CHANGELOG.md

v1.4.5

Features

• Add Codefresh OIDC provider (#1593)

Contributors

• ilia-medvedev-codefresh

v1.4.4

Features

• Add production OIDC provider for Eclipse (#1472)
• Change parseExtension function to be public (#1584)
• Allow exposed metrics port to be overridden (#1518)
• add configurable idle timeout

Bug Fixes

• Fix docker-compose service order (#1537)
• Fix debug docker-compose setup (#1529)
• Fix docker-compose file (#1560)

Documentation

• Create new-idp-requirements.md (#1447)
• docs: Add back descriptive content on cert issuing (#1494)
• Added GitLab OIDC documentation to the /docs/oidc.md file that was missing. (#1574)

Misc

• update builder to use go1.21.6
• Move kubernetes CA processing in config.prepare (#1454)
• Lots of dependabot updates

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Colleen Murphy
• Cyril Cordoui
• Hayden B
• John Kjell
• Paul Welch
• Tanner Jones

v1.4.3

Bug Fixes

• Bump golang.org/x/net from 0.15.0 to 0.17.0 in /hack/tools (#1409)
• Bump golang.org/x/net from 0.15.0 to 0.17.0 (#1410)

Contributors

• dependabot

v1.4.2

• move to go 1.21.3 to pick up fixes for CVE-2023-39325

Bug Fixes

• update builder image to use go1.21.3 (#1407)
• Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1405)
• Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#1404)
• Bump golang from 1.21.2 to 1.21.3 (#1406)
• Bump go.step.sm/crypto from 0.35.1 to 0.36.0 (#1403)
• Bump google.golang.org/api from 0.145.0 to 0.146.0 (#1402)
• Bump sigs.k8s.io/release-utils from 0.7.4 to 0.7.5 (#1401)

Contributors

• Carlos Tadeu Panato Junior

v1.4.1

v1.4.1 disables CGO for released binaries and containers. If you need support for an HSM-backed CA, compile Fulcio with CGO_ENABLED=1.

The Distroless base image of the released containers has been updated to Debian 12, gcr.io/distroless/static-debian12:nonroot.

Features

• Do not block startup if OIDC provider cannot be created (#1389)
• Gracefully shutdown HTTP, gRPC, and Prom servers (#1342)
• Create interface for GRPC server which encompasses the GRPC HealthServer (#1334)

Release

• update builder image to use go1.21.2 (#1397)
• Disable CGO on release builds (#1368)

Contributors

• Appu
• Hayden B
• Jon Johnson
• Jussi Kukkonen
• Priya Wadhwa
• William Woodruff

v1.4.0

Features

• Add "Source Repository Visibility At Signing" ext (#1279)
• Expose SkipExpiryCheck OIDC Config Option in Verifier (#1271)

Documentation

• Update loadtest instructions (#1284)

Contributors

• Hayden B
• Philip Harrison
• Priya Wadhwa

v1.3.4

Features

• Update GitLab claim mappings for build configs (#1206)
• add container builds for each push to main (#1269)

Bug fixes

• always use non-TLS credentials to connect over unix domain socket (#1268)

Contributors

• Marshall Cottrell
• Bob Callaway

v1.3.3

Features

• add HTTP and GRPC health check endpoints (#1258)
• add fsnotify-backed cache for reading TLS PKI material (#1256)

Contributors

• Bob Callaway
• Hayden B

v1.3.2

Features

• configure server-side TLS on grpc listener (#1252)

Bug fixes

• gitlab: remove build config URI. (#1183)

Documentation

• Update OID info (#1188)
• Fix spellings, update protoc (#1184)
• docs/oid-info: clarify source of issuer extensions (#1158)

Contributors

• Billy Lynch
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• Kristian Klausen
• William Woodruff

v1.3.1

Bug Fixes

• fix cert.URIs for GitLab CI (#1144)

Contributors

• Carlos Tadeu Panato Junior

v1.3.0

Fulcio 1.3.0 adds support for GitLab CI.

