Bump securesystemslib from 0.13.1 to 0.28.0

[dependabot]

Bumps securesystemslib from 0.13.1 to 0.28.0.

Release notes

Sourced from securesystemslib's releases.

v0.28.0

Added

• Signer: auto-keyid helper (#557)
• Signer: de/serialization helpers (#558)
• Signer: tests (#555, #556)
• Sigstore Signer: import methods (#535)

Changed

• HSMSigner: pre-hash data (#548)
• GCP Signer, HSM Signer: auto-keyid computation (#557)
• DSSE: serialize signature data as base64 for compliance (#565)

Removed

• Obsolete shebangs (#544, #545)
• Outdated schemes: md5, sha1 (#554)

Fixed

• Various test and CI fixes (#538, #541, #542, #543, #546)
• Minor SSlibKey.verify_signature error handling bug (#556)

v0.27.0

Added

• EXPERIMENTAL DSSE implementation (#487)
• EXPERIMENTAL sigstore signer and verifier (#522)
• Minimal TUF/in-toto spec-compliant GPG verifier (#488)
• API-typical 'import' and 'from URI' GPG signer methods (#488)

Changed

• Require public key in GPG signer and disallow subkey signatures (#488)
• Increase GPG subprocess timeout (#502)
• Rename default branch to 'main' (#523)
• Make HSM signer URI configurable (#526)
• Allow tox to skip virtual HSM tests (#528)
• Strip PEM keys to compute keyids consistently (#453)

Removed

• Internal GPG version utils (#504)
• Custom subprocess interface (#505)
• Vendored ssl module (#506)

Fixed

• Windows compatibility issues and re-enable Windows CI (#518)
• GPG subprocess timeout configurability (#502)

v0.26.0

Added

• Private key URI schemes for signer instantiation (#456)
• Public key container class for signature verification (#456)
• Post-quantum sphincs+ signing scheme (#427)
• Hardware Security Module (HSM) signing (#472)

... (truncated)

Changelog

Sourced from securesystemslib's changelog.

securesystemslib v0.28.0

Added

• Signer: auto-keyid helper (#557)
• Signer: de/serialization helpers (#558)
• Signer: tests (#555, #556)
• Sigstore Signer: import methods (#535)

Changed

• HSMSigner: pre-hash data (#548)
• GCP Signer, HSM Signer: auto-keyid computation (#557)
• DSSE: serialize signature data as base64 for compliance (#565)

Removed

• Obsolete shebangs (#544, #545)
• Outdated schemes: md5, sha1 (#554)

Fixed

• Various test and CI fixes (#538, #541, #542, #543, #546)
• Minor SSlibKey.verify_signature error handling bug (#556)

securesystemslib v0.27.0

Added

• EXPERIMENTAL DSSE implementation (#487)
• EXPERIMENTAL sigstore signer and verifier (#522)
• Minimal TUF/in-toto spec-compliant GPG verifier (#488)
• API-typical 'import' and 'from URI' GPG signer methods (#488)

Changed

• Require public key in GPG signer and disallow subkey signatures (#488)
• Increase GPG subprocess timeout (#502)
• Rename default branch to 'main' (#523)
• Make HSM signer URI configurable (#526)
• Allow tox to skip virtual HSM tests (#528)
• Strip PEM keys to compute keyids consistently (#453)

Removed

• Internal GPG version utils (#504)
• Custom subprocess interface (#505)
• Vendored ssl module (#506)

Fixed

• Windows compatibility issues and re-enable Windows CI (#518)
• GPG subprocess timeout configurability (#502)

securesystemslib v0.26.0

... (truncated)

Commits

• 88a3df2 Merge pull request #570 from lukpueh/bump_version_0.28.0
• 5817877 Prepare v0.28.0 release
• 7b36698 Merge pull request #569 from secure-systems-lab/dependabot/pip/cryptography-4...
• 11c301a Merge pull request #567 from secure-systems-lab/dependabot/github_actions/act...
• 996ecc4 build(deps): bump cryptography from 40.0.1 to 40.0.2
• b1b14eb Merge pull request #558 from lukpueh/base-de_serialization-helpers
• c28c6f0 Merge pull request #565 from PradyumnaKrishna/fix-dsse-signature
• 92e766f build(deps): bump actions/checkout from 3.5.1 to 3.5.2
• 048b38e Use bytes to encode/decode hex.
• 2bcf092 base64 encode raw signature in Envelope
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[jezdez]

@dependabot rebase

[beeankha]

pre-commit.ci autofix

[dbast]

https://github.com/dependabot rebase

[dependabot]

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

[kenodegard]

@dependabot recreate

[dependabot]

Dependabot can't evaluate your Python dependency files. Because of this, Dependabot cannot update this pull request.