The ST team is happy to announce a new release of the stmgr program, tag v0.3.3, which succeeds the previous release at tag v0.2.2. The source code for this release is available from the git repository:
git clone -b v0.3.3 https://git.glasklar.is/system-transparency/core/stmgr.git
Authoritative ST release signing keys are published at https://www.system-transparency.org/keys, and the tag signature can be verified using the command
git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \
    tag --verify v0.3.3
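The verify command above only succeeds if the allowed-signers file lists the release key in OpenSSH's allowed_signers format ("<principal> [namespaces="git"] <key-type> <key-blob>", one key per line). The script below is an added example, not part of the stmgr release or written by the ST team: it builds that file from an OpenSSH public key file, wraps the verify command so its exit status can be checked, and then demonstrates the whole flow against a throwaway repository whose tag is signed with a freshly generated key. The principal name "st-release", the key comments and the throwaway repository are constructed for the demonstration; it is assumed that the keys page publishes keys in OpenSSH public key format, and that git 2.34 or later and OpenSSH 8.2 or later are installed (the demo reports 2 and skips if they are not).

```shell
#!/bin/sh
# Added example (not part of the stmgr repository): building and using the
# allowed-signers file consumed by "git tag --verify" with gpg.format=ssh.
set -u

# Write one allowed-signers line: <principal> namespaces="git" <key-type> <key-blob>
# PUBKEY_FILE is an OpenSSH public key file ("ssh-ed25519 AAAA... comment");
# the trailing comment is dropped because it is not part of the key.
make_allowed_signers() {
  principal=$1; pubkey_file=$2; out=$3
  keytype=$(awk 'NR==1 {print $1}' "$pubkey_file")
  keyblob=$(awk 'NR==1 {print $2}' "$pubkey_file")
  printf '%s namespaces="git" %s %s\n' "$principal" "$keytype" "$keyblob" > "$out"
}

# Verify TAG in REPO against SIGNERS; the return value is git's exit status,
# which is what a script should check rather than parsing the printed text.
verify_release_tag() {
  repo=$1; tag=$2; signers=$3
  git -C "$repo" -c gpg.format=ssh -c gpg.ssh.allowedSignersFile="$signers" \
      tag --verify "$tag"
}

# Demonstration: sign a tag with a generated key (constructed here; a real
# check uses the keys published at https://www.system-transparency.org/keys),
# then verify it with a matching and with a non-matching signers file.
# Returns 0 if both outcomes are as expected, 1 if not, 2 if the environment
# lacks git ssh-signing support.
demo_sign_and_verify() {
  command -v git >/dev/null 2>&1 || return 2
  command -v ssh-keygen >/dev/null 2>&1 || return 2
  work=$(mktemp -d) || return 2
  ssh-keygen -q -t ed25519 -N '' -C 'release@example' -f "$work/release_key" || { rm -rf "$work"; return 2; }
  ssh-keygen -q -t ed25519 -N '' -C 'other@example' -f "$work/other_key" || { rm -rf "$work"; return 2; }

  repo=$work/repo
  git init -q "$repo" || { rm -rf "$work"; return 2; }
  g() { git -C "$repo" -c user.name=ST -c user.email=st@example -c gpg.format=ssh "$@"; }
  g commit -q --allow-empty -m 'initial' || { rm -rf "$work"; return 2; }
  # Sign the tag with the private key file; no agent is needed for a key
  # without a passphrase (a hardware-backed key would go through ssh-agent).
  g -c user.signingkey="$work/release_key" tag -s -m 'stmgr v0.3.3' v0.3.3 || { rm -rf "$work"; return 2; }

  make_allowed_signers 'st-release' "$work/release_key.pub" "$work/allowed-ST-release-signers"
  make_allowed_signers 'st-release' "$work/other_key.pub" "$work/wrong-signers"

  status=0
  # Listed key: verification must succeed.
  verify_release_tag "$repo" v0.3.3 "$work/allowed-ST-release-signers" >/dev/null 2>&1 || status=1
  # Same principal but a different key: no principal matches, so it must fail.
  if verify_release_tag "$repo" v0.3.3 "$work/wrong-signers" >/dev/null 2>&1; then status=1; fi
  rm -rf "$work"
  return $status
}

demo_sign_and_verify
case $? in
  0) echo "tag verified with the listed key and rejected with an unlisted key" ;;
  2) echo "skipped: git ssh-signing tooling not available" ;;
  *) echo "unexpected verification result" ;;
esac
```

For a real release check, the signers file is populated from the published keys rather than a generated one, and a non-zero exit status from the verify step should abort whatever build or deployment follows it.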
The expectations and intended use of the stmgr program are documented in the repository's RELEASES file. The RELEASES file also contains more information about the overall release process, see:
https://git.glasklar.is/system-transparency/core/stmgr/-/blob/main/RELEASES....
Learn about what's new in a release from the repository's NEWS file. An excerpt from the latest NEWS file entry is listed below for convenience.
If you find any bugs, please report them on the System Transparency discuss list or open an issue on GitLab in the stmgr repository:
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.li... https://git.glasklar.is/system-transparency/core/stmgr/-/issues
Cheers, The ST team
NEWS for stmgr v0.3.3
This release is an update to match the stboot-0.3.6 release. The main new features relate to signing: UKI executables can now be signed for Secure Boot. Signatures on OS packages and certificates can now use private keys accessed via the ssh-agent protocol, enabling use of keys residing on a more secure hardware device.
Incompatible changes:
* Generation of UKI files no longer defaults to using /usr/lib/systemd/boot/efi/linuxx64.efi.stub. It now defaults to a stub file embedded at stmgr compile time. (See uki/stub/README for which version is embedded).
* The out-of-date "stmgr provision" subcommand has been deleted.
New features and improvements:
* Signing OS packages (stmgr ospkg sign) can now use ssh-agent to access the private signing key, see docs/manual.md.
* Creating certificates (stmgr keygen certificate) used to always create a new keypair as part of the process. That key generation is now optional. More precisely, a root certificate can be created for a private key specified with the -rootKey option, including support for ssh-agent to access the private key. A leaf certificate can be created with the new -leafKey option specifying the public key to be certified.
* Host config validation (stmgr hostconfig check) has been updated to match recent changes in stboot, including backwards compatibility. Submissions of additional host config files to check in stmgr regression tests are welcome.
* The command "stmgr uki create" can now optionally sign the generated UKI for Secure Boot; new flags: -signkey, -signcert.
* Improved documentation, new docs/manual.md.
Miscellaneous:
* Improved integration tests.
Compatibility:
* This release implements the specifications at https://git.glasklar.is/system-transparency/project/docs/-/tree/v0.2.0/conte...
* Artifacts generated by this release of stmgr are tested with stboot pre-release version v0.3.5, and are expected to work with the stboot release v0.3.6. https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.3.6