Enhancements

• Add GitLab.com OIDC to Fulcio (#983)
• Change ParseDerString to Public Function (#1119)
• Support enterprise-unique GitHub Actions OIDC issuer URLs (#1088)

Documentation

• Map GitLab OIDC token claims to Fulcio OIDs (#1097)
• Mark GitLab JWT claim fields that are still WIP. (#1139)
• oidc.md: Add section for how to select SANs. (#1127)
• oid-info: Drop Build Signer Digest requirement from MUST -> SHOULD (#1126)
• update docs to use CDN-backed TUF endpoint (#1108)

Contributors

• Alishan Ladhani
• Billy Lynch
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• James Ma
• Paul Welch
• Reed Loden
• Sandipan Panda

v1.2.0

Fulcio 1.2.0 adds support for additional extensions in certificates issued for CI platforms, starting with GitHub Actions.

Deprecation warning: OIDs 1.3.6.1.4.1.57264.1.1 through 1.3.6.1.4.1.57264.1.6 have been deprecated, but are still present in the issued certificates. The new extensions 1.3.6.1.4.1.57264.1.8 through 1.3.6.1.4.1.57264.1.21 are correctly formatted as DER-encoded strings.

Enhancements

• Implement standardized CI extensions for GitHub (#1073)
• Allow specifying ChallengeClaim for an Issuer in the Fulcio config (#1007)
• Support custom OIDC issuers
  • Begin implementing Issuer interface for email and github identities (#1005)
  • Implement Issuer interface for spiffe and kubernetes types (#1033)
  • Implement Issuer interface for username and uri Issuer types (#1035)
  • implement Issuer interface for buildkite (#1037)
  • Create BaseIssuer type to implement Match for all Issuers (#1039)
  • Use Issuer interface to allow for custom issuers (#1008)

Bug Fixes

• Don't add nil issuers to issuer pool (#1053)

Documentation

• Standardizing Fulcio Certificate Extensions (#945)
• Add documentation for adding a new OIDC issuer (#1042)
• Update TUF instructions in README (#1079)

Contributors

• Carlos Tadeu Panato Junior
• Hayden B
• Philip Harrison
• priyawadhwa

v1.1.0

Fulcio 1.1.0 adds support for Buildkite, supports running the HTTP and gRPC servers on the same port, and fixes a few bugs in the GCP CA Service integration. Fulcio 1.1.0 updates Go to 1.20.

Enhancements

• Add Buildkite OIDC to Fulcio (#890)
• Update Fulcio to 1.20 (#989)
• Add in --duplex flag to run HTTP and GRPC servers on the same port (#931)
• Expose client options for google ca (#892)

Bug Fixes

• googleca: close certificate authority client when done (#930)
• Fix bugs in googleca and update flag description (#897)
• Fix pkcs11ca with no cgo compilation bug (#898)

Miscellaneous

• Add custom error logs when communicating with the CA backend (#966)
• Add new format for AKS OIDC issuer (#971)
• expose rpc options to add auth creds (#934)
• Refactor kmsca constructor to accept x509.Certificates (#917)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Harry Marr
• Hayden B
• Hector Fernandez
• Luke Hinds
• priyawadhwa
• Samuel Cochran
• William Woodruff
• Yoriyasu Yano

v1.0.0

1.0 release!

No changes from the previous release v1.0.0-rc.0.

v1.0.0-rc.0

Notice for Deprecation: The legacy (V1) API will be deprecated by February 1, 2023, and no longer supported in the public instance. Please update clients to the V2 API, which supports for gRPC and HTTP.

Enhancements

• use same way to output version and expose build info to prometheus (#815)

Documentation

• Update swagger doc version for Fulcio 1.0 (#816)

Contributors

• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)

v0.6.0

Note: Changed username identity format to username!Domain, username now specified in the OtherName SAN. If you have deployed your own instance of Fulcio and are using username issuers, you must update to the latest Cosign release.

Enhancements

• Change username format, enforce identity format (#802)
• Export Fulcio extension OIDs (#761)

Documentation

• Update how-certificate-issuing-works.md (#755)

Bug Fixes

• Fix documentation link (#798)

Miscellaneous

• upgrade to go1.19 (#767)

Contributors

• Billy Lynch (@wlynch)
• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)

v0.5.4

Bug Fixes

• adding tuf root env variable (#751)

Contributors

• Carlos Tadeu Panato Junior (@cpanato)

v0.5.3

Bug Fixes

• Clean up unix socket (#739)
• address Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (#735)
• fix example to explicitly set port for gRPC call (#732)

Documentation

• Create certificate specification (#703)
• Add documentation for SCT formats (#718)
• Update certificate issuance documentation (#702)

