In-toto

Added
* in-toto-verify CLI: `--inspection-timeout` arg (695)

Changed
* Improve Dependabot config (701)
* Constrain securesystemslib dependency to <0.32.0 in preparation for future
securesystemslib API changes (726)

Removed
* Obsolete six dependency in debian/control (687)

__NOTE:__ This release, fully integrates the new [securesystemslib Signer API
](https://python-securesystemslib.readthedocs.io/en/latest/signer.html).
Most notably, runlib API methods receive a new optional argument to sign
the resulting metadata with a securesystemslib `Signer` (see securesystemslib
for available implementations). In addition, the in-toto CLI provides new
arguments to read consistent standard key file formats for signing (PEM/PKCS8)
and signature verification (PEM/subjectPublicKeyInfo).

Related legacy key arguments are deprecated and will be removed in the next
major release. securesystemslib provides a script to [migrate key files
](https://github.com/secure-systems-lab/securesystemslib#legacy-key-migration).

Added
- in-toto-run/record CLI: `--signing-key` arg (649, 651)
- in-toto-verify CLI: `--verification-keys` arg (652)
- runlib API: `signer` arg (612)
- Release automation with PyPI Trusted Publishers (674)

Changed
- Update key file formats in internal in-toto-sign CLI (654)
- Refactor model methods to use modern Signer API (653, 660)
- Refactor model and input validation (665)
- Misc CI improvements (635, 636, 637, 650)
- Misc docs improvements (641, 664)
- Misc test improvements (655, 656, 668)

Deprecated
- in-toto-run/record CLI: `-k`, `--key` arg (649, 651)
- in-toto-verify CLI: `-k`, `--layout-keys` arg (674)
- runlib API: `signing_key` arg (612)
- model API: `Metablock.sign()` method (659)

Removed
- Python 3.7 support (634)
- in-toto-keygen CLI (657)

Changed
* Default type for CLI arg `--run-timeout` to avoid type mismatch (626)
* Dependency update (627)

Added
* CLI argument to control command execution timeout (605)
* ITE-4 resolver for directories ("dirHash", 590)

Changed
* Lint configuration (602)
* Output stream cleanup to address flaky tests on Windows (597)
* Layout expiry condition (616)
* Dependency updates (604, 607, 608, 609, 617, 618, 619, 620, 622,
623)

Removed
* AppVeyor test configuration (598)

This release includes breaking changes such as the removal of the user_settings
module and changes to exceptions raised during artifact recording. Additionally,
it incorporates changes for issues captured in security advisories
[GHSA-p86f-xmg6-9q4x](https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x),
[GHSA-jjgp-whrp-gq8m](https://github.com/in-toto/in-toto/security/advisories/GHSA-jjgp-whrp-gq8m),
and
[GHSA-wc64-c5rv-32pf](https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf),
the last of which has been assigned
[CVE-2023-32076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32076).

Added
* Generic interface for ITE-4 resolvers (584)
* ITE-4 resolver for OSTree repositories (585)
* Warning when `--bits` is used with non RSA keys in `in-toto-keygen` (588)
* Support for GitHub's security reporting feature (567)
* Tool to check local artifacts against in-toto link metadata
(589, GHSA-p86f-xmg6-9q4x)
* Testing in CI for Python 3.11 (594)

Changed
* Recording of file hashes to use ITE-4 file resolver (584)
* Exceptions returned to Python defaults when recording file artifacts (592)
* Documentation about in-toto governance to reflect project changes (591)
* Code style to use black + isort, includes update to codebase to conform (593)
* Verification documentation to reflect how PGP trust model is used
(GHSA-jjgp-whrp-gq8m)

Removed
* Support for user_settings module that enabled configuring in-toto via RC files
and environment variables (GHSA-wc64-c5rv-32pf)

Added
* Support for DSSE in metadata generation tools (503, 577)
* Ability to set command, byproducts, environment in the in_toto_record APIs (564)

Changed
* Various dependency updates and dependabot changes
* Simplified link threshold check (573)