Recent Releases of gittuf

gittuf - v0.11.0

This release includes improved documentation of various gittuf commands, new verification capabilities for gittuf's experimental multi-repository support, and more.

Changelog

Added

  • Added support for verifying the policy status of a repository's network for a controller
  • Added long descriptions for various gittuf CLI commands
  • Added support for shallow fetches in gitinterface
  • Added support for propagating specified subtree from upstream repository
  • Added CI workflow to verify repository's gittuf policy

Updated

  • Improved test coverage for GitHub attestations
  • Moved persistent caching out of developer mode
  • Updated security insights documentation with project's dependency policy
  • Updated documentation to indicate promotion to incubating status
  • Updated documentation to indicate Go setup requirements
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @vivekbisen04, @5ylani, @shivpratikhande, @patzielinski, and @adityasaky. Dependency updates are courtesy of @dependabot.

- Go
Published by github-actions[bot] 12 months ago

gittuf - v0.10.2

This is a patch release with an update to how gittuf handles the GitHub API client and the token required to authenticate with the API.

Changelog

Updated

  • Updated how GitHub API tokens are loaded to prevent issues with expiry
  • Updated release workflow to replace deprecated option

Contributors

This release includes work by @wlynch, @patzielinski, and @adityasaky.

Published by github-actions[bot] about 1 year ago

gittuf - v0.10.1

This is a patch release for the changes merged since our beta release.

Changelog

Added

  • Added a HasPolicy API to check if a repository has gittuf policy defined
  • Added documentation on how to inspect gittuf metadata
  • Added gittuf trust inspect-root to pretty-print the repository's root of trust metadata
  • Added long documentation for some gittuf commands
  • Added global rules support to TUI

Updated

  • Updated tests and generic set implementation used internally
  • Updated documentation with typo fixes and Slack information
  • Updated release workflow to automatically bump gittuf's Winget package
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @yongjae354, @alanssitis, @zsun6, @Abhinav00077, @patzielinski, and @adityasaky. Dependency updates are courtesy of @dependabot.

Published by github-actions[bot] about 1 year ago

gittuf - v0.10.0

This is the first beta release of gittuf! While some sharp edges remain, a lot of work has gone into enabling policy schema changes in a backwards compatible way.

Changelog

Added

  • Added a sync workflow that updates gittuf metadata as needed before making policy changes
  • Added functionality to list and update global rules
  • Added support to the API for loading repositories in a specified directory
  • Added features and workflows to support deploying gittuf over multiple repositories
  • Added gittuf hooks, which enable support for user-defined checks in gittuf metadata that are run in a sandboxed Lua environment

Updated

  • Set v02 of gittuf's metadata as the default
  • Made Fulcio support no longer restricted to developer mode
  • Updated the policy staging and apply workflows to now use the sync workflow
  • Updated gitinterface to support systems with locales other than en_US
  • Updated gittuf's roadmap
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @Yasho-Bapat, @yongjae354, @fr0m-scratch, @Horiodino, @wlynch, @patzielinski, and @adityasaky. Dependency updates are courtesy of @dependabot.

Published by github-actions[bot] about 1 year ago

gittuf - v0.9.0

This release includes multiple quality-of-life improvements as well as changes to support gittuf policies that work across multiple repositories. This is possibly our last alpha minor version!

Changelog

Added

  • Added a terminal UI (TUI) to enable managing gittuf policy interactively
  • Added global rules to set thresholds and prohibit force pushes to help set security baselines in repositories with gittuf
  • Added workflows to support synchronizing/propagating policy and RSL changes across multiple repositories
  • Added local persistent cache functionality to reduce the time taken for verification of a repository after successful initial verification
  • Added functionality to set a repository's canonical location in gittuf metadata
  • Added a control for RSL recording to skip checking for duplicates
  • Added the gittuf Augmentation Process (GAP) for formalizing changes to gittuf
  • Added color output for various gittuf logging flows
  • Added functionality to discard currently staged changes to policy
  • Added functionality to remove principals and keys no longer used by rules in the metadata

Updated

  • Updated RSL printing to now use buffered output, improving performance
  • Improved testing coverage of gitinterface
  • Updated the design document for clarity and to reflect recent changes to gittuf
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @haotran-california, @fr0m-scratch, @yongjae354, @Raghava-Gatadi, @Horiodino, @patzielinski, @JustinCappos, and @adityasaky, with dependency updates courtesy of @dependabot.

Published by github-actions[bot] over 1 year ago

gittuf - v0.8.1

This is a quick patch release fixing how legacy ECDSA keys are loaded.

Changelog

  • Fixed loading of legacy ECDSA key format
  • Replaced show with rev-parse in some gitinterface APIs
  • Added gittuf/demo run to CI
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @vladkanatov, @patzielinski, @wlynch, and @adityasaky. As always, we've had dependency updates thanks to @dependabot.

Published by github-actions[bot] over 1 year ago

gittuf - v0.8.0

This release exposes a Go API for gittuf. It also includes various quality-of-life improvements such as support for "persons" in experimental v0.2 policy metadata and transport fixes.

