- ST-announce - System Transparency mailing lists

st-1.3.0 release
by Rasmus Dahlberg 30 Jun '25

30 Jun '25

The ST team is happy to announce a new collection release: st-1.3.0. The tar archive and a corresponding signature can be downloaded at https://dist.system-transparency.org/ Authoritative ST release signing keys are published at https://www.system-transparency.org/keys/ The signature can be verified using the command ssh-keygen -Y verify -n file \ -f allowed-ST-release-signers \ -I releases(a)system-transparency.org \ -s st-1.3.0.tar.gz.sig < st-1.3.0.tar.gz The NEWS file in the tar archive summarizes changes since the previous release. An excerpt from the latest NEWS-file entry is included below for convenience. The tar archive also includes documentation that gets rendered at https://docs.system-transparency.org/st-1.3.0/ If you find any bugs, please file issues in the affected component repositories or report them on the System Transparency discuss list. https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… Cheers, The ST team --- NEWS for st-1.3.0 This collection release provides a few minor fixes and two major features: support for Secure Boot provisioning and Sigsum logged OS packages. The release is intended to be backwards compatible, except for a new build-time requirement on Go version 1.23 or later. The code components of st-1.3.0 are stboot v0.6.5, stmgr v0.6.6, and stprov v0.5.4. Documentation is included in the collection, and it is also published at https://docs.system-transparency.org/st-1.3.0/. Features: * stprov: provisioning of Secure Boot variables PK, KEK, db, and dbx. Associated HOW-TO guides are available in the documentation. * stprov: it is optional to supply a file with TLS root certificates. * stboot: support multiple OS package signing roots. * stboot, stmgr: support for Sigsum signed OS packages. In other words, it is now possible to use signatures that are transparent. * stmgr: new subcommands for verifying OS packages and creating ISOs from already existing UKIs. Miscellaneous: * stprov: improved logging, e.g., exactly what is being written to EFI NVRAM when and whether the different subcommands succeeded. * stmgr: more helpful error messages on invalid command-line input.

1 0

stmgr v0.6.6 release
by Rasmus Dahlberg 24 Jun '25

24 Jun '25

The ST team is happy to announce a new release of the stmgr program, tag v0.6.6, which succeeds the previous release at tag v0.5.2. The source code for this release is available from the git repository: git clone -b v0.6.6 https://git.glasklar.is/system-transparency/core/stmgr.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys, and the tag signature can be verified using the command git -c gpg.format=ssh \ -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.6.6 The expectations and intended use of the stmgr program is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stmgr/-/blob/v0.6.6/RELEAS… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stmgr repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stmgr/-/issues system-transparency-core-stmgr-issues(a)incoming.glasklar.is Cheers, The ST team --- NEWS for stmgr v0.6.6 This release adds several new subcommands, most notably related to supporting OS packages that are transparently signed with Sigsum. New features: * Verify OS package signatures using the new subcommand "ospkg verify". * Attach Sigsum proofs to an OS package descriptor using the new subcommand "ospkg sigsum". * Add subcommand `uki to-iso` such that UKIs and ISOs can be created in separate steps (cf. creating in the same step using "uki -format iso"). Miscellaneous: * Improved error messages on invalid command-line input. Incompatible changes: * This version requires go version 1.23 or later when building. This release has been tested to work with: * All stprov tests which use stmgr, pre-release v0.5.3. https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.5.3/docs/… * All stboot tests which use stmgr, pre-release v0.6.4. https://git.glasklar.is/system-transparency/core/stboot/-/blob/v0.6.4/docs/… This release implements the specifications at: * https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.5.2/cont…

1 0

stboot v0.6.5 release
by Rasmus Dahlberg 24 Jun '25

24 Jun '25

The ST team is happy to announce a new release of the stboot bootloader, tag v0.6.5, which succeeds the previous release at tag v0.5.2. The source code for this release is available from the git repository: git clone -b v0.6.5 https://git.glasklar.is/system-transparency/core/stboot.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys, and the tag signature can be verified using the command git -c gpg.format=ssh \ -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.6.5 The expectations and intended use of the stboot bootloader is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stboot/-/blob/v0.6.5/RELEA… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stboot repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stboot/-/issues system-transparency-core-stboot-issues(a)incoming.glasklar.is Cheers, The ST team --- NEWS for stboot v0.6.5 This release most notably allows operators to sign OS packages with Sigsum. Refer to https://www.sigsum.org/ to learn more about the Sigsum project. New features: * Support OS packages that are signed with Sigsum. This feature is optional and only enabled if the /etc/trust_policy/ospkg_trust_policy file exists. * Allow ospkg_signing_roots.pem to contain multiple X.509 certificates. This makes it possible to, e.g., have a flat key hierarchy with multiple non-CA keys signing OS packages directly (particularly useful for Sigsum). Incompatible changes: * This version requires go version 1.23 or later when building. This release has been tested to work with: * Artifacts produced by stmgr, pre-release v0.6.4. https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.6.4 * Systems provisioned with stprov, pre-release v0.5.3. https://git.glasklar.is/system-transparency/core/stprov/-/tree/v0.5.3 This release implements the specifications at: * https://git.glasklar.is/system-transparency/core/stboot/-/blob/v0.6.5/docs/… * https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.5.2/cont…