Miscellaneous

• Bump actions/dependency-review-action from 2.0.4 to 2.1.0 (#744)
• Update scorecard-action to v2:alpha (#746)
• update builder and cosign images (#743)
• Bump google.golang.org/api from 0.92.0 to 0.93.0 (#741)
• Bump go.step.sm/crypto from 0.17.1 to 0.17.2 (#742)
• update github.com/google/tink/go to 1.7.0 and fix deprecation (#736)
• Bump go.step.sm/crypto from 0.17.0 to 0.17.1 (#737)
• Bump google.golang.org/api from 0.91.0 to 0.92.0 (#733)
• Bump github.com/googleapis/api-linter in /hack/tools (#731)
• Bump github.com/googleapis/api-linter in /hack/tools (#722)
• Bump go.uber.org/zap from 1.21.0 to 1.22.0 (#730)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.0 to 2.11.2 in /hack/tools (#726)
• install protobuff 3.20.1 (#728)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.1 to 2.11.2 (#724)
• Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 (#725)
• Bump github/codeql-action from 2.1.17 to 2.1.18 (#721)
• Bump google.golang.org/api from 0.90.0 to 0.91.0 (#720)
• Bump golang from 1.18.4 to 1.18.5 (#717)
• Bump golang from 6e10f44 to 8a62670 (#713)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.0 to 2.11.1 (#714)
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#710)
• Bump github/codeql-action from 2.1.16 to 2.1.17 (#709)
• Bump google.golang.org/api from 0.89.0 to 0.90.0 (#711)
• Bump golang from f3d3d69 to 6e10f44 (#708)
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 in /hack/tools (#712)
• Enable Scorecard badge (#706)
• Bump golang from 9349ed8 to f3d3d69 (#707)
• Bump imjasonh/setup-ko from 0.4 to 0.5 (#704)
• Bump google.golang.org/api from 0.88.0 to 0.89.0 (#705)

Contributors

• Azeem Shaikh (@azeemshaikh38)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Paul Thomson (@pauldthomson)

v0.5.2

Bug Fixes

• Ensure GetTrustBundle returns array of strings instead of a single string with newlines (#690)

Miscellaneous

• Bump github.com/grpc-ecosystem/grpc-gateway/v2 in /hack/tools (#696)
• Bump google.golang.org/api from 0.87.0 to 0.88.0 (#694)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.3 to 2.11.0 (#695)
• bump cosign to v1.9.0 (#692)
• Bump go.step.sm/crypto from 0.16.2 to 0.17.0 (#688)
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (#686)
• Bump github.com/prometheus/common from 0.36.0 to 0.37.0 (#687)
• Bump golang from 1.18.3 to 1.18.4 (#683)
• Bump github/codeql-action from 2.1.15 to 2.1.16 (#684)
• Bump github.com/googleapis/api-linter in /hack/tools (#85)
• Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (#682)
• Bump google.golang.org/api from 0.86.0 to 0.87.0 (#680)
• Bump cloud.google.com/go/security from 1.4.0 to 1.4.1 (#681)
• Bump github.com/prometheus/common from 0.35.0 to 0.36.0 (#678)
• Bump actions/setup-go from 3.2.0 to 3.2.1 (#677)

Contributors

• Bob Callaway (@bobcallaway)

v0.5.1

Enhancements

• pipe all log messages to stdout for dev logger (#673)
• Add CORS support to HTTP endpoint (#670)
• generate OpenAPI documents from protobuf (#666)
• Add Tink signing backend (#645)
• Refactor in-memory signing CAs to use a single implementation (#644)
• change grpc response logger to debug level instead of error (#648)
• Add interface for certs/signer fetching to remove mutex (#643)

