Update after 2.0.0-rc2 release

loosebazooka · loosebazooka · commit d434dcc9a7c5 · 2025-10-21T11:52:32.000-04:00
Signed-off-by: Appu Goundan &lt;appu@google.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,16 @@ All versions prior to 1.0.0 are untracked
 
 ## [Unreleased]
 
+# [2.0.0-rc2] - 2025-10-21
+
+## Fixed
+- Fix TUF snapshot version rollback case: https://github.com/sigstore/sigstore-java/pull/1061
+- Fix userAgent string in requests: https://github.com/sigstore/sigstore-java/pull/1066
+- Handle parsing/format failures: https://github.com/sigstore/sigstore-java/pull/1063, https://github.com/sigstore/sigstore-java/pull/1064, https://github.com/sigstore/sigstore-java/pull/1073, https://github.com/sigstore/sigstore-java/pull/1074, https://github.com/sigstore/sigstore-java/pull/1075
+
+## Changed
+- Remove oidc config from gradle plugin: https://github.com/sigstore/sigstore-java/pull/1076
+
 # [2.0.0-rc1] - 2025-08-14
 
 ## Added
diff --git a/build-logic/publishing/build.gradle.kts b/build-logic/publishing/build.gradle.kts
@@ -11,7 +11,7 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.0.0-rc1")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.0.0-rc2")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.3.1")
     implementation("com.gradleup.nmcp:com.gradleup.nmcp.gradle.plugin:1.0.3")
 }
diff --git a/examples/hello-world/build.gradle.kts b/examples/hello-world/build.gradle.kts
@@ -1,7 +1,7 @@
 plugins {
   `java-library`
   `maven-publish`
-  val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.0.0-rc1"
+  val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.0.0-rc2"
   id("dev.sigstore.sign") version "$sigstoreVersion"
   signing
 }
diff --git a/examples/hello-world/pom.xml b/examples/hello-world/pom.xml
@@ -16,7 +16,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <maven.compiler.release>11</maven.compiler.release>
-    <sigstore.version>2.0.0-rc1</sigstore.version>
+    <sigstore.version>2.0.0-rc2</sigstore.version>
   </properties>
 
   <build>
diff --git a/gradle.properties b/gradle.properties
@@ -4,7 +4,7 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m
 group=dev.sigstore
 
 # use the ./scripts/update_version.sh script to update all versions
-version=2.0.0-rc2
+version=2.0.0-rc3
 
 # Kotlin Dokka is experemental, and we want silence the build warning
 org.jetbrains.dokka.experimental.gradle.pluginMode=V2Enabled
diff --git a/sigstore-gradle/README.md b/sigstore-gradle/README.md
@@ -15,7 +15,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
 
 ```kotlin
 plugins {
-    id("dev.sigstore.sign") version "2.0.0-rc1"
+    id("dev.sigstore.sign") version "2.0.0-rc2"
 }
 
 // Automatically sign all Maven publications, using GitHub Actions OIDC when available,
@@ -47,28 +47,9 @@ plugins {
 }
 
 dependencies {
-    // Override sigstore-java clients
+    // Override sigstore-java clients, this may lead to unexpected behavior
     sigstoreClient("dev.sigstore:sigstore-java:<alternate-version>")
 }
-
-sigstoreSign {
-    oidcClient {
-        // oidcClient configuration should very rarely be configured, it should be
-        // inferred from a sigstore deployment's config obtained from a TUF repository
-        // with a default set of ambient credential providers
-        gitHub {
-            audience.set("sigstore")
-        }
-        web {
-            clientId.set("sigstore")
-            issuer.set("https://oauth2.sigstore.dev/auth")
-        }
-        // override the client config to a specific provider
-        client.set(web)
-        // or
-        client(web)
-    }
-}
 ```
 
 ## How to
@@ -147,13 +128,7 @@ Properties:
 Extensions:
 * `sigstoreSign`: `dev.sigstore.sign.SigstoreSignExtension`
 
-  Configures signing parameters
-
-  * `oidcClient`: `dev.sigstore.sign.OidcClientExtension`
-
-    Configures OIDC token source.
-
-    Supported sources: web browser, GitHub Actions.
+  An empty extension that may support configuration in the feature
 
 Configurations:
 * `sigstoreClient`
diff --git a/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt b/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
@@ -46,7 +46,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("2.0.0-rc2")
+        sigstoreJavaVersion.convention("2.0.0-rc3")
     }
 
     fun sign(publications: DomainObjectCollection<Publication>) {
diff --git a/sigstore-maven-plugin/README.md b/sigstore-maven-plugin/README.md
@@ -17,7 +17,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
       <plugin>
         <groupId>dev.sigstore</groupId>
         <artifactId>sigstore-maven-plugin</artifactId>
-        <version>2.0.0-rc1</version>
+        <version>2.0.0-rc2</version>
         <executions>
           <execution>
             <id>sign</id>

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ dependencies {`
`11`	`11`	`implementation(project(":basics"))`
`12`	`12`	`implementation(project(":jvm"))`
`13`	`13`	`implementation("dev.sigstore.build-logic:gradle-plugin")`
`14`		`- implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.0.0-rc1")`
	`14`	`+ implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.0.0-rc2")`
`15`	`15`	`implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.3.1")`
`16`	`16`	`implementation("com.gradleup.nmcp:com.gradleup.nmcp.gradle.plugin:1.0.3")`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`plugins {`
`2`	`2`	`java-library`
`3`	`3`	`maven-publish`
`4`		`- val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.0.0-rc1"`
	`4`	`+ val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.0.0-rc2"`
`5`	`5`	`id("dev.sigstore.sign") version "$sigstoreVersion"`
`6`	`6`	`signing`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ abstract class SigstoreSignExtension(private val project: Project) {`
`46`	`46`	`abstract val sigstoreJavaVersion : Property<String>`
`47`	`47`
`48`	`48`	`init {`
`49`		`- sigstoreJavaVersion.convention("2.0.0-rc2")`
	`49`	`+ sigstoreJavaVersion.convention("2.0.0-rc3")`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`fun sign(publications: DomainObjectCollection<Publication>) {`