1 0

stprov v0.5.4 release
by Rasmus Dahlberg 24 Jun '25

24 Jun '25

The ST team is happy to announce a new release of the stprov software, tag v0.5.4, which succeeds the previous release at tag v0.4.2. The source code for this release is available from the git repository: git clone -b v0.5.4 https://git.glasklar.is/system-transparency/core/stprov.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys/ and the tag signature can be verified using the command git -c gpg.format=ssh \ -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.5.4 The expectations and intended use of the stprov software is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.5.4/RELEA… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stprov repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stprov/-/issues system-transparency-core-stprov-issues(a)incoming.glasklar.is Cheers, The ST team --- NEWS for stprov v0.5.4 This release most notably helps operators provision Secure Boot keys. New features: * Secure Boot policy objects PK, KEK, db, and dbx can be provisioned. See stprov-manual and stprov-system, which also links to a few HOW-TO guides. * It is optional to provide a file with with X.509 certificate roots for HTTPS. If omitted, HEAD requests on HTTPS URLs will definitely fail. Miscellaneous: * Add INFO prints that clarify if the stprov commands succeeded or not. * Add INFO prints that clarify what is being provisioned in EFI NVRAM. Incompatible changes: * This version requires go version 1.23 or later when building. This release has been tested to work with: * stboot's provision mode, pre-release tag v0.6.2. https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.6.2 * ISO building using stmgr, pre-release tag v0.6.4. https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.6.4 This release implements the specifications at: * https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.5.4/docs/… * https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.5.4/docs/… * https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.5.2/cont…

1 0

ANNOUNCE: st-1.2.0
by Niels Möller 14 Mar '25

14 Mar '25

The System Transparency project is happy to announce a new ST collection release, st-1.2.0. See NEWS entries below for a summary of changes. The documentation for this release is available at https://docs.system-transparency.org/st-1.2.0/ A release tar file is published at https://dist.system-transparency.org/st/st-1.2.0.tar.gz https://dist.system-transparency.org/st/st-1.2.0.tar.gz.sig The release keys used for both the release tar file and the corresponding git tags are published at https://www.system-transparency.org/keys This collection release corresponds to the manifest file https://git.glasklar.is/system-transparency/core/system-transparency/-/blob… Project homepage and contact information can be found at https://www.system-transparency.org/ Cheers, The System Transparency team NEWS for st-1.2.0 This is an update to the st-1.1.0 collection release, with a few new features requested by users. It is intended to be backwards compatible with the st-1.0.0 and st-1.1.0 collections except for a new build-time requirement on go-1.22 or later. The code components of st-1.2.0 are stboot v0.5.2, stmgr v0.5.2, and stprov v0.4.2 (also listed, with corresponding commit hashes, in the manifest file). Corresponding documentation is included in the collection, and it is also published at https://docs.system-transparency.org/st-1.2.0/. Bug fixes: * stprov: Don't add any extra dot when using default hostname (neither -h or -H specified on the command line). * stmgr: Properly assign the issuer and subject in generated X.509 certificates. Features: * stboot: Add support for encrypted OS packages. * stprov: For network autoselect (-A), prefer the fastest network interface. * stboot, stprov: Improvements to logging. * stboot, stprov: Display and populate the new (and optional) "description" field in the host configuration. * stmgr: The uki subcommand can now produce both .uki and .iso in the same run. For more details, see the NEWS files and documentation for respective component.

