Release 2024-10-31T07-42-41Z

Changelog

• 60e5ae2 update goreleaser check complaints
• d3b6494 vault: delay the usage of renewed auth tokens (#488)

Release 2024-09-11T07-22-50Z

Changelog

• db17a10 vault: do not reuse TCP connections (#486)

Release 2024-09-03T10-39-51Z

Changelog

• 1da59a0 entrust: Close body to avoid some conn leaks (#485)
• bc4783a fix: remove tab character from example yaml config as it is invalid (#479)
• c07d23a vault: renew token earlier (#481)

Release 2024-08-16T14-39-28Z

Changelog

• c1fa6dc Fix name of application (#475)
• 0d1464e entrust: use reasonable defaults for HTTP transport (#477)
• ca6a5b9 update go.mod dependencies (#473)
• ef3f85c vault: clone client TLS config and headers for status checks (#476)

Release 2024-06-17T15-47-05Z

Changelog

• f111da8 Fix identity new --ip example (#467)
• 4b6f9dc Upgrade to non-legacy Azure SDK (#459)
• e9f73b9 cmd/kes: add support for migrating keys to minkms (#465)
• fe54489 cmd: add kes ls command (#464)
• 802ce81 cmd: support private keys in kes identity (#461)
• 12195cc fix goroutine leak when reloading server config (#469)
• e06e710 update dependencies (#462)

Release 2024-04-12T13-50-00Z

Release Notes

Release 2024-04-12T13-50-00Z is a bugfix that fixes bugs cache garbage collection.
Before, the KES server did not expiry cache entries correctly when offline caching was enabled. In particular, it did not honor the
offline expiry in all cases.

What's Changed

• fix: typos, upgrade linter and CI go-version by @harshavardhana in #456
• vault: improve Vault API interaction by @aead in #458
• Remove 'rm' from list by @ramondeklein in #457
• set cache default values as documented by @aead in #460

New Contributors

• @ramondeklein made their first contribution in #457

Full Changelog: 2024-03-28T12-56-37Z...2024-04-12T13-50-00Z

Release 2024-03-28T12-56-37Z

Release Notes

Release 2024-03-13T17-52-13Z is a bugfix release that fixes bugs in the Gemalto/Thales and Fortanix backend.

What's Changed

• Update client.go (#454)
• keystore: use pre-configured client for {Gemalto,Fortanix} status check (#455)

Full Changelog: 2024-04-12T13-50-00Z...2024-03-28T12-56-37Z

Release 2024-03-13T17-52-13Z

Release Notes

Release 2024-03-13T17-52-13Z is a bugfix release that fixes two issues:

• PR #451 fixes a resource leak in the AWS, GCP, Fortanix and Gemalto backend that can cause OOM issues.
• PR #453 fixes an authentication issue that can cause connection failures since the server "just" requested, but not demanded a client certificate. Hence, clients might not send one causing authentication to fail. Now, the KES server requires a client certificate.

---

What's Changed

• keystore: fix conn leak in {AWS,GCP,Fortanx,Gemalto} backend by @aead in #451
• require a TLS client certificate by default by @aead in #453

Full Changelog: 2024-03-01T18-06-46Z...2024-03-13T17-52-13Z

Release 2024-03-01T18-06-46Z

Changelog

• 8ecd396 azure: Close http response body (#450)

Release 2024-02-29T08-12-28Z

Release Notes

Release 2024-02-29T08-12-28Z adds a new HMAC server API, introduces a new and more efficient ciphertext format and contains bug fixes for prometheus metrics.

Added

• The KES server provides the /v1/key/hmac/<key-name> API can be used to compute a deterministic checksum over a message. It may
  be used to check if a message has been modified. The HMAC API is only available for newly created keys. Existing keys do not support
  this API.
• The KES repository contains a Grafana dashboard example that can be used to visualize server metrics.

Changed

• The KES server uses a new ciphertext format when encrypting messages or generating data encryption keys. This format is more efficient since ciphertexts are now ~40% smaller. This reduces network traffic and storage space when requesting and storing many data key ciphertexts. The server is backwards compatible and still accepts previous ciphertext formats. However, it's no longer possible to
  downgrade to a version before this release after upgrade to this or any future versions. The reason is that existing KES server versions
  don't recognize the new ciphertext format and fail to decrypt it. Hence, this change is backwards but not forward compatible.

What's Changed

• add HMAC API and use KMS secret key crypto by @aead in #433
• add HMAC API test by @aead in #434
• fix: set client CAs for mTLS auth by @lu1as in #437
• ci: fix linter warnings by @aead in #440
• Edit sample YAML config for easier importing to web docs by @feorlen in #442
• fix: return updating http metrics by @DimkaGorhover in #444
• seperating zsh and bash autocomplete by @zveinn in #441
• Added KES grafana dashboard by @shtripat in #447
• update SDK dependency by @aead in #448
• Fix go.sum for release by @donatello in #449

New Contributors

• @feorlen made their first contribution in #442
• @DimkaGorhover made their first contribution in #444
• @zveinn made their first contribution in #441

Full Changelog: 2024-01-11T13-09-29Z...2024-02-29T08-12-28Z