Go Tuf Versions

Go implementation of The Update Framework (TUF)

v0.7.0

5 months ago

Changelog

Breaking

Hello,

As a continuation of https://github.com/theupdateframework/go-tuf/issues/485, we are starting the process of deprecating the existing https://github.com/theupdateframework/go-tuf code base in favour of https://github.com/rdimitrov/go-tuf-metadata.

Reasoning:

  • The reasoning behind this is explained in https://github.com/theupdateframework/go-tuf/issues/485, but essentially the new code base is much simpler, easier to work with and, last but not least, easier to maintain and contribute to. The last two have been longstanding issues for go-tuf and we are looking forward to addressing them with this change.
  • A deep thank you to all of the people who helped shape this effort!

Details:

  • This will not happen straight away!
  • We'll continue to support this version in a separate branch (v0.7.0) until the migration process is considered complete.
  • We advise all users to pin their dependencies of go-tuf to a certain release version (in case they haven't already) so they don't experience any inconveniences.
  • We'll continue to use the https://github.com/theupdateframework/go-tuf repository, but its content will be updated to accommodate the changes. We'll start introducing the go-tuf-metadata code base to the master branch of go-tuf, so technically there will be times where the master branch might be considered unstable (which is a general practice).
  • Even though go-tuf is pre-v1.0.0 and technically there are no API commitments to be followed, we won't release a v1.0.0 either with the new code base until it is well tested and we are sure of its stability.

Apologies for the disruption and thank you in advance for the understanding!

Yours, The go-tuf maintainers team.


Features

  • 14ed751bc4d0b6f8cab38c5e4906a70ec954fba1: feat: Add-Signature to support new formats of input (#538) (@ChevronTango)
  • 70d3a5483ff549b074d82df69c1dddccdfd30456: feat: #528 Add-Key to a role (#535) (@ChevronTango)
  • 6e07500a3e29340f34fbb800930616224590c435: feat: 536 Add Gitpod config to project (#537) (@ChevronTango)

Bug fixes

  • 9570146bb95f256f82aec3aedb7764b72197ef06: fix: Set sig to Array when empty (#533) (@ChevronTango)
  • 582126afaa0a08e17843e51d37efc61b0ef4297b: fix: add-signature to read from stdin (#534) (@ChevronTango)
  • 58f321a3484cb6a855e240948ba4ba0cc3fe8236: fix(localMeta): Ignore deleted delegated targets (#522) (@BaptisteFoy)

