- Sigsum-announce - Sigsum mailing lists

ANNOUNCE: sigsum ansible v1.3.0
by Elias Rudberg 08 May '25

08 May '25

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.3.0, succeeding the previous release v1.2.0. The release can be checked out from the git repository as git clone -b v1.3.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.3.0 This release adds a litebastion role in roles/litebastion based on the https://git.glasklar.is/sigsum/admin/litebastion repository which has now been archived. Changes: * Merged litebastion repo into roles/litebastion/ directory. * Added molecule test scenario for litebastion. * Changed the name litetlog to the new name of that repo which is torchwood. (https://github.com/FiloSottile/litetlog renamed to https://github.com/FiloSottile/torchwood) Using torchwood v0.5.0 for both litewitness and litebastion. * Changes to allow primary and secondary running on same machine. This involves the possibility of using different filenames for the config file and the tree-id file for primary and secondary, but the default filenames are the same as before so the change is backwards-compatible. * Added brief documentation in mariadb role. * Removed unused docs/ and renamed CHANGELOG.rst to NEWS. * Changes to automatically restart log after weekly suffix-list update. * Made it possible to run several litewitness instances in parallel. * Added support for non-sigsum logs in litewitness role. * Cleanup and fixes to avoid red output from molecule tests. * Changed debian repo url from ftp.acc.umu.se to deb.debian.org. * Bumped community.mysql version from 3.6.0 to 3.12.0 * Moved away from legacy /var/run to /run for sigsum-agent.socket file. See https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html

1 0

ANNOUNCE: log-go v0.15.2
by Niels Möller 25 Mar '25

25 Mar '25

The Sigsum team is happy to release a new version of the log-go log server software, version tag v0.15.2, succeeding the previous release v0.15.0. The source code for the release can be checked out from the git repository as git clone -b v0.15.2 https://git.glasklar.is/sigsum/core/log-go.git or installed using go install sigsum.org/log-go/cmd/...@v0.15.2 This is a bugfix release. The most important change is a correction to how the log server applies its configured rate limits. See NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the log-go repository: https://git.glasklar.is/sigsum/core/log-go/ The expectations and intended use of the log server software is documented in the log-go RELEASES file. You will also find more information about the overall release process there, see https://git.glasklar.is/sigsum/core/log-go/-/blob/main/RELEASES.md. / The Sigsum team NEWS for log-go v0.15.2 This is minor release fixing a few issues found since the previous release. Upgrading from the previous release is expected to work with no issues. This release has been tested to work together with: * Sigsum tools (most importantly sigsum-submit and sigsum-verify, as well as sigsum-witness) https://git.glasklar.is/sigsum/core/sigsum-go, tag v0.11.2. Improvements: * Fixed a bug in the rate-limit logic. The intended behavior is to only count the first add-leaf requests for a particular leaf, and not count retries for the same leaf. In v0.15.0, retries could exhaust the rate limit quota. * More relevant logging of witness errors. When a witness starts failing, and when it recovers, the error is logged at INFO level. Repeated errors are logged at DEBUG level. In v0.15.0, all errors were logged at DEBUG level, i.e., no errors logged by default. Incompatible changes: * The --max-range command-line option is now only available for the primary node. Before this change, there was a --max-range command-line option also for the secondary node but that option had no effect. Miscellaneous: * Increased max-range default value to 512. * Updated config.toml.example file and added a corresponding test to help ensure the example config stays up-to-date.

1 0

ANNOUNCE: sigsum-go v0.11.2
by Rasmus Dahlberg 21 Mar '25

21 Mar '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.11.2. The source code for the release can be checked out using git clone -b v0.11.2 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.11.2 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.11.2/NEWS or the excerpt below for the changes since v0.11.1. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team --- NEWS for Sigsum tools, v0.11.2 This release fixes yet another manpage date nit. Bug fixes: * Fix so that make doc works for signed git tags.

1 0

ANNOUNCE: sigsum-go v0.11.1
by Rasmus Dahlberg 13 Mar '25

13 Mar '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.11.1. The source code for the release can be checked out using git clone -b v0.11.1 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.11.1 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.11.1/NEWS or the excerpt below for the changes since v0.11.0. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team --- NEWS for Sigsum tools, v0.11.1 This release fixes manpage nits found during Debian packaging. Bug fixes: * Fix non-deterministic date in sigsum-tools manpage. * Fix invalid manpage NAME sections for all subcommands. * Fix typos in usage messages and manpages. * Fix s/--verbose/--quiet/ in NEWS entry for v0.11.0. Incompatible changes: * Move sigsum-tools manpage from section 5 to section 7.

