v1.3.0

v1.3.0

Fulcio 1.3.0 adds support for GitLab CI.

Enhancements

• Add GitLab.com OIDC to Fulcio (#983)
• Change ParseDerString to Public Function (#1119)
• Support enterprise-unique GitHub Actions OIDC issuer URLs (#1088)

Documentation

• Map GitLab OIDC token claims to Fulcio OIDs (#1097)
• Mark GitLab JWT claim fields that are still WIP. (#1139)
• oidc.md: Add section for how to select SANs. (#1127)
• oid-info: Drop Build Signer Digest requirement from MUST -> SHOULD (#1126)
• update docs to use CDN-backed TUF endpoint (#1108)

Contributors

• Alishan Ladhani
• Billy Lynch
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• James Ma
• Paul Welch
• Reed Loden
• Sandipan Panda

Full Changelog: v1.2.0...v1.3.0

v1.2.0

v1.2.0

Fulcio 1.2.0 adds support for additional extensions in certificates issued for
CI platforms, starting with GitHub Actions.

Deprecation warning: OIDs 1.3.6.1.4.1.57264.1.1 through 1.3.6.1.4.1.57264.1.6 have been deprecated,
but are still present in the issued certificates. The new extensions 1.3.6.1.4.1.57264.1.8
through 1.3.6.1.4.1.57264.1.21 are correctly formatted as DER-encoded strings.

Enhancements

• Implement standardized CI extensions for GitHub (#1073)
• Allow specifying ChallengeClaim for an Issuer in the Fulcio config (#1007)
• Support custom OIDC issuers
  • Begin implementing Issuer interface for email and github identities (#1005)
  • Implement Issuer interface for spiffe and kubernetes types (#1033)
  • Implement Issuer interface for username and uri Issuer types (#1035)
  • implement Issuer interface for buildkite (#1037)
  • Create BaseIssuer type to implement Match for all Issuers (#1039)
  • Use Issuer interface to allow for custom issuers (#1008)

Bug Fixes

• Don't add nil issuers to issuer pool (#1053)

Documentation

• Standardizing Fulcio Certificate Extensions (#945)
• Add documentation for adding a new OIDC issuer (#1042)
• Update TUF instructions in README (#1079)

Contributors

• Carlos Tadeu Panato Junior
• Hayden B
• Philip Harrison
• priyawadhwa

Full Changelog: v1.1.0...v1.2.0

v1.1.0

v1.1.0

Fulcio 1.1.0 adds support for Buildkite, supports running the HTTP and gRPC servers on the same port,
and fixes a few bugs in the GCP CA Service integration. Fulcio 1.1.0 updates Go to 1.20.

Enhancements

• Add Buildkite OIDC to Fulcio (#890)
• Update Fulcio to 1.20 (#989)
• Add in --duplex flag to run HTTP and GRPC servers on the same port (#931)
• Expose client options for google ca (#892)

Bug Fixes

• googleca: close certificate authority client when done (#930)
• Fix bugs in googleca and update flag description (#897)
• Fix pkcs11ca with no cgo compilation bug (#898)

Miscellaneous

• Add custom error logs when communicating with the CA backend (#966)
• Add new format for AKS OIDC issuer (#971)
• expose rpc options to add auth creds (#934)
• Refactor kmsca constructor to accept x509.Certificates (#917)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Harry Marr
• Hayden B
• Hector Fernandez
• Luke Hinds
• priyawadhwa
• Samuel Cochran
• William Woodruff
• Yoriyasu Yano

Full Changelog: v1.0.0...v1.1.0

v1.0.0

Changelog

• 59ffd02 1.0 changelog! (#830)

Full Changelog: v0.6.0...v1.0.0

Thanks to all contributors!

v1.0.0-rc.0

What's Changed

• update previous releases and add notes for v0.6.0 by @cpanato in #806
• use same way to output version and expose build info to prometheus by @cpanato in #815
• Update swagger doc version for Fulcio 1.0 by @haydentherapper in #816
• Update CHANGELOG for v1.0.0-rc.0 by @haydentherapper in #818

Full Changelog: v0.6.0...v1.0.0-rc.0

v0.6.0

What's Changed

• Update how-certificate-issuing-works.md by @haydentherapper in #755
• Export Fulcio extension OIDs by @wlynch in #761
• upgrade to go1.19 by @cpanato in #767
• Fix documentation link by @haydentherapper in #798
• Change username format, enforce identity format by @haydentherapper in #802

