- Sigsum-announce - Sigsum mailing lists

ANNOUNCE: sigsum-go v0.13.1
by Elias Rudberg 08 Dec '25

08 Dec '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.13.1. The source code for the release can be checked out using git clone -b v0.13.1 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.13.1 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.13.1/NEWS or the excerpt below for the changes since v0.13.0. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.13.1 This is a bug fix release. Bug fixes: * Fix go.mod and go.sum files as needed after versions of x/net and x/text dependencies were changed.

1 0

ANNOUNCE: sigsum-go v0.13.0
by Niels Möller 08 Dec '25

08 Dec '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.13.0. The source code for the release can be checked out using git clone -b v0.13.0 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.13.0 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.13.0/NEWS or the excerpt below for the changes since v0.12.0. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.13.0 This release makes policy file format a bit stricter, and includes a first builtin policy using production logs and witnesses. Incompatible changes: * The Sigsum policy format has been made a bit stricter, rejecting duplicates, rejecting control characters, and requiring that comments start at the beginning of a line. See updated doc/sigsum-proof.md. For motivation, see https://git.glasklar.is/sigsum/project/documentation/-/blob/main/proposals/… New policies: * This version includes a new builtin trust policy named "sigsum-generic-2025-1". This is the first builtin policy that uses production logs and witnesses. For a description of the procedure used maintain builtin named policies, see https://git.glasklar.is/sigsum/project/documentation/-/blob/main/policy-mai… Bug fixes: * Make Endpoint.Path not produce request URLs with double '/' separators. See https://git.glasklar.is/sigsum/core/log-go/-/issues/129. Miscellaneous: * The primary supported go toolchain version is now 1.24. Using go-1.23 is still supported and tested. Using later versions is also expected to work, but is not tested.

1 0

ANNOUNCE: sigsum-go v0.12.0
by Niels Möller 03 Nov '25

03 Nov '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.12.0. The source code for the release can be checked out using git clone -b v0.12.0 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.12.0 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.12.0/NEWS or the excerpt below for the changes since v0.11.2. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team NEWS for Sigsum tools, v0.12.0 The main change in this release is support for named policies. New features: * Support for named policies. This means that the user can optionally specify a policy name (using the -P option or directly in submitter key file) instead of specifying a policy file. * Support for builtin policies. In this version there are two builtin policies called "sigsum-test1-2025" and "sigsum-test2-2025". * New tool "sigsum-policy" that can be used to list and show available named policies. Documentation improvements: * In doc/sigsum-proof.md, document the correct keyword "size", https://git.glasklar.is/sigsum/core/sigsum-go/-/issues/135, and clarify the description of how to compute the leaf hash. Incompatible changes: * Building now requires go version 1.23 or later.

1 0

ANNOUNCE: sigsum ansible v1.5.0
by Elias Rudberg 05 Sep '25

05 Sep '25

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.5.0, succeeding the previous release v1.4.0. The release can be checked out from the git repository as git clone -b v1.5.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.5.0 Changes between v1.4.0 and v1.5.0: * Support for monitoring the presence of a YubiHSM device with a particular serial number was added. * Refactoring regarding lists of go tools in sigsum and litewitness roles, avoiding problems when running ansible in debian trixie. * Fix in when clause in golang and yubihsm_connector roles, avoiding problems when running ansible in debian trixie. * Changed naming of cronjob for weekly public suffix list update, to handle the special case when primary and secondary are on the same machine. * Cleanup and fixes in molecule tests.

