Skip to content

Bump sigstore from 4.0.0 to 4.2.0#338

Merged
hugovk merged 1 commit into
mainfrom
dependabot/pip/sigstore-4.2.0
Jul 7, 2026
Merged

Bump sigstore from 4.0.0 to 4.2.0#338
hugovk merged 1 commit into
mainfrom
dependabot/pip/sigstore-4.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jan 26, 2026

Copy link
Copy Markdown
Contributor

Bumps sigstore from 4.0.0 to 4.2.0.

Release notes

Sourced from sigstore's releases.

v4.2.0

This release fixes a minor security issue in OIDC authentication and a compatibility issue with Fulcio Signed Certificate Timestamps. All users are recommended to upgrade.

Fixed

  • Add state validation to OIDC flow to prevent Cross-site request forgery during OIDC authorization (GHSA-hm8f-75xx-w2vr)
  • verification now ensures that artifact digest documented in bundle and the real digest match (this is a bundle consistency check: bundle signature was always verified over real digest) (#1652)
  • Fix issue with Signed Certificate Timestamp parsing where extensions were not allowed by sigstore-python (1657, 1659)

Changed

  • Update supported public key algorithms (#1604)
  • trust: Update embedded TUF root (#1589)

Removed

  • Removed support for Python 3.9 as it is end-of-life (#1645)
  • Removed unused nonce in Oauth flow (#1649)

v4.1.0

Added

  • cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

  • Added cryptography 46 to list of compatible cryptography releases (#1544)
  • Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

  • cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553
Changelog

Sourced from sigstore's changelog.

[4.2.0]

Fixed

  • Add state validation to OIDC flow to prevent Cross-site request forgery during OIDC authorization (GHSA-hm8f-75xx-w2vr)
  • verification now ensures that artifact digest documented in bundle and the real digest match (this is a bundle consistency check: bundle signature was always verified over real digest) (#1652)
  • Fix issue with Signed Certificate Timestamp parsing where extensions were not allowed by sigstore-python (1657, 1659)

Changed

  • Update supported public key algorithms (#1604)
  • trust: Update embedded TUF root (#1589)

Removed

  • Removed support for Python 3.9 as it is end-of-life (#1645)
  • Removed unused nonce in Oauth flow (#1649)

[4.1.0]

Added

  • cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

  • Added cryptography 46 to list of compatible cryptography releases (#1544)
  • Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

  • cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553
Commits
  • 94818e4 Release 4.2 (#1670)
  • 5e77497 Merge commit from fork
  • ae9caa7 build(deps-dev): update ruff requirement from <0.14.14 to <0.14.15 (#1668)
  • b1e5095 build(deps): bump github/codeql-action in the actions group (#1669)
  • f5feace build(deps): bump the actions group with 2 updates (#1666)
  • 802f96b build(deps): bump sigstore/sigstore-conformance from 0.0.24 to 0.0.25 in the ...
  • 4ba9ca3 build(deps): bump pyasn1 from 0.6.1 to 0.6.2 (#1662)
  • 409fadb build(deps-dev): update ruff requirement from <0.14.13 to <0.14.14 (#1663)
  • b1ef51c build(deps-dev): update ruff requirement from <0.14.12 to <0.14.13 (#1658)
  • e6cc009 Include SCT extension in signature data (#1659)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jan 26, 2026
@hugovk

hugovk commented Jan 26, 2026

Copy link
Copy Markdown
Member

There's a 3.6.7 we could instead:

https://github.com/sigstore/sigstore-python/releases/tag/v3.6.7

@dependabot dependabot Bot force-pushed the dependabot/pip/sigstore-4.2.0 branch from 1f02cc5 to e484530 Compare January 27, 2026 08:41
@hugovk

hugovk commented Jan 27, 2026

Copy link
Copy Markdown
Member

@dependabot ignore this major version

@dependabot dependabot Bot closed this Jan 27, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jan 27, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you about version 4.x.x again, unless you re-open this PR.

@dependabot dependabot Bot deleted the dependabot/pip/sigstore-4.2.0 branch January 27, 2026 09:52
@hugovk hugovk mentioned this pull request Jan 27, 2026
@hugovk

hugovk commented Jul 7, 2026

Copy link
Copy Markdown
Member

@dependabot reopen

We've updated to sigstore 4.0 #289 and are ready for new ones, thank you.

@hugovk hugovk restored the dependabot/pip/sigstore-4.2.0 branch July 7, 2026 21:16
@hugovk hugovk reopened this Jul 7, 2026
@hugovk

hugovk commented Jul 7, 2026

Copy link
Copy Markdown
Member

@dependabot recreate

Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 4.0.0 to 4.2.0.
- [Release notes](https://github.com/sigstore/sigstore-python/releases)
- [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/sigstore-python@v4.0.0...v4.2.0)

---
updated-dependencies:
- dependency-name: sigstore
  dependency-version: 4.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump sigstore from 3.6.5 to 4.2.0 Bump sigstore from 4.0.0 to 4.2.0 Jul 7, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/sigstore-4.2.0 branch from e484530 to 8772683 Compare July 7, 2026 21:17
@hugovk

hugovk commented Jul 7, 2026

Copy link
Copy Markdown
Member

sigstore 4.3.0 and 4.4.0 are also out, but the seven-day cooldown is doing its job 👍

https://pypi.org/project/sigstore/#history

@hugovk hugovk merged commit b7c5cd8 into main Jul 7, 2026
33 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/sigstore-4.2.0 branch July 7, 2026 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants