Model signing 1.1.1

This release follows v1.1.0 to fix a significant API bug that was not caught in time for that release. Please make sure to also consult the release notes for v1.1.0

Fixed

• Fixed a bug where the API with default signing configuration results in an error due to a type confusion (#545)

Model signing 1.1.0

This release extends support for more signing methods and more hashing algorithms, makes the library and CLI more customizabile, with more informative errors. We also fix several cornercase bugs and add support for telemetry and minimal docker containers.

The release is also important due to migrating to sigstore-4.0.0, which has some breaking changes. There are no breaking changes in model-signing between 1.1.0 and 1.0.1, so we only bump the minor number.

Added

• Added support for signing with PKCS #11 devices (#411), as an optional dependency (#494).
• Added support for signing and verifying using private Sigstore instances via the --trust_config option (#460).
• Added support for the --oauth_force_oob option for the signing CLI flow (#471).
• Added support for specifying --client_id and --client_secret for OIDC authentication with custom OAuth clients (#475).
• Surfaced the --allow_symlinks option to the CLI and library API (#486).
• Implemented public key identifier hash matching for bundle verification (#493).
• Added warning for older verification material formats (e.g., raw public key bytes) during verification, recommending re-signing (#493).
• Added more informative signature mismatch errors: The ValueError raised during model verification when a signature mismatch occurs now includes detailed information about what caused the signature verification to fail (#495).
• Created a new, minimal container image. This variant excludes optional dependencies (like OTel and PKCS#11) to reduce footprint, focusing solely on core signing and verification mechanisms (#499).
• Added support for --ignore_unsigned_files option in CLI to ignore files that are not part of the manifest but are still present in the model directory (#501).
• Added support to trace sign and verify operations using OpenTelemetry (#503).
• The library was migrated to require at least v4.0.0 of sigstore due to breaking changes in that library (#532). There are no breaking changes within the library itself, as these changes should be transparent to the users.
• The sigstore_protobuf_specs dependency was replaced with sigstore_models due to the same changes in sigstore-4.0.0 (#533). These changes should also be transparent to the users.
• Added support for BLAKE3 hashing (#538).

Changed

• Adjusted model name when signing and verifying when model_path is current directory (#452).
• Recorded files in signature that were ignored when signature was created and added ability to automatically ignore those files when verifying signature (#462).
• The Sigstore signer was changed to be lazily initialized to avoid network calls when not using it (#467).
• Logging was migrated to only be enabled when the user asks to log the certificate fingerprints (#472).

Fixed

• Fixed bugs related to using model_path='.' in the signature, as well as other issues related to file paths (#452).
• Fixed handling of certificate that has no KeyUsage (#457).
• Fixed bug related to ignoring git files (#462).
• Fixed handling of ignored files in the sharded file hasher (#465).
• Fixed handling of path resulting from certificates returned from certify API (#468).
• Fixed deserialization bug related to optional values in protobuf API for keyid (#490).

Model signing 1.0.1

This patch release mainly solve a bug in CLI and adds back support for verifying experimental v0.2 style signatures that have gone to production systems, replicating existing bugs at the time these signatures were generated.

Added

• Added support for pre v1.0 signatures used in production. This is only provided for verification and replicates the experimental behavior at v0.2, bug for bug.
• Added support for displaying fingerprints of certificates when using signing certificates

Fixed

• Fix bug in CLI scripts where even if signature verification failed, the script would also output that verification passed and exit with success error code.
• Docker containers wrapping around the CLI have been changed to support the updated CLI

Full Changelog: v1.0.0...v1.0.1

Model signing 1.0

This is the first stable release of model_signing, with a stable, backwards compatible API, a clean CLI and a well defined signature scheme.

Demo notebook shows both the API and the CLI usage.

v0.3.1

Fixes a few bugs discovered while testing the API.

What's Changed

• Wrap the CLI around the API. by @mihaimaruseac in #417
• Fix type of signature that gets read. by @mihaimaruseac in #418
• Simplify ignoring git paths by @mihaimaruseac in #419
• Don't use ambient credentials by default. by @mihaimaruseac in #420
• Use os.PathLike instead of pathlib.Path in API by @mihaimaruseac in #423
• Auto-detect hashing configuration on verification. by @mihaimaruseac in #424
• Prepare for a patch version. by @mihaimaruseac in #421

Full Changelog: v0.3.0...v0.3.1

v0.3.0

This is a testing release before the 1.0 release.

What's Changed

• add chunk size experiment by @spencerschrock in #341
• fix: forward args to containerized cli by @miyunari in #345
• fix: grant release job pkg write permission by @miyunari in #347
• change default chunk size to 1 MB by @spencerschrock in #342
• small bugfix do not indicate wrong results by @susperius in #348
• bench: return the intoto payload if requested by @spencerschrock in #349
• add shard benchmark experiment by @spencerschrock in #356
• change default shard size to 1GB by @spencerschrock in #357
• fix: ensure verify terminates on model validation failure by @miyunari in #352
• arg parsing bugfix by @susperius in #362
• PKI verifier behavior change and bugfix by @susperius in #365
• [cleanup] Remove obsolete TODO by @mihaimaruseac in #366
• remove _FileDigestTree from serialize_by_file.DigestSerializer by @spencerschrock in #364
• address zizmor findings in CI definitions by @bobcallaway in #369
• Make the package executable. by @mihaimaruseac in #375
• cli: Add support for ignoring paths when signing or verifying by @stefanberger in #373
• Remove duplicated conversions, use generic types. by @mihaimaruseac in #376
• Remove artifact signing, keep only DDSE/in-toto. by @mihaimaruseac in #377
• Make default Python version be 3.12 by @mihaimaruseac in #378
• Add a binary script for the CLI. by @mihaimaruseac in #380
• Fix typo, add space by @mihaimaruseac in #384
• Split the public API into three modules. by @mihaimaruseac in #381
• Don't ignore md files in CI for model signing. by @mihaimaruseac in #389
• README: Adjust examples to use -m model_signing now by @stefanberger in #387
• Make hashing private and with consistent comments. by @mihaimaruseac in #388
• ECKeySigner: Filter keys by supported curves and use their parameters by @stefanberger in #390
• Simplify manifest interface by @mihaimaruseac in #391
• Make manifest public again. by @mihaimaruseac in #392
• Simplify and make serialization private by @mihaimaruseac in #393
• Reduce verbosity in file hashing by @mihaimaruseac in #395
• Remove test-only dead code. by @mihaimaruseac in #396
• Remove one level of class hierarchy. by @mihaimaruseac in #397
• Remove unused intoto formats. by @mihaimaruseac in #398
• Fold payload classes up the class hierarchy by @mihaimaruseac in #399
• Only run SLSA CI for SLSA related changes. by @mihaimaruseac in #400
• codestyle: Reformat files with 'ruff format' by @stefanberger in #404
• cli: add --use_staging option to verify sigstore by @spencerschrock in #405
• Give descriptive names to test models. by @mihaimaruseac in #406
• setup workflow to sign and verify on different OS by @spencerschrock in #403
• Change to new format for the signing payload by @mihaimaruseac in #407
• Rename SigningPayload and remove static method by @mihaimaruseac in #408
• Simplify payload to manifest transformation by @mihaimaruseac in #409
• add round-trip test for intoto signature files by @spencerschrock in #412
• Merge signing and signature and fix multiple bugs with the traditional signing support by @mihaimaruseac in #413
• Renames to simplify the API by @mihaimaruseac in #415
• Minor bump to allow API testing in colab. by @mihaimaruseac in #394
• Make the API fully configurable by @mihaimaruseac in #416

New Contributors

• @stefanberger made their first contribution in #373

Full Changelog: v0.2.0...v0.3.0

v0.2.0

What's Changed

• Added sigstore signing integration test (#324)
• Created CLI containers (#329, #333, #334)
• Added support for Python 3.9 (#338)

New Contributors

• @miyunari made their first contribution in #329

Full Changelog: v0.1.1...v0.2.0

v0.1.1

What's Changed

• Fixes a concurrency bug from the v0.1.0 release (#326 )

Full Changelog: v0.1.0...v0.1.1

v0.1.0

What's Changed

• Added support to signing with Sigstore in CLI (#310)
• Added support for using an existing Sigstore OIDC token (#319, #320)
• Added support for Python 3.13, starting window of support for 4 latest Python versions (#313)
• Added a high level API with semver-based stability guarantees (#323)

New Contributors

• @font made their first contribution in #308

Full Changelog: v0.0.2a...v0.1.0