Merge branch 'main' into key-details

Author: ramonpetgrave64

CHANGELOG.md

@@ -78,6 +78,13 @@ All versions prior to 0.9.0 are untracked.
     Use `SigningContext.from_trust_config()` instead.
     [#1363](https://github.com/sigstore/sigstore-python/pull/1363)
 
+## [3.6.4]
+
+### Fixed
+
+* Bumped the `rfc3161-client` dependency to `>=1.0.3` to fix a security
+  vulnerability ([#1451](https://github.com/sigstore/sigstore-python/pull/1451))
+
 ## [3.6.3]
 
 ### Fixed
@@ -686,7 +693,8 @@ This is a corrective release for [2.1.1].
 
 
 <!--Release URLs -->
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.3...HEAD
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.4...HEAD
+[3.6.4]: https://github.com/sigstore/sigstore-python/compare/v3.6.3...v3.6.4
 [3.6.3]: https://github.com/sigstore/sigstore-python/compare/v3.6.2...v3.6.3
 [3.6.2]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...v3.6.2
 [3.6.1]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1

install/requirements.in

@@ -1 +1 @@
-sigstore==3.6.3
+sigstore==3.6.4

install/requirements.txt

@@ -36,7 +36,7 @@ dependencies = [
   "requests",
   "rich >= 13,< 15",
   "rfc8785 ~= 0.1.2",
-  "rfc3161-client >= 1.0.2,< 1.1.0",
+  "rfc3161-client >= 1.0.3,< 1.1.0",
   # NOTE(ww): Both under active development, so strictly pinned.
   "sigstore-protobuf-specs == 0.4.3",
   "sigstore-rekor-types == 0.0.18",
@@ -62,7 +62,7 @@ lint = [
   "mypy ~= 1.1",
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.
-  "ruff < 0.11.14",
+  "ruff < 0.12.1",
   "types-requests",
   "types-pyOpenSSL",
 ]
@@ -124,7 +124,7 @@ exclude_dirs = ["./test"]
 [tool.ruff.lint]
 extend-select = ["I", "UP"]
 ignore = [
-  "UP007",  # https://github.com/pydantic/pydantic/issues/4146
+  "UP007", # https://github.com/pydantic/pydantic/issues/4146
   "UP011",
   "UP015",
 ]

pyproject.toml

@@ -25,4 +25,4 @@
 * `sigstore.sign`: creation of Sigstore signatures
 """
 
-__version__ = "3.6.3"
+__version__ = "3.6.4"

sigstore/__init__.py

@@ -22,7 +22,7 @@
 import sys
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Any, NoReturn, Optional, TextIO, Union
+from typing import Any, NoReturn, TextIO, Union
 
 from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.x509 import load_pem_x509_certificate
@@ -76,9 +76,9 @@
 
 @dataclass(frozen=True)
 class SigningOutputs:
-    signature: Optional[Path] = None
-    certificate: Optional[Path] = None
-    bundle: Optional[Path] = None
+    signature: Path | None = None
+    certificate: Path | None = None
+    bundle: Path | None = None
 
 
 @dataclass(frozen=True)
@@ -1178,7 +1178,7 @@ def _get_trust_config(args: argparse.Namespace) -> ClientTrustConfig:
 
 def _get_identity(
     args: argparse.Namespace, trust_config: ClientTrustConfig
-) -> Optional[IdentityToken]:
+) -> IdentityToken | None:
     token = None
     if not args.oidc_disable_ambient_providers:
         token = detect_credential(args.oidc_client_id)

sigstore/_cli.py

@@ -27,7 +27,7 @@
 import urllib.parse
 import uuid
 from types import TracebackType
-from typing import Any, Optional, cast
+from typing import Any, cast
 
 from id import IdentityError
 
@@ -224,7 +224,7 @@ class _OAuthRedirectServer(http.server.HTTPServer):
     def __init__(self, client_id: str, client_secret: str, issuer: Issuer) -> None:
         super().__init__(("localhost", 0), _OAuthRedirectHandler)
         self.oauth_session = _OAuthSession(client_id, client_secret, issuer)
-        self.auth_response: Optional[dict[str, list[str]]] = None
+        self.auth_response: dict[str, list[str]] | None = None
         self._is_out_of_band = False
 