Changelog

  • Added an experimental gittuf Go API
  • Added an experimental version (v0.2) of policy metadata, which adds support for "principals" in gittuf
  • Added an experimental flow to determine a feature ref's mergeability
  • Optimized some preprocessing flows in the policy package
  • Improved gittuf's design documentation
  • Improved testing coverage of gittuf and rsl
  • Fixed an internal issue with git-remote-gittuf and Go's builtin max
  • Fixed issue with git-remote-gittuf with server responses on push
  • Fixed issue with git-remote-gittuf when pushing to a remote repository without gittuf enabled
  • Fixed issue with git-remote-gittuf freezing upon failure to authenticate with the remote repository when using HTTP
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @yongjae354, @rishabhBudhouliya, @patzielinski, and @adityasaky. As always, we've had many dependency updates, courtesy of @dependabot.

Published by github-actions[bot] over 1 year ago

gittuf - v0.7.0

This release includes experimental support for signing gittuf metadata with Sigstore! To try it out, set GITTUF_DEV=1.

Changelog

  • Added support for metadata signing using Sigstore (currently GITTUF_DEV only)
  • Removed use of legacy custom securesystemslib key formats in gittuf's tests
  • Removed vendored signerverifier library
  • Unified SSH signature verification for Git commits and tags
  • Refactored policy and tuf packages to support versioning policy metadata
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @wlynch, @patzielinski, and @adityasaky. Dependency updates courtesy of @dependabot.

Published by github-actions[bot] over 1 year ago

gittuf - v0.6.2

This release adds git-remote-gittuf to the repository's release artifacts. Functionally, it is identical to v0.6.1.

Published by github-actions[bot] over 1 year ago

gittuf - v0.6.1

This release includes various fixes, especially to the git-remote-gittuf transport.

Changelog

  • Added a counter to RSL entries to support persistent caching
  • Added experimental support for signature extensions to vendored DSSE library
  • Refactored GetLatestReferenceEntry RSL API
  • Fixed Makefile build on Windows
  • Moved update-root-threshold and update-policy-threshold out of developer mode
  • Fixed issue with git-remote-gittuf using the wrong transport when fetching the RSL
  • Fixed issue with git-remote-gittuf when explicitly pushing the RSL
  • Fixed issue with git-remote-gittuf and curl fetches and pushes on Windows
  • Increased testing coverage of policy and gitinterface
  • Improved documentation for getting started with gittuf, especially on Windows platforms
  • Added copyright notices to code files
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @Yasho-Bapat, @patzielinski, and @adityasaky, with dependency updates courtesy of @dependabot.

Published by github-actions[bot] over 1 year ago

gittuf - v0.6.0

This release adds various improvements such as compatibility with older Git versions, a command to reorder policy rules, and an attestation predicate type for integrations with code review systems like GitHub pull requests.

Changelog

  • Added command to reorder policy rules
  • Added support for older Git versions
  • Added support for GitHub pull request approval attestations
  • Added support for using enterprise GitHub instances
  • Added caching for the RSL APIs GetEntry and GetParentForEntry
  • Added parallelization for some unit tests
  • Removed some deprecated flows such as FindPublicKeysForPath and refactored verification APIs
  • Added CodeQL scanning for the repository
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @zsun6, @fr0m-scratch, @wlynch, @patzielinski, and @adityasaky. As always, we've had many dependency updates, courtesy of @dependabot.

Published by github-actions[bot] over 1 year ago

gittuf - v0.5.2

This release fixes bugs in the git-remote-gittuf transport and updates certain dependencies.

Changelog

  • Fixed issue with git-remote-gittuf when force pushing
  • Fixed issue with git-remote-gittuf not fetching RSL before adding new entries
  • Updated various dependencies

Published by github-actions[bot] almost 2 years ago

gittuf - v0.5.1

This release includes a fix for GoReleaser. Functionally, it is identical to v0.5.0.

Published by github-actions[bot] almost 2 years ago

gittuf - v0.5.0

This release of gittuf includes more under-the-hood improvements but also has a breaking change by dropping some verification workflows. Significantly, it includes an initial implementation of the gittuf transport, which implements the git remote-helper interface. Also, we welcome @patzielinski and @neilnaveen as maintainers of gittuf.

Note: this release does not include binaries created by GoReleaser due to a breaking change.

Changelog

  • Added support for ssh-keygen based signer and verifier
  • Added support for overriding reference name when local and remote reference names differ
  • Added initial (alpha) implementation of git-remote-gittuf
  • Added command to display RSL
  • Added support for automatically skipping RSL entries that point to rebased commits
  • Updated policy verification pattern matching to use fnmatch
  • Updated to use Git binary for various operations on underlying repository
  • Updated various dependencies and CI workflows
  • Updated docs to make command snippets easier to copy
  • Removed extraneous fields from gittuf policy metadata
  • Removed verify-commit and verify-tag workflows in favor of verify-ref (BREAKING CHANGE)
  • Governance: added Patrick Zielinski and Neil Naveen as gittuf maintainers

Contributors

This release includes work by @lukpueh, @flandweber, @hidde-jan, @patzielinski, @neilnaveen, @JustinCappos, and @adityasaky. Also, our customary shout out to @dependabot for many a dependency update!