New Contributors

• @wlynch made their first contribution in #761

Full Changelog: v0.5.4...v0.6.0

v0.5.4

What's Changed

• adding tuf root env variable by @cpanato in #751

Full Changelog: v0.5.3...v0.5.4

v0.5.3

What's Changed

• Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in #705
• Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #704
• Bump golang from 9349ed8 to f3d3d69 by @dependabot in #707
• ✨ Enable Scorecard badge by @azeemshaikh38 in #706
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 in /hack/tools by @dependabot in #712
• Bump golang from f3d3d69 to 6e10f44 by @dependabot in #708
• Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in #711
• Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #709
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #710
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.0 to 2.11.1 by @dependabot in #714
• Bump golang from 6e10f44 to 8a62670 by @dependabot in #713
• Bump golang from 1.18.4 to 1.18.5 by @dependabot in #717
• Update certificate issuance documentation by @haydentherapper in #702
• Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in #720
• Add documentation for SCT formats by @haydentherapper in #718
• Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in #721
• Create certificate specification by @haydentherapper in #703
• Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 by @dependabot in #725
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.1 to 2.11.2 by @dependabot in #724
• install protobuff 3.20.1 by @cpanato in #728
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.0 to 2.11.2 in /hack/tools by @dependabot in #726
• Bump go.uber.org/zap from 1.21.0 to 1.22.0 by @dependabot in #730
• Bump github.com/googleapis/api-linter from 1.33.2 to 1.33.3 in /hack/tools by @dependabot in #722
• Bump github.com/googleapis/api-linter from 1.33.3 to 1.34.0 in /hack/tools by @dependabot in #731
• fix example to explicitly set port for gRPC call by @bobcallaway in #732
• Bump google.golang.org/api from 0.91.0 to 0.92.0 by @dependabot in #733
• Bump go.step.sm/crypto from 0.17.0 to 0.17.1 by @dependabot in #737
• update github.com/google/tink/go to 1.7.0 and fix deprecation by @cpanato in #736
• address Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server by @cpanato in #735
• Bump go.step.sm/crypto from 0.17.1 to 0.17.2 by @dependabot in #742
• Bump google.golang.org/api from 0.92.0 to 0.93.0 by @dependabot in #741
• update builder and cosign images by @cpanato in #743
• Update scorecard-action to v2:alpha by @azeemshaikh38 in #746
• Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #744
• update changelog to add release v0.5.3 by @cpanato in #747
• Clean up unix socket by @pauldthomson in #739
• bump sigstore/sigstore from 1.3.1 to 1.4.0 by @k4leung4 in #745

New Contributors

• @azeemshaikh38 made their first contribution in #706
• @pauldthomson made their first contribution in #739

Full Changelog: v0.5.2...v0.5.3

v0.5.2

What's Changed

• Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #677
• Bump github.com/prometheus/common from 0.35.0 to 0.36.0 by @dependabot in #678
• Bump cloud.google.com/go/security from 1.4.0 to 1.4.1 by @dependabot in #681
• Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in #680
• Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #682
• Bump github.com/googleapis/api-linter from 1.33.1 to 1.33.2 in /hack/tools by @dependabot in #685
• Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #684
• Bump golang from 1.18.3 to 1.18.4 by @dependabot in #683
• Bump github.com/prometheus/common from 0.36.0 to 0.37.0 by @dependabot in #687
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #686
• Bump go.step.sm/crypto from 0.16.2 to 0.17.0 by @dependabot in #688
• bump cosign to v1.9.0 by @bobcallaway in #692
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.3 to 2.11.0 by @dependabot in #695
• Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in #694
• Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.3 to 2.11.0 in /hack/tools by @dependabot in #696
• [NFC] docs/oidc: mark code blocks as JSON, minor syntax fixes by @woodruffw in #697
• ensure GetTrustBundle returns array of strings instead of a single string with newlines by @bobcallaway in #690
• update go builder and cosign image by @cpanato in #700
• Add CHANGELOG for 0.5.2 by @haydentherapper in #701

New Contributors

• @woodruffw made their first contribution in #697

Full Changelog: v0.5.1...v0.5.2

Thanks to all contributors!

v0.5.1

What's Changed

• Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #642
• Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in #647
• Add interface for certs/signer fetching to remove mutex by @haydentherapper in #643
• change grpc response logger to debug level instead of error by @bobcallaway in #648
• Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #650
• Bump github.com/googleapis/api-linter from 1.32.1 to 1.32.2 in /hack/tools by @dependabot in #651
• Bump golang from b203dc5 to 1c3d22f by @dependabot in #649
• Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #652
• Bump github.com/googleapis/api-linter from 1.32.2 to 1.32.3 in /hack/tools by @dependabot in #653
• Refactor in-memory signing CAs to use a single implementation by @haydentherapper in #644
• Bump github.com/prometheus/common from 0.34.0 to 0.35.0 by @dependabot in #655
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #658
• Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in #657
• Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #656
• Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #659
• Bump golang from 1c3d22f to 957001e by @dependabot in #660
• Bump golang from 957001e to a452d62 by @dependabot in #661
• Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #662
• Add Tink signing backend by @haydentherapper in #645
• Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in #664
• Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #663
• generate OpenAPI documents from protobuf by @bobcallaway in #666
• add dependabot hack to monitor for new protoc releases by @bobcallaway in #667
• Bump github.com/googleapis/api-linter from 1.32.3 to 1.33.0 in /hack/tools by @dependabot in #669
• Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in #668
• Update sigstore to pull in fixes by @haydentherapper in #671
• Add CORS support to HTTP endpoint by @bobcallaway in #670
• pipe all log messages to stdout for dev logger by @bobcallaway in #673
• Bump github.com/googleapis/api-linter from 1.33.0 to 1.33.1 in /hack/tools by @dependabot in #674
• add changelog for v0.5.1 by @cpanato in #675

Full Changelog: v0.5.0...v0.5.1

Thanks for all contributors!