v0.5.0

Important Changes

• Use TUF framework to obtain verification material

What's Changed

• Fuzzing: Add new fuzzers by @arthurscchan in #380
• Fuzzing: Add fuzzers for CertificateEntry and Serialization classes by @arthurscchan in #386
• doc: improve descriptions for Gradle Plugin Portal by @vlsi in #396
• Fix changelog link in GitHub release notes by @szpak in #395
• Exception handling: Wrap illegal state exception by @arthurscchan in #397
• Exception fixing: Add handling for possible empty content for PemObject by @arthurscchan in #394
• Update after 0.4.0 release by @loosebazooka in #393
  @renovate in #403
• Improve readme by @ljacomet in #408
• Allow updaters to init on existing repos by @loosebazooka in #409
• Fuzzing: Add fuzzer for DigitallySigned class by @arthurscchan in #407
• Force convention for URL for HttpMetaFetcher by @loosebazooka in #410
• Use spec-compliant persisted target filenames by @loosebazooka in #411
• Avoid failures on removal of published artifacts by @ljacomet in #416
• don't fail if fuzzOut isn't specified by @loosebazooka in #413
• update links to use CDN-backed endpoints by @bobcallaway in #418
• v1 tuf client by @loosebazooka in #415
• Add initial BYOB-based SLSA-generator by @AdamKorcz in #357
• Add pkix der encoded key parsing by @loosebazooka in #429
• Fix: Fix possible Null Pointer Exception by @arthurscchan in #406
• Add interfaces for sigstore trusted_root by @loosebazooka in #430
• Bump sigstore-conformance to 0.0.4 by @tetsuo-cpp in #436
• Add fuzzer for RekorTypes by @arthurscchan in #437
• Add fuzzer for RekorVerifier by @arthurscchan in #438
• Fixes: Add digest length checking by @arthurscchan in #405
• Fuzzing: Add fuzzer for dev.sigstore.bundle package by @arthurscchan in #431
• Add fuzzers for FulcioVerifier by @arthurscchan in #433
• Separate BundleFuzzer by @arthurscchan in #452
• Handle parse exceptions on raw rekor entry by @loosebazooka in #451
• Remove unused KeylessSigningFuzzer by @arthurscchan in #456
• Small update to the verify example by @jerolimov in #454
• use base google-http-client-bom by @hboutemy in #469
• Upgrade error_prone_core to 2.20.0 by @loosebazooka in #471
  java/pull/470
• Add accessors to trustroot by @loosebazooka in #432
• Fix fuzzing issues by @loosebazooka in #473
• Handle more uncaught runtime exceptions on rekor response by @loosebazooka in #474
• Add validity helpers by @loosebazooka in #476
• Updates before applying tuf to fulcio client by @loosebazooka in #477
• configure fulcio (v2 for now) with trustroot by @loosebazooka in #478
• configure rekor signer (v2 for now) with trustroot by @loosebazooka in #487
• configure rekor verifier (v2 for now) with trustroot by @loosebazooka in #488
• Use tuf cdn, add staging by @loosebazooka in #491
• Handle pkcs1 rsa keys in trsuted_root by @loosebazooka in #493
• fix(deps): update dependency com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin to v1.2.1 by @renovate in #481
• Use tuf to init signer and verifier by @loosebazooka in #492
• Combine all pico cli updates into single renovate PR by @loosebazooka in #503
• Update ValidFor for endpoint inclusion by @loosebazooka in #516
• Add RootProvider by @loosebazooka in #517
• Fix validate SCTs when cert chain is just leaf by @loosebazooka in #520
• Use new TUF based clients by @loosebazooka in #500
• Update conformance tests by @loosebazooka in #521
• Minor update to builder usage by @loosebazooka in #522
• Add some new helpers to Certificates by @loosebazooka in #524
• Add defaults to keylessverificationrequest by @loosebazooka in #526
• Enable tests to query fulcio cert chain by @loosebazooka in #525
• Update signing result to store leaf certs only by @loosebazooka in #523
• Ensure release script and stage-vote-release work by @loosebazooka in #529

New Contributors

• @ljacomet made their first contribution in #408
• @jerolimov made their first contribution in #454
• @hboutemy made their first contribution in #469

Full Changelog: v0.4.0...v0.5.0