1 0

ANNOUNCE: sigsum ansible v1.4.0
by Elias Rudberg 04 Jul '25

04 Jul '25

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.4.0, succeeding the previous release v1.3.0. The release can be checked out from the git repository as git clone -b v1.4.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.4.0 Changes between v1.3.0 and v1.4.0: * The sigsum role had its cronjob for weekly refreshing of the public suffix list changed to make it work also for the secondary node. * galaxy.yml was updated to clarify that this repo contains roles for not only transparency logs but also for witnesses. * The version of sigsum-agent used by default changed from v0.2.3 to v0.2.5. * A bug was fixed where a sigsum-agent using a YubiHSM wouldn't start if it was being started before the yubihsm-connector was properly ready (#73). * A bug making log lines from sigsum-agent not show up in the journal was fixed (#72). * Restarting the agent service was fixed, making restarts made by Ansible work well too (#70).

1 0

ANNOUNCE: key-mgmt v0.2.5
by Niels Möller 09 Jun '25

09 Jun '25

The Sigsum team is happy to release a new version of key-mgmt. This package includes scripts and documentation for managing signing keys and backups using YubiHSM hardware, and sigsum-agent, an SSH agent that can act as an Ed25519 signing oracle for a key that is either stored on disk, or residing in a HSM. The release can be checked out from the git repository as git clone -b v0.2.5 https://git.glasklar.is/sigsum/core/key-mgmt.git Changes in this release are rather modest, see NEWS excerpt below. However, the preceding v0.2.x updates were not previously announced on the mailing list or documented in NEWS; reconstructed NEWS entries for these releases are therefore also included below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on the repository in GitLab. / The Sigsum team NEWS for key-mgmt v0.2.5 This release includes a workaround for issues when sigsum-agent and yubihsm-connector are started or restarted concurrently. * sigsum-agent: New --retry option, to retry connecting to the yubihsm connector at startup. NEWS for key-mgmt v0.2.3 This release improves provisioning, and corresponds to the provisioning of log and witness keys for the services operated by Glasklar Teknik AB. * provisioning: Improve provisioning scripts and documentation thereof. E.g., include provisioned public keys in output files, and do test signatures and validation. NEWS for key-mgmt v0.2.1 This release includes improvements for the sigsum-agent tool. Incompatible changes: * sigsum-agent: New name, renamed from yubihsm-agent. Features: * sigsum-agent: Print socket name to stdout only if the agent generated a random name, and it is running as a daemon. * sigsum-agent: Add support for writing a pid file.

1 0

ANNOUNCE: sigsum ansible v1.3.0
by Elias Rudberg 08 May '25

08 May '25

The Sigsum team is happy to release a new version of the sigsum ansible collection, version tag v1.3.0, succeeding the previous release v1.2.0. The release can be checked out from the git repository as git clone -b v1.3.0 https://git.glasklar.is/sigsum/admin/ansible.git See the NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the ansible repository: https://git.glasklar.is/sigsum/admin/ansible/ See the README.md file for installation and usage instructions, and the HACKING file for information about how the molecule tests can be used. / The Sigsum team NEWS for sigsum ansible v1.3.0 This release adds a litebastion role in roles/litebastion based on the https://git.glasklar.is/sigsum/admin/litebastion repository which has now been archived. Changes: * Merged litebastion repo into roles/litebastion/ directory. * Added molecule test scenario for litebastion. * Changed the name litetlog to the new name of that repo which is torchwood. (https://github.com/FiloSottile/litetlog renamed to https://github.com/FiloSottile/torchwood) Using torchwood v0.5.0 for both litewitness and litebastion. * Changes to allow primary and secondary running on same machine. This involves the possibility of using different filenames for the config file and the tree-id file for primary and secondary, but the default filenames are the same as before so the change is backwards-compatible. * Added brief documentation in mariadb role. * Removed unused docs/ and renamed CHANGELOG.rst to NEWS. * Changes to automatically restart log after weekly suffix-list update. * Made it possible to run several litewitness instances in parallel. * Added support for non-sigsum logs in litewitness role. * Cleanup and fixes to avoid red output from molecule tests. * Changed debian repo url from ftp.acc.umu.se to deb.debian.org. * Bumped community.mysql version from 3.6.0 to 3.12.0 * Moved away from legacy /var/run to /run for sigsum-agent.socket file. See https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html

