Releases: loicsikidi/tpm-trust
v0.3.0
tpm-trust v0.3.0
What's Changed
This release contains the tpm-trust binary and OCI images built from commit 585ec17af37a4e502da10b78600ed9317c660fd5.
Artifacts
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
- checksums.txt - SHA-256 checksums of all artifacts
- checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification
Verification
Important
If you are not familiar with the concepts around software supply chain security
(e.g. build provenance attestation, keyless signature, etc.), please read the following resources first:
For complete security verification, follow this two-step process:
Step 1: Verify Integrity with Cosign
First, verify the integrity of the checksums file using Cosign:
Tip
Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.
# Verify the checksums signature
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp 'https://github.com/loicsikidi/tpm-trust/.github/workflows/release.yaml@refs/tags/v0.3.0' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
# Verify any artifact matches the checksum
sha256sum -c checksums.txt
Step 2: Verify Provenance with GitHub CLI
Once the checksum integrity is established, verify the provenance using GitHub's attestation system:
# Verify the archive
gh attestation verify tpm-trust_0.3.0_linux_amd64.tar.gz --repo loicsikidi/tpm-trust
Changelog
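The two steps above hand the actual decisions to cosign, sha256sum and gh. As an added example (not tpm-trust's own code; the same verification section is repeated for every release on this page), here is an in-process rendering of the two local checks those tools make: the per-file SHA-256 comparison behind sha256sum -c, and the signer-identity match cosign performs for --certificate-identity-regexp and --certificate-oidc-issuer. All archive bytes and checksum lines are constructed.

```python
import hashlib
import re

# Constructed sample release: one archive's bytes and a two-line checksums.txt.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ARCHIVE = b"tpm-trust linux/amd64 archive bytes (constructed)"
CHECKSUMS_TXT = (
    f"{hashlib.sha256(ARCHIVE).hexdigest()}  tpm-trust_0.3.0_linux_amd64.tar.gz\n"
    f"{hashlib.sha256(b'other archive (constructed)').hexdigest()}  tpm-trust_0.3.0_darwin_arm64.tar.gz\n"
)

def parse_checksums(text):
    """Parse GoReleaser-style lines '<sha256 hex>  <filename>' into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def verify_artifact(name, data, sums):
    """True only if the file is listed and its SHA-256 equals the listed digest
    (the per-file decision behind 'sha256sum -c checksums.txt')."""
    expected = sums.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

def release_identity_regexp(repo, tag):
    """Anchored, escaped pattern for the release workflow signing at exactly one tag."""
    san = f"https://github.com/{repo}/.github/workflows/release.yaml@refs/tags/{tag}"
    return "^" + re.escape(san) + "$"

def identity_matches(pattern, san, issuer):
    """Mimic cosign's keyless identity check: the OIDC issuer must be GitHub's and the
    regexp must match the certificate SAN. The regexp is searched, not anchored, so an
    unanchored pattern also accepts any SAN that merely contains it."""
    return issuer == GITHUB_ISSUER and re.search(pattern, san) is not None

if __name__ == "__main__":
    sums = parse_checksums(CHECKSUMS_TXT)
    print(verify_artifact("tpm-trust_0.3.0_linux_amd64.tar.gz", ARCHIVE, sums))  # True
    exact = "https://github.com/loicsikidi/tpm-trust/.github/workflows/release.yaml@refs/tags/v0.3.0"
    # The notes' literal value, used as a regexp, also matches a longer tag name:
    print(identity_matches(exact, exact + "-rc1", GITHUB_ISSUER))  # True
    anchored = release_identity_regexp("loicsikidi/tpm-trust", "v0.3.0")
    print(identity_matches(anchored, exact + "-rc1", GITHUB_ISSUER))  # False
```

Because the --certificate-identity-regexp value in the notes is an unescaped, unanchored pattern, it also matches a SAN for any tag name that starts with the expected one; pinning with cosign's exact --certificate-identity flag, or anchoring the pattern as release_identity_regexp does, removes that slack. Separately, GNU sha256sum -c treats every listed file it cannot read as an error, so pass --ignore-missing when only one archive was downloaded.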
This release adds a bunch of new features and improvements 💫
New
- Add 'info' command: Display detailed information about the TPM
- Add 'certificates' subcommand: Display EK certificates
  - 'certificates list': List all EK certificates available in the TPM
  - 'certificates get <key type>': Show details of a specific EK certificate
- Add support for external EK certificates in 'audit' command
Improvements
- 'audit' command support for external EK certificates (i.e. AMD and Intel)
- 'audit' command is able to extract EK chain in addition to EK certificate if available
  - note: this way, the full chain can be audited without relying on external sources
- 'audit' command now accepts an optional <key type> argument to select a specific certificate
  - example: tpm-trust audit rsa-2048
Security
- Bump otel indirect dependency to avoid GO-2026-4394
- Note: according to this issue it's unlikely to be exploitable in our context
Commits
- fe40d1a: Merge pull request #21 from Strykar/fix/ecc-comment-typo (@loicsikidi)
- 354dde3: feat: add bunch of features (#11) (@loicsikidi)
- ca6daba: feat: add certificates get/list subcmds (#12) (@loicsikidi)
- 9d5e699: feat: support ek cert chain in check method (#14) (@loicsikidi)
- bad072c: fix: log and continue on EK cert URL fetch failure instead of aborting (#22) (@Strykar)
- ed01128: tpm: add URL fallback for AMD/Intel fTPMs without NV certs (#20) (@Strykar)
- ca8ddc0: vuln(deps): bump otel to avoid GO-2026-4394 (#16) (@loicsikidi)
Generated with GoReleaser 🚀
v0.2.0
tpm-trust v0.2.0
What's Changed
This release contains the tpm-trust binary and OCI images built from commit 3049037b9cc742969dfab8cd17f8dd3d8d7bf402.
Artifacts
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
- checksums.txt - SHA-256 checksums of all artifacts
- checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification
Verification
Important
If you are not familiar with the concepts around software supply chain security
(e.g. build provenance attestation, keyless signature, etc.), please read the following resources first:
For complete security verification, follow this two-step process:
Step 1: Verify Integrity with Cosign
First, verify the integrity of the checksums file using Cosign:
Tip
Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.
# Verify the checksums signature
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp 'https://github.com/loicsikidi/tpm-trust/.github/workflows/release.yaml@refs/tags/v0.2.0' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
# Verify any artifact matches the checksum
sha256sum -c checksums.txt
Step 2: Verify Provenance with GitHub CLI
Once the checksum integrity is established, verify the provenance using GitHub's attestation system:
# Verify the archive
gh attestation verify tpm-trust_0.2.0_linux_amd64.tar.gz --repo loicsikidi/tpm-trust
Changelog
Generated with GoReleaser 🚀
v0.1.1
tpm-trust v0.1.1
What's Changed
This release contains the tpm-trust binary and OCI images built from commit bec855188f9b85d9f7e9914d36b55704c34a61e8.
Artifacts
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
- checksums.txt - SHA-256 checksums of all artifacts
- checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification
Verification
Important
If you are not familiar with the concepts around software supply chain security
(e.g. build provenance attestation, keyless signature, etc.), please read the following resources first:
For complete security verification, follow this two-step process:
Step 1: Verify Integrity with Cosign
First, verify the integrity of the checksums file using Cosign:
Tip
Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.
# Verify the checksums signature
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp 'https://github.com/loicsikidi/tpm-trust/.github/workflows/release.yaml@refs/tags/v0.1.1' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
# Verify any artifact matches the checksum
sha256sum -c checksums.txt
Step 2: Verify Provenance with GitHub CLI
Once the checksum integrity is established, verify the provenance using GitHub's attestation system:
# Verify the archive
gh attestation verify tpm-trust_0.1.1_linux_amd64.tar.gz --repo loicsikidi/tpm-trust
Changelog
- bec8551: fix: remove typo in 'tpm-trust version' (#4) (@loicsikidi)
Generated with GoReleaser 🚀
v0.1.0
tpm-trust v0.1.0
What's Changed
This release contains the tpm-trust binary and OCI images built from commit 1a04486f28e69d7be4e3c990d679831e742025ab.
Artifacts
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
- tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
- checksums.txt - SHA-256 checksums of all artifacts
- checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification
Verification
Important
If you are not familiar with the concepts around software supply chain security
(e.g. build provenance attestation, keyless signature, etc.), please read the following resources first:
For complete security verification, follow this two-step process:
Step 1: Verify Integrity with Cosign
First, verify the integrity of the checksums file using Cosign:
Tip
Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.
# Verify the checksums signature
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp 'https://github.com/loicsikidi/tpm-trust/.github/workflows/release.yaml@refs/tags/v0.1.0' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
# Verify any artifact matches the checksum
sha256sum -c checksums.txt
Step 2: Verify Provenance with GitHub CLI
Once the checksum integrity is established, verify the provenance using GitHub's attestation system:
# Verify the archive
gh attestation verify tpm-trust_0.1.0_linux_amd64.tar.gz --repo loicsikidi/tpm-trust
Changelog
- 6e8c945: feat: init project (#1) (@loicsikidi)
- 7f246ee: first commit (@loicsikidi)
Generated with GoReleaser 🚀