Releases: sassoftware/relic
v7.2.2
v7.2.0
Features
- appmanifest: default to using RFC 3161 timestamps instead of the legacy type. The old behavior can be restored by appending --rfc3161-timestamp=false. (#4)
- Retry operations that fail due to network errors even if there is only one server
Bug Fixes
- appmanifest: Fixed incorrect xpath queries that broke in later versions of etree (#4)
API Changes
v7.1.1
Features
- Added client builds for linux on arm64 and ppc64le
Bug Fixes
- MSI: Fixed corrupt signatures on certain MSIs due to not updating an undocumented reserved field. Triggered by cases where adding a signature causes an additional page to be allocated to the directory stream.
v7.1.0
v7.0.2
v7.0.1
Features
- Added optional use of memcached for caching timestamp requests - config option timestamp.memcache
- Added optional rate limiting of timestamp requests - config options timestamp.ratelimit and timestamp.rateburst
- Improved behavior of the /health endpoint
- The /directory API is now always available even if server.siblings is not configured
Bug Fixes
- audit: fix missing perf.elapsed.ms and formatting of empty client.dn
API Changes
- The Timestamper interface has been changed to a single method with an options struct and moved to lib/pkcs9
- Many functions in the Go API now take a context.Context as the first argument. This enables cancellation of long-running timestamp requests.
6.0
Features
Server model
Introduced a new server model. Instead of spawning a subprocess for each package signed, relic maintains a persistent pool of one or more worker subprocesses for each configured token. The subprocess periodically monitors the token status; if a health check fails, or a signing operation fails with an error indicative of token problems, the subprocess exits and a new one starts. The main server process will retry several times before giving up.
PKI authentication
In addition to the existing fingerprint-based authentication, a PKI-based option is now available. Attaching a certificate to a configured client enables clients to authenticate using a certificate signed by the configured one. This enables the use of time-limited, job-specific and/or centrally-managed certificates from e.g. vault. The subject name of the certificate is also logged and can be used to trace the request to its original job.
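The check described above, sketched as an added Go example; it is not relic's own code. The helper names `issue` and `authenticate`, the certificate names and the lifetimes are assumptions, and all certificates are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed in-memory certificate (hypothetical helper, not relic code); a nil parent self-signs.
func issue(cn string, ku x509.KeyUsage, life time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(life),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage:     ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate accepts presented only if it chains to the configured certificate, is valid at now and allows client auth.
func authenticate(configured, presented *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(configured)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	return presented.Subject.String(), nil // subject name, available for the audit log
}

func main() {
	ca, caKey := issue("constructed-ci-ca", x509.KeyUsageCertSign, 24*time.Hour, nil, nil)
	job, _ := issue("job-1234", x509.KeyUsageDigitalSignature, 10*time.Minute, ca, caKey)
	fmt.Println(authenticate(ca, job, time.Now()))
}
```

Because the job certificate lives for ten minutes, the same call made with a later `now` is rejected, as is a certificate with the same subject issued by any other CA.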
Deprecations
- Windows service support has been removed. Command-line token use will continue to be supported, as well as the pure-Go client-only executable.
- Removed the ability to "seal" audit log entries.
5.8
5.7
5.6.1
Changes since 5.3:
Features
- Added x509-sign command to perform simple Certificate Authority signatures
- x509-sign can also perform cross-signatures by providing an existing subject certificate and a new issuer.
- Added keyCertSign key usage type for x509 commands
- x509 commands now have an --interactive mode that displays the contents of the certificate before prompting whether to sign it
- Added token/open API to simplify opening tokens of various types
- Added support for RSA-PSS. No package signature type can meaningfully make use of RSA-PSS, but x509 commands can.
- When built with cgo disabled, relic now supports token types that do not require cgo (file, scdaemon) instead of disabling all token-related commands
Bug Fixes
- Fixed build errors on Go 1.9.4