This is an automated email from the ASF dual-hosted git repository.

cstamas pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-resolver.git


The following commit(s) were added to refs/heads/master by this push:
     new 2b9058f3b Update to SigStore 2.0.0 (#1685)
2b9058f3b is described below

commit 2b9058f3b5b70083882e428ebf3e49bb92695761
Author: Tamas Cservenak <[email protected]>
AuthorDate: Mon Nov 24 15:03:52 2025 +0100

    Update to SigStore 2.0.0 (#1685)
    
    Bumps [dev.sigstore:sigstore-java](https://github.com/sigstore/sigstore-java) from 1.3.0 to 2.0.0.
    
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a href="https://github.com/sigstore/sigstore-java/releases">dev.sigstore:sigstore-java's releases</a>.</em></p>
    <blockquote>
    <h2>v2.0.0</h2>
    <p>See <a href="https://github.com/sigstore/sigstore-java/blob/main/CHANGELOG.md">CHANGELOG.md</a> for more details.</p>
    <h2>v2.0.0-rc2</h2>
    <p>See <a href="https://github.com/sigstore/sigstore-java/blob/main/CHANGELOG.md">CHANGELOG.md</a> for more details.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>Updates after 2.0.0-rc1 release by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1050">sigstore/sigstore-java#1050</a></li>
    <li>Update README.md by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1051">sigstore/sigstore-java#1051</a></li>
    <li>Update google-github-actions/get-secretmanager-secre [...]
    <li>tuf Updater: fix snapshot version rollback case by <a href="https://github.com/jku"><code>@jku</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1061">sigstore/sigstore-java#1061</a></li>
    <li>cli: Add working directory and enable Rekor v2 by <a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1062">sigstore/sigstore-java#1062</a></li>
    <li>Use HTTP server for TUF conformance testing by <a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1045">sigstore/sigstore-java#1045</a></li>
    <li>ref: Simplify hashedrekord and DSSE parsing exceptions by <a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1064">sigstore/sigstore-java#1064</a></li>
    <li>fix: Reject unsupported DSSE version by <a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1063">sigstore/sigstore-java#1063</a></li>
    <li>Fix userAgent string in requests by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1066">sigstore/sigstore-java#1066</a></li>
    <li>Add Rekor v2 types to RekorTypes by <a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1073">sigstore/sigstore-java#1073</a></li>
    <li>Handle null inputs parsing rekor entry  [...]
    <li>chore(deps): update sigstore/community digest to d7264e2 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1067">sigstore/sigstore-java#1067</a></li>
    <li>chore(deps): update google-github-actions/auth action to v2.1.13 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1068">sigstore/sigstore-java#1068</a></li>
    <li>chore(deps): update gradle/actions action to v4.4.3 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1070">sigstore/sigstore-java#1070</a></li>
    <li>chore(deps): update google-github-actions/get-secretmanager-secrets action to v2.2.5 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1069">sigstore/sigstore-java#1069</a></li>
    <li>chore(deps): update sigstore/sigstore-conformance action to v0.0.20 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1071">sigstore/sigstore-java#1071</a></li>
    <li>fix(deps): update jetty monorepo to v11.0.26 - autoclosed by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1072">sigstore/sigstore-java#1072</a></li>
    <li>chore(deps): update sigstore/sigstore-conformance action to v0.0.21 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1078">sigstore/sigstore-java#1078</a></li>
    <li>chore(deps): update sigstore/community digest to f539f57 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1077">sigstore/sigstore-java#1077</a></li>
    <li>fix(deps): update dependency com.google.code.gson:gson to v2.13.2 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1079">sigstore/sigstore-java#1079</a></li>
    <li>fix(deps): update dependency org.assertj:assertj-core to v3.27.6 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1080">sigstore/sigstore-java#1080</a></li>
    <li>chore(deps): update actions/checkout action to v4.3.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1081">sigstore/sigstore-java#1081</a></li>
    <li>chore(deps): update dependency go to 1.25.x by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1082">sigstore/sigstore-java#1082</a></li>
    <li>remove oidc config from gradle plugin by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1076">sigstore/sigstore-java#1076</a></li>
    <li>fix(deps): update dependency com.google.guava:guava to v33.5.0-jre by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1090">sigstore/sigstore-java#1090</a></li>
    <li>fix(deps): update dependency com.google.errorprone:error_prone_core to v2.42.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1089">sigstore/sigstore-java#1089</a></li>
    <li>fix(deps): update bouncycastle to v1.82 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1087">sigstore/sigstore-java#1087</a></li>
    <li>chore(deps): update sigstore/community digest to f09be1d by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1085">sigstore/sigstore-java#1085</a></li>
    <li>chore(deps): update gradle/actions action to v4.4.4 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1086">sigstore/sigstore-java#1086</a></li>
    <li>fix(deps): update dependency com.code-intelligence:jazzer-api to v0.26.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1088">sigstore/sigstore-java#1088</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/jku"><code>@jku</code></a> made their first contribution in <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1061">sigstore/sigstore-java#1061</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a href="https://github.com/sigstore/sigstore-java/compare/v2.0.0-rc1...v2.0.0-rc2">https://github.com/sigstore/sigstore-java/compare/v2.0.0-rc1...v2.0.0-rc2</a></p>
    <!-- raw HTML omitted -->
    </blockquote>
    <p>... (truncated)</p>
    </details>
    <details>
    <summary>Changelog</summary>
    <p><em>Sourced from <a href="https://github.com/sigstore/sigstore-java/blob/main/CHANGELOG.md">dev.sigstore:sigstore-java's changelog</a>.</em></p>
    <blockquote>
    <h1>Changelog</h1>
    <p>All notable changes to <code>sigstore-java</code> will be documented in this file.</p>
    <p>The format is based on <a href="https://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>.</p>
    <p>All versions prior to 1.0.0 are untracked</p>
    <h2>[Unreleased]</h2>
    <h1>[2.0.0-rc2] - 2025-10-21</h1>
    <h2>Fixed</h2>
    <ul>
    <li>Fix TUF snapshot version rollback case: <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1061">sigstore/sigstore-java#1061</a></li>
    <li>Fix userAgent string in requests: <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1066">sigstore/sigstore-java#1066</a></li>
    <li>Handle parsing/format failures: <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1063">sigstore/sigstore-java#1063</a>, <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1064">sigstore/sigstore-java#1064</a>, <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1073">sigstore/sigstore-java#1073</a>, <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1074">sigstore/sigstore-java#1074</a>, <a href="https://redirect.github.com/ [...]
    </ul>
    <h2>Changed</h2>
    <ul>
    <li>Remove oidc config from gradle plugin: <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1076">sigstore/sigstore-java#1076</a></li>
    </ul>
    <h1>[2.0.0-rc1] - 2025-08-14</h1>
    <h2>Added</h2>
    <ul>
    <li>Add support for rekor v2 logs <a href="https://redirect.github.com/sigstore/sigstore-java/pull/990">sigstore/sigstore-java#990</a>, <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1016">sigstore/sigstore-java#1016</a>, <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1017">sigstore/sigstore-java#1017</a>, <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1008">sigstore/sigstore-java#1008</a>, <a href="https://redirect.github.com/sigs [...]
    <h2>Fixed</h2>
    <ul>
    <li>Fixed windows support <a href="https://redirect.github.com/sigstore/sigstore-java/pull/974">sigstore/sigstore-java#974</a></li>
    <li>Parsing json with unknown fields <a href="https://redirect.github.com/sigstore/sigstore-java/pull/966">sigstore/sigstore-java#966</a></li>
    </ul>
    <h2>Changed</h2>
    <ul>
    <li>Users can no longer specify signer object in KeylessSigner, use Algorithm Registry instead <a href="https://redirect.github.com/sigstore/sigstore-java/pull/1027">sigstore/sigstore-java#1027</a></li>
    <li>Users with custom sigstore infrastructure deployments must specify a SigningConfig to configure the KeylessSigner, individual urls for infrastructure pieces are removed <a href="https://redirect.github.com/sigstore/sigstore-java/pull/956">sigstore/sigstore-java#956</a>, <a href="ht [...]
    </blockquote>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a href="https://github.com/sigstore/sigstore-java/commit/411721f4879abebd95bd9ab6ed3724366b13cdce"><code>411721f</code></a> Merge pull request <a href="https://redirect.github.com/sigstore/sigstore-java/issues/1117">#1117</a> from sigstore/prep200</li>
    <li><a href="https://github.com/sigstore/sigstore-java/commit/735ab1056e88f474579cc658ea74030bf530acb6"><code>735ab10</code></a> Prepare for 2.0.0</li>
    <li><a href="https://github.com/sigstore/sigstore-java/commit/69cbe67ce5db4c847 [...]
    <li><a href="https://github.com/sigstore/sigstore-java/commit/0ffa58e20401d1a54fac65b4882fc9ad062621a0"><code>0ffa58e</code></a> docs: Update Maven Central badge URL in README</li>
    <li><a href="https://github.com/sigstore/sigstore-java/commit/da48db2ef95a79b7a174a1fb2b2570eb21f7a632"><code>da48db2</code></a> Merge pull request <a href="https://redirect.github.com/sigstore/sigstore-java/issues/1109">#1109</a> from jku/run-tuf-conformance-in-parallel</li>
    <li><a href="https://github.com/sigstore/sigstore-java/commit/6c1941340c1707ff491f22777c23fa8758686c68"><code>6c19413</code></a> workflows: Run conformance in parallel</li>
    <li><a href="https://github.com/sigstore/sigstore-java/commit/11c2d22773705dc89d8fb2a1346e5e6fff113abd"><code>11c2d22</code></a> Merge pull request <a href="https://redirect.github.com/sigstore/sigstore-java/issues/1111">#1111</a> from sigstore/jetty-12</li>
    <li>Additional commits viewable in <a href="https://github.com/sigstore/sigstore-java/compare/v1.3.0...v2.0.0">compare view</a></li>
    </ul>
    </details>
---
 maven-resolver-generator-sigstore/pom.xml                          | 2 +-
 .../generator/sigstore/SigstoreSignatureArtifactGenerator.java     | 3 +++
 .../aether/generator/sigstore/SigstoreSignerFactoryTest.java       | 7 ++++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/maven-resolver-generator-sigstore/pom.xml 
b/maven-resolver-generator-sigstore/pom.xml
index f1b72c2dd..65441d28b 100644
--- a/maven-resolver-generator-sigstore/pom.xml
+++ b/maven-resolver-generator-sigstore/pom.xml
@@ -33,7 +33,7 @@
 
   <properties>
     <javaVersion>17</javaVersion>
-    <sigstoreVersion>1.3.0</sigstoreVersion>
+    <sigstoreVersion>2.0.0</sigstoreVersion>
   </properties>
 
   <dependencies>
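Review bot: a major-version bump on the `sigstoreVersion` line needs a sentence in the commit message about what changes for users of this module, and the message body is only the generated Dependabot text. The quoted changelog lists breaking items for 2.0.0-rc1 (the signer object can no longer be set on KeylessSigner; custom deployments must supply a SigningConfig instead of individual URLs). Suggest stating whether this generator relied on any of the removed options and whether any resolver configuration keys behave differently after the upgrade.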
diff --git 
a/maven-resolver-generator-sigstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java
 
b/maven-resolver-generator-sigstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java
index e5c8ae295..4634c81f9 100644
--- 
a/maven-resolver-generator-sigstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java
+++ 
b/maven-resolver-generator-sigstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java
@@ -34,6 +34,7 @@ import dev.sigstore.KeylessSigner;
 import dev.sigstore.KeylessSignerException;
 import dev.sigstore.bundle.Bundle;
 import dev.sigstore.encryption.certificates.Certificates;
+import dev.sigstore.trustroot.SigstoreConfigurationException;
 import org.eclipse.aether.artifact.Artifact;
 import org.eclipse.aether.generator.sigstore.internal.FulcioOidHelper;
 import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
@@ -134,6 +135,8 @@ final class SigstoreSignatureArtifactGenerator implements 
ArtifactGenerator {
             }
             logger.info("Signed {} artifacts with Sigstore", result.size());
             return result;
+        } catch (SigstoreConfigurationException e) {
+            throw new IllegalArgumentException("Configuration problem", e);
         } catch (GeneralSecurityException e) {
             throw new IllegalArgumentException("Preparation problem", e);
         } catch (KeylessSignerException e) {
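Review bot: the new `catch (SigstoreConfigurationException e)` branch rethrows with the fixed text "Configuration problem", which gives the user no hint about which setting to check. The cause is preserved, but the top-level message is what usually shows in build output; consider naming the Sigstore configuration that was being loaded or appending `e.getMessage()`. Wrapping in IllegalArgumentException matches the neighbouring branches, so the exception type itself looks fine.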
diff --git 
a/maven-resolver-generator-sigstore/src/test/java/org/eclipse/aether/generator/sigstore/SigstoreSignerFactoryTest.java
 
b/maven-resolver-generator-sigstore/src/test/java/org/eclipse/aether/generator/sigstore/SigstoreSignerFactoryTest.java
index 30423db6d..5a32427be 100644
--- 
a/maven-resolver-generator-sigstore/src/test/java/org/eclipse/aether/generator/sigstore/SigstoreSignerFactoryTest.java
+++ 
b/maven-resolver-generator-sigstore/src/test/java/org/eclipse/aether/generator/sigstore/SigstoreSignerFactoryTest.java
@@ -64,6 +64,7 @@ public class SigstoreSignerFactoryTest {
     private RepositorySystemSession createSession() {
         DefaultRepositorySystemSession session = TestUtils.newSession();
         
session.setConfigProperty(SigstoreConfigurationKeys.CONFIG_PROP_ENABLED, 
Boolean.TRUE);
+        
session.setConfigProperty(SigstoreConfigurationKeys.CONFIG_PROP_PUBLIC_STAGING, 
Boolean.TRUE);
         return session;
     }
 
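Review bot: the added `CONFIG_PROP_PUBLIC_STAGING` line in `createSession()` has no comment, and the commit message does not mention it, so a reader cannot tell why the test needs it after the upgrade. Add a short comment explaining why the staging instance is selected here, and note whether the test now depends on reaching that instance, since that affects offline and CI runs.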
@@ -99,11 +100,11 @@ public class SigstoreSignerFactoryTest {
             assertEquals(3, signatures.size());
 
             assertTrue(signatures.stream()
-                    .anyMatch(a -> "".equals(a.getClassifier()) && 
"jar.asc".equals(a.getExtension())));
+                    .anyMatch(a -> "".equals(a.getClassifier()) && 
"jar.sigstore.json".equals(a.getExtension())));
             assertTrue(signatures.stream()
-                    .anyMatch(a -> "source".equals(a.getClassifier()) && 
"jar.asc".equals(a.getExtension())));
+                    .anyMatch(a -> "source".equals(a.getClassifier()) && 
"jar.sigstore.json".equals(a.getExtension())));
             assertTrue(signatures.stream()
-                    .anyMatch(a -> "".equals(a.getClassifier()) && 
"foo.asc".equals(a.getExtension())));
+                    .anyMatch(a -> "".equals(a.getClassifier()) && 
"foo.sigstore.json".equals(a.getExtension())));
         }
     }
 
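Review bot: the three `anyMatch` assertions change the expected extensions from `.asc` to `.sigstore.json`, which changes what the test expects and is not something a version bump explains. Nothing under src/main in this patch touches artifact extensions, so either the old assertions were not being exercised or they were wrong; the commit message should say which. The ".sigstore.json" suffix is also repeated in three literals; a constant shared with the generator would keep the test and the implementation from drifting apart.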
