Releases: sigstore/timestamp-authority
v2.1.2
v2.1.1
What's Changed
v2.1.1 drops the Go version back down to 1.25.0.
- Switch utility for PEM encryption in #1378
Full Changelog: v2.1.0...v2.1.1
v2.1.0
What's Changed
- Bound path and HTTP method metric label cardinality to prevent OOM in #1374
- Fix spec violations in policy, EKU, and hash verification in #1375
Full Changelog: v2.0.6...v2.1.0
v2.0.6
What's Changed
- Ensure correct certificate is used for TSA auth checks (GHSA-xm5m-wgh2-rrg3) by @jku in #1333
Full Changelog: v2.0.5...v2.0.6
Contributors
Assets 32
v2.0.5
What's Changed
This release updates the chi middleware to resolve a panic.
- Update the semantics of the NTP monitoring so its clear in the README in #1276
- docs: note that CRL/OCSP checks are not performed in #1277
- Increase default HTTP idle timeout in #1287
- Upgrade chi middleware v4 -> v5 in #1307
Full Changelog: v2.0.4...v2.0.5
v2.0.4
Changelog
What's Changed
- chore(deps): bump go.step.sm/crypto from 0.74.0 to 0.75.0 by @dependabot[bot] in #1239
- chore(deps): bump github.com/tink-crypto/tink-go-hcvault/v2 from 2.3.0 to 2.4.0 by @dependabot[bot] in #1238
- chore(deps): bump github.com/go-openapi/errors from 0.22.4 to 0.22.5 in the gomod group by @dependabot[bot] in #1240
- chore(deps): bump github/codeql-action from 4.31.6 to 4.31.7 in the actions group by @dependabot[bot] in #1241
- chore(deps): bump golang from
20b91edto0ece421by @dependabot[bot] in #1242 - chore(deps): bump golang.org/x/net from 0.47.0 to 0.48.0 by @dependabot[bot] in #1244
- chore(deps): bump github.com/go-openapi/spec from 0.22.1 to 0.22.2 in the gomod group by @dependabot[bot] in #1243
- chore(deps): bump golang from
0ece421toa22b2e6by @dependabot[bot] in #1245 - chore(deps): bump the gomod group with 5 updates by @dependabot[bot] in #1246
- chore(deps): bump github.com/tink-crypto/tink-go/v2 from 2.5.0 to 2.6.0 by @dependabot[bot] in #1247
- chore(deps): bump the actions group with 2 updates by @dependabot[bot] in #1248
- chore(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 in the gomod group by @dependabot[bot] in #1249
- chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 in the actions group by @dependabot[bot] in #1250
- chore(deps): bump actions/cache from 4.3.0 to 5.0.0 by @dependabot[bot] in #1251
- chore(deps): bump golang from
a22b2e6to36b4f45by @dependabot[bot] in #1253 - chore(deps): bump the gomod group with 5 updates by @dependabot[bot] in #1254
- chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #1257
- chore(deps): bump actions/cache from 5.0.0 to 5.0.1 in the actions group by @dependabot[bot] in #1256
- chore(deps): bump github.com/go-playground/validator/v10 from 10.28.0 to 10.29.0 by @dependabot[bot] in #1255
- update changelog for v2.0.4 by @bobcallaway in #1258
Full Changelog: v2.0.3...v2.0.4
Contributors
Assets 35
v2.0.3
v2.0.2
v2.0.2
This release bumps the Go version to 1.25.
v2.0.1
v2.0.1
This release is identical to v2.0.0, as it only contains a fix for the release pipeline.
v2.0.0 changes the default HTTP response code to 200 for timestamp responses,
which matches all other well-known TSA implementations. Sigstore clients already
handle both 200 and 201 response codes, so no changes are needed to clients.
If you need backwards compatibility, you can deploy the service with
--use-http-201.
This release also changes the format of the binary and container signature,
which is now a Sigstore bundle.
To verify a release, use the latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.
Features
- changes default HTTP response code to 200 for timestamp responses (#1202)
- feat: add configurable max request body size for TSA server (#1176)
Testing
- test: Add a K6 loadtest
Documentation
- Minor improvements to documentation (#1169)
Misc
- (fix): minor gosec issues under x509.go (#1201)
Full Changelog: v1.2.9...v2.0.1