Miscellaneous

• Bump github.com/googleapis/api-linter in /hack/tools (#674)
• Update sigstore to pull in fixes (#671)
• Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 (#668)
• Bump github.com/googleapis/api-linter in /hack/tools (#669)
• add dependabot hack to monitor for new protoc releases (#667)
• Bump github/codeql-action from 2.1.14 to 2.1.15 (#663)
• Bump google.golang.org/api from 0.85.0 to 0.86.0 (#664)
• Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (#662)
• Bump golang from 957001e to a452d62 (#661)
• Bump golang from 1c3d22f to 957001e (#660)
• Bump github/codeql-action from 2.1.13 to 2.1.14 (#659)
• Bump github/codeql-action from 2.1.12 to 2.1.13 (#656)
• Bump google.golang.org/api from 0.84.0 to 0.85.0 (#657)
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#658)
• Bump github.com/prometheus/common from 0.34.0 to 0.35.0 (#655)
• Bump github.com/googleapis/api-linter in /hack/tools (#653)
• Bump actions/dependency-review-action from 2.0.1 to 2.0.2 (#652)
• Bump golang from b203dc5 to 1c3d22f (#649)
• Bump github.com/googleapis/api-linter in /hack/tools (#651)
• Bump actions/dependency-review-action from 1.0.2 to 2.0.1 (#650)
• Bump google.golang.org/api from 0.83.0 to 0.84.0 (#647)
• Bump google.golang.org/api from 0.82.0 to 0.83.0 (#642)

Contributors

• Bob Callaway (@bobcallaway)
• Hayden Blauzvern (@haydentherapper)

v0.5.0

Enhancements

• code refactor (#626 / #620 / #625 / #619 / #604 / #599 / #590 / #580 / #561 / #558)
• Add API for fetching Fulcio configuration (#608)
• Split pkg/server from pkg/api (#616)
• Restict issuer claim mapping to email issuers (#606)
• Validate SPIFFE IDs and trust domains via library (#592)
• Use principal in CA abstraction (#570)
• googleca: Don't log all identities (#577)
• Small ca refactor (#569)
• Remove unused Subject field from code signing certificate (#568)
• Add client options testing (#562)
• Add timeout to OIDC discovery (#560)

Bug Fixes

• spiffe: correct trust domain checking (#588)
• fix the digest image (#555)

Documentation

• identity: improve the documentation for Principal.Name() (#579)

Miscellaneous

• Use GenerateSerialNumber from cryptoutils (#571)
• challenges: remove ParseCSR (#578)
• Bump github/codeql-action from 2.1.11 to 2.1.12 (#629)
• Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (#630)
• update cross-builder image to use go1.18.3 (#635)
• typo: Github -> GitHub (#636)
• Bump google.golang.org/api from 0.81.0 to 0.82.0 (#631)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.2 to 2.10.3 (#632)
• Bump golang from 1.18.2 to 1.18.3 (#628)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 in /hack/tools (#633)
• Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (#627)
• Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#623)
• Bump actions/setup-go from 3.1.0 to 3.2.0 (#621)
• Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#622)
• Update sigstore to pull in go-tuf security fixes (#617)
• Bump ossf/scorecard-action from 1.0.4 to 1.1.0 (#618)
• Bump cloud.google.com/go/security from 1.3.0 to 1.4.0 (#613)
• Bump google.golang.org/api from 0.80.0 to 0.81.0 (#614)
• Bump actions/dependency-review-action from 1.0.1 to 1.0.2 (#609)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.1 to 2.10.2 (#610)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 in /hack/tools (#611)
• Add e2e test that tests IssuerClaim (#605)
• Bump actions/upload-artifact from 3.0.0 to 3.1.0 (#603)
• Added additional tests for CA implementations and OIDC (#602)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 in /hack/tools (#601)
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.0 to 2.10.1 (#600)
• cmd/app: remove dependency on deprecated github.com/pkg/errors (#598)
• Bump github.com/googleapis/api-linter in /hack/tools (#597)
• Bump github/codeql-action from 2.1.10 to 2.1.11 (#593)
• Bump go.step.sm/crypto from 0.16.1 to 0.16.2 (#594)
• Bump google.golang.org/api from 0.79.0 to 0.80.0 (#595)
• Skip tests that require network access with HERMETIC=true (#587)
• Bump github.com/google/certificate-transparency-go from 1.1.2 to 1.1.3 (#586)
• Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#585)
• Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (#584)
• Bump actions/setup-go from 3.0.0 to 3.1.0 (#582)
• Add some tests for challenges (#583)
• Bump actions/dependency-review-action (#581)
• Bump github/codeql-action (#572)
• Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#573)
• Update to use go1.18 (#576)
• Bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 (#574)
• Bump github.com/googleapis/api-linter in /hack/tools (#575)
• update go to 1.17.10 (#567)
• Bump github/codeql-action from 2.1.9 to 2.1.10 (#565)
• Bump google.golang.org/api from 0.78.0 to 0.79.0 (#566)
• Bump github.com/googleapis/api-linter in /hack/tools (#557)
• Bump google.golang.org/api from 0.77.0 to 0.78.0 (#556)
• update go builder image and cosign image (#554)
• add changelog for 0.4.1 release (#553)

