v2.0.2

What's Changed

• Error in case the delegated role is missing from the snapshot by @rdimitrov in #652

Full Changelog: v2.0.1...v2.0.2

v2.0.1

What's Changed

Security

• Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by @rdimitrov (Thanks to @AdamKorcz for reporting it). This fixes CVE-2024-47534 GHSA-4f8r-qqr9-fq8j

Other

• Update MAINTAINERS.md by @trishankatdatadog in #647
• Update the staging TUF repo in the multi-repo example by @rdimitrov in #650
• Fix branch name in multi-repo client example by @rdimitrov in #651

Full Changelog: v2.0.0...v2.0.1

v2.0.0

Breaking changes

• This is the first release of go-tuf v2 and it's a complete re-write indicated by the new major version.
• We also decided to leave go-tuf as a library only.

What's Changed

• chore: fixes the CI status badge and updates the README.md file by @rdimitrov in #569
• chore(deps): bump securesystemslib from 0.30.0 to 0.31.0 by @dependabot in #570
• docs: add Marvin Drees to the list of go-tuf maintainers by @rdimitrov in #571
• chore(deps): bump actions/setup-python from 4.7.1 to 5.0.0 by @dependabot in #572
• chore: enable grouping of minor and patch updates. by @kommendorkapten in #580
• fix: update tests.yml bumping golangci-lint by @rdimitrov in #582
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #573
• chore(deps): bump github/codeql-action from 2 to 3 by @dependabot in #574
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #575
• chore(deps): bump golang.org/x/term from 0.15.0 to 0.16.0 by @dependabot in #577
• chore(deps): bump the minor-patch group with 2 updates by @dependabot in #581
• feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 by @rdimitrov in #583
• Update license from BSD-2-Clause to Apache-2.0 by @rdimitrov in #585
• chore(deps): bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 by @dependabot in #584
• Replace main with master in workflows by @kipz in #587
• Do not pin to minor Go versions in go.mod by @rdimitrov in #588
• Fixes for windows & enable in CI by @kipz in #586
• Bring back SECURITY.md by @trishankatdatadog in #591
• remove dependency on golang.org/x/exp by @mikedanese in #600
• Refactor errors to use pointer receivers by @codysoyland in #602
• move testutils under an ./internal/ directory by @mikedanese in #601
• Enable macos and windows runners for examples.yml and tests.yml by @rdimitrov in #604
• Do not run CI for all Go versions and use caching by @rdimitrov in #606
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @dependabot in #610
• Don't rename unless file is in same dir by @jonnystoten in #603
• Use filepath.Join when combining filesystem components by @kommendorkapten in #611
• Always use forward slash when splitting target names by @kommendorkapten in #612
• chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @dependabot in #614
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in #615
• chore(deps): use stdlib ed25519 instead of x by @MDr164 in #620
• chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @dependabot in #621
• chore(ci): bump action hashes by @MDr164 in #618
• chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @dependabot in #622
• Silence govulncheck by @MDr164 in #619
• feat: replace logrus in sim with slog by @MDr164 in #617
• repository_simulator_setup.go: Use filepath.Join() instead of concatenation by @udf2457 in #624
• Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf by @rdimitrov in #626
• fix: use SHA384 for ECDSA P384 by @mrjoelkamp in #629
• chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #627
• Remove nil error from being printed in "persist metadata" error message by @malancas in #633
• fix: deep targets file path by @mrjoelkamp in #632
• feat: add missing CODEOWNERS and MAINTAINERS file by @MDr164 in #635
• Update MAINTAINERS by @trishankatdatadog in #636
• chore(deps): bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @dependabot in #637
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #640
• fix: configurable temp file directory by @mrjoelkamp in #638
• export API to set RefTime of Updater by @AdamKorcz in #641
• Add the ability to customize the HTTP user agent by @steiza in #642
• Increase the default value for MaxRootRotations by @kommendorkapten in #645

New Contributors

• @kipz made their first contribution in #587
• @mikedanese made their first contribution in #600
• @codysoyland made their first contribution in #602
• @jonnystoten made their first contribution in #603
• @MDr164 made their first contribution in #620
• @mrjoelkamp made their first contribution in #629
• @malancas made their first contribution in #633
• @AdamKorcz made their first contribution in #641
• @steiza made their first contribution in #642

Full Changelog: v0.7.0...v2.0.0

v0.7.0

Changelog

Breaking

Hello,

As a continuation of #485, we are starting the process of deprecating the existing https://github.com/theupdateframework/go-tuf code base in favour of https://github.com/rdimitrov/go-tuf-metadata.

Reasoning:

• The reasoning behind this is explained in #485, but essentially the new code base is much simpler, easier to work with and last but not least, easier to maintain and contribute to. The last two have been longstanding issues for go-tuf and we are looking forward to address them with this change.
• Deep thank you to all of the people that helped shaping this effort!