Others

  • f205b79ba632d1d6459cbf964da8dad80e277196: chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (#542) (@dependabot[bot])
  • cdae812a22758827417a6d342cd25612d0d199f4: chore(deps): bump shogo82148/actions-goveralls from 1.7.0 to 1.8.0 (#544) (@dependabot[bot])
  • 3ff5aa787126eea883fc4fb42fc0478804a2b9c7: chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#543) (@dependabot[bot])
  • fe99435ce462ce95e870e335b4fced09ad3b36fc: chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#547) (@dependabot[bot])
  • 9099aaa3176a0ec5e6a14743ce5d9a3b884f3866: chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#548) (@dependabot[bot])
  • 3a5077742dec82b1a11063653098b473bcd62c5e: chore(deps): bump arnested/go-version-action from 1.1.12 to 1.1.13 (#549) (@dependabot[bot])
  • 308e63ed0af657f4cb7d2354146d6b12cb845cf4: chore(deps): bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#553) (@dependabot[bot])
  • 0107a7245924357c151994075db9ea3f793e7c5d: chore(deps): bump securesystemslib from 0.28.0 to 0.29.0 (#552) (@dependabot[bot])
  • 057cf1936f3ce703bc67f78edb2fdae8904d7f34: chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#550) (@dependabot[bot])
  • 1f8a2d8c5bfaec00060c7ab7c218e361ac0d4936: chore(deps): bump actions/checkout from 3 to 4 (#551) (@dependabot[bot])
  • 35c71e42cd12aeac00b6e323f7748f2daac90c59: chore(deps): bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 (#554) (@dependabot[bot])
  • ca61fb042faf035861616f01a18253d635e337ad: chore(deps): bump securesystemslib from 0.29.0 to 0.30.0 (#557) (@dependabot[bot])
  • 257ce1ae07d7fc90c6cc8d08072ed8aaaf5642a0: chore(deps): bump golang.org/x/term from 0.12.0 to 0.13.0 (#559) (@dependabot[bot])
  • dde2ad4cc8f23abcc81fb39982ac47d606b4d1c0: chore(deps): bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#560) (@dependabot[bot])
  • c544d321dbba32c9b4e727a00670b43a0b1e7d3c: chore(deps): bump actions/setup-python from 4.7.0 to 4.7.1 (#561) (@dependabot[bot])
  • c9be819beae3cfc7651b55e5e5e95075ad16329b: chore(deps): bump amannn/action-semantic-pull-request from 5.2.0 to 5.3.0 (#555) (@dependabot[bot])
  • dfef2cad87297fed1da35a5d8903caeebebe1456: chore(deps): bump tuf from 3.0.0 to 3.1.0 (#562) (@dependabot[bot])
  • 2258ee127fcb521e8bfc224032013c8d2401b705: chore(deps): bump iso8601 from 2.0.0 to 2.1.0 (#558) (@dependabot[bot])
  • 9301e5aab2b742a3a040f7509422072cea626a35: chore(deps): bump amannn/action-semantic-pull-request from 5.3.0 to 5.4.0 (#563) (@dependabot[bot])
  • 17b62053f271db7fa991e3e50a94989fcbdf8179: chore(deps): bump arnested/go-version-action from 1.1.13 to 1.1.14 (#564) (@dependabot[bot])
  • beddac29b345cbde22f60b5cb00c4b68eedb361f: chore(deps): bump golang.org/x/term from 0.13.0 to 0.14.0 (#565) (@dependabot[bot])
  • 6ad7fe593e4042db3544c4b0fedbe66bac371c42: chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.16.0 (#568) (@dependabot[bot])

v0.6.1

9 months ago

Changelog

Bug fixes

  • ca0c316673ca2482fa188b36e44c3b49d4a8fd10: fix: fail to load deprecated ecdsa verifier (#541) (@rdimitrov)

Others

  • 8efd6cdb12ba7c28d10ede9fd00ba708ef71fa68: test: add python-tuf v3.0.0 support (#515) (@rdimitrov)
  • 7b85661d635d4be0a4add2336549141d45715c52: chore: add govulncheck and bump Go to 1.20 (#523) (@rdimitrov)
  • 4e4f7f3c2772bf637d0ff9c524ddda5e6dd8dc79: chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 (#519) (@dependabot[bot])
  • ad706edfd9d11977f71277ceddcaebd79b606dff: chore(deps): bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#539) (@dependabot[bot])

v0.6.0

9 months ago

Changelog

Breaking changes

  • 9774d7980aaec85ebcc7eaf8bd6d6e7c6747d2a3: feat!: add deprecating message for the encrypted package (#521) (@rdimitrov)

Features

  • 6aa3072403d1ee7e4030f3c7c9a0e2a22e194fc0: feat: increase scrypt parameters (#470) (@Zenithar)

Bug fixes

  • 5a019c3b0722884ecd77b0923b74e135427ef949: fix: golangci-lint failures when tested against Go 1.20 (#457) (@rdimitrov)
  • 6b93a5ad22c270245b218c295f51b24e543c19b8: fix: sign-payload shouldn't recanonicalize payload (#479) (@znewman01)
  • 2adcfe74e69d474d298a991d9643bed13da055d7: fix: Update the ecdsa key type to the latest spec (1.0.32). (#508) (@kommendorkapten)

