From a10a99788d129d20f8b54b5c61edc607f8380009 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Thu, 14 May 2026 11:21:25 +0300 Subject: [PATCH 1/3] Prepare 4.3.0 release Signed-off-by: Jussi Kukkonen --- CHANGELOG.md | 24 +++++++++++++++++------- sigstore/__init__.py | 2 +- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9cfd3336..f5fcaf077 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,18 +8,25 @@ All versions prior to 0.9.0 are untracked. ## [Unreleased] +## [4.3.0] + ### Added -* `Issuer.identity_token` accepts an optional `redirect_port` argument to bind - the local OAuth redirect server to a fixed port, for OIDC providers that - require a pre-registered redirect URI without `localhost` port wildcards +* `Issuer.identity_token` accepts an optional `redirect_port` argument to + accomodate OIDC providers that require pre-registered redirect URIs ([#1029](https://github.com/sigstore/sigstore-python/issues/1029)) ### Fixed -* Fixed ~60s hang after completing browser-based OIDC authentication. - The OIDC redirect server had incomplete HTTP responses and no connection - management, causing a keep-alive deadlock with the browser. +* Fix ~60s keep-alive deadlock in browser-based OIDC authentication + ([#1693](https://github.com/sigstore/sigstore-python/pull/1693)) +* Avoid over-using connections when signing many artifacts: Use one connection + per thread ([#1732](https://github.com/sigstore/sigstore-python/pull/1732)) + +### Changed + +* Added cryptography 47, 48 to list of compatible cryptography releases + ([#1773](https://github.com/sigstore/sigstore-python/pull/1773)) ## [4.2.0] 
@@ -777,10 +784,13 @@ This is a corrective release for [2.1.1]. -[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v4.2.0...HEAD +[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v4.3.0...HEAD +[4.3.0]: https://github.com/sigstore/sigstore-python/compare/v4.2.0...v4.3.0 [4.2.0]: https://github.com/sigstore/sigstore-python/compare/v4.1.0...v4.2.0 [4.1.0]: https://github.com/sigstore/sigstore-python/compare/v4.0.0...v4.1.0 [4.0.0]: https://github.com/sigstore/sigstore-python/compare/v3.6.5...v4.0.0 +[3.6.7]: https://github.com/sigstore/sigstore-python/compare/v3.6.6...v3.6.7 +[3.6.6]: https://github.com/sigstore/sigstore-python/compare/v3.6.5...v3.6.6 [3.6.5]: https://github.com/sigstore/sigstore-python/compare/v3.6.4...v3.6.5 [3.6.4]: https://github.com/sigstore/sigstore-python/compare/v3.6.3...v3.6.4 [3.6.3]: https://github.com/sigstore/sigstore-python/compare/v3.6.2...v3.6.3 diff --git a/sigstore/__init__.py b/sigstore/__init__.py index 00582bac5..88ca8c401 100644 --- a/sigstore/__init__.py +++ b/sigstore/__init__.py @@ -25,4 +25,4 @@ * `sigstore.sign`: creation of Sigstore signatures """ -__version__ = "4.2.0" +__version__ = "4.3.0" From a4227467643299b5b6fb7b4260efaadfb5f16322 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 26 May 2026 18:43:53 +0300 Subject: [PATCH 2/3] CHANGELOG: Include #1176 Signed-off-by: Jussi Kukkonen --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5fcaf077..d4862e9ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -25,6 +25,10 @@ All versions prior to 0.9.0 are untracked. ### Changed +* With Rekor v2 DSSE signing/verification now uses Hashedrekord log entries. + This is based on Rekor v2 spec change: + https://github.com/sigstore/architecture-docs/pull/63 + ([#1776](https://github.com/sigstore/sigstore-python/pull/1776)) * Added cryptography 47, 48 to list of compatible cryptography releases ([#1773](https://github.com/sigstore/sigstore-python/pull/1773)) From b3c1d787bef48700d139fd09050ef883d664e332 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Mon, 1 Jun 2026 10:14:41 +0300 Subject: [PATCH 3/3] CHANGELOG: Update to include recent PRs Signed-off-by: Jussi Kukkonen --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4862e9ef..ecdc57a6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,8 +29,10 @@ All versions prior to 0.9.0 are untracked. This is based on Rekor v2 spec change: https://github.com/sigstore/architecture-docs/pull/63 ([#1776](https://github.com/sigstore/sigstore-python/pull/1776)) -* Added cryptography 47, 48 to list of compatible cryptography releases +* sigstore is now compatible with cryptography 48 and tuf 7 ([#1773](https://github.com/sigstore/sigstore-python/pull/1773)) +* Embedded TUF metadata has been updated + ([#1785](https://github.com/sigstore/sigstore-python/pull/1785)) ## [4.2.0]
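Review bot: In PATCH 1/3, first CHANGELOG.md hunk (`@@ -8,18 +8,25 @@`), the rewritten `redirect_port` entry misspells "accommodate" as "accomodate". The shortened wording also drops the statement that the argument binds the local OAuth redirect server to a fixed port, which is the detail a user registering a redirect URI with their OIDC provider needs; consider keeping that clause in the new text.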
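Review bot: In PATCH 1/3, the link-reference hunk (`@@ -777,10 +784,13 @@`) adds `[3.6.7]` and `[3.6.6]` compare links, but no `## [3.6.6]` or `## [3.6.7]` section is added anywhere in this series and the commit message does not mention the backfill. Confirm those headings already exist in CHANGELOG.md (otherwise the references are unused), and mention the added 3.6.x links in the commit message so the change is not hidden inside "Prepare 4.3.0 release".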
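Review bot: In PATCH 2/3 the subject reads "Include #1176" while the entry added in the hunk (`@@ -25,6 +25,10 @@`) links #1776; the two numbers should be reconciled before this lands. In the entry itself, "With Rekor v2 DSSE signing/verification now uses Hashedrekord log entries" needs a comma after "Rekor v2", and the bare architecture-docs URL should use the same `[text](url)` form as the other entries. The entry also does not say whether previously created DSSE bundles are affected by the change of log entry type; one sentence on that would help users who verify existing signatures.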
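Review bot: In PATCH 3/3 (`@@ -29,8 +29,10 @@`), the replacement line drops cryptography 47 from the earlier "47, 48" wording and adds tuf 7, yet still cites only #1773. State whether 47 was removed from the text on purpose, and link the PR that brought tuf 7 support if it is not #1773. The new "Embedded TUF metadata has been updated" entry gives no indication of what changed; since embedded TUF metadata is trust material shipped with the package, name what was refreshed so users can tell whether they need this release.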