Details:

• This will not happen straight away!
• We'll continue to support this version in a separate branch(v0.7.0) until the migration process is considered as completed.
• We advise all users to pin their dependencies of go-tuf to a certain release version (in case they haven't already) so they don't experience any inconveniences.
• We'll continue to use the https://github.com/theupdateframework/go-tuf repository, but its content will be updated to accommodate the changes. We'll start introducing the go-tuf-metadata code base to the master branch of go-tuf, so technically there will be times where the master branch might be considered unstable (which is a general practice).
• Even though go-tuf is pre-v1.0.0 and technically there are no API commitments to be followed, we won't release a v1.0.0 either with the new code base until it is well tested and we are sure of its stability.

Apologies for the disruption and thank you in advance for the understanding!

Yours,
The go-tuf maintainers team.

---

Features

• 14ed751: feat: Add-Signature to support new formats of input (#538) (@ChevronTango)
• 70d3a54: feat: #528 Add-Key to a role (#535) (@ChevronTango)
• 6e07500: feat: 536 Add Gitpod config to project (#537) (@ChevronTango)

Bug fixes

• 9570146: fix: Set sig to Array when empty (#533) (@ChevronTango)
• 582126a: fix: add-signature to read from stdin (#534) (@ChevronTango)
• 58f321a: fix(localMeta): Ignore deleted delegated targets (#522) (@BaptisteFoy)

Others

• f205b79: chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (#542) (@dependabot[bot])
• cdae812: chore(deps): bump shogo82148/actions-goveralls from 1.7.0 to 1.8.0 (#544) (@dependabot[bot])
• 3ff5aa7: chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#543) (@dependabot[bot])
• fe99435: chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#547) (@dependabot[bot])
• 9099aaa: chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#548) (@dependabot[bot])
• 3a50777: chore(deps): bump arnested/go-version-action from 1.1.12 to 1.1.13 (#549) (@dependabot[bot])
• 308e63e: chore(deps): bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#553) (@dependabot[bot])
• 0107a72: chore(deps): bump securesystemslib from 0.28.0 to 0.29.0 (#552) (@dependabot[bot])
• 057cf19: chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#550) (@dependabot[bot])
• 1f8a2d8: chore(deps): bump actions/checkout from 3 to 4 (#551) (@dependabot[bot])
• 35c71e4: chore(deps): bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 (#554) (@dependabot[bot])
• ca61fb0: chore(deps): bump securesystemslib from 0.29.0 to 0.30.0 (#557) (@dependabot[bot])
• 257ce1a: chore(deps): bump golang.org/x/term from 0.12.0 to 0.13.0 (#559) (@dependabot[bot])
• dde2ad4: chore(deps): bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#560) (@dependabot[bot])
• c544d32: chore(deps): bump actions/setup-python from 4.7.0 to 4.7.1 (#561) (@dependabot[bot])
• c9be819: chore(deps): bump amannn/action-semantic-pull-request from 5.2.0 to 5.3.0 (#555) (@dependabot[bot])
• dfef2ca: chore(deps): bump tuf from 3.0.0 to 3.1.0 (#562) (@dependabot[bot])
• 2258ee1: chore(deps): bump iso8601 from 2.0.0 to 2.1.0 (#558) (@dependabot[bot])
• 9301e5a: chore(deps): bump amannn/action-semantic-pull-request from 5.3.0 to 5.4.0 (#563) (@dependabot[bot])
• 17b6205: chore(deps): bump arnested/go-version-action from 1.1.13 to 1.1.14 (#564) (@dependabot[bot])
• beddac2: chore(deps): bump golang.org/x/term from 0.13.0 to 0.14.0 (#565) (@dependabot[bot])
• 6ad7fe5: chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.16.0 (#568) (@dependabot[bot])

v0.6.1

Changelog

Bug fixes

• ca0c316: fix: fail to load deprecated ecdsa verifier (#541) (@rdimitrov)

Others

• 8efd6cd: test: add python-tuf v3.0.0 support (#515) (@rdimitrov)
• 7b85661: chore: add govulncheck and bump Go to 1.20 (#523) (@rdimitrov)
• 4e4f7f3: chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 (#519) (@dependabot[bot])
• ad706ed: chore(deps): bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#539) (@dependabot[bot])

v0.6.0

Changelog

Breaking changes

• 9774d79: feat!: add deprecating message for the encrypted package (#521) (@rdimitrov)

Features

• 6aa3072: feat: increase scrypt parameters (#470) (@Zenithar)

Bug fixes

• 5a019c3: fix: golangci-lint failures when tested against Go 1.20 (#457) (@rdimitrov)
• 6b93a5a: fix: sign-payload shouldn't recanonicalize payload (#479) (@znewman01)
• 2adcfe7: fix: Update the ecdsa key type to the latest spec (1.0.32). (#508) (@kommendorkapten)

