- Sigsum-announce - Sigsum mailing lists

ANNOUNCE: sigsum-go v0.14.1
by Niels Möller 09 Jun '26

09 Jun '26

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.14.1. The source code for the release can be checked out using git clone -b v0.14.1 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.14.1 The v0.14.1 tag is signed using the key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/xZ+v5e435605MS4BYE89PLcgk8DT5PvuoM2oASnuk This is the same release key also published for nisse(a)glasklarteknik.se at https://www.system-transparency.org/keys/allowed-ST-release-signers. See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.14.1/NEWS or the excerpt below for the changes since v0.13.1. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.14.1 This release fixes bugs and adds a few new library features. Incompatible changes: * Building now requires go version 1.25 or later. * In Sigsum policy files, the special name "none" can no longer be used as a group member. See https://git.glasklar.is/sigsum/core/sigsum-go/-/work_items/170. Bug fixes: * sigsum-monitor: Fix handling of DeadlineExceeded errors, see https://git.glasklar.is/sigsum/core/sigsum-go/-/work_items/179. * Fix panic when parsing certain invalid public key files. See https://git.glasklar.is/sigsum/core/sigsum-go/-/merge_requests/301. * Fix broken handling of i/o errors when reading policy files and for sigsum-submit --leaf-hash. New features: * pkg/key: New functions ParsePublicKeys and ParsePublicKeysWithPolicy. * pkg/policy: New method Policy.ProcessQuorum, for depth-first processing of the groups and witnesses defining the quorum.

1 0

ANNOUNCE: Sigsum C Library version 1.0.0
by Niels Möller 22 May '26

22 May '26

The Sigsum team is happy to announce the initial release of the Sigsum C Library (aka sigsum-c or libsigsum), version 1.0.0. See NEWS file, appended below, for a summary of features. Library documentation is included in the package and online at https://git.glasklar.is/sigsum/core/sigsum-c/-/blob/main/doc/sigsum-c.md. The release source code can be downloaded using git clone -b v1.0.0 https://git.glasklar.is/sigsum/core/sigsum-c.git The v1.0.0 tag is signed using the key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/xZ+v5e435605MS4BYE89PLcgk8DT5PvuoM2oASnuko This is the same release key also published for nisse(a)glasklarteknik.se at https://www.system-transparency.org/keys/allowed-ST-release-signers. /The Sigsum team NEWS for the sigsum-c 1.0.0 release This is the initial release of the sigsum-c library. For API documentation, see doc/sigsum-c.md, for build instructions, see README.md. When building a shared library from this release, the library name is libsigsum.so.0.0, with soname libsigsum.so.0. Main features: * Support for parsing the ASCII representation of Sigsum policy files, Sigsum proofs, and OpenSSH public key files. * Support for verifying Sigsum proofs. The main verification functions are written with constrained embedded systems in mind. They work with a bytecode representation of the policy's quorum rule, and do not require use of the ASCII representation. * A command line tool sigsum-c-verify, intended to be compatible with the sigsum-verify tool from the sigsum-go package (the main missing feature in sigsum-c-verify is support for named policies).

1 0

ANNOUNCE: sigsum ansible v1.7.0
by Elias Rudberg 30 Mar '26

30 Mar '26

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.7.0, succeeding the previous release v1.6.0. The release can be checked out from the git repository as git clone -b v1.7.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for upcoming sigsum ansible v1.7.0 Changes between v1.6.0 and v1.7.0: * Support for installing yubihsm-connector through a .deb file was added. * /etc/yubihsm-connector.yaml is now under Ansible control. Those with local changes to this file will have to adapt the Ansible template to meet their needs. * Bumped community.mysql version from 4.0.1 to 4.2.0

1 0

ANNOUNCE: sigsum ansible v1.6.0
by Elias Rudberg 23 Mar '26

23 Mar '26

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.6.0, succeeding the previous release v1.5.0. The release can be checked out from the git repository as git clone -b v1.6.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.6.0 With this release, all users should upgrade to torchwood v0.9.0 due to bugs in earlier versions of witnessctl and litebastion. Changes between v1.5.0 and v1.6.0: * Added support for per-log bastions. * Added support for periodically pulling logs to witness from a centrally managed list (e.g., https://testing.witness-network.org/log-list.1) * Added support for using externally managed TLS certificates for litebastion. This is useful when using challenge methods other than TLS-ALPN-01, such as DNS-01. * Added support for litewitness -no-listen flag, which prevents litewitness from opening any listening sockets. This should only be used when relying solely on per-log bastions. * Added support for toggling debug endpoints such as /logz for litewitness and litebastion. Debug endpoints are disabled by default. * Deprecated the variables litewitness_sigsum_log_keys and litewitness_vkey_log_keys in favor of litewitness_logs. The old variables will remain supported for now but will be removed in a future release. * Deprecated the variables litebastion_host and litebastion_email in favor of litebastion_acme_host and litebastion_acme_email. The old variables will remain supported for now but will be removed in a future release. * Removed the litebastion_h2v variable as the corresponding flag was removed in litebastion v0.4.0. * Bumped the default version of torchwood for litewitness and litebastion from v0.7.0 to v0.9.0. * Bumped community.mysql version from 3.12.0 to 4.0.1 * Moved molecule tests to extensions directory. * Fixed various warnings in molecule tests.