Others

  • 2cea368d2bf2a7d4ea0ea368d26373ea2f977727: chore(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#453) (@dependabot[bot])
  • f0771105d2d374b71fb6a0b21bd70bbdcbdd4234: chore(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#451) (@dependabot[bot])
  • 0cd000c650894a80b4a5201e71f202812b8eae2f: chore(deps): bump arnested/go-version-action from 1.1.6 to 1.1.7 (#454) (@dependabot[bot])
  • fab805a8e00b5520c09855385b32761f41b67a6f: chore(deps): bump amannn/action-semantic-pull-request from 5.0.2 to 5.1.0 (#458) (@dependabot[bot])
  • 96a25a4f027707d283030a0b1b0948c4a86865a3: chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#466) (@dependabot[bot])
  • 075e800bd914b11d90b78eb3e352d88d24da29c2: chore(deps): bump golang.org/x/term from 0.0.0-20210927222741-03fcf44c2211 to 0.5.0 (#465) (@dependabot[bot])
  • 7b0f2490b8bbf8914182da1667e5153d2c9e0e00: chore(deps): bump golang.org/x/crypto from 0.0.0-20211117183948-ae814b36b871 to 0.6.0 (#464) (@dependabot[bot])
  • c386074f970f1ed4cabfb27bef838316b2398783: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.4.0 to 0.5.0 (#459) (@dependabot[bot])
  • ad9ad1068d9b85aec2da6afc7d2ae66266d06d45: chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#468) (@dependabot[bot])
  • ba794d1d5f4a1e0be5d1a7fc0c71502032963b4a: chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#469) (@dependabot[bot])
  • d271873280caf7a2dbc04b81626519dcd2294068: chore(deps): bump securesystemslib from 0.26.0 to 0.27.0 (#471) (@dependabot[bot])
  • 493ab6cae58942542e27093b1ec23095fe8e51bd: chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 (#472) (@dependabot[bot])
  • 7f231b3d8147d909d09ba4825e6c8a3924b67828: chore(deps): bump amannn/action-semantic-pull-request from 5.1.0 to 5.2.0 (#473) (@dependabot[bot])
  • 7cddf5836cb16160ef10b5bcb1be925eef5924e0: docs: Update install instructions in README (#474) (@haydentherapper)
  • 30b7aaeaef868981b90ce4c2b5313525093ec837: chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#477) (@dependabot[bot])
  • ab35782b35129e2247e05c337b62c937dbabcc81: chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#478) (@dependabot[bot])
  • c7d649bb18924696cd46e1d16b195335bd12f7a2: ci(build): Add arm64 to build (#463) (@udf2457)
  • 798677257321d3e9c527c1d56edfe2e14e479015: chore(deps): bump arnested/go-version-action from 1.1.7 to 1.1.8 (#480) (@dependabot[bot])
  • 7a57438b63ef093a93093ebb88ce97015052caed: chore(deps): bump securesystemslib from 0.27.0 to 0.28.0 (#481) (@dependabot[bot])
  • c79b5e65c76a80581a023e3d88818b1012cd8325: chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 (#482) (@dependabot[bot])
  • 8edc996a21302a73956dba64276d560392fa7979: chore(deps): bump shogo82148/actions-goveralls from 1.6.0 to 1.7.0 (#483) (@dependabot[bot])
  • e077a6808a51328e74b887e0e7de9aa34754fa79: chore(deps): bump requests from 2.28.2 to 2.29.0 (#484) (@dependabot[bot])
  • 39f588c46c5866a066b309bf936db4b1e59d682c: chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#487) (@dependabot[bot])
  • dfbd21a34f0bc34f21dc1949400bc45e1eb59a5d: chore(deps): bump requests from 2.29.0 to 2.30.0 (#488) (@dependabot[bot])