1 0

ANNOUNCE: stmgr-v0.5.2
by Niels Möller 07 Mar '25

07 Mar '25

The ST team is happy to announce a new release of the stmgr program, tag v0.5.2, which succeeds the previous release at tag v0.4.1. The source code for this release is available from the git repository: git clone -b v0.5.2 https://git.glasklar.is/system-transparency/core/stmgr.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys, and the tag signature can be verified using the command git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.5.2 The expectations and intended use of the stmgr program is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stmgr/-/blob/main/RELEASES… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stmgr repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stmgr/-/issues Cheers, The ST team NEWS for stmgr v0.5.2 New features and improvements: * stmgr uki: The create subcommand now accepts a comma-separated list for the -format option, to produce multiple output files. E.g., use -format iso,uki to produce both a .uki file (a UEFI executable) and the same file wrapped in a bootable .iso image. Bug fixes: * stmgr keygen: The certificate subcommand now assigns issuer and subject in generated X.509 certificates. The certificate's subject is assigned a CommonName based on the public key hash. For CA certs, the issuer is set to the same value, while for non-CA certificates, the issuer is set to the subject of the parent certificate. This makes generated certs comply with RFC 5280, and work correctly with tools such as openssl verify. Incompatible changes: * This version requires go version 1.22 or later when building. * The default log-level is changed from "error" to "info". Compatibility: * This release implements the specifications at https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.4.1/cont… * Artifacts generated by this release of stmgr are tested with stboot release version v0.5.2, https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.5.2.

1 0

ANNOUNCE: stprov v0.4.2
by Niels Möller 07 Mar '25

07 Mar '25

The ST team is happy to announce a new release of the stprov software, tag v0.4.2, which succeeds the previous release at tag v0.3.9. The source code for this release is available from the git repository: git clone -b v0.4.2 https://git.glasklar.is/system-transparency/core/stprov.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys/ and the tag signature can be verified using the command git -c gpg.format=ssh \ -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.4.2 The expectations and intended use of the stprov software is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.4.2/RELEA… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stprov repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stprov/-/issues system-transparency-core-stprov-issues(a)incoming.glasklar.is Cheers, The ST team NEWS for stprov v0.4.2 Bug fixes: * Without -h and -H, use default hostname, e.g., "localhost.local", without prepending an extra dot. New features: * For network autoselect (-A), prefer the fastest network interface. * Log the IP addresses used for the OS package HEAD request. * Populate the new host config description field with stprov version and timestamp, e.g., "stprov version v0.4.0-13-g50ea7c2; timestamp 2025-01-30T13:49:01Z" This is the successor of the timestamp field, that was removed in v0.3.5. Incompatible changes: * This version requires go version 1.22 or later when building. This release implements the specifications at https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.4.1/cont… This release has been tested to work with: * stboot's provision mode, release tag v0.5.2: https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.5.2 * ISO building using stmgr, pre-release tag v0.5.0: https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.5.0

1 0

ANNOUNCE: stboot v0.5.2
by Niels Möller 14 Feb '25

14 Feb '25

The ST team is happy to announce a new release of the stboot bootloader, tag v0.5.2, which succeeds the previous release at tag v0.4.3. The source code for this release is available from the git repository: git clone -b v0.5.2 https://git.glasklar.is/system-transparency/core/stboot.git Authoritative ST release signing keys are published at https://www.system-transparency.org/keys, and the tag signature can be verified using the command git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.5.2 The expectations and intended use of the stboot bootloader is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stboot/-/blob/main/RELEASE… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stboot repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stboot/-/issues Cheers, The ST team NEWS for stboot v0.5.2 This release of stboot includes several new features. Except for the removal of experimental TPM measurements, it is intended to be fully backwards compatible with stboot v0.4.3. New features and improvements: * Display stboot version when booting. See README.md for how to override the version string at build time. * Increase reboot delay to 30s. * Log IP addresses used when downloading the OS package. * Log expiry dates of root and OS package certificates. Fail early if all root certificates are expired. * Add support for encrypted OS packages. See docs/stboot-system.md. * Log host configuration description string, if present. See https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.4.1/cont… Incompatible changes: * This version requires go version 1.22 or later when building. Unfortunately, the go 1.22 toolchain is not available in Debian bookworm. For Debian users, we suggest using the go packages from either bookworm-backports or testing. For an updated Build guide using bookworm-backports, see https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.4.1/cont…. * The experimental code to do TPM measurements has been deleted. Miscellaneous: * Improved documentation of backwards compatible host configuration. See doc/stboot-system.md. This release has been tested to work with: * Artifacts produced by stmgr v0.5.0 (pre-release version). https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.5.0 * Systems provisioned with stprov v0.4.0 (pre-release version) https://git.glasklar.is/system-transparency/core/stprov/-/tree/v0.4.0 This release implements the specifications at https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.4.1/cont…

