Releases: sassoftware/relic

v8.2.0

17 Jan 21:11
bdddf9d

What's Changed

Added a simple Apple notarization tool

This tool is suitable for submitting bundles of standalone executable files to App Store Connect for notarization.

For more information, see the instructions in macos.md.

Full Changelog: v8.1.1...v8.2.0

v8.1.1

31 Oct 18:22
9b4549b

fixed: include the root CA in Apple signature types to avoid AMFI problems

Also expand on macos.md with all the steps to format the certificate chain.

Full Changelog: v8.1.0...v8.1.1

v8.1.0

29 Oct 22:24
52391ee

What's Changed

  • Add option to select a different timestamping service per key
  • Apple: Enable hardened-runtime by default when signing executables. Can be disabled with --hardened-runtime=false
  • Azure tokens: switch to new SDK, removing deprecated autorest and ADAL
  • Google Cloud tokens: do not cancel gcp client context by @hodbn in #45

CI changes:

  • macOS binaries are now built on macos-12 (was: macos-11)
  • macOS binaries are separated by architecture instead of bundled together.

Full Changelog: v8.0.1...v8.1.0

v8.0.1

14 May 22:05

  • fix(auth): pass client cert chain to OPA

Full Changelog: v8.0.0...v8.0.1

v8.0.0

08 May 18:54

Breaking Changes

The PGP implementation has been changed to github.com/ProtonMail/go-crypto/openpgp. This was necessary because the stdlib implementation has been deprecated for some time and also generates invalid PGP signatures, which the gpg2 version in RHEL 9 has started rejecting entirely.

  • If you are using relic to generate PGP-based signatures (i.e. RPM or DEB) with an RSA key then you don't need to do anything.
  • PGP-based ECDSA signatures are broken for now as the underlying ProtonMail implementation does not support HSM-based keys for any type other than RSA. Hopefully this will be fixed eventually!
  • If you are importing relic or rpmutils in your own projects to generate or verify PGP-based signatures you will need to adjust your imports correspondingly.

If you are verifying PGP-based signatures generated by other tools and systems, you may encounter an error parsing PGP v3 signatures, which are found in many places despite being extremely obsolete:

basesystem-11-13.el9.noarch.rpm ERROR: openpgp: unsupported feature: signature packet version 3

In particular, CentOS 9 still contains some RPMs with v3 signatures, although newer builds seem to have been updated. If this is important to you, it is possible to use a soft-forked version of the openpgp library which adds backwards compatibility for v3 signatures:

go mod edit -replace github.com/ProtonMail/go-crypto=github.com/pgpkeys-eu/go-crypto@main
go build -tags pgp3

Note that relic has never generated v3 signatures.
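
To find out which signatures would hit this error before switching, the version octet can be read straight from the OpenPGP packet header. This is an added example, not code from relic or the ProtonMail library; the function name sigPacketVersion and the sample bytes are constructed for illustration, and the input is assumed to be one binary (non-armored) signature packet.

```go
package main

import (
	"errors"
	"fmt"
)

// sigPacketVersion reads the header of one binary (non-armored) OpenPGP packet
// and, if it is a signature packet (tag 2), returns its version octet.
func sigPacketVersion(b []byte) (int, error) {
	if len(b) < 2 || b[0]&0x80 == 0 {
		return 0, errors.New("not an OpenPGP packet")
	}
	var tag byte
	var hdr int // header length in octets: tag octet plus length octets
	if b[0]&0x40 != 0 { // new-format header
		tag = b[0] & 0x3f
		switch l := b[1]; {
		case l == 255:
			hdr = 6
		case l >= 192 && l < 224:
			hdr = 3
		default: // one-octet or partial body length
			hdr = 2
		}
	} else { // old-format header: low two bits select the length encoding
		tag = (b[0] >> 2) & 0x0f
		hdr = []int{2, 3, 5, 1}[b[0]&0x03]
	}
	if tag != 2 {
		return 0, fmt.Errorf("packet tag %d is not a signature", tag)
	}
	if len(b) <= hdr {
		return 0, errors.New("truncated packet")
	}
	return int(b[hdr]), nil
}

func main() {
	// Constructed sample headers with truncated bodies, not taken from real packages.
	samples := map[string][]byte{
		"old-format v3": {0x89, 0x01, 0x15, 0x03, 0x05, 0x00},
		"old-format v4": {0x89, 0x02, 0x33, 0x04, 0x00, 0x01},
		"new-format v4": {0xc2, 0x5e, 0x04, 0x00, 0x16},
	}
	for name, pkt := range samples {
		v, err := sigPacketVersion(pkt)
		fmt.Println(name, v, err)
	}
}
```

A result of 3 identifies a signature that the default build rejects with the error shown above.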

What's Changed

  • Switch to ProtonMail pgp implementation - fixes validation issues with RHEL 9
  • Replace unlicensed qur/ar with blakesmith/ar by @samwestmoreland in #43
  • Added file audit log sink
  • Added OPA decision ID to audit log entry
  • Deprecated AMQP audit log sink

Full Changelog: v7.6.2...v8.0.0

v7.6.2

05 Feb 23:12

  • fix: only set dir sector count for v4 MSIs -- fixes Advanced Installer and other MSIs being treated as corrupt (#33)
  • fix: update rpmutils to v0.3.0 to handle RPMs without legacy digests (#35)
  • chore: update MSAL auth to latest version (#39)
  • ci: update github actions

Full Changelog: v7.6.1...v7.6.2

v7.6.1

22 Aug 18:46

What's Changed

  • fix(cab): accept cabinets with reserved padding

Full Changelog: v7.6.0...v7.6.1

v7.6.0

16 Aug 21:46

What's Changed

  • Add --no-timestamp option to sign commands
  • Add an optional rate limit for token operations
  • Added relic-client-freebsd-amd64 to releases
  • fix(pecoff): page hashes used incorrect page size (#32) - thanks to @dragon-dreamer for finding this issue!
  • fix: report correct version when built from a go module
  • fix: suppress stale health check error on startup

Full Changelog: v7.5.9...v7.6.0

v7.5.9

09 Aug 21:46

What's Changed

  • fix(jar): be even more tolerant of missing line endings

Full Changelog: v7.5.8...v7.5.9

v7.5.8

09 Aug 18:52

What's Changed

  • fix(jar): non-signature files in META-INF should be signed

Previously, files in subdirectories were signed, but not non-signature files directly under META-INF.

Full Changelog: v7.5.7...v7.5.8