Others

• 2cea368: chore(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#453) (@dependabot[bot])
• f077110: chore(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#451) (@dependabot[bot])
• 0cd000c: chore(deps): bump arnested/go-version-action from 1.1.6 to 1.1.7 (#454) (@dependabot[bot])
• fab805a: chore(deps): bump amannn/action-semantic-pull-request from 5.0.2 to 5.1.0 (#458) (@dependabot[bot])
• 96a25a4: chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#466) (@dependabot[bot])
• 075e800: chore(deps): bump golang.org/x/term from 0.0.0-20210927222741-03fcf44c2211 to 0.5.0 (#465) (@dependabot[bot])
• 7b0f249: chore(deps): bump golang.org/x/crypto from 0.0.0-20211117183948-ae814b36b871 to 0.6.0 (#464) (@dependabot[bot])
• c386074: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.4.0 to 0.5.0 (#459) (@dependabot[bot])
• ad9ad10: chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#468) (@dependabot[bot])
• ba794d1: chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#469) (@dependabot[bot])
• d271873: chore(deps): bump securesystemslib from 0.26.0 to 0.27.0 (#471) (@dependabot[bot])
• 493ab6c: chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 (#472) (@dependabot[bot])
• 7f231b3: chore(deps): bump amannn/action-semantic-pull-request from 5.1.0 to 5.2.0 (#473) (@dependabot[bot])
• 7cddf58: docs: Update install instructions in README (#474) (@haydentherapper)
• 30b7aae: chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#477) (@dependabot[bot])
• ab35782: chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#478) (@dependabot[bot])
• c7d649b: ci(build): Add arm64 to build (#463) (@udf2457)
• 7986772: chore(deps): bump arnested/go-version-action from 1.1.7 to 1.1.8 (#480) (@dependabot[bot])
• 7a57438: chore(deps): bump securesystemslib from 0.27.0 to 0.28.0 (#481) (@dependabot[bot])
• c79b5e6: chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 (#482) (@dependabot[bot])
• 8edc996: chore(deps): bump shogo82148/actions-goveralls from 1.6.0 to 1.7.0 (#483) (@dependabot[bot])
• e077a68: chore(deps): bump requests from 2.28.2 to 2.29.0 (#484) (@dependabot[bot])
• 39f588c: chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#487) (@dependabot[bot])
• dfbd21a: chore(deps): bump requests from 2.29.0 to 2.30.0 (#488) (@dependabot[bot])
• 56698a3: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.5.0 to 0.6.0 (#486) (@dependabot[bot])
• b4feccd: chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#489) (@dependabot[bot])
• ed58d45: chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (#491) (@dependabot[bot])
• e9da9a9: chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#493) (@dependabot[bot])
• d1450a5: chore: Bump spec version (#495) (@znewman01)
• 401f689: chore(deps): bump requests from 2.30.0 to 2.31.0 (#496) (@dependabot[bot])
• a41f2d2: chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#497) (@dependabot[bot])
• 1f98392: chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#498) (@dependabot[bot])
• 6e5284c: chore(deps): bump arnested/go-version-action from 1.1.8 to 1.1.9 (#499) (@dependabot[bot])
• c95b553: chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#501) (@dependabot[bot])
• 0bf668e: ci: Disable daily checking for version but not security updates (#500) (@trishankatdatadog)
• 44727bf: chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#502) (@dependabot[bot])
• 4e506c4: chore(deps): bump iso8601 from 1.1.0 to 2.0.0 (#503) (@dependabot[bot])
• c844873: docs: add go-tuf security assessment report (#504) (@rdimitrov)
• 842dc87: chore(deps): bump golang.org/x/term from 0.8.0 to 0.9.0 (#505) (@dependabot[bot])
• caa9677: chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#507) (@dependabot[bot])
• f21355b: chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#506) (@dependabot[bot])
• 31dbaec: docs: added myself (kommendorkapten) as a maintainer (#510) (@kommendorkapten)
• 6adc195: chore(deps): bump arnested/go-version-action from 1.1.9 to 1.1.11 (#511) (@dependabot[bot])
• 4b9fd32: docs: add list with alternative implementations (#169) (@mnm678)
• aa1a857: chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0 (#513) (@dependabot[bot])
• 5ed6239: chore(deps): bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#514) (@dependabot[bot])
• 030ef07: chore(deps): bump arnested/go-version-action from 1.1.11 to 1.1.12 (#520) (@dependabot[bot])
• e2f53d9: chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.6.0 to 0.7.0 (#518) (@dependabot[bot])

v0.5.2

Changelog

Features

• 3890c1e: feat: Add Filesystem based remote store to support airgap. (#397) (@vaikas)

