v1.1.0
@dehanj dehanj released this 16 Mar 15:09
  • Update tkeyclient version because of a vulnerability leaving some
    USSs unused. Keys might have changed since earlier versions! Read
    more here:

    GHSA-4w7r-3222-8h6v

    The error is only triggered if you use tkey-sign-cli with the
    --uss or --uss-file flags and use an affected USS. An affected
    USS hashes to a digest with a 0 (zero) in the first byte.

    Follow these steps to identify if you are affected:

    1. Run tkey-sign -G -p key.pub --uss
    2. Type in your USS.
    3. Remove and reinsert the TKey.
    4. Run tkey-sign -G -p key2.pub
    5. Compare the key.pub and key2.pub files. If they have the same
       contents, your USS is vulnerable.

    If your USS is affected, you have three options:

    1. Stop using a USS and keep your current signing keys.
    2. Keep using the USS and get new signing keys.
    3. Use another USS and get new signing keys.
  • Add a new option flag: --force-full-uss to force full use of the
    32 byte USS digest.

  • Changed license to BSD-2-Clause
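As an added example (not part of these release notes or of the tkey-sign-cli project), the following Python script performs an offline pre-check for the condition described above: whether a USS hashes to a digest whose first byte is zero. It assumes the USS digest is a 32-byte BLAKE2s hash of the raw USS bytes (the page only says "32 byte USS digest") and that `--uss-file` supplies the whole file as the USS; both are assumptions, so the device-based comparison of `key.pub` and `key2.pub` above remains the authoritative test.

```python
import hashlib
import sys
from typing import Callable, Optional


# ASSUMPTION: the client derives the USS digest as BLAKE2s-256 over the raw
# USS bytes. The release notes only mention a "32 byte USS digest"; if your
# client uses a different hash, swap this function.
def uss_digest(uss: bytes) -> bytes:
    return hashlib.blake2s(uss, digest_size=32).digest()


def is_affected(uss: bytes, digest: Callable[[bytes], bytes] = uss_digest) -> bool:
    """True when the digest starts with 0x00, the condition the release notes
    give for a USS that the old tkeyclient leaves (partly) unused.
    The digest function is injectable so the check itself can be unit-tested."""
    return digest(uss)[0] == 0


def check_uss_file(path: str) -> bool:
    # ASSUMPTION: --uss-file passes the file's raw bytes through unchanged.
    with open(path, "rb") as f:
        return is_affected(f.read())


def find_affected_sample(prefix: bytes = b"demo-uss-", limit: int = 20000) -> Optional[bytes]:
    """Brute-force a constructed USS whose digest has a zero first byte.
    About one candidate in 256 qualifies, so a hit normally comes within a
    few hundred tries. This only illustrates what an affected USS looks like."""
    for i in range(limit):
        cand = prefix + str(i).encode()
        if is_affected(cand):
            return cand
    return None


if __name__ == "__main__":
    # Usage: python check_uss.py [uss-file]; without an argument the USS is
    # read from stdin (a trailing newline is stripped, mirroring a typed USS;
    # whether the real client does the same is an assumption).
    if len(sys.argv) > 1:
        affected = check_uss_file(sys.argv[1])
    else:
        affected = is_affected(sys.stdin.buffer.read().rstrip(b"\n"))
    print("affected: digest starts with 0x00" if affected else "not affected by this condition")
    print("constructed affected sample:", find_affected_sample())
```

Because the first digest byte is uniform, roughly 1 in 256 secrets is affected; the script flags the condition offline, but only the key-comparison procedure confirms what the device actually did with your USS.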

Full changelog.

Reproducible builds:

We're currently building releases with goreleaser using Go 1.23.1.

You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries. On macOS tkey-sign is unfortunately not statically linked.