v8.0.0
Breaking Changes
The PGP implementation has been changed to github.com/ProtonMail/go-crypto/openpgp. This was necessary because the stdlib implementation has been deprecated for some time and also generates invalid PGP signatures, which the gpg2 version in RHEL 9 has started rejecting entirely.
- If you are using relic to generate PGP-based signatures (i.e. RPM or DEB) with an RSA key, then you don't need to do anything.
- PGP-based ECDSA signatures are broken for now as the underlying ProtonMail implementation does not support HSM-based keys for any type other than RSA. Hopefully this will be fixed eventually!
- If you are importing relic or rpmutils in your own projects to generate or verify PGP-based signatures, you will need to adjust your imports correspondingly.
If you are verifying PGP-based signatures generated by other tools and systems, you may encounter an error parsing PGP v3 signatures, which are still found in many places despite being extremely obsolete:
basesystem-11-13.el9.noarch.rpm ERROR: openpgp: unsupported feature: signature packet version 3
In particular, CentOS 9 still contains some RPMs with v3 signatures, although newer builds seem to have been updated. If this is important to you, it is possible to use a soft-forked version of the openpgp library which adds backwards compatibility for v3 signatures:
go mod edit -replace github.com/ProtonMail/go-crypto=github.com/pgpkeys-eu/go-crypto@main
go build -tags pgp3
Note that relic has never generated v3 signatures.
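Before upgrading, it helps to know whether any of the signatures you verify are still v3 and will therefore trip the "signature packet version 3" error above. The following Go program is an added example, not part of relic or go-crypto: it walks a binary (non-armored) OpenPGP packet stream with only the standard library, decoding the packet framing from RFC 4880 section 4.2 and reporting the version octet of every signature packet (tag 2). The sample stream it scans is constructed for the example (dummy key ID and MPIs) and the function names are the example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrTruncated is returned when the stream ends inside a packet header or body.
var ErrTruncated = errors.New("truncated OpenPGP packet")

// SigVersion records one signature packet (tag 2) found in a packet stream.
type SigVersion struct {
	Offset  int  // byte offset of the packet header within the stream
	Version byte // first body octet: 3 for the obsolete v3 format, 4 for current signatures
}

// readPacketHeader decodes one packet header (RFC 4880 section 4.2) at data[off:] and
// returns the tag, the offset of the first body octet and the body length. Indeterminate
// and partial body lengths are rejected; signature packets never use them.
func readPacketHeader(data []byte, off int) (tag byte, bodyStart, bodyLen int, err error) {
	need := func(n int) bool { return off+n <= len(data) }
	if !need(1) {
		return 0, 0, 0, ErrTruncated
	}
	hdr := data[off]
	if hdr&0x80 == 0 {
		return 0, 0, 0, fmt.Errorf("byte 0x%02x at offset %d is not a packet header", hdr, off)
	}
	if hdr&0x40 == 0 {
		// Old format: tag in bits 5..2, size of the length field in bits 1..0.
		tag = (hdr >> 2) & 0x0f
		switch hdr & 0x03 {
		case 0:
			if need(2) {
				return tag, off + 2, int(data[off+1]), nil
			}
		case 1:
			if need(3) {
				return tag, off + 3, int(binary.BigEndian.Uint16(data[off+1:])), nil
			}
		case 2:
			if need(5) {
				return tag, off + 5, int(binary.BigEndian.Uint32(data[off+1:])), nil
			}
		default:
			return 0, 0, 0, errors.New("indeterminate-length packet not supported")
		}
		return 0, 0, 0, ErrTruncated
	}
	// New format: tag in bits 5..0; the first length octet selects the length encoding.
	tag = hdr & 0x3f
	if !need(2) {
		return 0, 0, 0, ErrTruncated
	}
	first := int(data[off+1])
	switch {
	case first < 192:
		return tag, off + 2, first, nil
	case first < 224:
		if need(3) {
			return tag, off + 3, (first-192)<<8 + int(data[off+2]) + 192, nil
		}
	case first == 255:
		if need(6) {
			return tag, off + 6, int(binary.BigEndian.Uint32(data[off+2:])), nil
		}
	default:
		return 0, 0, 0, errors.New("partial body length not supported")
	}
	return 0, 0, 0, ErrTruncated
}

// ScanSignatureVersions walks the whole packet stream and reports every signature packet.
func ScanSignatureVersions(data []byte) ([]SigVersion, error) {
	var found []SigVersion
	for off := 0; off < len(data); {
		tag, bodyStart, bodyLen, err := readPacketHeader(data, off)
		if err != nil {
			return found, err
		}
		end := bodyStart + bodyLen
		if end > len(data) {
			return found, fmt.Errorf("packet at offset %d: %w", off, ErrTruncated)
		}
		if tag == 2 && bodyLen > 0 {
			found = append(found, SigVersion{Offset: off, Version: data[bodyStart]})
		}
		off = end
	}
	return found, nil
}

// HasV3Signature reports whether the stream contains a v3 signature packet, i.e. one
// that stock go-crypto openpgp rejects with "unsupported feature: signature packet version 3".
func HasV3Signature(data []byte) (bool, error) {
	sigs, err := ScanSignatureVersions(data)
	if err != nil {
		return false, err
	}
	for _, s := range sigs {
		if s.Version == 3 {
			return true, nil
		}
	}
	return false, nil
}

// SampleStream is a constructed stream (not a real signature): a one-pass signature
// packet (tag 4), a v3 signature in old-format framing, then a v4 signature in
// new-format framing. Key ID and MPIs are dummies.
func SampleStream() []byte {
	return []byte{
		0x90, 0x0d, // tag 4, 13-byte body
		0x03, 0x00, 0x08, 0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x01,
		0x88, 0x16, // tag 2, old format, 22-byte body
		0x03, 0x05, 0x00, 0x5f, 0x00, 0x00, 0x00, // version 3, hashed length, sig type, creation time
		0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, // signer key ID
		0x01, 0x02, 0xab, 0xcd, // RSA, SHA-1, left 16 bits of hash
		0x00, 0x08, 0x01, // dummy 8-bit MPI
		0xc2, 0x0d, // tag 2, new format, 13-byte body
		0x04, 0x00, 0x01, 0x08, // version 4, sig type, RSA, SHA-256
		0x00, 0x00, 0x00, 0x00, // empty hashed and unhashed subpacket areas
		0xab, 0xcd, 0x00, 0x08, 0x01, // left 16 bits of hash, dummy MPI
	}
}

func main() {
	sigs, err := ScanSignatureVersions(SampleStream())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range sigs {
		fmt.Printf("signature packet at offset %d: version %d\n", s.Offset, s.Version)
	}
}
```

Feed it the raw bytes of a detached `.sig` file, or the signature blob pulled out of an RPM signature header, and a result from `HasV3Signature` tells you whether the stock library will refuse that artifact or whether the pgpkeys-eu fork and the `pgp3` build tag above are needed. Armored (`-----BEGIN PGP SIGNATURE-----`) input must be dearmored first; the scanner deliberately stops at partial-length packets, which never frame signatures.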
What's Changed
- Switch to ProtonMail pgp implementation - fixes validation issues with RHEL 9
- Replace unlicensed qur/ar with blakesmith/ar by @samwestmoreland in #43
- Added file audit log sink
- Added OPA decision ID to audit log entry
- Deprecated AMQP audit log sink
Full Changelog: v7.6.2...v8.0.0