1 0

ANNOUNCE: sigsum-go v0.11.0
by Rasmus Dahlberg 12 Mar '25

12 Mar '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.11.0. The source code for the release can be checked out using git clone -b v0.11.0 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.11.0 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.11.0/NEWS or the excerpt below for the changes since v0.10.1. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team --- NEWS for Sigsum tools, v0.11.0 The main changes in this version are more efficient batch submissions as well as improved documentation for all tools. New features: * sigsum-submit: batch submissions are done more efficiently underneath the hood (the UI of passing >1 input is the same). * sigsum tools: some short and long option names have been added, e.g., "-a" is now the short option for "--token-signing-key". Bug fixes: * Fix so that the --quiet option cannot crash sigsum-token. Documentation improvements: * sigsum tools: all usage messages have been brushed up. * man pages: can be generated with `make doc`. Depends on help2man (cmd/*) and pandoc (doc/tools.md) being installed. Incompatible changes: * sigsum-submit: increase timeout from 45s to 10m. There is a builtin shorter timeout for individual log queries that is not configurable.

1 0

ANNOUNCE: sigsum-go v0.10.1
by Niels Möller 24 Jan '25

24 Jan '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.10.1. The source code for the release can be checked out using git clone -b v0.10.1 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.10.1 See NEWS file (https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.10.1/NEWS, excerpt below) for the changes since v0.9.1. For documentation and project information, see https://www.sigsum.org/. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the sigsum-go repository: https://git.glasklar.is/sigsum/core/sigsum-go/ / The Sigsum team NEWS for Sigsum tools, v0.10.1 The main changes in this version are support for the vkey format and an update of the Sigsum proof format. For details, see the updated documentation in doc/tools.md and doc/sigsum-proof.md, and the corresponding proposals: https://git.glasklar.is/sigsum/project/documentation/-/blob/main/proposals/… https://git.glasklar.is/sigsum/project/documentation/-/blob/main/proposals/… Incompatible changes: * sigsum-key: Subcommands have been renamed, as follows: "gen" --> "generate" "hash" --> "to-hash" "hex" --> "to-hex" "hex-to-pub" --> "from-hex" * sigsum-witness: Delete support for the old non-checkpoint witness protocol. * sigsum-submit: Sigsum proof format updated to version 2. New features: * sigsum-key: New subcommands to-vkey and from-vkey. * sigsum-verify: Add support for the version 2 Sigsum proof format. For backwards compatibility, support for version 1 is kept.

1 0

ANNOUNCE: log-go v0.15.0
by Niels Möller 04 Oct '24

04 Oct '24

The Sigsum team is happy to release a new version of the log-go log server software, version tag v0.15.0, succeeding the previous release v0.14.1. The source code for the release can be checked out from the git repository as git clone -b v0.15.0 https://git.glasklar.is/sigsum/core/log-go.git or installed using go install sigsum.org/log-go/cmd/...@v0.15.0 This release updates the log to use a new witness protocol, replacing the interim witness protocol of the previous release. See NEWS file for details on changes and how to upgrade, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the log-go repository: https://git.glasklar.is/sigsum/core/log-go/ The expectations and intended use of the log server software is documented in the log-go RELEASES file. You will also find more information about the overall release process there, see https://git.glasklar.is/sigsum/core/log-go/-/blob/main/RELEASES.md. / The Sigsum team NEWS for log-go v0.15.0 This release of the Sigsum log server uses a new interoperable protocol [1] for interacting with the log's witnesses. This change affects operators of logs and witnesses. The log protocol itself [2], i.e., the protocol used for querying a Sigsum log and submitting new entries, is stable and unchanged. This release has been tested to work together with: * Sigsum tools (most importantly sigsum-submit and sigsum-verify, as well as sigsum-witness) https://git.glasklar.is/sigsum/core/sigsum-go, tag v0.9.1. New features: * Implemented the new witness protocol [1], agreed together with other parties interested in witness cosigning of transparency logs. By using this common protocol, the log-go server interoperates with witnesses intended to support a diverse set of transparency log designs. * Added a --version option, where the value is populated automatically at build time based on go module version or git revision. The old way of setting the gitCommit variable using linker flags has no effect. * The log server now responds to GET requests at / or /<Prefix>/, providing a basic HTML page with information about the log server, in particular, the software version and the hash of the log's public key. Incompatible changes: * Support for the previous, interrim, witness protocol has been removed. Witnesses that interoperated with log-go v0.14.1 will need updating to support the new protocol. * The minimum go version required for building is now go-1.22. Notes on upgrading: * An upgraded log will not be able to obtain and publish any witness cosignatures until its witnesses have been updated to support the new protocol. There are no other expected complications on upgrade. * When upgrading, you may want to also upgrade the Trillian daemons used for the log's backend storage. Upgrading Trillian from v1.5.1 to v1.6.0 (the latest release that still supports go-1.22) has been tested, with no issues.

1 0

2025

2024

Sigsum-announce

2025

2024

Sigsum-announce ----- 2025 ----- May 2025 April 2025 March 2025 February 2025 January 2025 ----- 2024 ----- December 2024 November 2024 October 2024

Sigsum-announce