Bug fixes

• f75cbcc: fix(cmd): fix logging of help message (#395) (@asraa)
• adbdc7d: fix(data): add back SnapshotFileMeta.Custom (#373) (@arbll)
• 4705874: fix: fix delegation null json value interoperability (#410) (@asraa)
• 047cdb3: fix: fix verification to continue on invalid sigs (#418) (@asraa)
• 7e86441: fix(localMeta): Add delegated targets back to localMeta (#384) (@BaptisteFoy)

Others

• 8a4aabf: test: update lint CI parameters (#394) (@znewman01)
• 6ea14f5: chore: update TUF spec version to 1.0.31 (#393) (@znewman01)
• e56ccf6: chore(deps): bump amannn/action-semantic-pull-request from 4.5.0 to 4.6.0 (#398) (@dependabot[bot])
• b611a26: docs: fix broken link (#401) (@znewman01)
• 4f55897: test: Do not fail-fast when CI runs. (#403) (@vaikas)
• 22f95c0: chore(deps): bump iso8601 from 1.0.2 to 1.1.0 (#404) (@dependabot[bot])
• 2541d68: docs: fix broken link (#405) (@abs007)
• b4b954d: chore(deps): bump arnested/go-version-action from 1.1.5 to 1.1.6 (#408) (@dependabot[bot])
• 14853e3: chore: update release notes breaking change regex (#409) (@znewman01)
• 0f8d7fe: docs: mention breaking changes in PR template (#413) (@znewman01)
• 6f22146: chore(deps): bump actions/setup-python from 4.2.0 to 4.3.0 (#414) (@dependabot[bot])
• b4c6f5a: chore(deps): bump amannn/action-semantic-pull-request from 4.6.0 to 5.0.0 (#415) (@dependabot[bot])
• 3f725e2: docs: add security.md (#412) (@asraa)
• 39613e3: chore(deps): bump amannn/action-semantic-pull-request from 5.0.0 to 5.0.1 (#416) (@dependabot[bot])
• 81884a3: chore(deps): bump amannn/action-semantic-pull-request from 5.0.1 to 5.0.2 (#419) (@dependabot[bot])
• fff5e69: chore(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#421) (@dependabot[bot])
• 680a077: chore(deps): bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 (#420) (@dependabot[bot])
• 7d83cf2: chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#423) (@dependabot[bot])
• 64bd805: chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#424) (@dependabot[bot])
• cfd009d: docs: Remove ethan-lowman-dd from maintainers (#428) (@ethan-lowman-dd)
• 2ac63f7: docs: Update MAINTAINERS (#430) (@trishankatdatadog)
• 901213d: chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (#433) (@dependabot[bot])
• 535756a: chore: Update interop tests for new python-tuf release 2.0.0 (#434) (@joshuagl)
• 00e8129: docs: Use Github's vulnerability reporting (#432) (@mnm678)
• c803c81: chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#435) (@dependabot[bot])
• 9cb61d6: chore: elevate GitHub token permissions for release.yml workflow (#437) (@rdimitrov)
• 3889ddd: chore(deps): bump actions/setup-python from 4.3.0 to 4.4.0 (#443) (@dependabot[bot])
• f310d5e: chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#441) (@dependabot[bot])
• a6e32be: chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#442) (@dependabot[bot])
• 5f964cf: chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 (#445) (@dependabot[bot])
• 8f585b5: chore(deps): bump requests from 2.28.1 to 2.28.2 (#446) (@dependabot[bot])
• 66a4473: chore(deps): bump securesystemslib from 0.25.0 to 0.26.0 (#448) (@dependabot[bot])
• 2b21357: chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#447) (@dependabot[bot])
• 91c85a0: test: add tests for rollback protection on snapshot, targets, delegations (#450) (@asraa)

v0.5.1

Changelog

Features

• 7097fd8: feat: Adds a new raw file metadata storage for clients (#347) (@kommendorkapten)
• f237d7c: feat: pass logger into repo and client (#385) (@asraa)

Bug fixes

• a9ddd89: fix: fix IsTopLevelManifest calculation for versioned manifests (#381) (@asraa)
• 040092c: fix: abandon updates if timestamp.json isn't new (#387) (@znewman01)

Others

• 13eff30: chore(deps): bump securesystemslib from 0.22.0 to 0.24.0 (#383) (@dependabot[bot])
• 0e33cdf: docs: Add docs for adding and rotating root keys (#389) (@mnm678)
• 7f9beab: chore: update TUF spec version (#392) (@znewman01)

v0.5.0

Changelog

Features

• 61872a3: feat: Support ecdsa and RSA keys (#270 with backwards compatibility) (#357) (@asraa)

v0.3.2

Changelog

Bug fixes

• b6695e4: fix(verify): backport "Fix a vulnerability in the verification of threshold si… (#375) (@znewman01)