Tuf

Latest version: v4.0.0

4.0.0

This release is a small API change for Metadata API users (see below).
ngclient API is compatible but optional DSSE support has been added.

Added
* Added optional DSSE support to Metadata API and ngclient (2436)

Changed
* Metadata API: Improved verification functionality for repository users (2551):
  - This is an API change for Metadata API users
    (`Root.get_verification_result()` and `Targets.get_verification_result()`
    specifically)
  - `Root.get_root_verification_result()` has been added to handle the special
    case of root verification
* Started using UTC datetimes instead of naive datetimes internally (2573)
* Constrain securesystemslib dependency to <0.32.0 in preparation for future
securesystemslib API changes
* Various build, test and lint improvements

3.1.1

This is a security fix release to address advisory
GHSA-77hh-43cm-v8j6. The issue does **not** affect tuf.ngclient
users, but could affect tuf.api.metadata users.

Changed
* Added additional input validation to
`tuf.api.metadata.Targets.get_delegated_role()`

3.1.0

Not secure
Added
* Metadata API: move verify_delegate() to Root/Targets (2378)
  - *verify_delegate() on Metadata is now deprecated*
* Metadata API: add get_verification_result() as verbose alternative for
verify_delegate() (2481)
* Metadata API: add MetaFile.from_data() convenience factory (2273)

Changed
* Metadata API: change Root.roles type hint to Dict (2411)
* Various minor improvements in tests (2447, 2491), docs
(2390, 2392, 2474) and build (2389, 2453, 2479, 2488)

Removed
* build: Python 3.7 support (2460)

3.0.0

Not secure
The notable change in this release is 2165: The tuf.api.metadata.Key
class implementation was moved to Securesystemslib with minor API
changes. These changes require no action from tuf.ngclient users but may
require small changes in repository implementations that use
tuf.api.metadata to create keys.

As a result of these changes, both signing and verification are now
fully extensible, see Securesystemslib signer API for details.

tuf.repository remains an unstable module in 3.0.0.

Added
* Build: Use pydocstyle to lint docstrings (2283, 2281)
* Examples: Add Repository uploader/signer tool example (2241)
* Metadata API: Add TargetFile.get_prefixed_paths() (2166)
* ngclient: Export TargetFile (2279)
* repository: Add strictly typed accessors and context managers (2311)
* Release: Use PyPI Trusted Publishing
  https://docs.pypi.org/trusted-publishers/ (2371)

Changed
* Build: Various minor build and release infrastructure improvements,
dependency updates
* Metadata API: Key class is still part of the API but now comes from
  Securesystemslib (2165):
  - `Key.verify_signature()` method signature has changed
  - `Key.from_securesystemslib_key()` was removed: use
    Securesystemslib's `SSlibKey.from_securesystemslib_key()` instead

2.1.0

Not secure
Added
* repo: experimental repository module and example (2193)
* ngclient: expose default requests fetcher (2277)
* workflow: OpenSSF scorecard (2190)
* build: Python 3.11 support (2157)
* docs: security policy (2098, 2178)
* blog: signer API (2276)
* blog: security audit (2155, 2156)

Changed
* Metadata API: bump specification version 1.0.31 (2119)
* Metadata API: allow zero length metadata files (2137)
* Metadata API: add default value for MetaFile version (2211)
* Metadata API, ngclient: decrease logger verbosity (2243)
* ngclient: define API explicitly (2233)
* ngclient: improve example client output (2194)
* ngclient: support URLs without host part (2075)
* ngclient: update metaclass syntax (2215)
* ngclient: fail gracefully on missing role (2197)
* ngclient: improve type annotations in TrustedMetadataSet (2250)
* doc: misc improvements (2097, 2130, 2183, 2185, 2201, 2208, 2230, 2278)
* build: misc improvements (2090, 2091, 2122, 2187, 2188, 2217, 2252)
* workflow: misc improvements (2001, 2092, 2147, 2159, 2173)

2.0.0

Not secure
This release, most notably, adds support for [TAP 15] - succinct hash bin delegation,
which results in a few backwards-incompatible changes in the Metadata API.

**NOTE**: While TAP 15 has been accepted it is not yet part of the TUF specification.
Therefore, adopters should be prepared for potential changes to the implementation
in future and for a lack of support for TAP 15 in other TUF implementations.

[TAP 15]: https://github.com/theupdateframework/taps/blob/master/tap15.md

Added
* Metadata API: TAP 15 - succinct hash bin delegation (2010, 2031, 2038, 2039)
* build: CodeQL analysis action (1932)
* build: Dependency review action (1974)
* blog: ngclient design (1914)
* blog: tricky test cases (1941, 2027)

Changed
* Metadata API: **BREAKING CHANGES** in Root and Targets class (2010)
  - Argument order changed in add_key() and remove_key()
  - remove_key() renamed to revoke_key()
* Metadata API: Update supported spec version to 1.0.30 (2035)
* ngclient: Use trusted timestamp role if new timestamp has equal version (2024)
* docs: Misc improvements (1983, 2002, 2004, 2041, 2051, 2064)
* tests: Misc improvements (2017)
* tests: Stop using requests type annotations (1991)
* build: Pin hatchling version (1989)
* build: Tweak pip download in verify_release script (1982)
* build: Update pinned dependency versions

Fixes
* Metadata API: Check for None instead of falsiness for some optional arguments (1975)
* ngclient: Prevent use of potentially undefined variable (2003)
* tests: Change git attributes for test data (2063)
