Merge pull request #1206 from sigstore/post-2.2.0

Update after 2.2.0 release

Author: loosebazooka

CHANGELOG.md

@@ -10,6 +10,15 @@ All versions prior to 1.0.0 are untracked
 
 ## [Unreleased]
 
+# [2.2.0] - 2026-06-10
+
+## Added
+- Users can now use environment variable `SIGSTORE_JAVA_ID_TOKEN` to pass in a raw token to the signer: https://github.com/sigstore/sigstore-java/pull/1204
+- Support more signing algorithms from the registry: https://github.com/sigstore/sigstore-java/pull/1197, https://github.com/sigstore/sigstore-java/pull/1198
+
+## Changed
+- DSSE types logged with rekor v2 will use `hashedrekord` as the log entry type, the `dsse` log type is no longer in use for rekor v2: https://github.com/sigstore/sigstore-java/pull/1202
+
 # [2.1.0] - 2026-05-21
 
 ## Added

README.md

@@ -33,6 +33,12 @@ Bundle result = signer.signFile(testArtifact);
 String bundleJson = result.toJson();
 ```
 
+##### ID Token
+Signing will use identity tokens from these sources in the following order of priority:
+- `SIGSTORE_JAVA_ID_TOKEN`: a raw token provided as an environment variable
+- GitHub Actions: a token from github actions when the permission `idtoken: write` is set
+- Interactive Web Flow: an broswer based oidc flow requiring user input
+
 #### Artifact Verification
 
 ##### Get artifact and bundle

build-logic/publishing/build.gradle.kts

@@ -11,7 +11,7 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.1.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:2.2.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:2.0.0")
     implementation("com.gradleup.nmcp:com.gradleup.nmcp.gradle.plugin:1.4.0")
 }

examples/hello-world/build.gradle.kts

@@ -1,7 +1,7 @@
 plugins {
   `java-library`
   `maven-publish`
-  val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.1.0"
+  val sigstoreVersion = System.getProperty("sigstore.version") ?: "2.2.0"
   id("dev.sigstore.sign") version "$sigstoreVersion"
   signing
 }

examples/hello-world/pom.xml

@@ -16,7 +16,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <maven.compiler.release>11</maven.compiler.release>
-    <sigstore.version>2.1.0</sigstore.version>
+    <sigstore.version>2.2.0</sigstore.version>
   </properties>
 
   <build>

gradle.properties

@@ -4,7 +4,7 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m
 group=dev.sigstore
 
 # use the ./scripts/update_version.sh script to update all versions
-version=2.2.0
+version=2.3.0
 
 # Kotlin Dokka is experemental, and we want silence the build warning
 org.jetbrains.dokka.experimental.gradle.pluginMode=V2Enabled

sigstore-gradle/README.md

@@ -15,7 +15,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
 
 ```kotlin
 plugins {
-    id("dev.sigstore.sign") version "2.1.0"
+    id("dev.sigstore.sign") version "2.2.0"
 }
 
 // Automatically sign all Maven publications, using GitHub Actions OIDC when available,

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -46,7 +46,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("2.2.0")
+        sigstoreJavaVersion.convention("2.3.0")
     }
 
     fun sign(publications: DomainObjectCollection<Publication>) {

sigstore-maven-plugin/README.md

@@ -17,7 +17,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
       <plugin>
         <groupId>dev.sigstore</groupId>
         <artifactId>sigstore-maven-plugin</artifactId>
-        <version>2.1.0</version>
+        <version>2.2.0</version>
         <executions>
           <execution>
             <id>sign</id>