1 0

ANNOUNCE: st-1.1.0
by Niels Möller 29 Aug '24

29 Aug '24

The System Transparency project is happy to announce a new ST collection release, st-1.1.0. See NEWS entries below for a summary of changes. The documentation for this release is available at https://docs.system-transparency.org/st-1.1.0/ A release tar file is published at https://dist.system-transparency.org/st/st-1.1.0.tar.gz https://dist.system-transparency.org/st/st-1.1.0.tar.gz.sig The release keys used for both the release tar file and the corresponding git tags are published at https://www.system-transparency.org/keys This collection release corresponds to the manifest file https://git.glasklar.is/system-transparency/core/system-transparency/-/blob… Project homepage and contact information can be found at https://www.system-transparency.org/ Cheers, The System Transparency team NEWS for st-1.1.0 This is an update to the st-1.0.0 collection release, with one bug fix and a few new features requested by users. It is intended to be backwards compatible with the st-1.0.0 collection. Using a relative os_pkg_url for OS packages served (one of the new features) requires an stboot upgrade, or else the boot will fail. Bug fixes: * stboot: When stboot is started as the init process (pid 1), it now loads kernel modules *before* mounting the efivarfs. Previously, accessing EFI variables required that the efivarfs driver was compiled statically into the kernel, rather than as a module. See https://docs.system-transparency.org/st-1.1.0/docs/reference/stboot-system/… for init process alternatives and how to configure module loading when stboot is started as the init process. Features: * stboot: If a provisioning OS package is included in the stboot image, the operator can force stboot into provisioning mode by pressing Ctrl-C to interrupt normal boot, and stboot can similarly enter provisioning mode if normal boot fails for any other reason. See https://docs.system-transparency.org/st-1.1.0/docs/reference/stboot-system/… * stboot, stmgr: the OS package archive URL (os_pkg_url) can now be relative to the OS package pointer. Avoid use of this extension if backwards compatibility with older stboot versions is needed. See https://docs.system-transparency.org/st-1.1.0/docs/reference/os_package/#de… For information on how releases are made in System Transparency, see https://docs.system-transparency.org/st-1.1.0/docs/releases/ The included components and their versions are specified in the collection's manifest file. Documentation for the collection can be generated from the included components, see docs. Documentation is also published at https://docs.system-transparency.org/st-1.1.0/.

1 0

stboot-v0.4.3 release
by Rasmus Dahlberg 13 Jul '24

13 Jul '24

The ST team is happy to announce a new release of the stboot bootloader, tag v0.4.3, which succeeds the previous release at tag v0.3.6. The source code for this release is available from the git repository: git clone -b v0.4.3 https://git.glasklar.is/system-transparency/core/stboot.git Authoritative ST release signing keys are published at: https://www.system-transparency.org/keys The tag signature can be verified using the following command: git -c gpg.format=ssh \ -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \ tag --verify v0.4.3 The expectations and intended use of the stboot bootloader is documented in the repository's RELEASES file. This RELEASES file also contains more information concerning the overall release process, see: https://git.glasklar.is/system-transparency/core/stboot/-/blob/v0.4.3/RELEA… Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS-file entry is listed below for convenience. If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stboot repository: https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l… https://git.glasklar.is/system-transparency/core/stboot/-/issues Cheers, The ST team NEWS for stboot v0.4.3 This release of stboot includes bug fixes and new features. The most notable feature is the ability to enter provisioning mode even if a host configuration has already been provisioned on the system. Bug fixes: * When running stboot as the init process, load kernel modules before trying to mount /sys/firmware/efi/efivars. This ensures EFI variables will work when the efivarfs driver is provided as a loadable kernel module (rather than being built into the kernel). For users that use u-root as the init process: be aware that the same issue which has now been fixed in stboot still remains open in u-root, see https://github.com/u-root/u-root/issues/2993. * Properly wait for the selected network interfaces to reach state UP before considering the network to be configured successfully. This ensures stboot will not spend any of its retries due to interfaces that are not up yet. New features and improvements: * If a provisioning OS package is included in the stboot image, it is now possible to enter provisioning mode if the provisioned host configuration is invalid or if the user presses Ctrl-C. See docs/stboot-system.md for details and security implications. * The OS package descriptor now supports "os_pkg_url" to be relative to the descriptor's (absolute) base URI. Refer to the OS package specification for the exact resolution rules. This release has been tested to work with: * Artifacts produced by stmgr v0.4.0 (pre-release version). https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.4.0 * Systems provisioned with stprov v0.3.8 (pre-release version) https://git.glasklar.is/system-transparency/core/stprov/-/tree/v0.3.8 This release implements the specifications at https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.3.0/cont…

1 0

2025

2024

2023

ST-announce