From 62e57f2073a94ad0b797ee1e9fb6d63a3b196844 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Tue, 19 Apr 2022 21:24:21 +0200
Subject: [PATCH 1/7] Update changelog for v0.19.0
---
CHANGELOG.md | 38 ++++++++++++++++++++++++++++++--------
1 file changed, 30 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb9ea0f9..916d9148 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,19 +4,41 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [Unreleased - 0.18.3] - DATE +## [Unreleased - 0.19.1] - DATE ### Added -- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`. -- Added support for `extraNames` in X.509 templates. -- Added RA support using a Vault instance as the CA. -- Added support for automatic configuration of linked RAs. ### Changed -- Made SCEP CA URL paths dynamic -- Support two latest versions of Go (1.17, 1.18) ### Deprecated ### Removed ### Fixed +### Security + +## [0.19.0] - 2022-04-19 +### Added +- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`. +- Added support for `extraNames` in X.509 templates. +- Added `armv5` builds. +- Added RA support using a Vault instance as the CA. +- Added `WithX509SignerFunc` authority option. +- Added a new `/roots.pem` endpoint to download the CA roots in PEM format. +- Added support for Azure `Managed Identity` tokens. +- Added support for automatic configuration of linked RAs. +- Added support for the `--context` flag. It's now possible to start the + CA with `step --context=abc` to use the configuration from context `abc`. + When a context has been configured and no configuration file is provided + on startup, the configuration for the current context is used. +- Added startup info logging and option to skip it (`--quiet`). +### Changed +- Made SCEP CA URL paths dynamic. +- Support two latest versions of Go (1.17, 1.18). +- Upgrade go.step.sm/crypto to v0.16.1. +- Upgrade go.step.sm/linkedca to v0.15.0. +### Deprecated +- Go 1.16 support. +### Removed +### Fixed - Fixed admin credentials on RAs. +- Fixed ACME HTTP-01 challenges for IPv6 identifiers. +- Various improvements under the hood. 
### Security ## [0.18.2] - 2022-03-01 @@ -52,7 +74,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - Support for multiple certificate authority contexts. - Support for generating extractable keys and certificates on a pkcs#11 module. ### Changed -- Support two latest versions of golang (1.16, 1.17) +- Support two latest versions of Go (1.16, 1.17) ### Deprecated - go 1.15 support From 714b5e61e2951de15c77e1b2fc40140bec739182 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Tue, 19 Apr 2022 22:50:28 +0200 Subject: [PATCH 2/7] Fix `step` -> `step-ca` --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 916d9148..fdd504e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - Added support for Azure `Managed Identity` tokens. - Added support for automatic configuration of linked RAs. - Added support for the `--context` flag. It's now possible to start the - CA with `step --context=abc` to use the configuration from context `abc`. + CA with `step-ca --context=abc` to use the configuration from context `abc`. When a context has been configured and no configuration file is provided on startup, the configuration for the current context is used. - Added startup info logging and option to skip it (`--quiet`). From 18ca66069efa1ff7b2216144ba709d2314a20d44 Mon Sep 17 00:00:00 2001 From: max furman Date: Tue, 19 Apr 2022 14:16:27 -0700 Subject: [PATCH 3/7] [action] issue uploading to scoop - attempt setting goamd64 --- .goreleaser.yml | 42 ++++-------------------------------------- 1 file changed, 4 insertions(+), 38 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 441d5785..6886a88a 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -29,6 +29,7 @@ builds: binary: bin/step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} + goamd64: v1 - id: step-cloudkms-init env: @@ -50,6 +51,7 @@ builds: binary: bin/step-cloudkms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} + goamd64: v1 - id: step-awskms-init env: @@ -71,6 +73,7 @@ builds: binary: bin/step-awskms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} + goamd64: v1 archives: - @@ -231,41 +234,4 @@ scoop: # Default is empty. license: "Apache-2.0" - #dockers: - # - dockerfile: docker/Dockerfile - # goos: linux - # goarch: amd64 - # use_buildx: true - # image_templates: - # - "smallstep/step-cli:latest" - # - "smallstep/step-cli:{{ .Tag }}" - # build_flag_templates: - # - "--platform=linux/amd64" - # - dockerfile: docker/Dockerfile - # goos: linux - # goarch: 386 - # use_buildx: true - # image_templates: - # - "smallstep/step-cli:latest" - # - "smallstep/step-cli:{{ .Tag }}" - # build_flag_templates: - # - "--platform=linux/386" - # - dockerfile: docker/Dockerfile - # goos: linux - # goarch: arm - # goarm: 7 - # use_buildx: true - # image_templates: - # - "smallstep/step-cli:latest" - # - "smallstep/step-cli:{{ .Tag }}" - # build_flag_templates: - # - "--platform=linux/arm/v7" - # - dockerfile: docker/Dockerfile - # goos: linux - # goarch: arm64 - # use_buildx: true - # image_templates: - # - "smallstep/step-cli:latest" - # - "smallstep/step-cli:{{ .Tag }}" - # build_flag_templates: - # - "--platform=linux/arm64/v8" + goamd64: v1 From 27b3d82f1d2d76d958253ff24ff52ba2449fbde0 Mon Sep 17 00:00:00 2001 From: max furman Date: Tue, 19 Apr 2022 14:30:32 -0700 Subject: [PATCH 4/7] [action] goamd64 another attempt at fix --- .goreleaser.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 6886a88a..74c269e0 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -29,7 +29,8 @@ builds: binary: bin/step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - goamd64: v1 + goamd64: + - v1 - id: step-cloudkms-init env: @@ -51,7 +52,8 @@ builds: binary: bin/step-cloudkms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - goamd64: v1 + goamd64: + - v1 - id: step-awskms-init env: @@ -73,7 +75,8 @@ builds: binary: bin/step-awskms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - goamd64: v1 + goamd64: + - v1 archives: - From 605a959029d1a05dbfdb4a3f1c5fcf8a62d788fd Mon Sep 17 00:00:00 2001 From: max furman Date: Tue, 19 Apr 2022 14:53:47 -0700 Subject: [PATCH 5/7] [action] attempt to pin goreleaser version --- .github/workflows/release.yml | 2 +- .goreleaser.yml | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ab7084d..c90d949a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -139,7 +139,7 @@ jobs: name: Run GoReleaser uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0 with: - version: latest + version: 'v1.7.0' args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.PAT }} diff --git a/.goreleaser.yml b/.goreleaser.yml index 74c269e0..7d57e657 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -29,8 +29,6 @@ builds: binary: bin/step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - goamd64: - - v1 - id: step-cloudkms-init env: @@ -52,8 +50,6 @@ builds: binary: bin/step-cloudkms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - goamd64: - - v1 - id: step-awskms-init env: @@ -75,8 +71,6 @@ builds: binary: bin/step-awskms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - goamd64: - - v1 archives: - @@ -236,5 +230,3 @@ scoop: # Your app's license # Default is empty. license: "Apache-2.0" - - goamd64: v1 
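Review bot: The new `version: 'v1.7.0'` pin in the Run GoReleaser step of .github/workflows/release.yml carries no comment saying why that release was chosen or when it can be lifted, so it is likely to stay frozen while upstream fixes accumulate in the tool that builds and publishes the release artifacts. Judging from the commit subjects in this series the pin looks like a workaround for the scoop upload failure; I would record that inline, e.g. `version: 'v1.7.0' # pinned as a workaround for the scoop upload failure; bump deliberately, never back to latest`. Pinning rather than `latest` is the right direction for a step that runs with `secrets.PAT`, and the action itself is already pinned by commit SHA in the context line. The step's definition starts and ends outside the hunk.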
From 97b64aa8512f2d1bb587e6358f762d8be5e46f0c Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 20 Apr 2022 09:24:53 -0700 Subject: [PATCH 6/7] Cosmetic fix for consistency in the startup messages --- ca/ca.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ca/ca.go b/ca/ca.go index 0d4f1578..0380d166 100644 --- a/ca/ca.go +++ b/ca/ca.go @@ -321,7 +321,7 @@ func (ca *CA) Run() error { log.Printf("X.509 Root Fingerprint: %s", x509util.Fingerprint(crt)) } if authorityInfo.SSHCAHostPublicKey != nil { - log.Printf("SSH Host CA Key is %s\n", authorityInfo.SSHCAHostPublicKey) + log.Printf("SSH Host CA Key: %s\n", authorityInfo.SSHCAHostPublicKey) } if authorityInfo.SSHCAUserPublicKey != nil { log.Printf("SSH User CA Key: %s\n", authorityInfo.SSHCAUserPublicKey) From 340aa3206c1b01177292eb9347c17d851e806370 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 20 Apr 2022 09:48:06 -0700 Subject: [PATCH 7/7] We now have an armv5 step-ca build; remove guard clause from RA install script --- scripts/install-step-ra.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scripts/install-step-ra.sh b/scripts/install-step-ra.sh index 1da64ed6..74aa1914 100644 --- a/scripts/install-step-ra.sh +++ b/scripts/install-step-ra.sh @@ -38,11 +38,6 @@ case $arch in armv7*) arch="armv7" ;; esac -if [ "$arch" = "armv5" ]; then - echo "This script doesn't work on armv5 machines" - exit 1 -fi - if ! hash jq &> /dev/null; then echo "This script requires the jq commmand; please install it." exit 1
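Review bot: In the ca/ca.go hunk the two SSH lines still end their format string with `\n` while the X.509 fingerprint line above them does not, so the startup messages remain inconsistent in form after the wording fix. If `log` here is the standard library logger the trailing newline is redundant, since it appends one when missing; I would write `log.Printf("SSH Host CA Key: %s", authorityInfo.SSHCAHostPublicKey)` and the same for the User CA line. Operators copy these fingerprint and key lines when bootstrapping trust, so a uniform `Label: value` shape is worth keeping exact. Run's body starts and ends outside the hunk.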