This release includes experimental support for signing gittuf metadata with Sigstore! To try it out, set GITTUF_DEV=1.

Changelog

• Added support for metadata signing using Sigstore (currently GITTUF_DEV only)
• Removed use of legacy custom securesystemslib key formats in gittuf's tests
• Removed vendored signerverifier library
• Unified SSH signature verification for Git commits and tags
• Refactored policy and tuf packages to support versioning policy metadata
• Updated various dependencies and CI workflows

Contributors

This release includes work by @wlynch, @patzielinski, and @adityasaky. Dependency updates courtesy of @dependabot.