build(deps): bump sigstore from 1.1.2 to 2.0.0

[dependabot]

Bumps sigstore from 1.1.2 to 2.0.0.

Release notes

Sourced from sigstore's releases.

v2.0.0

Added

• CLI: sigstore sign and sigstore get-identity-token now support the --oauth-force-oob option; which has the same behavior as the preexisting SIGSTORE_OAUTH_FORCE_OOB environment variable (#667)

• Version 0.2 of the Sigstore bundle format is now supported (#705)

• API addition: VerificationMaterials.to_bundle() is a new public API for producing a standard Sigstore bundle from sigstore-python's internal representation (#719)

• API addition: New method sign.SigningResult.to_bundle() allows signing applications to serialize to the bundle format that is already usable in verification with verify.VerificationMaterials.from_bundle() (#765)

Changed

• sigstore verify now performs additional verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints (#634)

• A cached copy of the trust bundle is now included with the distribution (#611)

• Stopped emitting .sig and .crt signing outputs by default in sigstore sign. Sigstore bundles are now preferred (#614)

• Trust root configuration now assumes that the TUF repository contains a trust bundle, rather than falling back to deprecated individual targets (#626)

• API change: the sigstore.oidc.IdentityToken API has been stabilized as a wrapper for OIDC tokens (#635)

• API change: Signer.sign now takes a sigstore.oidc.IdentityToken for its identity argument, rather than a "raw" OIDC token (#635)

• API change: Issuer.identity_token now returns a sigstore.oidc.IdentityToken, rather than a "raw" OIDC token (#635)

• sigstore verify is not longer a backwards-compatible alias for

... (truncated)

Changelog

Sourced from sigstore's changelog.

[2.0.0]

Added

• CLI: sigstore sign and sigstore get-identity-token now support the --oauth-force-oob option; which has the same behavior as the preexisting SIGSTORE_OAUTH_FORCE_OOB environment variable (#667)

• Version 0.2 of the Sigstore bundle format is now supported (#705)

• API addition: VerificationMaterials.to_bundle() is a new public API for producing a standard Sigstore bundle from sigstore-python's internal representation (#719)

• API addition: New method sign.SigningResult.to_bundle() allows signing applications to serialize to the bundle format that is already usable in verification with verify.VerificationMaterials.from_bundle() (#765)

Changed

• sigstore verify now performs additional verification of Rekor's inclusion proofs by cross-checking them against signed checkpoints (#634)

• A cached copy of the trust bundle is now included with the distribution (#611)

• Stopped emitting .sig and .crt signing outputs by default in sigstore sign. Sigstore bundles are now preferred (#614)

• Trust root configuration now assumes that the TUF repository contains a trust bundle, rather than falling back to deprecated individual targets (#626)

• API change: the sigstore.oidc.IdentityToken API has been stabilized as a wrapper for OIDC tokens (#635)

• API change: Signer.sign now takes a sigstore.oidc.IdentityToken for its identity argument, rather than a "raw" OIDC token (#635)

• API change: Issuer.identity_token now returns a sigstore.oidc.IdentityToken, rather than a "raw" OIDC token (#635)

... (truncated)

Commits

• 6c7069e Prep 2.0.0 (#778)
• 9255024 build(deps): bump actions/checkout from 4.0.0 to 4.1.0 (#776)
• ecf6d55 build(deps-dev): update ruff requirement from <0.0.291 to <0.0.292 (#777)
• 106b5f1 build(deps): bump cryptography from 41.0.3 to 41.0.4 in /install (#775)
• 1491ab1 build(deps-dev): update ruff requirement from <0.0.290 to <0.0.291 (#773)
• 2444b28 build(deps-dev): update ruff requirement from <0.0.289 to <0.0.290 (#772)
• 87681a9 sigstore: 2.0.0rc3 (#768)
• f87cb8f build(deps-dev): update ruff requirement from <0.0.288 to <0.0.289 (#769)
• c338354 pyproject: bump id (#767)
• 68aa69a sign: Make SigningResult._to_bundle() public (#765)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[jku]

I'll handle this in #630

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.