v8.0.0

@mtharp released this 08 May 18:54
· 8 commits to master since this release

Breaking Changes

The PGP implementation has been changed to github.com/ProtonMail/go-crypto/openpgp. This was necessary because the previous implementation, the Go x/crypto openpgp package, has been deprecated for some time and was also generating invalid PGP signatures, which the gpg2 version shipped in RHEL 9 has started rejecting entirely.

  • If you use relic to generate PGP-based signatures (i.e. RPM or DEB) with an RSA key, you don't need to do anything.
  • PGP-based ECDSA signatures are broken for now because the underlying ProtonMail implementation does not support HSM-based keys for any key type other than RSA. Hopefully this will be fixed eventually!
  • If you import relic or rpmutils in your own projects to generate or verify PGP-based signatures, you will need to update your imports from the x/crypto openpgp package path to the github.com/ProtonMail/go-crypto/openpgp path.

If you verify PGP-based signatures generated by other tools and systems, you may encounter an error when parsing PGP v3 signatures, which are still found in many places despite being extremely obsolete:

basesystem-11-13.el9.noarch.rpm ERROR: openpgp: unsupported feature: signature packet version 3

In particular, CentOS 9 still contains some RPMs with v3 signatures, although newer builds seem to have been updated. If verifying those matters to you, it is possible to use a soft-forked version of the openpgp library that adds backwards compatibility for v3 signatures:

go mod edit -replace github.com/ProtonMail/go-crypto=github.com/pgpkeys-eu/go-crypto@main
go build -tags pgp3

Two caveats: a replace directive pointing at @main floats with the fork's branch, so pin it to a specific commit (and review that commit) if you need reproducible, auditable builds; and if go build reports a missing go.sum entry after the edit, run go mod tidy first.

Note that relic has never generated v3 signatures; this only affects verification of signatures produced elsewhere.
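If you would rather detect v3 signatures up front than discover them as parse errors, the version is the first octet of the signature packet body, so a stdlib-only pre-check is enough to flag them before the bytes reach go-crypto. The following is an added example, not relic's or go-crypto's code: it decodes the RFC 4880 packet header (old and new formats), reads the version octet, and for v3 also pulls the issuer key ID out of the fixed header. The sample packets are constructed byte strings, not real signatures; the function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
)

var errTrunc = errors.New("truncated OpenPGP packet")

// beUint reads a big-endian unsigned integer of 1, 2 or 4 octets.
func beUint(b []byte) int {
	n := 0
	for _, c := range b {
		n = n<<8 | int(c)
	}
	return n
}

// parsePacketHeader decodes an RFC 4880 packet header (old or new format) and
// returns the packet tag, the packet body, and the bytes following the packet.
func parsePacketHeader(b []byte) (int, []byte, []byte, error) {
	if len(b) < 2 || b[0]&0x80 == 0 {
		return 0, nil, nil, errors.New("not an OpenPGP packet")
	}
	var tag, hdrLen, bodyLen int
	if b[0]&0x40 == 0 { // old format: tag in bits 5..2, length type in bits 1..0
		tag = int(b[0]>>2) & 0x0f
		if hdrLen = []int{2, 3, 5, 0}[b[0]&0x03]; hdrLen == 0 {
			return 0, nil, nil, errors.New("indeterminate-length packets not supported")
		}
		if len(b) < hdrLen {
			return 0, nil, nil, errTrunc
		}
		bodyLen = beUint(b[1:hdrLen])
	} else { // new format: tag in bits 5..0, then a variable-size length field
		tag = int(b[0] & 0x3f)
		switch l := int(b[1]); {
		case l < 192:
			hdrLen, bodyLen = 2, l
		case l < 224 && len(b) >= 3:
			hdrLen, bodyLen = 3, (l-192)<<8+int(b[2])+192
		case l == 255 && len(b) >= 6:
			hdrLen, bodyLen = 6, beUint(b[2:6])
		case l < 224 || l == 255:
			return 0, nil, nil, errTrunc
		default:
			return 0, nil, nil, errors.New("partial body lengths not supported")
		}
	}
	if len(b) < hdrLen+bodyLen {
		return 0, nil, nil, errTrunc
	}
	return tag, b[hdrLen : hdrLen+bodyLen], b[hdrLen+bodyLen:], nil
}

// signatureInfo returns the version of a signature packet and, for v3, the
// issuer key ID from its fixed header (v4 keeps the issuer in a subpacket).
func signatureInfo(pkt []byte) (int, string, error) {
	tag, body, _, err := parsePacketHeader(pkt)
	if err != nil {
		return 0, "", err
	}
	if tag != 2 || len(body) == 0 {
		return 0, "", fmt.Errorf("packet tag %d is not a signature", tag)
	}
	switch body[0] {
	case 3: // version, hashed-length octet (always 5), sig type, 4-octet time, 8-octet key ID, pk alg, hash alg, left16, MPIs
		if len(body) < 19 || body[1] != 5 {
			return 0, "", errors.New("malformed v3 signature packet")
		}
		return 3, fmt.Sprintf("%X", body[7:15]), nil
	case 4: // version, sig type, pk alg, hash alg, hashed/unhashed subpacket areas, left16, MPIs
		return 4, "", nil
	default:
		return 0, "", fmt.Errorf("unsupported signature packet version %d", body[0])
	}
}

// hasV3Signature walks a binary packet stream (e.g. a detached .sig holding one
// or more signature packets) and reports whether any signature packet is v3.
func hasV3Signature(data []byte) (bool, error) {
	for len(data) > 0 {
		tag, body, rest, err := parsePacketHeader(data)
		if err != nil {
			return false, err
		}
		if tag == 2 && len(body) > 0 && body[0] == 3 {
			return true, nil
		}
		data = rest
	}
	return false, nil
}

// Constructed sample packets for the example; the trailing MPI is a dummy 8-bit value.
var sampleV3 = []byte{
	0x88, 0x16, // old-format header: tag 2, one-octet body length 22
	0x03, 0x05, 0x00, 0x60, 0x00, 0x00, 0x00, // v3, hashed length 5, sig type 0, creation time
	0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0, // issuer key ID
	0x01, 0x02, 0xAB, 0xCD, 0x00, 0x08, 0xFF, // RSA, SHA-1, left16, MPI
}
var sampleV4 = []byte{
	0xC2, 0x1D, // new-format header: tag 2, one-octet body length 29
	0x04, 0x00, 0x01, 0x08, // v4, sig type 0, RSA, SHA-256
	0x00, 0x06, 0x05, 0x02, 0x60, 0x00, 0x00, 0x00, // hashed subpackets: creation time
	0x00, 0x0A, 0x09, 0x10, 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0, // unhashed: issuer key ID
	0xAB, 0xCD, 0x00, 0x08, 0xFF, // left16, MPI
}
```

In practice you would run this over the raw signature bytes pulled from the RPM signature header (rpmutils exposes those) or from a binary detached signature; ASCII-armored .asc input has to be dearmored first. A v3 hit tells you the package will need the forked library, or a different trust path, before go-crypto ever sees it.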

What's Changed

  • Switch to ProtonMail pgp implementation - fixes validation issues with RHEL 9
  • Replace unlicensed qur/ar with blakesmith/ar by @samwestmoreland in #43
  • Added file audit log sink
  • Added OPA decision ID to audit log entry
  • Deprecated AMQP audit log sink

Full Changelog: v7.6.2...v8.0.0