Tuf

Latest version: v5.1.0


5.1.0

Changed

* ngclient: default user-agent was updated from "tuf/x.y.z" to "python-tuf/x.y.z" (2632)
* ngclient: max_root_rotations default value was bumped to 256 to prevent a too-small value
from creating issues in actual deployments where the embedded root is not easily
updateable (2675)
* repository: do_snapshot() and do_timestamp() now always create new versions if current version
is not correctly signed (2650)
* Various infrastructure and documentation improvements

5.0.0

This release, most notably, marks stable securesystemslib v1.0.0 as minimum
requirement. The update causes a minor break in the new DSSE API (see below)
and affects users who also directly depend on securesystemslib. See the [securesystemslib release
notes](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md#securesystemslib-v100)
and the updated python-tuf `examples` (2617) for details. ngclient API remains
backwards-compatible.

Changed
* DSSE API: change `SimpleEnvelope.signatures` type to `dict`, remove
`SimpleEnvelope.signatures_dict` (2617)
* ngclient: support app-specific user-agents (2612)
* Various build, test and lint improvements

4.0.0

This release is a small API change for Metadata API users (see below).
ngclient API is compatible but optional DSSE support has been added.

Added
* Added optional DSSE support to Metadata API and ngclient (2436)

Changed
* Metadata API: Improved verification functionality for repository users (2551):
  * This is an API change for Metadata API users
    (`Root.get_verification_result()` and `Targets.get_verification_result()`
    specifically)
  * `Root.get_root_verification_result()` has been added to handle the special
    case of root verification
* Started using UTC datetimes instead of naive datetimes internally (2573)
* Constrain securesystemslib dependency to <0.32.0 in preparation for future
securesystemslib API changes
* Various build, test and lint improvements

3.1.1

This is a security fix release to address advisory
GHSA-77hh-43cm-v8j6. The issue does **not** affect tuf.ngclient
users, but could affect tuf.api.metadata users.

Changed
* Added additional input validation to
`tuf.api.metadata.Targets.get_delegated_role()`

3.1.0

Not secure

Added
* Metadata API: move verify_delegate() to Root/Targets (2378)
  - *verify_delegate() on Metadata is now deprecated*
* Metadata API: add get_verification_result() as verbose alternative for
verify_delegate() (2481)
* Metadata API: add MetaFile.from_data() convenience factory (2273)

Changed
* Metadata API: change Root.roles type hint to Dict (2411)
* Various minor improvements in tests (2447, 2491), docs
(2390, 2392, 2474) and build (2389, 2453, 2479, 2488)

Removed
* build: Python 3.7 support (2460)

3.0.0

Not secure

The notable change in this release is 2165: The tuf.api.metadata.Key
class implementation was moved to Securesystemslib with minor API
changes. These changes require no action from tuf.ngclient users but may
require small changes in repository implementations that use
tuf.api.metadata and create keys.

As a result of these changes, both signing and verification are now
fully extensible; see the Securesystemslib signer API for details.

tuf.repository remains an unstable module in 3.0.0.

Added
* Build: Use pydocstyle to lint docstrings (2283, 2281)
* Examples: Add Repository uploader/signer tool example (2241)
* Metadata API: Add TargetFile.get_prefixed_paths() (2166)
* ngclient: Export TargetFile (2279)
* repository: Add strictly typed accessors and context managers (2311)
* Release: Use PyPI Trusted Publishing
https://docs.pypi.org/trusted-publishers/ (#2371)

Changed
* Build: Various minor build and release infrastructure improvements,
dependency updates
* Metadata API: Key class is still part of the API but now comes from
Securesystemslib (2165):
  * `Key.verify_signature()` method signature has changed
  * `Key.from_securesystemslib_key()` was removed: Use
    Securesystemslib's `SSlibKey.from_securesystemslib_key()` instead


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.