     @property

sigstore/_internal/oidc/oauth.py

@@ -23,7 +23,7 @@
 import logging
 from abc import ABC
 from dataclasses import dataclass
-from typing import Any, Optional
+from typing import Any
 
 import rekor_types
 import requests
@@ -108,9 +108,7 @@ class RekorEntries(_Endpoint):
     Represents the individual log entry endpoints on a Rekor instance.
     """
 
-    def get(
-        self, *, uuid: Optional[str] = None, log_index: Optional[int] = None
-    ) -> LogEntry:
+    def get(self, *, uuid: str | None = None, log_index: int | None = None) -> LogEntry:
         """
         Retrieve a specific log entry, either by UUID or by log index.
 
@@ -168,7 +166,7 @@ class RekorEntriesRetrieve(_Endpoint):
     def post(
         self,
         expected_entry: rekor_types.Hashedrekord | rekor_types.Dsse,
-    ) -> Optional[LogEntry]:
+    ) -> LogEntry | None:
         """
         Retrieves an extant Rekor entry, identified by its artifact signature,
         artifact hash, and signing certificate.
@@ -192,7 +190,7 @@ def post(
         # We select the oldest entry for our actual return value,
         # since a malicious actor could conceivably spam the log with
         # newer duplicate entries.
-        oldest_entry: Optional[LogEntry] = None
+        oldest_entry: LogEntry | None = None
         for result in results:
             entry = LogEntry._from_response(result)
             if (

sigstore/_internal/rekor/client.py

@@ -25,7 +25,7 @@
 from datetime import datetime, timezone
 from enum import Enum
 from pathlib import Path
-from typing import ClassVar, NewType, Optional
+from typing import ClassVar, NewType
 
 import cryptography.hazmat.primitives.asymmetric.padding as padding
 from cryptography.exceptions import InvalidSignature
@@ -109,7 +109,7 @@ class Key:
     Represents a key in a `Keyring`.
     """
 
-    hash_algorithm: Optional[hashes.HashAlgorithm]
+    hash_algorithm: hashes.HashAlgorithm | None
     key: PublicKey
     key_id: KeyID
 
@@ -136,7 +136,7 @@ def __init__(self, public_key: _PublicKey) -> None:
         if not public_key.raw_bytes:
             raise VerificationError("public key is empty")
 
-        hash_algorithm: Optional[hashes.HashAlgorithm]
+        hash_algorithm: hashes.HashAlgorithm | None
         if public_key.key_details in self._RSA_SHA_256_DETAILS:
             hash_algorithm = hashes.SHA256()
             key = load_der_public_key(public_key.raw_bytes, types=(rsa.RSAPublicKey,))

sigstore/_internal/trust.py

@@ -54,7 +54,7 @@ class Subject(BaseModel):
     A single in-toto statement subject.
     """
 
-    name: Optional[StrictStr]
+    name: Optional[StrictStr]  # noqa: UP045
     digest: DigestSet = Field(...)
 
 
@@ -68,7 +68,7 @@ class _Statement(BaseModel):
     type_: Literal["https://in-toto.io/Statement/v1"] = Field(..., alias="_type")
     subjects: list[Subject] = Field(..., min_length=1, alias="subject")
     predicate_type: StrictStr = Field(..., alias="predicateType")
-    predicate: Optional[dict[str, Any]] = Field(None, alias="predicate")
+    predicate: Optional[dict[str, Any]] = Field(None, alias="predicate")  # noqa: UP045
 
 
 class Statement:
@@ -134,9 +134,9 @@ class StatementBuilder:
 
     def __init__(
         self,
-        subjects: Optional[list[Subject]] = None,
-        predicate_type: Optional[str] = None,
-        predicate: Optional[dict[str, Any]] = None,
+        subjects: list[Subject] | None = None,
+        predicate_type: str | None = None,
+        predicate: dict[str, Any] | None = None,
     ):
         """
         Create a new `StatementBuilder`.