diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c0cd62b..e2c61080 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -82,6 +82,11 @@ All versions prior to 0.9.0 are untracked.
 have been re-homed under `sigstore.models`
 ([#990](https://github.com/sigstore/sigstore-python/pull/990))

+* API: `oidc.IdentityToken.expected_certificate_subject` has been renamed
+ to `oidc.IdentityToken.federated_issuer` to better describe what it actually
+ contains. No functional changes have been made to it
+ ([#1016](https://github.com/sigstore/sigstore-python/pull/1016))
+
 ## [2.1.5]

 ## Fixed
diff --git a/sigstore/oidc.py b/sigstore/oidc.py
index 66400a43..c3b07335 100644
--- a/sigstore/oidc.py
+++ b/sigstore/oidc.py
@@ -205,9 +205,9 @@ def issuer(self) -> str:
 return self._iss

 @property
- def expected_certificate_subject(self) -> str:
+ def federated_issuer(self) -> str:
 """
- Returns a URL identifying the **expected** subject for any Sigstore
+ Returns a URL identifying the **federated** issuer for any Sigstore
 certificate issued against this identity token.

 The behavior of this field is slightly subtle: for non-federated
@@ -218,7 +218,7 @@ def expected_certificate_subject(self) -> str:
 implementation-defined claim.

 This attribute exists so that clients who wish to inspect the expected
- subject of their certificates can do so without relying on
+ underlying issuer of their certificates can do so without relying on
 implementation-specific behavior.
 """
 if self._federated_issuer is not None:
diff --git a/test/unit/test_oidc.py b/test/unit/test_oidc.py
index 4ac7cc3f..eefd1c10 100644
--- a/test/unit/test_oidc.py
+++ b/test/unit/test_oidc.py
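Review bot: The new name and opening docstring sentence of `federated_issuer` in sigstore/oidc.py read as if the property only applies to federated tokens, yet the visible docstring context says non-federated providers are covered too, and the test in test_oidc.py expects `iss` when no federated claim is present. A caller who uses this property to decide whether a token is federated, or to pin the expected issuer in a verification policy, could be misled. I would state the fallback in the first sentence, for example `Returns the federated issuer URL if the token carries one, otherwise the token's own issuer URL.` The private `self._federated_issuer` can be None while the public property of the same name apparently never is, so a short comment on that difference would also help. The property body continues past the end of the second hunk, so the fallback itself is inferred rather than visible here.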
@@ -267,4 +267,4 @@ def test_ok(self, dummy_jwt, iss, identity_claim, identity_value, fed_iss):
 assert identity.in_validity_period()
 assert identity.identity == identity_value
 assert identity.issuer == iss
- assert identity.expected_certificate_subject == iss if not fed_iss else fed_iss
+ assert identity.federated_issuer == iss if not fed_iss else fed_iss
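Review bot: The renamed assertion carries over a precedence problem: `assert identity.federated_issuer == iss if not fed_iss else fed_iss` parses as `(identity.federated_issuer == iss) if not fed_iss else fed_iss`. Whenever `fed_iss` is set, the statement reduces to `assert fed_iss` and passes without comparing anything. The federated case, which is the one this property exists for, is therefore never checked. Parenthesise the expected value: `assert identity.federated_issuer == (iss if not fed_iss else fed_iss)`. `test_ok` starts above this hunk, so its parametrisation is not visible here.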