requirements: sigstore ~3.0

[woodruffw]

The 3.x series is out. Let's see what breaks!

[woodruffw]

Looks good now. Key changes:

• The default suffix change from .sigstore to .sigstore.json has taken effect; we should communicate this as part of the (major) release notes for this change.
• The manual state options for Fulcio, Rekor, etc. instances have been fully removed. We could replace these with a new option for --trust-config, but there's been no user demand for it yet. So maybe in a subsequent release.

[woodruffw]

(NB: This doesn't enable the DSSE parts of sigstore-python, which are in 3.x. Enabling those with appropriate settings will probably require more design thought.)

[webknjaz]

FTR, the 2.x stream prints out deprecation warnings that would be fixed in 3.x per my understanding:

/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after
/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after
/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after

Perhaps, mention this in the change log as well?

[woodruffw]

Hmm, it's actually strange that those are in 2.x -- the 2.x series of sigstore-python should be using a sufficiently new version of cryptography as well.

But yeah, if you're seeing them with one but not the other, I'll include it in the release notes 🙂

[webknjaz]

I haven't tried. Just checked that you changed corresponding line in v3.

[jku]

+1

[woodruffw]

Thanks both! I'll prep the changelog and release today.

(Longer-term, the value of this action is now a bit murky, since GitHub has attestation support directly built in with official actions. But that can be a separate discussion...)