  • 56698a36ec66febfe2cdf44957bfa1d024bcc76e: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.5.0 to 0.6.0 (#486) (@dependabot[bot])
  • b4feccd966f4e275e48a6e0a39bcee801a661cb1: chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#489) (@dependabot[bot])
  • ed58d45ef6cebb3eef95153ba794e85c95d08b67: chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (#491) (@dependabot[bot])
  • e9da9a9a0cf1b74de045c248d491d2a0781f7570: chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#493) (@dependabot[bot])
  • d1450a59a5a6ad0f9ddc72b2dc6fc4d83b0140ac: chore: Bump spec version (#495) (@znewman01)
  • 401f689281d6beac2a09934a55b34f929f02ee32: chore(deps): bump requests from 2.30.0 to 2.31.0 (#496) (@dependabot[bot])
  • a41f2d25edc6ceec580459d86e99b619b0a94cbf: chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#497) (@dependabot[bot])
  • 1f98392022b459ca66386b19deca0eed16b499ce: chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#498) (@dependabot[bot])
  • 6e5284c5ecf6a5fe34c5944f0c828af0b8d6e796: chore(deps): bump arnested/go-version-action from 1.1.8 to 1.1.9 (#499) (@dependabot[bot])
  • c95b5534881824cadcf021bbf0e8e2e1f6cc5d11: chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#501) (@dependabot[bot])
  • 0bf668e1a68328aeb90da6ae03f4d899efc42415: ci: Disable daily checking for version but not security updates (#500) (@trishankatdatadog)
  • 44727bf6c0f6e94023122a9d5d3954a8ad67d7d8: chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#502) (@dependabot[bot])
  • 4e506c440e7492aa53f7d97d121dee324fc01ab3: chore(deps): bump iso8601 from 1.1.0 to 2.0.0 (#503) (@dependabot[bot])
  • c844873524cc9e30ba8fa468f00f148bde1b4eaa: docs: add go-tuf security assessment report (#504) (@rdimitrov)
  • 842dc878fe28f0edee2e49e6ef297213f1fcce87: chore(deps): bump golang.org/x/term from 0.8.0 to 0.9.0 (#505) (@dependabot[bot])
  • caa9677e16deade572f9e33e8c72f270f087af0b: chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#507) (@dependabot[bot])
  • f21355ba2c73dbbffc10b0a35b12f22a81fb780f: chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#506) (@dependabot[bot])
  • 31dbaeca867db1774c33929d1f93c4619cde23f4: docs: added myself (kommendorkapten) as a maintainer (#510) (@kommendorkapten)
  • 6adc1956b94aee72e57e877fbf79aea8652cbac7: chore(deps): bump arnested/go-version-action from 1.1.9 to 1.1.11 (#511) (@dependabot[bot])
  • 4b9fd323aeb3a51fe648bb14bc3127d1c11565b5: docs: add list with alternative implementations (#169) (@mnm678)
  • aa1a857496c35cd10492427c660ecd8834b5037c: chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0 (#513) (@dependabot[bot])
  • 5ed62397581b953bacae5bf46b8c7dac4d85df1d: chore(deps): bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#514) (@dependabot[bot])
  • 030ef07acf6d98da518945f813d0f6648141b187: chore(deps): bump arnested/go-version-action from 1.1.11 to 1.1.12 (#520) (@dependabot[bot])
  • e2f53d95b2c961af2dbb48f3af7502fc308e48aa: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.6.0 to 0.7.0 (#518) (@dependabot[bot])

