updates (#543, #549)

v1.3.1

01 Feb 15:29
v1.3.1
341db48

Fixed

  • Includes tests in source distribution

v1.3.0

30 Jan 09:03
v1.3.0
ea4f5f3

Added

  • ECDSA key type in CLI (#520)
  • Windows builds in GitHub Actions CI (#513)
  • Dependabot version monitoring for GitHub Actions (#498)

Changed

Removed

  • Obsolete test dependency (#521)