Contributors

• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Jason Hall (@imjasonh)
• Koichi Shiraishi (@zchee)
• Miloslav Trmač (@mtrmac)
• Nathan Smith (@nsmith5)

v0.4.1

Bug Fixes

• Fix key usage for issued certificates (#549)

Documentation

• Add note about the status of the legacy HTTP API. (#531)

Others

• Bump google.golang.org/api from 0.76.0 to 0.77.0 (#552)
• chore(deps): Included dependency review (#540)
• Add @haydentherapper to CODEOWNERS (#548)
• Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#544)
• Bump github.com/fsnotify/fsnotify from 1.5.3 to 1.5.4 (#543)
• Bump google.golang.org/api from 0.75.0 to 0.76.0 (#542)
• Bump github/codeql-action from 2.1.8 to 2.1.9 (#545)
• Bump github.com/googleapis/api-linter in /hack/tools (#546)
• Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#541)

Contributors

• Bob Callaway (@bobcallaway)
• Hayden Blauzvern (@haydentherapper)
• Naveen (@naveensrinivasan)
• Zack Newman (@znewman01)

v0.4.0

Enhancements

• Add CSR support for key delivery and proof of possession (#527)
• Remove checked in binary (#524)
• add GRPC interface (#472)
• Embed SCTs in issued certificates (#507)
• Add intermediate CA implementation with KMS-backed signer (#496)

Bug Fixes

• Fix null pointer crash and incorrect error statuses (#526)

Documentation

• Add documentation for setting up Fulcio instance (#521)
• Add documentation for CT log (#514)
• examples: This adds example code on how to fetch a fulcio certificate (#324)

Others

• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.8.0 to 2.10.0 (#523)
• Bump actions/checkout from 3.0.0 to 3.0.1 (#522)
• Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 in /hack/tools (#520)
• Update release images (#517)
• Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (#516)
• Bump github/codeql-action from 2.1.7 to 2.1.8 (#513)
• add changelog for v0.3.0 release (#508)

Contributors

• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Morten Linderud (@Foxboron)

v0.3.0

Enhancements

• Generate larger, compliant serial numbers (#500)
• Use provided HTTP client instead when fetching root cert (#502)
• Add missing reader lock to File CA when reading certificate chain (#493)
• Add validation of public keys to prevent certifying weak keys (#490)
• Refactor API tests (#483)
• Update Username OIDC flow based on comments (#463)

Bug Fixes

• fix_certificate_readme_typos (#487)
• Fix minor typs in security model README (#488)
• Fix minor typos in README (#486)
• fix build date format for version command (#484)

Others

• update cosign and golang-cross images (#506)
• Bump codecov/codecov-action from 2.1.0 to 3 (#505)
• Bump github/codeql-action from 2.1.6 to 2.1.7 (#504)
• Bump go.step.sm/crypto from 0.16.0 to 0.16.1 (#498)
• Bump github/codeql-action from 1.1.5 to 2.1.6 (#497)
• Bump google.golang.org/api from 0.73.0 to 0.74.0 (#499)
• Bump github.com/prometheus/common from 0.32.1 to 0.33.0 (#491)
• Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (#485)
• Fix concurrency properly in File CA implementation (#495)
• Bump go.step.sm/crypto from 0.15.3 to 0.16.0 (#482)
• Bump google.golang.org/api from 0.72.0 to 0.73.0 (#479)
• Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#478)
• Bump github/codeql-action from 1.1.4 to 1.1.5 (#477)
• Bump google.golang.org/api from 0.71.0 to 0.72.0 (#476)
• Bump go.step.sm/crypto from 0.15.2 to 0.15.3 (#473)