v0.5.2

1 year ago

Changelog

Features

  • 3890c1e7ace43d67622428187a85ba486c2528e5: feat: Add Filesystem based remote store to support airgap. (#397) (@vaikas)

Bug fixes

  • f75cbcc8550dfb9311c6723999fe7b1d3d2bc116: fix(cmd): fix logging of help message (#395) (@asraa)
  • adbdc7d5f6960d8c63e978f27860fb9f8953a9d2: fix(data): add back SnapshotFileMeta.Custom (#373) (@arbll)
  • 47058744075a884dd3f0b55b0d64017e71db34d6: fix: fix delegation null json value interoperability (#410) (@asraa)
  • 047cdb3be5f66afc9d69a157d6b2c53dc83601b6: fix: fix verification to continue on invalid sigs (#418) (@asraa)
  • 7e8644179b40943d37687d35bf5701efd6195261: fix(localMeta): Add delegated targets back to localMeta (#384) (@BaptisteFoy)

Others

  • 8a4aabfd6040b1337938bacae09845bb6be42ed4: test: update lint CI parameters (#394) (@znewman01)
  • 6ea14f5b38354cef05bbaf1c2c1b4971b0165dcd: chore: update TUF spec version to 1.0.31 (#393) (@znewman01)
  • e56ccf66a7f2fe1ae04c0994da2736d8c2d36681: chore(deps): bump amannn/action-semantic-pull-request from 4.5.0 to 4.6.0 (#398) (@dependabot[bot])
  • b611a26358a47179232a9ba3d909eb47798e3399: docs: fix broken link (#401) (@znewman01)
  • 4f55897602eacf9fc202b8a7f25236d21bfc800a: test: Do not fail-fast when CI runs. (#403) (@vaikas)
  • 22f95c0a789bde1f89f6319be8aa2bb8f6ccc025: chore(deps): bump iso8601 from 1.0.2 to 1.1.0 (#404) (@dependabot[bot])
  • 2541d68b83e92c9f78a1daa79e73e83d288a0b9f: docs: fix broken link (#405) (@abs007)
  • b4b954d5250b438b244ebaeed5fab56fec8f06b0: chore(deps): bump arnested/go-version-action from 1.1.5 to 1.1.6 (#408) (@dependabot[bot])
  • 14853e3bc59fe2ab3897f5b2c3ac5d224a7ee7b6: chore: update release notes breaking change regex (#409) (@znewman01)
  • 0f8d7fe3afaf22be46803f8da12b8b27953e2c65: docs: mention breaking changes in PR template (#413) (@znewman01)
  • 6f221460433f1b17829cfdb7d65814e46261edf7: chore(deps): bump actions/setup-python from 4.2.0 to 4.3.0 (#414) (@dependabot[bot])
  • b4c6f5aa03d33c7981eec4ba25bd52163cb3de22: chore(deps): bump amannn/action-semantic-pull-request from 4.6.0 to 5.0.0 (#415) (@dependabot[bot])
  • 3f725e21c467b2f6f0f522069682c03782b436b0: docs: add security.md (#412) (@asraa)
  • 39613e37d47494ada9c50c3a75136af5cfe90258: chore(deps): bump amannn/action-semantic-pull-request from 5.0.0 to 5.0.1 (#416) (@dependabot[bot])
  • 81884a3062498fae15b4e12f5dd84c73b1788bd3: chore(deps): bump amannn/action-semantic-pull-request from 5.0.1 to 5.0.2 (#419) (@dependabot[bot])
  • fff5e69bbaf9c7360a0b50d2aac6534aa2ec4d64: chore(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#421) (@dependabot[bot])
  • 680a077d4693bc851b41ee48621c4825cbca76e6: chore(deps): bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 (#420) (@dependabot[bot])
  • 7d83cf28176cfb9956ebdb4bb67563383f44d791: chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#423) (@dependabot[bot])
  • 64bd8051f80416e24c24b80e4d0584709f0178b4: chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#424) (@dependabot[bot])
  • cfd009dc71976e58d4d44a9cfd05c5d8ec2f38af: docs: Remove ethan-lowman-dd from maintainers (#428) (@ethan-lowman-dd)
  • 2ac63f72c7df4f90c9b2ebff73cfaa84b21d1f1b: docs: Update MAINTAINERS (#430) (@trishankatdatadog)
  • 901213da55cde30e096c093d4cae2609bbebbdc1: chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (#433) (@dependabot[bot])
  • 535756abf04956a76b2f1f3eb1989b7447b5c6a6: chore: Update interop tests for new python-tuf release 2.0.0 (#434) (@joshuagl)
  • 00e8129a6d462d7d06f1374dbfabe76f6c163231: docs: Use Github's vulnerability reporting (#432) (@mnm678)
  • c803c816c7061506db0791cc128ccf64d24e6226: chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#435) (@dependabot[bot])
  • 9cb61d6e65f5e63d17f2a628c94963bff6268498: chore: elevate GitHub token permissions for release.yml workflow (#437) (@rdimitrov)
  • 3889ddd0b8be629e3575fed738902ae58518ecc6: chore(deps): bump actions/setup-python from 4.3.0 to 4.4.0 (#443) (@dependabot[bot])
  • f310d5e92a713b1b392ee9314a494fe743311e67: chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#441) (@dependabot[bot])
  • a6e32beded459310bab509160bf2f93dd69edba0: chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#442) (@dependabot[bot])
  • 5f964cf3047426fc536e9d963e259fd9fcf79c9c: chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 (#445) (@dependabot[bot])
  • 8f585b5ce1b0fe5fb53163ce93199c1bd8944819: chore(deps): bump requests from 2.28.1 to 2.28.2 (#446) (@dependabot[bot])
  • 66a4473601c3c47985ea93cfa1d870062292cc5e: chore(deps): bump securesystemslib from 0.25.0 to 0.26.0 (#448) (@dependabot[bot])
  • 2b213572f6052571eb0d03a301812ce0e5f4daa9: chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#447) (@dependabot[bot])
  • 91c85a09b56850c90201fa919efac8433bf4f907: test: add tests for rollback protection on snapshot, targets, delegations (#450) (@asraa)

