The ST team is happy to announce a new collection release: st-1.3.0.
The tar archive and a corresponding signature can be downloaded at
https://dist.system-transparency.org/
Authoritative ST release signing keys are published at
https://www.system-transparency.org/keys/
The signature can be verified using the command
    ssh-keygen -Y verify -n file \
        -f allowed-ST-release-signers \
        -I releases@system-transparency.org \
        -s st-1.3.0.tar.gz.sig < st-1.3.0.tar.gz
The NEWS file in the tar archive summarizes changes since the previous
release. An excerpt from the latest NEWS-file entry is included below
for convenience.
The tar archive also includes documentation that gets rendered at
https://docs.system-transparency.org/st-1.3.0/
If you find any bugs, please file issues in the affected component
repositories or report them on the System Transparency discuss list.
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l…
Cheers,
The ST team
---
NEWS for st-1.3.0
This collection release provides a few minor fixes and two major
features: support for Secure Boot provisioning and Sigsum logged OS
packages. The release is intended to be backwards compatible,
except for a new build-time requirement on Go version 1.23 or later.
The code components of st-1.3.0 are stboot v0.6.5, stmgr v0.6.6, and
stprov v0.5.4. Documentation is included in the collection, and it
is also published at https://docs.system-transparency.org/st-1.3.0/.
Features:
* stprov: provisioning of Secure Boot variables PK, KEK, db, and
  dbx. Associated HOW-TO guides are available in the documentation.
* stprov: it is optional to supply a file with TLS root certificates.
* stboot: support multiple OS package signing roots.
* stboot, stmgr: support for Sigsum signed OS packages. In other
  words, it is now possible to use signatures that are transparent.
* stmgr: new subcommands for verifying OS packages and creating ISOs
  from already existing UKIs.
Miscellaneous:
* stprov: improved logging, e.g., exactly what is being written to
  EFI NVRAM when and whether the different subcommands succeeded.
* stmgr: more helpful error messages on invalid command-line input.
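
The verification step from the st-1.3.0 announcement above, exercised end to end as an added example (not part of the original messages and not ST's own tooling). It uses throwaway keys, the constructed identity releases@example.org and constructed file names to show which mismatches ssh-keygen -Y verify rejects, and assumes an OpenSSH ssh-keygen with -Y support.

```sh
#!/bin/sh
# Added example: all keys, identities and files are constructed, none are ST's.

# verify_release SIGNERS IDENTITY NAMESPACE ARTIFACT SIGNATURE
# Succeeds only if SIGNATURE covers ARTIFACT, was made for NAMESPACE, and
# comes from a key that SIGNERS lists for IDENTITY.
verify_release() {
    ssh-keygen -Y verify -f "$1" -I "$2" -n "$3" -s "$5" < "$4" >/dev/null 2>&1
}

# make_fixture DIR: throwaway keys, allowed-signers file, archives, signatures.
make_fixture() {
    ssh-keygen -q -t ed25519 -N "" -f "$1/release" || return 1
    ssh-keygen -q -t ed25519 -N "" -f "$1/other" || return 1
    # Allowed-signers line: <principal> <key type> <base64 public key>
    printf 'releases@example.org %s\n' "$(cut -d' ' -f1,2 "$1/release.pub")" \
        > "$1/signers"
    printf 'constructed archive bytes\n' > "$1/demo.tar.gz"
    printf 'constructed archive bytes, modified\n' > "$1/tampered.tar.gz"
    # Signing data from stdin writes the signature to stdout.
    ssh-keygen -q -Y sign -n file -f "$1/release" \
        < "$1/demo.tar.gz" > "$1/demo.sig" 2>/dev/null || return 1
    ssh-keygen -q -Y sign -n file -f "$1/other" \
        < "$1/demo.tar.gz" > "$1/other.sig" 2>/dev/null || return 1
}

# check LABEL WANT(0=accept,1=reject) ARGS...: compare verdict with expectation.
check() {
    label=$1; want=$2; shift 2
    if verify_release "$@"; then got=0; else got=1; fi
    if [ "$got" = "$want" ]; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" || { rm -rf "$d"; return 1; }
    s=$d/signers; id=releases@example.org; a=$d/demo.tar.gz; rc=0
    check "listed key, intact archive" 0 "$s" "$id" file "$a" "$d/demo.sig" || rc=1
    check "modified archive"    1 "$s" "$id" file "$d/tampered.tar.gz" "$d/demo.sig" || rc=1
    check "wrong namespace"     1 "$s" "$id" git "$a" "$d/demo.sig" || rc=1
    check "identity not listed" 1 "$s" other@example.org file "$a" "$d/demo.sig" || rc=1
    check "key not listed"      1 "$s" "$id" file "$a" "$d/other.sig" || rc=1
    rm -rf "$d"
    return $rc
}

run_demo
```

Only the first case is accepted: the signature binds the archive bytes, the namespace given with -n, and a key that the allowed-signers file lists for the identity given with -I.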
The ST team is happy to announce a new release of the stmgr program,
tag v0.6.6, which succeeds the previous release at tag v0.5.2. The
source code for this release is available from the git repository:
    git clone -b v0.6.6 https://git.glasklar.is/system-transparency/core/stmgr.git
Authoritative ST release signing keys are published at
https://www.system-transparency.org/keys, and the tag signature can be
verified using the command
    git -c gpg.format=ssh \
        -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \
        tag --verify v0.6.6
The expectations and intended use of the stmgr program are documented
in the repository's RELEASES file. This RELEASES file also contains
more information concerning the overall release process, see:
https://git.glasklar.is/system-transparency/core/stmgr/-/blob/v0.6.6/RELEAS…
Learn about what's new in a release from the repository's NEWS file. An
excerpt from the latest NEWS-file entry is listed below for convenience.
If you find any bugs, please report them on the System Transparency
discuss list or open an issue on GitLab in the stmgr repository:
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l…
https://git.glasklar.is/system-transparency/core/stmgr/-/issues
system-transparency-core-stmgr-issues@incoming.glasklar.is
Cheers,
The ST team
---
NEWS for stmgr v0.6.6
This release adds several new subcommands, most notably related to
supporting OS packages that are transparently signed with Sigsum.
New features:
* Verify OS package signatures using the new subcommand "ospkg verify".
* Attach Sigsum proofs to an OS package descriptor using the new
  subcommand "ospkg sigsum".
* Add subcommand `uki to-iso` such that UKIs and ISOs can be created in
  separate steps (cf. creating in the same step using "uki -format iso").
Miscellaneous:
* Improved error messages on invalid command-line input.
Incompatible changes:
* This version requires Go version 1.23 or later when building.
This release has been tested to work with:
* All stprov tests which use stmgr, pre-release v0.5.3.
  https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.5.3/docs/…
* All stboot tests which use stmgr, pre-release v0.6.4.
  https://git.glasklar.is/system-transparency/core/stboot/-/blob/v0.6.4/docs/…
This release implements the specifications at:
* https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.5.2/cont…