Published by adityasaky almost 2 years ago

gittuf - v0.4.0

This release of gittuf includes some significant changes under the hood. Most notably, gittuf now supports thresholds for protection rules as well as for policy metadata signing via the policy-staging feature. This release also marks the start of our dogfooding of gittuf, which means this is the first release of gittuf whose tag you can verify using gittuf (gittuf verify-ref --verbose v0.4.0)!

Changelog

  • Added support for policy-staging for sequential signing of metadata to meet a threshold
  • Added support for minimum required signatures for rules
  • Added support for profiling with pprof
  • Added --from-entry to verify-ref
  • Added debug statements for --verbose flag
  • Added caching of verifiers for each verified namespace (reference or file path) to avoid repeated searches of the same policy state
  • Added separated add-rule and update-rule workflows for policy
  • Added dogfooding plan
  • Added CI workflows for phase 1 of dogfooding
  • Added OpenSSF Scorecard for the repository
  • Updated policy to require each rule name to be unique across all rule files
  • Updated file rules verification to use same policy as branch protection rules verification
  • Updated reference authorization attestations to use the merge tree for the change being authorized
  • Updated design document with definitions and a diagram
  • Updated tag verification to check the tag's RSL entry points to either the tag object or the tag's target object
  • Updated roadmap to indicate status for each item
  • Updated minimum Go version to 1.22
  • Updated pointer to gittuf community details
  • Updated various dependencies and CI workflows

Contributors

This release includes work by @neilnaveen, @naveensrinivasan, @patzielinski, @spectre10, @inosmeet, @webchick, @nealmcb, @JustinCappos, @wlynch, and @adityasaky. And of course, we've had many a dependency update courtesy of @dependabot.

Published by github-actions[bot] about 2 years ago

gittuf - v0.3.0

gittuf's third alpha release adds support for verifying SSH Git signatures among other things. Note that verify-ref has been updated with a breaking change. Now, it performs full verification by default.

Changelog

  • Added check to prevent duplicate RSL entries for the same ref and target
  • Added a formal developer mode for new early-stage gittuf features
  • Added early support for attestations with one type for approving reference changes (developer mode only)
  • Added support for gittuf-specific Git hooks with a pre-push hook to fetch / create / push RSL entries
  • Updated verify-ref to perform full verification by default (BREAKING CHANGE)
  • Updated identification of trusted keys in policy to support varying threshold values between delegations
  • Added verification tests for delegated policies
  • Added root key management commands to the CLI
  • Added command to list rules in gittuf policy
  • Added support for standard encoding of private and public keys
  • Added support for verifying SSH Git commit and tag signatures
  • Added check for cycles when walking policy graph during verification
  • Added autogenerated CLI docs
  • Removed file rule verification when no file rules exist in the policy for efficiency
  • Added command to sign existing policy file with no other changes
  • Added get started guide and gittuf logo to docs
  • Removed CLI usage message for gittuf errors
  • Updated various dependencies

Contributors

This release includes work by @datosh, @neilnaveen, @naveensrinivasan, @JustinCappos, @wlynch, and @adityasaky. We continue to be grateful to @dependabot for keeping our dependencies updated.

Published by github-actions[bot] over 2 years ago

gittuf - v0.2.0

gittuf remains in alpha with this release, so please do not use it in a production repository or system.

Changelog

  • Added support to RSL to find unskipped entries
  • Added Get* functions to gitinterface to compartmentalize choice of Git library
  • Added support in RSL and policy functions for RSL annotation entries
  • Added recovery mode for policy verification workflow
  • Added go fmt as Makefile target
  • Updated length of refspecs slice to account for doubled entries
  • Added support for merge commits in gitinterface
  • Updated CLI to check if Git signing is viable to abort early
  • Fixed bug in CLI that required an unnecessary signing key argument
  • Fixed clone's ability to handle trailing slashes
  • Improved testing of policy verification for delegations
  • Added plumbing for better logging
  • Updated various dependencies
  • Updated installation instructions to include Sigstore verification of binaries

Contributors

This release includes work by @neilnaveen, @patzielinski, @spectre10, @datosh, @JustinCappos, @wlynch, and @adityasaky. We are also grateful for @dependabot's benevolence.

Published by github-actions[bot] over 2 years ago

gittuf - v0.1.0

This is gittuf's first release! gittuf is still in alpha, so please do not use it in a production repository or system.

Changelog

  • Implemented reference state log (RSL)
  • Added support for Git reference policies using RSL entry signatures
  • Added support for file policies using commit signatures
  • Added support for basic gittuf sync operations

Contributors

This release is possible because of the work by @wlynch, @JustinCappos, @reza-curtmola, @jsoref, @patzielinski, and @adityasaky. We also thank our bot overlord, @dependabot.

Published by github-actions[bot] over 2 years ago