The Sigsum team is happy to announce a new version of the Sigsum tools, v0.13.0. The source code for the release can be checked out using
git clone -b v0.13.0 https://git.glasklar.is/sigsum/core/sigsum-go.git
or installed using
go install sigsum.org/sigsum-go/cmd/...@v0.13.0
See the NEWS file https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/v0.13.0/NEWS or the excerpt below for the changes since v0.12.0.
For further documentation and project information, see: https://www.sigsum.org/
/The Sigsum team
NEWS for Sigsum tools, v0.13.0
This release makes policy file format a bit stricter, and includes a first builtin policy using production logs and witnesses.
Incompatible changes:
* The Sigsum policy format has been made a bit stricter, rejecting duplicates, rejecting control characters, and requiring that comments start at the beginning of a line. See updated doc/sigsum-proof.md. For motivation, see https://git.glasklar.is/sigsum/project/documentation/-/blob/main/proposals/2...
New policies:
* This version includes a new builtin trust policy named "sigsum-generic-2025-1". This is the first builtin policy that uses production logs and witnesses. For a description of the procedure used maintain builtin named policies, see https://git.glasklar.is/sigsum/project/documentation/-/blob/main/policy-main...
Bug fixes:
* Make Endpoint.Path not produce request URLs with double '/' separators. See https://git.glasklar.is/sigsum/core/log-go/-/issues/129.
Miscellaneous:
* The primary supported go toolchain version is now 1.24. Using go-1.23 is still supported and tested. Using later versions is also expected to work, but is not tested.