secure-systems-lab · dependabot · Oct 13, 2025 · Oct 15, 2025
diff --git a/pyproject.toml b/pyproject.toml
@@ -50,7 +50,7 @@ azurekms = ["azure-identity", "azure-keyvault-keys", "cryptography>=40.0.0"]
 awskms = ["boto3", "botocore", "cryptography>=40.0.0"]
 hsm = ["asn1crypto", "cryptography>=40.0.0", "PyKCS11"]
 PySPX = ["PySPX>=0.5.0"]
-sigstore = ["sigstore~=3.0"]
+sigstore = ["sigstore>=4,<5"]
 vault = ["hvac", "cryptography>=40.0.0"]
 
 [tool.hatch.version]

diff --git a/requirements-aws.txt b/requirements-aws.txt
@@ -1,2 +1,2 @@
-boto3~=1.40.49
-botocore~=1.40.49
+boto3~=1.40.51
+botocore~=1.40.51
diff --git a/requirements-sigstore.txt b/requirements-sigstore.txt
@@ -1 +1 @@
-sigstore==3.6.6
+sigstore==4.1.0
diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py
@@ -156,6 +156,7 @@ def from_priv_key_uri(
         secrets_handler: SecretsHandler | None = None,
     ) -> SigstoreSigner:
         try:
+            from sigstore.models import ClientTrustConfig
             from sigstore.oidc import IdentityToken, Issuer, detect_credential
         except ImportError as e:
             raise UnsupportedLibraryError(IMPORT_ERROR) from e
@@ -174,7 +175,9 @@ def from_priv_key_uri(
         if not ambient:
             # TODO: Restrict oauth flow to use identity/issuer from public_key
             # TODO: Use secrets_handler for identity_token() secret arg
-            token = Issuer.production().identity_token()
+            trust_config = ClientTrustConfig.production()
+            issuer = Issuer(trust_config.signing_config.get_oidc_url())
+            token = issuer.identity_token()
         else:
             credential = detect_credential()
             if not credential:
@@ -233,12 +236,15 @@ def import_via_auth(cls) -> tuple[str, SigstoreKey]:
         key. This method always uses the interactive authentication.
         """
         try:
+            from sigstore.models import ClientTrustConfig
             from sigstore.oidc import Issuer
         except ImportError as e:
             raise UnsupportedLibraryError(IMPORT_ERROR) from e
 
         # authenticate to get the identity and issuer
-        token = Issuer.production().identity_token()
+        trust_config = ClientTrustConfig.production()
+        issuer = Issuer(trust_config.signing_config.get_oidc_url())
+        token = issuer.identity_token()
         return cls.import_(token.identity, token.federated_issuer, False)
 
     def sign(self, payload: bytes) -> Signature:
@@ -257,11 +263,12 @@ def sign(self, payload: bytes) -> Signature:
 
         """
         try:
+            from sigstore.models import ClientTrustConfig
             from sigstore.sign import SigningContext
         except ImportError as e:
             raise UnsupportedLibraryError(IMPORT_ERROR) from e
 
-        context = SigningContext.production()
+        context = SigningContext.from_trust_config(ClientTrustConfig.production())
         with context.signer(self._token) as sigstore_signer:
             bundle = sigstore_signer.sign_artifact(payload)
         # We want to access the actual signature, see