Securesystemslib

Latest version: v1.0.0


1.0.0

Securesystemslib API is now considered stable. The core functionality is
provided in the _Signer_ interface and the half a dozen integrated _Signer_
implementations that can be found in the `signer` module. Smaller helper
modules `dsse`, `formats`, `hash` and `storage` are also part of the API.
Several legacy modules have been removed.

Added
* Signer: add public_key attribute to interface (756)
* VaultSigner: Signer implementation for HashiCorp Vault (800)
* CryptoSigner: support ecdsa keytype that is no longer in spec (711)
* CryptoSigner: add private_bytes property (799)
* CryptoSigner: add `"file2"` signer uri (759)
* test: use localstack to test AWSSigner (777)

Removed
* CryptoSigner: remove `"file"` signer uri (759)
* migration script for legacy keys (770)
* `SSlibSigner` class and `*_securesystemslib_key` methods (771)
* legacy key `key*`, `interface`, `util` and `schema` modules (772, 773, 776)
* unused functions in `hash`, and `formats` module (774, 776)
* unused global key constants (806)

Changed
* SSlibKey: strengthen input validation (780, 795)
* AWSSigner: support default scheme and add stronger input validation (724, 778)
* dsse: change Envelope.signatures type to dict (743)
* vendor: update ed25519 copy (793)
* docs: improve user and contributor docs (744, 745, 746, 749, 759, 796)
* test: improve and temporarily disable SigstoreSigner test (779, 785)
* ci: use dependabot groups, update weekly (735)
* ci: test macOS and Windows on latest Python only (797)
* Make securesystemslib.gpg internal (792)

Fixed
* Fix check-upstream-ed25519 workflow permission (706)
* SSlibKey: fix default scheme and test for ecdsa nistp384 key (763, 794)

0.31.0

Added
* CryptoSigner: create from `cryptography` private key with new constructor (675)
* SSlibKey: create from `cryptography` public key with new `from_crypto` method (678)
* Release: auto-release with PyPI Trusted Publishing (683)
* Docs to migrate legacy key files (658)

Removed
* Removed `SSlibKey.from_pem` factory method in favor of `from_crypto` (678)

0.30.0

This release contains improved Sigstore support.

Changed

* SigstoreSigner adapted to the sigstore-python 2.0 API. This allows an
improved UX: a new signing identity can be defined using interactive
credentials (browser login) via `SigstoreSigner.import_via_auth()`
* Documentation improvements

Removed

* Python 3.7 is no longer supported

0.29.0

This release is reaping the rewards of the new signer API with four(!) new
signing methods: two cloud-based KMSs, post-quantum crypto support and a
"keyless" signing system.

Advance notice to folks using the `keys`, `ecdsa_keys`, `rsa_keys` and
`ed25519_keys` modules: these modules are headed for deprecation. Please have
a look at the `signer` API and get in touch if the functionality you need
isn't there (or if more documentation is needed).

Added
* Sigstore as a new experimental signing method (552)
* SPHINCS+ as a new experimental signing method (568)
* Azure Key Vault as a new signing method (588)
* AWS KMS as a new signing method (609)
* `CryptoSigner` as a more featureful replacement for `SSlibSigner` (604)
* Documentation that focuses on the signer API (634, 622)

Changed
* `SSlibSigner` has been deprecated: please use `CryptoSigner` instead (604)
* `keys` module is no longer used for signature verification in the `signer` API (585)
* Various minor fixes; see the git log for details

0.28.0

Added
* Signer: auto-keyid helper (557)
* Signer: de/serialization helpers (558)
* Signer: tests (555, 556)
* Sigstore Signer: import methods (535)

Changed
* HSMSigner: pre-hash data (548)
* GCP Signer, HSM Signer: auto-keyid computation (557)
* DSSE: serialize signature data as base64 for compliance (565)

Removed
* Obsolete shebangs (544, 545)
* Outdated schemes: md5, sha1 (554)

Fixed
* Various test and CI fixes (538, 541, 542, 543, 546)
* Minor SSlibKey.verify_signature error handling bug (556)

0.27.0

Added
* EXPERIMENTAL DSSE implementation (487)
* EXPERIMENTAL sigstore signer and verifier (522)
* Minimal TUF/in-toto spec-compliant GPG verifier (488)
* API-typical 'import' and 'from URI' GPG signer methods (488)

Changed
* Require public key in GPG signer and disallow subkey signatures (488)
* Increase GPG subprocess timeout (502)
* Rename default branch to 'main' (523)
* Make HSM signer URI configurable (526)
* Allow tox to skip virtual HSM tests (528)
* Strip PEM keys to compute keyids consistently (453)

Removed
* Internal GPG version utils (504)
* Custom subprocess interface (505)
* Vendored ssl module (506)

Fixed
* Windows compatibility issues and re-enable Windows CI (518)
* GPG subprocess timeout configurability (502)
