Releases: sassoftware/relic

v7.2.2

31 Jul 19:41

Bug Fixes

  • Fix PE-COFF checksum calculation for files with an odd number of bytes
  • Fix a potential crash when the input is not a regular file

Other

  • Update dependencies and switch to Go modules

v7.2.0

09 Apr 21:02

Features

  • appmanifest: default to using RFC 3161 timestamps instead of the legacy type. The old behavior can be restored by appending --rfc3161-timestamp=false. (#4)
  • Retry operations that fail due to network errors even if there is only one server

Bug Fixes

  • appmanifest: Fixed incorrect xpath queries that broke in later versions of etree (#4)

API Changes

v7.1.1

18 Feb 17:52

Features

  • Added client builds for Linux on arm64 and ppc64le

Bug Fixes

  • MSI: Fixed corrupt signatures on certain MSIs due to not updating an undocumented reserved field. Triggered by cases where adding a signature causes an additional page to be allocated to the directory stream.

v7.1.0

14 Aug 19:54

Features

  • Added --if-unsigned option to "relic sign" and "relic remote sign". Files that already have a signature will be skipped.

v7.0.2

05 Jul 17:10

Bug Fixes

  • Fixed excessive CPU usage due to health check running constantly.

v7.0.1

03 Jul 17:54

Features

  • Added optional use of memcached for caching timestamp requests - config option timestamp.memcache
  • Added optional rate limiting of timestamp requests - config options timestamp.ratelimit and timestamp.rateburst
  • Improved behavior of the /health endpoint
  • The /directory API is now always available even if server.siblings is not configured

Bug Fixes

  • audit: fix missing perf.elapsed.ms and formatting of empty client.dn

API Changes

  • The Timestamper interface has been changed to a single method with an options struct and moved to lib/pkcs9
  • Many functions in the Go API now take a context.Context as the first argument. This enables cancellation of long-running timestamp requests.

6.0

21 May 14:59

Features

Server model

Introduced a new server model. Instead of spawning a subprocess for each package signed, relic maintains a persistent pool of one or more worker subprocesses for each configured token. Each subprocess periodically monitors the token status; if a health check fails, or a signing operation fails with an error indicative of token problems, the subprocess exits and a new one starts. The main server process will retry several times before giving up.

PKI authentication

In addition to the existing fingerprint-based authentication, a PKI-based option is now available. Attaching a certificate to a configured client enables clients to authenticate using a certificate signed by the configured one. This enables the use of time-limited, job-specific and/or centrally-managed certificates from e.g. vault. The subject name of the certificate is also logged and can be used to trace the request to its original job.

Deprecations

  • Windows service support has been removed. Command-line token use will continue to be supported, as well as the pure-Go client-only executable.
  • Removed the ability to "seal" audit log entries.

5.8

02 May 15:45

Bug Fixes

  • When generating RSA keys, try CKM_RSA_X9_31_KEY_PAIR_GEN before CKM_RSA_PKCS_KEY_PAIR_GEN. Fixes key generation on Amazon CloudHSM.
  • MSI: Don't change the revision of the CDF container. Fixes certain MSIs not being recognized as signed.

5.7

23 Apr 21:28

Features

  • Added PGP signed messages (i.e. non-detached signatures)
  • Build/release scripts are now part of the git repository

5.6.1

20 Apr 16:10

Changes since 5.3:

Features

  • Added x509-sign command to perform simple Certificate Authority signatures
  • x509-sign can also perform cross-signatures by providing an existing subject certificate and a new issuer.
  • Added keyCertSign key usage type for x509 commands
  • x509 commands now have an --interactive mode that displays the contents of the certificate before prompting whether to sign it
  • Added token/open API to simplify opening tokens of various types
  • Added support for RSA-PSS. No package signature type can meaningfully make use of RSA-PSS, but x509 commands can.
  • When built with cgo disabled, relic now supports token types that do not require cgo (file, scdaemon) instead of disabling all token-related commands

Bug Fixes

  • Fixed build errors on Go 1.9.4