v0.5.1

1 year ago

Changelog

Features

  • 7097fd8d6ee030104577c73b7d3c6d440137a168: feat: Adds a new raw file metadata storage for clients (#347) (@kommendorkapten)
  • f237d7ca5b42a20b380f0827687aa7c8804cbb54: feat: pass logger into repo and client (#385) (@asraa)

Bug fixes

  • a9ddd8963324a7ba011317e8403bc889df367df0: fix: fix IsTopLevelManifest calculation for versioned manifests (#381) (@asraa)
  • 040092c44a0845c3c92e48debd16c82910e94110: fix: abandon updates if timestamp.json isn't new (#387) (@znewman01)

Others

  • 13eff30efd6c61f165e1bf06e8c0e72f5a0e5703: chore(deps): bump securesystemslib from 0.22.0 to 0.24.0 (#383) (@dependabot[bot])
  • 0e33cdfd19658fc15d91f498e35b3a2633e28a2f: docs: Add docs for adding and rotating root keys (#389) (@mnm678)
  • 7f9beab143b1e5bfe25447c5504ea2f1e04803bb: chore: update TUF spec version (#392) (@znewman01)

v0.5.0

1 year ago

Changelog

Features

  • 61872a3ac6e6a475771c23bf1592a00c1773b3e7: feat: Support ecdsa and RSA keys (#270 with backwards compatibility) (#357) (@asraa)

v0.3.2

1 year ago

Changelog

Bug fixes

  • b6695e4ba6d0b98beb851054c0f187df8d54a639: fix(verify): backport "Fix a vulnerability in the verification of threshold si… (#375) (@znewman01)

v0.4.0

1 year ago

Changelog

Features

  • af3c7d6a7dff051e9ef4b965a1258df09249a13f: feat: Add new status command (#342) (@doanac)
  • 4febe4c81aa17b39a87c1bab1c6592b347ff4a56: feat(keys): JSON unmarshal hardening. (#275) (@Zenithar)

Bug fixes

  • 9020b3c884ca1456eaaa0656c3b2c25774a8d204: fix: Remove typo in Alternate signing flow (#344) (@elfotografo007)
  • 9334b3fef99a16358f59895a47563f3061733c87: fix: Redirect passphrase output to Standard error (#343) (@elfotografo007)
  • 2e6c62191fb27ac26b10dd7312d239ffd6c1e498: fix: require length and hashes for target metadata (#345) (@asraa)
  • 37601e1635fdcf696f3f7bd6ad4ffbfd3f4488be: fix: filesystemStore fails to prepend target file hashes on Windows (#274) (@torin-carey)
  • 2b415d0f0043dc434c63fb89321d3fa8638df78f: fix: update leveldb dependency (#350) (@mfmarche)
  • 1b070ee8b8b11c15e1d54a69786e110a1d409715: fix: add leveldb recover ability (#352) (@mfmarche)
  • 64ded1864de9e448e174d7270c66364d368eefe5: fix(verify): Fix a vulnerability in the verification of threshold signatures (due to handling of keys with multiple IDs) (#369) (@cedricvanrompay-datadog)

