Merge pull request #1050 from sigstore/post-200-rc1

Updates after 2.0.0-rc1 release

Author: loosebazooka

CHANGELOG.md

@@ -9,6 +9,22 @@ All versions prior to 1.0.0 are untracked
 
 ## [Unreleased]
 
+# [2.0.0-rc1] - 2025-08-14
+
+## Added
+- Add support for rekor v2 logs https://github.com/sigstore/sigstore-java/pull/990, https://github.com/sigstore/sigstore-java/pull/1016, https://github.com/sigstore/sigstore-java/pull/1017, https://github.com/sigstore/sigstore-java/pull/1008, https://github.com/sigstore/sigstore-java/pull/1031, https://github.com/sigstore/sigstore-java/pull/1040
+- Add support for timestamps https://github.com/sigstore/sigstore-java/pull/960, https://github.com/sigstore/sigstore-java/pull/975, https://github.com/sigstore/sigstore-java/pull/977, https://github.com/sigstore/sigstore-java/pull/978, https://github.com/sigstore/sigstore-java/pull/979
+- Library support for token string auth https://github.com/sigstore/sigstore-java/pull/925
+- ED25519 support in trusted\_root https://github.com/sigstore/sigstore-java/pull/983
+
+## Fixed
+- Fixed windows support https://github.com/sigstore/sigstore-java/pull/974
+- Parsing json with unknown fields https://github.com/sigstore/sigstore-java/pull/966
+
+## Changed
+- Users can no longer specify signer object in KeylessSigner, use Algorithm Registry instead https://github.com/sigstore/sigstore-java/pull/1027 
+- Users with custom sigstore infrastructure deployments must specify a SigningConfig to configure the KeylessSigner, individual urls for infrastructure pieces are removed https://github.com/sigstore/sigstore-java/pull/956, https://github.com/sigstore/sigstore-java/pull/965, https://github.com/sigstore/sigstore-java/pull/981
+
 # [1.3.0] - 2025-02-25
 
 ## Added

README.md

@@ -86,3 +86,17 @@ To build and view javadoc from the sources, use the following command:
 $ ./gradlew javadoc
 $ "my-favorite-browser" ./sigstore-java/build/docs/javadoc/index.html
 ```
+
+### Signing
+Sigstore Java and Sigstore Maven Plugin are signed with both PGP and sigstore.
+
+#### PGP
+| Version Range | Key Id           |
+| ------------- | ---------------- |
+| 1.X.X         | AC74A3385D0E3252 |
+| 2.X.X         | 00E008229F5DAF37 |
+
+#### Sigstore
+| Version Range | Issuer | Signer Id |
+| ------------- | --------- | ------ |
+| 1.X.X - 2.X.X | https://token.actions.githubusercontent.com | https://github.com/sigstore/sigstore-java/.github/workflows/release-sigstore-java-from-tag.yaml@refs/tags/X.X.X |

RELEASING.md

@@ -19,26 +19,25 @@ Tag the release at the version you wish (ex `v0.5.3`), this *MUST* match the pro
 Releasing to maven central is a **permanent** action, it cannot be reverted
 
 Release the bundle:
-1. Log into [sonatype (s01)](https://s01.oss.sonatype.org)
-1. Click "Staging Repositories" on the left navbar
-1. Select your artifact, "close" it to begin checks
-1. After all checks have passed, "release" it
-    1. If checks are failing, "drop" the bundle and fix the release process
-1. Releases show up on Maven Central roughly 1-2 hours after release
+1. Log into [maven central](https://central.sonatype.org)
+1. Click on your account icon in the top right and then "View Deployments" ([link](https://central.sonatype.com/publishing/deployments))
+1. Select your Deployment, wait for it to finish validation and then "Publish" it
+1. Releases show up on Maven Central roughly 0-2 hours after release
 
 ## Release `sigstore-gradle-plugin` to Gradle Plugin Portal
 
 - Use the "Release sigstore gradle plugins to Gradle Plugin Portal" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to the Gradle Plugin Portal
 - There is no follow up here, plugins are auto released on the plugin portal.## Reverting a failed release (Github only)
 
+## Revert a Release
 If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up
 any tags or releases built during the action
 1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases)
 2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags)
 
 ### Maven Central
 
-You can try to contact support but typically releases are permanent.
+If you accidentally publish something to maven central you didn't want to, you can try to contact support but typically releases are permanent.
 
 ### Gradle Plugin Portal
 

build-logic/publishing/build.gradle.kts

@@ -11,7 +11,7 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:1.3.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.0.0-rc1")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.3.1")
     implementation("com.gradleup.nmcp:com.gradleup.nmcp.gradle.plugin:1.0.2")
 }

build.gradle.kts

@@ -22,7 +22,7 @@ nmcpAggregation {
         username = providers.environmentVariable("CENTRAL_PORTAL_USERNAME")
         password = providers.environmentVariable("CENTRAL_PORTAL_PASSWORD")
         publishingType = "USER_MANAGED"
-        publicationName = "sigstore protobuf-specs $version"
+        publicationName = "sigstore java $version"
     }
 }
 

examples/hello-world/build.gradle.kts

@@ -1,7 +1,7 @@
 plugins {
   `java-library`
   `maven-publish`
-  val sigstoreVersion = System.getProperty("sigstore.version") ?: "1.3.0"
+  val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.0.0-rc1"
   id("dev.sigstore.sign") version "$sigstoreVersion"
   signing
 }

examples/hello-world/pom.xml

@@ -16,7 +16,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <maven.compiler.release>11</maven.compiler.release>
-    <sigstore.version>1.3.0</sigstore.version>
+    <sigstore.version>2.0.0-rc1</sigstore.version>
   </properties>
 
   <build>

gradle.properties

@@ -4,7 +4,7 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m
 group=dev.sigstore
 
 # use the ./scripts/update_version.sh script to update all versions
-version=2.0.0-rc1
+version=2.0.0-rc2
 
 # Kotlin Dokka is experemental, and we want silence the build warning
 org.jetbrains.dokka.experimental.gradle.pluginMode=V2Enabled

sigstore-gradle/README.md

@@ -15,7 +15,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
 
 ```kotlin
 plugins {
-    id("dev.sigstore.sign") version "1.3.0"
+    id("dev.sigstore.sign") version "2.0.0-rc1"
 }
 
 // Automatically sign all Maven publications, using GitHub Actions OIDC when available,

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -46,7 +46,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("2.0.0-rc1")
+        sigstoreJavaVersion.convention("2.0.0-rc2")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,