May 2024 - ST-announce - System Transparency mailing lists

st-1.0.0 collection release
by Rasmus Dahlberg 09 May '24

09 May '24

The ST team is happy to announce a new collection release: st-1.0.0. The tar archive and a corresponding signature can be downloaded at https://dist.system-transparency.org/ Authoritative ST release signing keys are published at https://www.system-transparency.org/keys/ The signature can be verified using the command ssh-keygen -Y verify -n file \ -f allowed-ST-release-signers \ -I releases(a)system-transparency.org \ -s st-1.0.0.tar.gz.sig < st-1.0.0.tar.gz The NEWS file in the tar archive summarizes changes since the previous release. An excerpt from the latest NEWS-file entry is included below for convenience. The tar archive also includes documentation that gets rendered at https://docs.system-transparency.org/st-1.0.0/ If you find any bugs, please file issues in the affected component repositories or report them on the System Transparency discuss list. https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… Cheers, The ST team NEWS for st-1.0.0 This is the first stable collection release of System Transparency. By "stable", we mean that subsequent releases within the same major version will be backwards compatible. The ST version 1 collection is supported for at least one year, until 2025-06-01. For information on how releases are made in System Transparency, see https://git.glasklar.is/system-transparency/project/docs/-/tree/main/conten…. The included components and their versions are specified in the collection's manifest file. Documentation for the collection can be generated from the included components, see docs. Documentation is also published at https://docs.system-transparency.org/st-1.0.0/. Compared to previous System Transparency releases that were more experimental, this collection release includes components with a few new features, improved backwards compatibility with systems provisioned using older tools and conventions, and much improved documentation. Some obsolete features with no known usage have been deleted. See the NEWS files of each component for details.

1 0

ANNOUNCE: stmgr-v0.3.3
by Niels Möller 07 May '24

07 May '24

The ST team is happy to announce a new release of the stmgr programm, tag v0.3.3, which succeeds the previous release at tag v0.2.2. The source code for this release is available from the git repository: git clone -b v0.3.3 https://git.glasklar.is/system-transparency/core/stmgr.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys, and the tag signature can be verified using the command git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.3.3 The expectations and intended use of the stmgr program is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stmgr/-/blob/main/RELEASES… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stmgr repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stmgr/-/issues Cheers, The ST team NEWS for stmgr v0.3.3 This release is an update to match the stboot-0.3.6 release. The main new features relate to signing: UKI executables can now be signed for Secure Boot. Signatures on OS packages and certificates can now use private keys accessed via the ssh-agent protocol, enabling use of keys residing on a more secure hardware device. Incompatible changes: * Generation of UKI files no longer defaults to using /usr/lib/systemd/boot/efi/linuxx64.efi.stub. It now defaults to a stub file embedded at stmgr compile time. (See uki/stub/README for which version is embedded). * The out-of-date "stmgr provision" subcommand has been deleted. New features and improvements: * Signing OS packages (stmgr ospkg sign) can now use ssh-agent to access the private signing key, see docs/manual.md. * Creating certificates (stmgr keygen certificate) used to always create a new keypair as part of the process. That key generation is now optional. More precisely, a root certificate can be created for a private key specified with the -rootKey option, including support for ssh-agent to access the private key. A leaf certificate can be created with the new -leafKey option specifying the public key to be certified. * Host config validation (stmgr hostconfig check) has been updated to match recent changes in stboot, including backwards compatibility. Submission of additional host config files to check in stmgr regression tests are welcome. * The command "stmgr uki create" can now optionally sign the generated UKI for Secure Boot; new flags: -signkey, -signcert. * Improved documentation, new docs/manual.md. Miscellaneous: * Improved integration tests. Compatibility: * This release implements the specifications at https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.2.0/cont… * Artifacts generated by this release of stmgr are tested with stboot pre-release version v0.3.5, and are expected to work with the stboot release v0.3.6. https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.3.6

1 0

stprov-v0.3.5 release
by Rasmus Dahlberg 03 May '24

03 May '24

The ST team is happy to announce a new release of the stprov software, tag v0.3.5, which succeeds the previous release at tag v0.2.1. The source code for this release is available from the git repository: git clone -b v0.3.5 https://git.glasklar.is/system-transparency/core/stprov.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys/ and the tag signature can be verified using the command git -c gpg.format=ssh \ -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.3.5 The expectations and intended use of the stprov software is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.3.5/RELEA… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stprov repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stprov/-/issues system-transparency-core-stprov-issues(a)incoming.glasklar.is Cheers, The ST team NEWS for stprov v0.3.5 This release mainly improves documentation, test coverage, and fixes bugs. There are a few minor features added relating to the stprov command-line UI, and a little bit of clean-up as summarized in the miscellaneous section. Incompatible changes * The -b option no longer accepts interface names that contain comma. Security fixes: * The -a option in stprov remote-run accepts addresses in CIDR notation, but falls back on /32 if an address omits the subnet mask. The same subnet mask was used for IPv6, resulting in a much larger subnet. This issue has been fixed, such that the default IPv6 subnet-mask is /128. Bug fixes * Produce host configurations that are compatible with stboot (stprov and stboot diverged on how to handle empty values, which has now been fixed). * Correctly set the host configuration fields "bonding_mode" and "bond_name". The bonded interface name is always set to "bond0". * Add a Makefile option for setting custom OS-package URLs. The built-in default used to be hardcoded without a good way of changing it. * Read TLS roots from a location that is consistent with stboot. The consulted location is "/etc/trust_policy/tls_roots.pem". * Several nits and confusions in the stprov usage message were fixed. New features: * Options with multiple values can be specified as a comma-separated list (-e val,val) and/or by repeating the option (-e val -e val). This makes the UX consistent for the -a, -b, and other multi-value options. * The -r option can accept multiple OS-package URLs. * The -d option can accept multiple DNS servers. The built-in default has as a result also been updated to include Quad9's secondary server. New documentation: * System documentation has been added, see docs/stprov-system.md. * Usage manual has been added, see docs/stprov-manual.md. Miscellaneous: * The OS package URL (-r) and user/password (-u/-p) options are no longer mutually exclusive. The user and password options are instead silently ignored for OS package URLs without the "user:password" pattern. * The host configuration fields "authentication" and "identity" were removed. So, the dummy "foo" and "bar" values are no longer written. Note that stprov never supported any real use of the removed fields. * The host configuration field "timestamp" was removed. In other words, the platform's host configuration no longer indicates a provisioning date. * Failing HEAD requests on OS package URLs are treated as errors rather than warnings. This behavior can be overridden with the force flag (-f). * Major improvements to the QEMU test coverage, see integration/qemu.sh. This release implements the following specifications: * The system documentation in this repository (docs/stprov-system.md) * https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.2.0/cont… * https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.2.0/cont… * https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.2.0/cont… This release has been tested to work with: * stboot's provision mode, release tag v0.3.6: https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.3.6 * ISO building using stmgr, pre-release tag v0.3.2: https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.3.2

1 0

2024

2023

ST-announce May 2024

2024

2023

ST-announce May 2024 ----- 2024 ----- September 2024 August 2024 July 2024 June 2024 May 2024 April 2024 March 2024 February 2024 January 2024 ----- 2023 ----- December 2023 November 2023

ST-announce May 2024