Releases: tarnover/TrustVer

TrustVer CLI v0.1.2

25 Mar 05:38

TrustVer CLI v0.1.2 — Security Fixes

TrustVer: 0.1.2+hrai | Scope: stable | Spec: v0.3.0

Security

  • Cosign identity validation — cosign verify-blob now requires --certificate-identity-regexp and --certificate-oidc-issuer. Previously any valid Sigstore signature would pass verification.
  • Attestation stripping protection — Release signatures now include attestation_count in the signable content. Removing attestations (e.g., a failed security audit) invalidates the release signature.
  • Derivation: auto prevents hrai — Unreviewed autonomous agent code no longer inherits the "human-reviewed" label. A release with 85% hrai + 5% auto now correctly derives as ai, not hrai.
  • Derivation: AI fallthrough fix — 80%+ AI-origin code (any combination of ai/hrai/auto) now correctly derives as ai instead of falling through to mix.
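The two derivation rules above can be checked against a small reference function. The following is an added example, not TrustVer's own derivation code: the label names (ai, hrai, auto, mix) and the 80% threshold come from these notes, while the human label, the "percentages sum to 100" input shape and the exact condition under which a release still qualifies as hrai are assumptions made for the example.

```python
# Added example (not TrustVer's own code): derive a release-level origin
# label from per-origin percentages, implementing the two rules stated in
# the v0.1.2 notes. Labels ai/hrai/auto/mix and the 80% threshold are from
# the notes; "human" and the hrai qualification rule are assumptions.

AI_ORIGIN = ("ai", "hrai", "auto")
AI_THRESHOLD = 80.0  # from the notes: 80%+ AI-origin derives as "ai"


def derive_label(shares: dict[str, float]) -> str:
    """Derive one label from a mapping of origin -> percentage (sums to 100)."""
    total = sum(shares.values())
    if abs(total - 100.0) > 1e-6:
        raise ValueError(f"shares must sum to 100, got {total}")
    ai = shares.get("ai", 0.0)
    hrai = shares.get("hrai", 0.0)
    auto = shares.get("auto", 0.0)
    ai_origin = ai + hrai + auto

    # Rule "auto prevents hrai": any unreviewed autonomous-agent code means
    # the release cannot carry the human-reviewed label at all.
    # Assumption: with no auto code, a release is hrai when its hrai share
    # alone meets the same 80% threshold.
    if auto == 0.0 and hrai >= AI_THRESHOLD:
        return "hrai"

    # Rule "AI fallthrough fix": 80%+ AI-origin code, in any combination of
    # ai/hrai/auto, derives as ai rather than falling through to mix.
    if ai_origin >= AI_THRESHOLD:
        return "ai"

    # Assumption: no AI-origin code at all is "human"; anything else is "mix".
    if ai_origin == 0.0:
        return "human"
    return "mix"


if __name__ == "__main__":
    # The two cases the notes describe, plus a few neighbours.
    for shares in (
        {"hrai": 85, "auto": 5, "human": 10},          # notes: ai, not hrai
        {"ai": 30, "hrai": 30, "auto": 20, "human": 20},  # notes: ai, not mix
        {"hrai": 90, "human": 10},
        {"ai": 50, "human": 50},
        {"human": 100},
    ):
        print(shares, "->", derive_label(shares))
```

The first two inputs reproduce the exact cases from the notes; the remaining ones only show how the assumed hrai, human and mix branches behave and are not claims about TrustVer's behaviour.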

Bug Fixes

  • Multi-key validation — trustver pad validate --verify no longer falsely rejects PADs with multiple signatures when only one public key is provided. Non-matching signatures are skipped instead of treated as errors.
  • Git log delimiter — Changed from ---END-COMMIT--- to a UUID-based sentinel to prevent collision with commit messages containing that string.
  • Missing notes field — PadDocument now includes the notes field referenced in spec §3.
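Two of the changes above, attestation_count becoming part of the signable content (Security) and non-matching signatures being skipped during multi-key validation (Bug Fixes), can be illustrated with one toy verifier. This is an added example and not TrustVer's own signing or PAD code: HMAC-SHA256 under a shared key stands in for real signatures, and the key ids, field names, canonical encoding and sample release are all constructed here.

```python
import hashlib
import hmac
import json

# Added example, not TrustVer's own code. A toy release-signature scheme
# showing (1) attestation_count inside the signable content, so stripping
# an attestation breaks the signature, and (2) a verifier that, given one
# key, skips signatures made under other keys instead of rejecting.
# Assumption: HMAC-SHA256 stands in for asymmetric signatures; all field
# names, key ids and sample data below are constructed for the example.


def signable_content(release: dict) -> bytes:
    """Canonical bytes covered by a release signature (constructed layout)."""
    covered = {
        "name": release["name"],
        "version": release["version"],
        "artifact_digest": release["artifact_digest"],
        # The fix: the number of attestations is signed, so dropping one
        # (e.g. a failed security audit) changes the signed content.
        "attestation_count": len(release.get("attestations", [])),
    }
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


def sign(release: dict, key_id: str, key: bytes) -> dict:
    mac = hmac.new(key, signable_content(release), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "sig": mac}


def verify(release: dict, signatures: list[dict], key_id: str, key: bytes) -> bool:
    """True if at least one signature under key_id verifies.

    Signatures under other key ids are skipped, not treated as errors,
    which is the multi-key behaviour described in the v0.1.2 notes.
    """
    expected = hmac.new(key, signable_content(release), hashlib.sha256).hexdigest()
    for s in signatures:
        if s["key_id"] != key_id:
            continue  # a different signer; we have no key to check it with
        if hmac.compare_digest(s["sig"], expected):
            return True
    return False  # no signature for our key, or every one of them failed


# Constructed sample release carrying two attestations, one of them a failure.
RELEASE = {
    "name": "example-tool",
    "version": "1.2.3",
    "artifact_digest": "sha256:" + "ab" * 32,
    "attestations": [
        {"type": "provenance", "result": "pass"},
        {"type": "security-audit", "result": "fail"},
    ],
}
KEY_A = b"constructed-key-a"
KEY_B = b"constructed-key-b"


def demo() -> dict:
    """Exercise the three behaviours and return the outcomes by name."""
    sigs = [sign(RELEASE, "key-a", KEY_A), sign(RELEASE, "key-b", KEY_B)]
    # Strip the failed audit and keep the original signatures.
    stripped = dict(RELEASE, attestations=RELEASE["attestations"][:1])
    return {
        # Only key-a is supplied; key-b's signature is skipped, not an error.
        "single_key_ok": verify(RELEASE, sigs, "key-a", KEY_A),
        # attestation_count changed from 2 to 1, so the signature no longer matches.
        "stripped_rejected": not verify(stripped, sigs, "key-a", KEY_A),
        # No signature exists for key-c at all.
        "unknown_key_rejected": not verify(RELEASE, sigs, "key-c", KEY_A),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier returns a single boolean on purpose: a PAD or release with several signatures is valid to a holder of one key as soon as any signature under that key checks out, and the presence of signatures it cannot check is not evidence of tampering.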
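The git log delimiter fix is easiest to see by parsing the same simulated log with a fixed delimiter and with a per-run random one. This is an added example rather than TrustVer's own git parsing: the format string layout (hash, then body, then sentinel) and the sample commits are constructed, and git itself is not invoked.

```python
import uuid

# Added example, not TrustVer's own code. Shows why a fixed delimiter in
# git log output is fragile and how a per-run UUID sentinel avoids
# collisions with commit bodies. The assumed --format layout is
# "%H%n%B<sentinel>"; git is simulated rather than run.

FIXED_SENTINEL = "---END-COMMIT---"  # the pre-0.1.2 delimiter named in the notes


def make_sentinel() -> str:
    """A delimiter no pre-existing commit message can already contain."""
    return f"--TRUSTVER-{uuid.uuid4()}--"


def log_format(sentinel: str) -> str:
    """Value for git log --format=... (assumed layout: hash, newline, body)."""
    return f"%H%n%B{sentinel}"


def render_log(commits, sentinel: str) -> str:
    """Simulate what git would print for commits under log_format(sentinel)."""
    return "".join(f"{sha}\n{body}\n{sentinel}\n" for sha, body in commits)


def parse_log(output: str, sentinel: str) -> list[dict]:
    """Split log output on the sentinel into {"sha", "body"} records."""
    records = []
    for chunk in output.split(sentinel):
        chunk = chunk.strip("\n")
        if not chunk:
            continue
        sha, _, body = chunk.partition("\n")
        records.append({"sha": sha, "body": body})
    return records


# Constructed commits; the second body mentions the old delimiter verbatim.
COMMITS = [
    ("a" * 40, "Add feature"),
    ("b" * 40, f"Discuss delimiter {FIXED_SENTINEL} in docs"),
]


def compare() -> tuple[int, int]:
    """Return (records parsed with the fixed sentinel, records with a UUID one)."""
    fixed = parse_log(render_log(COMMITS, FIXED_SENTINEL), FIXED_SENTINEL)
    sentinel = make_sentinel()
    safe = parse_log(render_log(COMMITS, sentinel), sentinel)
    return len(fixed), len(safe)


if __name__ == "__main__":
    print(compare())  # 2 commits: fixed sentinel yields 3 records, UUID yields 2
```

With the fixed delimiter the second commit is split in the middle of its body and a phantom third record appears whose "sha" is the tail of the message; the UUID sentinel, generated fresh for each run, cannot occur in any commit that already exists.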

Install

cargo install --git https://github.com/tarnover/TrustVer trustver-cli