Others

  • 529fccafdd0d27ca9741802ab8d5fb84f6c3476d: chore(deps): bump arnested/go-version-action from 1.1.3 to 1.1.4 (#334) (@dependabot[bot])
  • f5f12b16b4267ab3b6c957db6e868a5a4345cc71: docs: Misc. docs fixes (#337) (@znewman01)
  • 0f17236394883185030fd84d85c9bbb0af9cabe8: docs: Add release process info for maintainers (#336) (@znewman01)
  • 40b67d26c82534912ab45fd734d5be26a852c64a: chore(deps): bump actions/setup-python from 4.0.0 to 4.1.0 (#340) (@dependabot[bot])
  • 9d0031b6e8ba3115cdea083aad6f1398180659bf: chore(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (#339) (@dependabot[bot])
  • 768b63a553669a0f238c20fe532fc15a836b85ba: chore(deps): bump actions/setup-python from 4.1.0 to 4.2.0 (#351) (@dependabot[bot])
  • 8124e8ab6c862f978e48d83c2947b491f41a527d: chore!: Remove deprecated client Init() function (#353) (@znewman01)
  • 8b2d2abc064c267d218138b2cbb0c7fe301507e1: ci: Fix typo in Pull Request template (#355) (@znewman01)
  • f3a48f74a347ab1a01fca80c370be423620ff499: refactor!: rename "InitLocal" to "Init" (#354) (@znewman01)
  • ebbc6b8d12d861335a3fc6e7fd8c69a53acaa1e6: chore(deps): bump arnested/go-version-action from 1.1.4 to 1.1.5 (#359) (@dependabot[bot])
  • 9b6c5030165254dce97ff510f01026b8d8336242: chore(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (#361) (@dependabot[bot])
  • d7ff71b6b12ef371ab654c45c15bae8fe2d79d84: test: Update Python interop tests to python-tuf v1.0.0 (#228) (@znewman01)
  • ac7b5d7bce18cca5a84a28b021bd6372f450b35b: chore(deps): bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 (#366) (@dependabot[bot])
  • 06ed59941769f55b7d54158a0be85a16a7475fa7: build: Use Go 1.17 for golangci linting and update golangci/golangci-lint-action (#364) (@ethan-lowman-dd)

v0.3.1

1 year ago

Changelog

Features

  • 4bf58eb096f99647e7fd30447396c7a57202982f: feat: add payload and add-signature commands. (#214) (@znewman01)
  • 39c23cb5043ad2c0d873f7cc7191a7256f6a3cb6: feat: add workflow responsible for notifying of new TUF spec release (#287) (@rdimitrov)
  • 355e39cb2df220fc3961396a6d0e30bcf2c9ac12: feat: Implement TAP-12 support (#310) (@znewman01)

Bug fixes

  • 9a41055b8eee0fee60650c43037f35b919d72d7c: fix: check root metadata verification before snapshotting (#293) (@asraa)
  • e3efe988f0371d41c83686204dc6ae23285bf33c: fix: verify length and hashes of fetched bytes before parsing (#325) (@joshuagl)

