Releases: sassoftware/relic

v8.1.1

31 Oct 18:22
9b4549b

fixed: include the root CA in Apple signature types to avoid AMFI problems

Also expand on macos.md with all the steps to format the certificate chain.

Full Changelog: v8.1.0...v8.1.1

v8.1.0

29 Oct 22:24
52391ee

What's Changed

  • Add option to select a different timestamping service per key
  • Apple: Enable hardened-runtime by default when signing executables. Can be disabled with --hardened-runtime=false
  • Azure tokens: switch to new SDK, removing deprecated autorest and ADAL
  • Google Cloud tokens: do not cancel gcp client context by @hodbn in #45

CI changes:

  • macOS binaries are now built on macos-12 (was: macos-11)
  • macOS binaries are now separated by architecture instead of bundled together.

Full Changelog: v8.0.1...v8.1.0

v8.0.1

14 May 22:05
  • fix(auth): pass client cert chain to OPA

Full Changelog: v8.0.0...v8.0.1

v8.0.0

08 May 18:54

Breaking Changes

The PGP implementation has been changed to github.com/ProtonMail/go-crypto/openpgp. This was necessary because the stdlib implementation has been deprecated for some time and also generates invalid PGP signatures, which the gpg2 version in RHEL 9 has started rejecting entirely.

  • If you are using relic to generate PGP-based signatures (i.e. RPM or DEB) with an RSA key, then you don't need to do anything.
  • PGP-based ECDSA signatures are broken for now as the underlying ProtonMail implementation does not support HSM-based keys for any type other than RSA. Hopefully this will be fixed eventually!
  • If you are importing relic or rpmutils in your own projects to generate or verify PGP-based signatures, you will need to adjust your imports accordingly.

If you are verifying PGP-based signatures generated by other tools and systems, you may encounter an error parsing PGP v3 signatures, which are found in many places despite being extremely obsolete:

basesystem-11-13.el9.noarch.rpm ERROR: openpgp: unsupported feature: signature packet version 3

In particular, CentOS 9 still contains some RPMs with v3 signatures, although newer builds seem to have been updated. If this is important to you, it is possible to use a soft-forked version of the openpgp library which adds backwards compatibility for v3 signatures:

go mod edit -replace github.com/ProtonMail/go-crypto=github.com/pgpkeys-eu/go-crypto@main
go build -tags pgp3

Note that relic has never generated v3 signatures.
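
To find out ahead of time which signatures would trigger the "signature packet version 3" error, the packet headers can be inspected without any OpenPGP library. The following is an added example, not code from relic: the function name SignatureVersions is hypothetical, and it assumes the input is the raw binary (non-armored) OpenPGP data, already extracted from its container such as an RPM header. It follows the packet header layout of RFC 4880 section 4.2.

```go
package main

import (
	"errors"
	"fmt"
)

// SignatureVersions returns the version octet of each Signature packet (tag 2) in binary OpenPGP data.
func SignatureVersions(data []byte) ([]int, error) {
	var versions []int
	for len(data) > 0 {
		hdr := data[0]
		if hdr&0x80 == 0 || len(data) < 2 {
			return nil, errors.New("invalid or truncated packet header")
		}
		var tag, n, off int
		if hdr&0x40 == 0 { // old format: tag in bits 5-2, length type in bits 1-0
			tag, off = int(hdr>>2)&0x0f, 1+(1<<(hdr&0x03))
			if off == 9 || len(data) < off { // length type 3 = indeterminate
				return nil, errors.New("indeterminate or truncated length")
			}
			for _, b := range data[1:off] {
				n = n<<8 | int(b)
			}
		} else { // new format: tag in bits 5-0, 1-, 2- or 5-octet length
			tag = int(hdr & 0x3f)
			switch b := data[1]; {
			case b < 192:
				n, off = int(b), 2
			case b < 224 && len(data) >= 3:
				n, off = (int(b)-192)<<8+int(data[2])+192, 3
			case b == 255 && len(data) >= 6:
				n, off = int(data[2])<<24|int(data[3])<<16|int(data[4])<<8|int(data[5]), 6
			}
		}
		if off == 0 || n < 0 || len(data)-off < n { // off == 0: partial or truncated length
			return nil, errors.New("unsupported length or truncated body")
		}
		if tag == 2 && n > 0 {
			versions = append(versions, int(data[off]))
		}
		data = data[off+n:]
	}
	return versions, nil
}

func main() {
	// Constructed stubs: old-format v3 header, then new-format v4 header.
	fmt.Println(SignatureVersions([]byte{0x88, 0x02, 0x03, 0x00, 0xC2, 0x02, 0x04, 0x00}))
}
```

Any 3 in the returned slice marks a signature that a default build will refuse to parse, so those files can be flagged before the upgrade.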

What's Changed

  • Switch to ProtonMail pgp implementation - fixes validation issues with RHEL 9
  • Replace unlicensed qur/ar with blakesmith/ar by @samwestmoreland in #43
  • Added file audit log sink
  • Added OPA decision ID to audit log entry
  • Deprecated AMQP audit log sink

Full Changelog: v7.6.2...v8.0.0

v7.6.2

05 Feb 23:12
  • fix: only set dir sector count for v4 MSIs -- fixes Advanced Installer and other MSIs being treated as corrupt (#33)
  • fix: update rpmutils to v0.3.0 to handle RPMs without legacy digests (#35)
  • chore: update MSAL auth to latest version (#39)
  • ci: update github actions

Full Changelog: v7.6.1...v7.6.2

v7.6.1

22 Aug 18:46

What's Changed

  • fix(cab): accept cabinets with reserved padding

Full Changelog: v7.6.0...v7.6.1

v7.6.0

16 Aug 21:46

What's Changed

  • Add --no-timestamp option to sign commands
  • Add an optional rate limit for token operations
  • Added relic-client-freebsd-amd64 to releases
  • fix(pecoff): page hashes used incorrect page size (#32) - thanks to @dragon-dreamer for finding this issue!
  • fix: report correct version when built from a go module
  • fix: suppress stale health check error on startup

Full Changelog: v7.5.9...v7.6.0

v7.5.9

09 Aug 21:46

What's Changed

  • fix(jar): be even more tolerant of missing line endings

Full Changelog: v7.5.8...v7.5.9

v7.5.8

09 Aug 18:52

What's Changed

  • fix(jar): non-signature files in META-INF should be signed

Previously, files in subdirectories were signed, but not non-signature files directly under META-INF.

Full Changelog: v7.5.7...v7.5.8

v7.5.7

09 Aug 18:18

What's Changed

  • fix(jar): allow a missing final newline in case of only one section
  • fix(pkcs9): don't retry timestamping if context is canceled
  • fix: metrics not updating for plain Sign method

Full Changelog: v7.5.6...v7.5.7