1 0

ANNOUNCE: Bug fix release v1.0.1 of the Sigsum Log Server Protocol
by Niels Möller 19 Mar '26

19 Mar '26

This is a minor bugfix release, see NEWS below. The updated version is available at https://git.glasklar.is/sigsum/project/documentation/-/blob/log.md-release-… Publication on https://www.sigsum.org/ will be updated shortly. /The Sigsum team NEWS for log.md, version v1.0.1 This release includes only minor bugfixes to the Sigsum Log Server Protocol, i.e., the file log.md. Bug fixes: * Correct description of the get-leaves response. The fields on each leaf line are ordered: checksum, signature, keyhash. This is the same order as when serialized for the computation of the leaf hash, and the order used by all known implementations. * Correct table-of-contents links, to work with gitlab's html rendering.

1 0

ANNOUNCE: sigsum-go v0.13.1
by Elias Rudberg 08 Dec '25

08 Dec '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.13.1. The source code for the release can be checked out using git clone -b v0.13.1 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.13.1 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.13.1/NEWS or the excerpt below for the changes since v0.13.0. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.13.1 This is a bug fix release. Bug fixes: * Fix go.mod and go.sum files as needed after versions of x/net and x/text dependencies were changed.

1 0

ANNOUNCE: sigsum-go v0.13.0
by Niels Möller 08 Dec '25

08 Dec '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.13.0. The source code for the release can be checked out using git clone -b v0.13.0 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.13.0 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.13.0/NEWS or the excerpt below for the changes since v0.12.0. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.13.0 This release makes policy file format a bit stricter, and includes a first builtin policy using production logs and witnesses. Incompatible changes: * The Sigsum policy format has been made a bit stricter, rejecting duplicates, rejecting control characters, and requiring that comments start at the beginning of a line. See updated doc/sigsum-proof.md. For motivation, see https://git.glasklar.is/sigsum/project/documentation/-/blob/main/proposals/… New policies: * This version includes a new builtin trust policy named "sigsum-generic-2025-1". This is the first builtin policy that uses production logs and witnesses. For a description of the procedure used maintain builtin named policies, see https://git.glasklar.is/sigsum/project/documentation/-/blob/main/policy-mai… Bug fixes: * Make Endpoint.Path not produce request URLs with double '/' separators. See https://git.glasklar.is/sigsum/core/log-go/-/issues/129. Miscellaneous: * The primary supported go toolchain version is now 1.24. Using go-1.23 is still supported and tested. Using later versions is also expected to work, but is not tested.

1 0

ANNOUNCE: sigsum-go v0.12.0
by Niels Möller 03 Nov '25

03 Nov '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.12.0. The source code for the release can be checked out using git clone -b v0.12.0 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.12.0 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.12.0/NEWS or the excerpt below for the changes since v0.11.2. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.12.0 The main change in this release is support for named policies. New features: * Support for named policies. This means that the user can optionally specify a policy name (using the -P option or directly in submitter key file) instead of specifying a policy file. * Support for builtin policies. In this version there are two builtin policies called "sigsum-test1-2025" and "sigsum-test2-2025". * New tool "sigsum-policy" that can be used to list and show available named policies. Documentation improvements: * In doc/sigsum-proof.md, document the correct keyword "size", https://git.glasklar.is/sigsum/core/sigsum-go/-/issues/135, and clarify the description of how to compute the leaf hash. Incompatible changes: * Building now requires go version 1.23 or later.

1 0

ANNOUNCE: sigsum ansible v1.5.0
by Elias Rudberg 05 Sep '25

05 Sep '25

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.5.0, succeeding the previous release v1.4.0. The release can be checked out from the git repository as git clone -b v1.5.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.5.0 Changes between v1.4.0 and v1.5.0: * Support for monitoring the presence of a YubiHSM device with a particular serial number was added. * Refactoring regarding lists of go tools in sigsum and litewitness roles, avoiding problems when running ansible in debian trixie. * Fix in when clause in golang and yubihsm_connector roles, avoiding problems when running ansible in debian trixie. * Changed naming of cronjob for weekly public suffix list update, to handle the special case when primary and secondary are on the same machine. * Cleanup and fixes in molecule tests.

1 0

ANNOUNCE: sigsum ansible v1.4.0
by Elias Rudberg 04 Jul '25

04 Jul '25

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.4.0, succeeding the previous release v1.3.0. The release can be checked out from the git repository as git clone -b v1.4.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.4.0 Changes between v1.3.0 and v1.4.0: * The sigsum role had its cronjob for weekly refreshing of the public suffix list changed to make it work also for the secondary node. * galaxy.yml was updated to clarify that this repo contains roles for not only transparency logs but also for witnesses. * The version of sigsum-agent used by default changed from v0.2.3 to v0.2.5. * A bug was fixed where a sigsum-agent using a YubiHSM wouldn't start if it was being started before the yubihsm-connector was properly ready (#73). * A bug making log lines from sigsum-agent not show up in the journal was fixed (#72). * Restarting the agent service was fixed, making restarts made by Ansible work well too (#70).

1 0