Contributors

• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Jason Hall (@imjasonh)
• John Speed Meyers (@jspeed-meyers)

v0.2.0

Enhancements

• Use fulcio-system ns and drop -dev suffix for sa (#418)
• Return an error if we fail get get the Root cert. (#416)
• Add unit tests for oidc-EmailFromIDToken method (#413)
• extract CA/KMS support info to separate file (#409)
• add securityContext to deployment (#420)
• Count HTTP request error codes with prometheus (#396)
• Remove organization from subject for GCP CAS issuer (#391)
• Update warning text. (#389)
• Improve error messages returned by SigningCert (#388)
• Allow parameterized application/json content types (#386)
• Add AKS MetaIssuer (#384)
• Move CTL logging logic over to CTL package (#353)
• Move OID information to docs directory and reformat (#378)
• Upgrade miekg/pkcs11 using 'go get github.com/miekg/pkcs11@v1.1.1' (#376)
• Address signingCert panic with the last-byte calculation of finalChainPEM (#370)
• Include instructions to download verify the fulcio root certificate with TUF (#361)
• Make CA explicit dependency of API handler (#354)
• Improve error message when an invalid OIDC issuer is provided (#357)
• Make the the invalid CA error message actionable (#356)
• Initialize CT log client once (#350)
• Generate subject key ID correctly for non-GCP certs (#345)
• Add chain in response for all CAs, fix newlines in response (#341)
• Add some reasonable timeouts to API server (#337)
• fileca: add support for intermediate certificates (#320)
• Set max request size to 4MiB (#338)
• Extract additional claims from github-workflow token (#306)
• Enable server settings via config file and env vars (#315)
• Add file backed certificate authority (#280)
• Handle error when there are no roots returned by CA Service (#298)
• Add RootCert method to client + tests (#290)
• Add back support for building with CGO_ENABLED=0 (#293)
• add usersnames list to the codeonwers to make it easier to check (#295)
• Add a Root Cert method to the CA interface, and implement it. (#287)
• Update readme for V1 CA Service (#286)
• Fail fast if private key is not found when using PKCS11 CA (#285)
• Do not close the PKCS11 context on startup (#282)
• Localize flags to each subcommand (#274)
• Make client request timeout configurable with WithTimeout client option (#272)
• add the ability to set the user-agent string on requests from the Client (#264)
• Consolidate the source-of-truth. (#263)
• Move the deployment to the new v1 cert. (#261)
• The v1 GCP CA requires this field to be set. (#260)
• Experiment with FulcioConfig pulling from context.Context (#249)
• Upgrade fulcios to use of the google privateca api at v1 (#218)
• plumb through !cgo golang tags that removes pkcs11 support (#244)
• break out CA-specific implementation from common API class (#220)
• Add support for recoginizing allow.pub as an spiffe issuer (#228)
• Various nits trying SoftHSM (#217)
• Use MetaIssuers to simular EKS / GKE in e2e test. (#225)
• Add support for "meta issuers". (#223)
• Remove the cluster-local block by default. (#224)
• Refactor the way we access Config (#222)
• Enable Fulcio e2e testing. (#219)
• use sigstore/sigstore instead of directly calling RSA/ECDSA verify calls (#221)
• Refactor the kind e2e test. (#215)
• Add issuer information to code signing certificates (#204)
• Extract the OIDC issuer URL. (#211)
• use request ID logger where possible (#209)
• Rewrite "FulcioCA" to "PKCS11CA" and add AWS support (#187)
• add pkcs11-config-path command line parameter (#192)
• Add GitHub OIDC to Fulcio (#181)
• Changes fulcio-server to fulcio (#186)
• Add Github to fulcioca path. (#184)
• Add support for Github OIDC (#180)
• Generate client code with swagger in Makefile (#176)
• Switch to the JSON logger in prod (#175)
• add SCT as HTTP response header (#163)
• fulcio: add version command (#155)
• Script and process to generate OIDC config from federation directory. (#139)

Bug Fixes

• Fix the SCT header return value from the API to base64 encode it. (#288)
• Fix the k8s subject parsing. (#254)
• [Correction] Upgrade fulcios to use of the google privateca api at v1 (#252)
• fix: go get complain missing version when dir not in module (#248)
• Fix street-address and postal-code descriptions to be more descriptive. (#245)
• fix cutpaste error, sets cpu correctly (#237)
• Fix nil pointer, update dev docs (#236)
• Fix the Github OIDC challenge endpoint (#206)
• Fix misspellings. (#177)

Documentation

• extract development documentation from README (#410)
• fixing link to external resources (#411)
• Add feature stability and deprecation docs (#400)
• docs: overview of certificate issuing (#383)
• Add Logo to README (#381)
• Move sec model out of readme (#382)
• Update README for V1 Fulcio cert (#355)
• fix link for SECURITY.md (#340)
• Remove root CA whitespaces on README.md (#325)
• Add Locust load test and README (#311)
• add oid documentation (#307)
• Add documentation for testing with ephemeralca as well as document (#296)