Others

  • ea0f98a4e1b72d7486e4e86baf7fd9a3ec1fc844: chore(deps): bump arnested/go-version-action from 1.0.67 to 1.0.69 (#288) (@dependabot[bot])
  • 6722937104a3178b2b899c5ce1799de129ddb294: chore(deps): bump golangci/golangci-lint-action from 2.5.2 to 3.2.0 (#289) (@dependabot[bot])
  • e2594e68bf2239a0b60c576c47b5ede7ac8c8fe4: chore(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (#290) (@dependabot[bot])
  • 580db1958c1e16ee73d53055eb9793fde1110d8e: chore(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3 (#294) (@dependabot[bot])
  • 5884dab97151c7fd314ee34ac71bf0cf6167e21c: chore(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (#295) (@dependabot[bot])
  • 3b26aedfe985198bc88a9dda7525938c575ca046: chore(deps): bump arnested/go-version-action from 1.0.69 to 1.0.70 (#297) (@dependabot[bot])
  • 041e818016131ec500c78ed8eb20fed9a5668861: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#298) (@dependabot[bot])
  • ad96eca0239ec2cc9b6e408fbe42b2f9e9d6b1dd: chore(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#299) (@dependabot[bot])
  • 36633af8d7a2162664a58f3fb1fe36a74e10428e: chore(deps): bump arnested/go-version-action from 1.0.70 to 1.1.0 (#300) (@dependabot[bot])
  • e24b175b00960136ecacb8111d9887d15ce47c6d: chore(deps): bump actions/setup-python from 3.1.2 to 4 (#311) (@dependabot[bot])
  • 1684c680105f90a054f04e05b0f8ac540c4ef885: docs: Update CONTRIBUTING.md, add MAINTAINERS.md (#309) (@znewman01)
  • 4139c85cd7632c659bf00f4b2810c37eb8d71a2c: chore(deps): bump arnested/go-version-action from 1.1.0 to 1.1.3 (#316) (@dependabot[bot])
  • 36a29309b2531255fc7d374c4055dcfab0fd04e8: build: update go version to 1.18 (#314) (@asraa)
  • ae904d2bb977a54e6a5527513c4d398c8d9cc285: docs: Add DCO instructions (#319) (@znewman01)
  • 81cd9b36a8023d6e943f0f3cacfe664603fa3177: chore(deps): bump Python from 3.6 to 3.10 (#318) (@rdimitrov)
  • 986a4c5a492be020d0ab16a5ea13b9963bf7af1f: chore(deps): bump requests from 2.27.1 to 2.28.0 (#317) (@dependabot[bot])
  • 439ce47c43c772ad225101494db8307e97f869c3: chore(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#324) (@dependabot[bot])
  • 3bb077e8c246429db8acafc78761de71cc4d6b62: chore(deps): bump requests from 2.28.0 to 2.28.1 (#332) (@dependabot[bot])
  • eed9e6c4d8eac821593800fd053d8cca5ee56137: chore(deps): bump github.com/stretchr/testify from 1.7.4 to 1.8.0 (#331) (@dependabot[bot])
  • 0d40b25637fa35e4e546a0bafebaa7ee4591e172: test: fix flakey util test (#333) (@asraa)

v0.3.0

2 years ago

Changelog

Security

  • ed6788e710fc3093a7ecc2d078bf734c0f200d8d: security: implement protection against rollback attacks for roles other than root / Merge pull request from GHSA-66x3-6cw3-v5gj (@rdimitrov)

Features

  • fd8ac04979553e40795536c5c95e31696e9343fd: feat: Support delegated targets roles in repo writer (#175) (@mnm678)
  • ce6509c54f1ac7e6f21250766b066dfff1db8666: feat: propose adding Zach Newman to list of maintainers (#271) (@trishankatdatadog)

Bug fixes

  • 82f192908876b7c8c43aadb9a6e82ae5e1d45392: fix: Fix JSON canonicalisation (#247) (@toby-jn)

Others

  • 507e038d7afe3a4504f571b28ee006537aae3326: user int64 for version (#240) (@arbll)
  • 5b81b7e5604bfae2f0dcecd041e2e44f0128c992: ci: Check PR title instead of commits for conventional format (#264) (@ethan-lowman-dd)
  • e2fb0aed0d57f75893b931db571db8c315462d64: chore: add rdimitrov as maintainer (#268) (@asraa)
  • 3dfbeb242bfcf3964f4ccf3327d36e165b3c2384: chore(deps): bump actions/checkout from 2 to 3 (#253) (@dependabot[bot])
  • 3f1f3d747820fd799f653ef345e7db52aebe332e: chore(deps): bump amannn/action-semantic-pull-request (#276) (@dependabot[bot])
  • 520db05cc719e04198504ad9086f480dcbb50706: chore(deps): bump github/codeql-action from 1 to 2 (#277) (@dependabot[bot])
  • f42dfb3c9668d01d505663c8a8b31c703295fd63: chore: bump golangci-lint timeout (#280) (@znewman01)
  • 0fa25371d476eb359e4590546827923fda4d36e3: chore(deps): bump actions/setup-python from 2.3.2 to 3.1.2 (#267) (@dependabot[bot])
  • 57b9f1e86c4ff48551d43a76be6bec81669a7833: chore: remove GITHUB_TOKEN from arnested/go-version-action (#259) (@arnested)
  • 5bbaae319eae1a8b13f284265c118f84b6969292: chore(deps): bump arnested/go-version-action from 1.0.65 to 1.0.67 (#281) (@dependabot[bot])
  • 90f34f07cce1bd127b8d307fd5614fe1baa8bb0b: chore(deps): bump amannn/action-semantic-pull-request (#284) (@dependabot[bot])