- Go checksum database error on installation due to deleting a tag
- Dependabot updates
v1.2.1 includes a minor bug fix to set the SignedData version value in a timestamp response as per the RFC.
- Bump digitorus/timestamp version to pick up RFC correctness fix (#584)
v1.2.0 is based on Go 1.21.3.
- Support other hash algs for pre-signed timestamp besides SHA256 (#488)
- new http-ping-only flag for 'timestamp-server serve' (#474)
- Fix bug where TSA signing fails if cert hash != content hash. (#465)
- expand README on Cloud KMS deployment (#476)
- upgrade to Go1.21 (#471)
- Billy Lynch
- Carlos Tadeu Panato Junior
- Dmitry Savintsev
- Hayden B
1.1.2 fixes a signing related hash function bug and a typo.
- Fix hash function hardcoding bug by updating dependency (sigstore#452)
- Fix typo in OpenAPI spec (sigstore#419)
- Update GoReleaser flag (sigstore#356)
- Carlos Tadeu Panato Junior
- Dmitry Savintsev
- Meredith Lancaster
1.1.1 fixes a bug in the JSON format request code.
- Update how the JSON body is parsed (sigstore#343)
- Meredith Lancaster
1.1.0 now supports making timestamp requests in JSON format in addition to DER encoded format.
- Support timestamp requests in JSON format (sigstore#247)
- Fix typo in README (sigstore#294)
- Andrea Cosentino
- Meredith Lancaster
1.0 release of the timestamp authority. No changes from the previous release candidate.
Thank you to all contributors!
Note: This is a prerelease for 1.0. Please try it out and file issues!
- Upgrade to go 1.20.1 (sigstore#245)
- Update policy (sigstore#251, sigstore#262)
- Carlos Tadeu Panato Junior
- Hayden B
- Meredith Lancaster
Note: This is a prerelease for 1.0. Please try it out and file issues!
SLSA provenance is now uploaded with each release. Use slsa-verifier to verify the release.
- Mock NTP client (sigstore#217)
- Carlos Tadeu Panato Junior
- Hayden B
- Meredith Lancaster
0.2.1 now rejects timestamp requests that use SHA-1. For server operators, it now defaults to using NTP monitoring.
- Generate slsa provenance (sigstore#193)
- Use default NTP monitoring configuration (sigstore#186)
- Reject requests that use SHA-1 (sigstore#202)
- Update README with more details (sigstore#188)
- Hayden B
- Hector Fernandez
- Meredith Lancaster
0.2.0 improves the verification library (sigstore#121). The library now verifies the full certificate chain and additional properties of the timestamp.
- Start adding more verification with VerificationOpts struct (sigstore#153)
- Verify command returns the parsed timestamp (sigstore#174)
- Add intermediate and root verify flags (sigstore#180)
- Verify full certificate chain (sigstore#181)
- Add mock client (sigstore#175)
- Update timing accuracy statements in the policy document (sigstore#179)
- Hayden Blauzvern
- Meredith Lancaster
- Added an optional feature to compare the local time with a set of trusted ntp servers (sigstore#143)
- Register KMS providers (sigstore#160)
- Added .PHONY target for CLI rebuilding (sigstore#159)
- inspect: remove format flag (sigstore#155)
- Fredrik Skogman
- Hector Fernandez
- Meredith Lancaster
- neilnaveen
- Fix a bug where certChain was not set correctly (sigstore#140)
- Ville Aikas
- Update in memory signer to use intermediate certificate (sigstore#136)
- Move verify logic to pkg (sigstore#120)
- Require the file signer to specify the certificate chain (sigstore#137)
- Fix hashed message verification (sigstore#118)
- Update fetch TSA certs script for Tink (sigstore#111)
- Hayden Blauzvern
- Hector Fernandez
Initial release of sigstore/timestamp-authority
See the README for instructions on how to run the timestamp authority and fetch and verify signed timestamps.
- Carlos Tadeu Panato Junior (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- Meredith Lancaster (@malancas)