Others

• Bump actions/upload-artifact from 2.3.1 to 3 (#452)
• Go update to 1.17.8 and cosign to 1.6.0 (#453)
• add missing target name (#450)
• Bump cloud.google.com/go/security from 1.2.1 to 1.3.0 (#448)
• Bump golang from c2ca472 to b983574 (#447)
• Move CI private-ca YAML to subdir (#446)
• Add step in release to mirror signed image to ghcr (#441)
• Bump actions/checkout from 2 to 3 (#443)
• Bump golang from e06c834 to c2ca472 (#442)
• Bump actions/setup-go from 2.2.0 to 3.0.0 (#440)
• Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (#439)
• Bump golangci/golangci-lint-action from 2.5.2 to 3 (#438)
• Bump github/codeql-action from 1.1.2 to 1.1.3 (#435)
• Bump github.com/magiconair/properties from 1.8.5 to 1.8.6 (#436)
• add indent to fix yaml error (#434)
• Bump cloud.google.com/go/security from 1.2.0 to 1.2.1 (#431)
• explicitly set permissions for github workflows (#433)
• Bump google.golang.org/api from 0.69.0 to 0.70.0 (#432)
• Add missing testing dependency (#429)
• Workflow to kick off release. (#407)
• Take advantage of Chainguard maintained versions of various actions. (#427)
• Bump golang from 2c92978 to e06c834 (#426)
• create namespace as part of config yaml (#422)
• Bump golang from 1a35cc2 to 2c92978 (#423)
• Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (#425)
• Bump github/codeql-action from 1.1.0 to 1.1.2 (#424)
• Bump google.golang.org/api from 0.68.0 to 0.69.0 (#412)
• Bump cloud.google.com/go/security from 1.1.1 to 1.2.0 (#408)
• Bump github/codeql-action from 1.0.32 to 1.1.0 (#406)
• update cross-build to use go 1.17.7 (#404)
• Bump golang from 1.17.6 to 1.17.7 (#403)
• Bump golang from 301609e to fff998d (#401)
• Bump actions/setup-go from 2.1.5 to 2.2.0 (#402)
• Bump google.golang.org/api from 0.67.0 to 0.68.0 (#399)
• Bump go.uber.org/zap from 1.20.0 to 1.21.0 (#393)
• Bump github/codeql-action from 1.0.31 to 1.0.32 (#392)
• Bump google.golang.org/api from 0.66.0 to 0.67.0 (#385)
• Bump github/codeql-action from 1.0.30 to 1.0.31 (#366)
• Bump ossf/scorecard-action from 1.0.2 to 1.0.3 (#367)
• Bump go.step.sm/crypto from 0.15.0 to 0.15.1 (#377)
• Bump google.golang.org/api from 0.65.0 to 0.66.0 (#363)
• Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (#362)
• Bump golang from d7f2f6f to 301609e (#358)
• Bump go.step.sm/crypto from 0.14.0 to 0.15.0 (#359)
• Bump golang from 0fa6504 to d7f2f6f (#352)
• createca: Address panic when no private key pair matches (#351)
• update version marker (#346)
• Remove Google CA v1beta1 API and associated config (#349)
• Bump ossf/scorecard-action from 1.0.1 to 1.0.2 (#347)
• update to v1.0.29 of codeql-action (#344)
• Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (#333)
• Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#334)
• Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 (#332)
• Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 (#331)
• pin one additional set of actions (#329)
• Bump google.golang.org/api from 0.64.0 to 0.65.0 (#321)
• add OSSF scorecard action (#328)
• Bump golang from 8c0269d to 0fa6504 (#326)
• pin github actions by digest instead of tag (#323)
• release: add cloudbuild to run the release for fulcio (#322)
• Fix docker-compose dexidp startup (#316)
• Bump go.step.sm/crypto from 0.13.0 to 0.14.0 (#319)
• Bump golang from 1.17.5 to 1.17.6 (#317)
• Switch to use fileca in e2e tests (#309)
• Bump google.golang.org/api from 0.63.0 to 0.64.0 (#318)
• Remove hack/tools (#308)
• Bump cloud.google.com/go/security from 1.1.0 to 1.1.1 (#312)
• Bump go.uber.org/zap from 1.19.1 to 1.20.0 (#313)
• Bump github.com/sigstore/sigstore from 1.0.1 to 1.1.0 (#299)
• Change ports for docker compose to avoid conflict with Rekor (#297)
