Releases: sassoftware/relic
v8.1.1
v8.1.0
What's Changed
- Add option to select a different timestamping service per key
- Apple: Enable hardened-runtime by default when signing executables. Can be disabled with --hardened-runtime=false
- Azure tokens: switch to new SDK, removing deprecated autorest and ADAL
- Google Cloud tokens: do not cancel gcp client context by @hodbn in #45
CI changes:
- macOS binaries are now built on macos-12 (was: macos-11)
- macOS binaries are separated by architecture instead of bundled together.
Full Changelog: v8.0.1...v8.1.0
v8.0.1
- fix(auth): pass client cert chain to OPA
Full Changelog: v8.0.0...v8.0.1
v8.0.0
Breaking Changes
The PGP implementation has been changed to github.com/ProtonMail/go-crypto/openpgp. This was necessary because the stdlib implementation has been deprecated for some time and also generates invalid PGP signatures, which the gpg2 version in RHEL 9 has started rejecting entirely.
- If you are using relic to generate PGP-based signatures (i.e. RPM or DEB) with an RSA key then you don't need to do anything.
- PGP-based ECDSA signatures are broken for now as the underlying ProtonMail implementation does not support HSM-based keys for any type other than RSA. Hopefully this will be fixed eventually!
- If you are importing relic or rpmutils in your own projects to generate or verify PGP-based signatures you will need to adjust your imports correspondingly.
If you are verifying PGP-based signatures generated by other tools and systems, you may encounter an error parsing PGP v3 signatures which are found in many places despite being extremely obsolete:
basesystem-11-13.el9.noarch.rpm ERROR: openpgp: unsupported feature: signature packet version 3
In particular, CentOS 9 still contains some RPMs with v3 signatures, although newer builds seem to have been updated. If this is important to you, it is possible to use a soft-forked version of the openpgp library which adds backwards compatibility for v3 signatures:
go mod edit -replace github.com/ProtonMail/go-crypto=github.com/pgpkeys-eu/go-crypto@main
go build -tags pgp3
Note that relic has never generated v3 signatures.
What's Changed
- Switch to ProtonMail pgp implementation - fixes validation issues with RHEL 9
- Replace unlicensed qur/ar with blakesmith/ar by @samwestmoreland in #43
- Added file audit log sink
- Added OPA decision ID to audit log entry
- Deprecated AMQP audit log sink
Full Changelog: v7.6.2...v8.0.0
v7.6.2
- fix: only set dir sector count for v4 MSIs -- fixes Advanced Installer and other MSIs being treated as corrupt (#33)
- fix: update rpmutils to v0.3.0 to handle RPMs without legacy digests (#35)
- chore: update MSAL auth to latest version (#39)
- ci: update github actions
Full Changelog: v7.6.1...v7.6.2
v7.6.1
v7.6.0
What's Changed
- Add --no-timestamp option to sign commands
- Add an optional rate limit for token operations
- Added relic-client-freebsd-amd64 to releases
- fix(pecoff): page hashes used incorrect page size (#32) - thanks to @dragon-dreamer for finding this issue!
- fix: report correct version when built from a go module
- fix: suppress stale health check error on startup
Full Changelog: v7.5.9...v7.6.0
v7.5.9
What's Changed
- fix(jar): be even more tolerant of missing line endings
Full Changelog: v7.5.8...v7.5.9
v7.5.8
What's Changed
- fix(jar): non-signature files in META-INF should be signed
Previously, files in subdirectories were signed, but not non-signature files directly under META-INF.
Full Changelog: v7.5.7...v7.5.8
v7.5.7
What's Changed
- fix(jar): allow a missing final newline in case of only one section
- fix(pkcs9): don't retry timestamping if context is canceled
- fix: metrics not updating for plain Sign method
Full Changelog: v7.5.6...v7.5.7