• Update tkeyclient to v1.3.1 to handle TKey Unlocked (product ID 8)
  as a Bellatrix when it comes to USS digest handling.

• Only allow --force-full-uss when either --uss or --uss-file is
  used.

Full
changelog.

• Update tkeyclient version because of a vulnerability leaving some
  USSs unused. Keys might have changed since earlier versions! Read
  more here:

  GHSA-4w7r-3222-8h6v

  The error is only triggered if you use tkey-sign-cli with the
  --uss or --uss-file flags and use an affected USS. An affected
  USS hashes to a digest with a 0 (zero) in the first byte.

  Follow these steps to identify if you are affected:

  1. Run tkey-sign -G -p key.pub --uss
  2. Type in your USS.
  3. Remove and reinsert the TKey.
  4. Run tkey-sign -G -p key2.pub
  5. Compare the key.pub and key2.pub files. If they have the same
     contents your USS is vulnerable.

  If your USS are affected, you have three options:

  1. Not using a USS and keep your signing keys.
  2. Keep using the USS and get new signing keys.
  3. Use another USS and get new signing keys.

• Add a new option flag: --force-full-uss to force full use of the
  32 byte USS digest.

• Changed license to BSD-2-Clause

Full changelog.

Reproducible builds:

We're currently building releases with goreleaser using Go 1.23.1.

You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries. On macOS tkey-sign is unfortunately not statically linked.

Reproducible builds:

We're currently building releases with goreleaser using Go 1.23.2.

You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries.

On macOS tkey-sign is unfortunately not statically linked. The binary was built on macOS with uname:

Darwin Kernel Version 23.6.0: Mon Jul 29 21:13:04 PDT 2024

Changelog:

• Normalize line endings of user input when asked to overwrite a file. This fixes an issue on Windows where a file was never overwritten regardless of user input.
• tkeyutil has been updated to v0.0.9. This resolves a bug on USS input for Windows.
• tkeyclient has been updated to v1.1.0.
• tkeysign has been updated to v1.0.1.
• Update Go packages.

Full changelog.

Note: This is a major release that changes the Ed25519 key pair.

Reproducible builds:

We're currently building releases with goreleaser using Go 1.22.2.

You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries.

On macOS tkey-sign is unfortunately not statically linked. The binary was built on macOS with uname:

Darwin Kernel Version 22.6.0: Tue Nov  7 21:42:24 PST 2023; root:xnu-8796.141.3.702.9~2/RELEASE_ARM64_T6020 arm64

Changelog:

• --version now also outputs version of embedded device app.
• Builds releases and OS packages with goreleaser.
• tkey-device-signer has been updated to v1.0.0. WARNING: Breaks CDI! Generates new key pair.
• tkeyclient has been updated to v1.0.0.
• tkeysign has been updated to v1.0.0.

Full changelog.

Changelog

• bb10426 README: Add note about reproducible builds
• cca1707 Unify build flags
• 7225606 Goreleaser: split builds, add signing for macos, add support for brew , change naming of archives
• 728ac24 build scripts: Add git pull
• 7f428b9 Release notes for v0.0.8
• a28a73f Update to device signer v0.0.8
• b563b0a Add architecture for podman target
• 78c63ce Add pre-compiled signer device app
• 30f02fe Update Go packages
• 51384ec lint: Use GH action and local install
• 1920241 Make tkey-sign more compatible with OpenBSD signify
• e0ddfbe Add goreleaser support
• f55cbd7 Add a tkey-sign man page
• a27d407 Move Go files under cmd/tkey-sign
• d6188b0 Add --version and global --help
• 98b2fab Added missing windows build to make clean
• eab4d74 Use variables in build-podman, update README
• 055bf8c Add extra check for right signer
• 2a4eca2 Build statically unless macOS
• f235491 Make build.sh a little more resiliant
• 4b687ec Add build-podman.sh
• 1e6ef79 Use tkeyclient v0.0.8
• 8f14661 Bump version of golang.org/x/crypto & github.com/tillitis/tkeyutil
• 0986f7f Add support for signing files of arbitrary size
• fb5448f Adding tkey-sign verify, to be able to verify signatures
• 6cb5260 Refactor signing the file into a function
• 816c0a4 Update docs
• 4d635cf Support entering USS or USS file
• cddefd6 Use tags for tkey-lib and tkey-device-signer
• 0ac5013 Update Go packages
• 5d86a70 Use DetectSerialPort from tkeyclient
• ea23ad4 Embed the signer binary into tkey-sign