• Bump github.com/spf13/viper from 1.10.0 to 1.10.1 (#283)
• Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#278)
• Bump golang from 1.17.4 to 1.17.5 (#269)
• Bump github.com/prometheus/common from 0.29.0 to 0.32.1 (#270)
• Bump golang from 1.17.3 to 1.17.4 (#265)
• Wrap the server with the Prometheus so we get metrics + add an e2e te… (#267)
• While working on #267 noticed this, but didn't want to bake into it. (#268)
• Drop OpenAPI from Fulcio (#262)
• Drop useless package. (#259)
• Drop gratuitous sync.Once in google CAs. (#258)
• Remove viper from pkg/. (#257)
• Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (#256)
• Consolidate viper usage in pkg/ca/ca.go (#255)
• Bump cloud.google.com/go/security from 0.1.0 to 1.1.0 (#246)
• Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (#247)
• Use CGO_ENABLED=1 via .ko.yaml. (#242)
• Bump github.com/sigstore/sigstore from 1.0.0 to 1.0.1 (#239)
• Add commit sha and trigger to github workflow (#232)
• Bump golang from 1.17.2 to 1.17.3 (#234)
• Bump actions/checkout from 2.3.5 to 2.4.0 (#233)
• Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (#229)
• Bump github.com/go-openapi/strfmt from 0.20.3 to 0.21.0 (#226)
• Bump github.com/hashicorp/golang-lru from 0.5.3 to 0.5.4 (#227)
• bump go-swagger to v0.28.0 (#213)
• Reproducible builds with trimpath (#210)
• Bump actions/checkout from 2.3.4 to 2.3.5 (#207)
• Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (#202)
• Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (#201)
• Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (#198)
• update go.sum (#205)
• Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (#200)
• Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (#199)
• Bump golang from 1.17.1 to 1.17.2 (#197)
• Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (#189)
• Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 (#188)
• Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 (#185)
• Bump github.com/ThalesIgnite/crypto11 from 1.2.4 to 1.2.5 (#182)
• Bump golang from 1.17.0 to 1.17.1 (#179)
• Bump go.uber.org/zap from 1.19.0 to 1.19.1 (#178)
• Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (#171)
• Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (#169)
• Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (#168)
• Bump golang from 1.16.7 to 1.17.0 (#166)
• Bump cloud.google.com/go from 0.91.1 to 0.92.3 (#167)
• Bump cloud.google.com/go from 0.90.0 to 0.91.1 (#162)
• Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (#161)
• Bump go.uber.org/zap from 1.18.1 to 1.19.0 (#160)
• Bump golang from 1.16.6 to 1.16.7 (#159)
• Bump cloud.google.com/go from 0.89.0 to 0.90.0 (#158)
• Bump cloud.google.com/go from 0.88.0 to 0.89.0 (#156)
• makefile: add rule to download and set swagger and make rule to build the dist (#154)
• Add missing code of conduct (stock sigstore one) (#153)

Contributors

• Appu (@loosebazooka)
• Asra Ali (@asraa)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Christian Kotzbauer (@ckotzbauer)
• Dan Lorenc (@dlorenc)
• Elizabeth Thomas (@elizabetht)
• Evan Phoenix (@evanphx)
• Hayden Blauzvern (@haydentherapper)
• Jake Sanders (@dekkagaijin)
• Josh Dolitsky (@jdolitsky)
• Jyotsna (@jyotsna-penumaka)
• Kenny Leung (@k4leung4)
• Luke Hinds (@lukehinds)
• Mark Bestavros (@mbestavros)
• Matt Moore (@mattmoor)
• Matthew Suozzo (@msuozzo)
• Nathan Smith (@nsmith5)
• Naveen (@naveensrinivasan)
• Nghia Tran (@tcnghias)
• Priya Wadhwa (@priyawadhwa)
• Radoslav Gerganov (@rgerganov)
• Rafael Fernández López (@ereslibre)
• Scott Nichols (@n3wscott)
• Thomas Strömberg (@tstromberg)
• Tuan Anh Tran (@tuananh)
• Viacheslav Vasilyev (@avoidik)
• Ville Aikas (@vaikas)
• Zack Newman (@znewman01)
• endorama (@endorama)