1 0

ANNOUNCE: log-go v0.15.2
by Niels Möller 25 Mar '25

25 Mar '25

The Sigsum team is happy to release a new version of the log-go log server software, version tag v0.15.2, succeeding the previous release v0.15.0. The source code for the release can be checked out from the git repository as git clone -b v0.15.2 https://git.glasklar.is/sigsum/core/log-go.git or installed using go install sigsum.org/log-go/cmd/...@v0.15.2 This is a bugfix release. The most important change is a correction to how the log server applies its configured rate limits. See NEWS file for details on changes, excerpt below. If you find any bugs, please report them on the sigsum-general(a)lists.sigsum.org mailing list or open an issue on GitLab in the log-go repository: https://git.glasklar.is/sigsum/core/log-go/ The expectations and intended use of the log server software is documented in the log-go RELEASES file. You will also find more information about the overall release process there, see https://git.glasklar.is/sigsum/core/log-go/-/blob/main/RELEASES.md. / The Sigsum team NEWS for log-go v0.15.2 This is minor release fixing a few issues found since the previous release. Upgrading from the previous release is expected to work with no issues. This release has been tested to work together with: * Sigsum tools (most importantly sigsum-submit and sigsum-verify, as well as sigsum-witness) https://git.glasklar.is/sigsum/core/sigsum-go, tag v0.11.2. Improvements: * Fixed a bug in the rate-limit logic. The intended behavior is to only count the first add-leaf requests for a particular leaf, and not count retries for the same leaf. In v0.15.0, retries could exhaust the rate limit quota. * More relevant logging of witness errors. When a witness starts failing, and when it recovers, the error is logged at INFO level. Repeated errors are logged at DEBUG level. In v0.15.0, all errors were logged at DEBUG level, i.e., no errors logged by default. Incompatible changes: * The --max-range command-line option is now only available for the primary node. Before this change, there was a --max-range command-line option also for the secondary node but that option had no effect. Miscellaneous: * Increased max-range default value to 512. * Updated config.toml.example file and added a corresponding test to help ensure the example config stays up-to-date.

1 0

ANNOUNCE: sigsum-go v0.11.2
by Rasmus Dahlberg 21 Mar '25

21 Mar '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.11.2. The source code for the release can be checked out using git clone -b v0.11.2 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.11.2 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.11.2/NEWS or the excerpt below for the changes since v0.11.1. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team --- NEWS for Sigsum tools, v0.11.2 This release fixes yet another manpage date nit. Bug fixes: * Fix so that make doc works for signed git tags.

1 0

ANNOUNCE: sigsum-go v0.11.1
by Rasmus Dahlberg 13 Mar '25

13 Mar '25

The Sigsum team is happy to announce a new version of the Sigsum tools, v0.11.1. The source code for the release can be checked out using git clone -b v0.11.1 https://git.glasklar.is/sigsum/core/sigsum-go.git or installed using go install sigsum.org/sigsum-go/cmd/...@v0.11.1 See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.11.1/NEWS or the excerpt below for the changes since v0.11.0. For further documentation and project information, see: https://www.sigsum.org/ /The Sigsum team --- NEWS for Sigsum tools, v0.11.1 This release fixes manpage nits found during Debian packaging. Bug fixes: * Fix non-deterministic date in sigsum-tools manpage. * Fix invalid manpage NAME sections for all subcommands. * Fix typos in usage messages and manpages. * Fix s/--verbose/--quiet/ in NEWS entry for v0.11.0. Incompatible changes: * Move sigsum-tools manpage from section 5 to section 7.

1 0

2025

2024

Sigsum-announce ----- 2025 ----- December 2025 November 2025 October 2025 September 2025 August 2025 July 2025 June 2025 May 2025 April 2025 March 2025 February 2025 January 2025 ----- 2024 ----- December 2024 November 2024 October 2024

Sigsum-announce