The ST team is happy to announce a new collection release: st-1.3.0. The tar archive and a corresponding signature can be downloaded at
https://dist.system-transparency.org/
Authoritative ST release signing keys are published at
https://www.system-transparency.org/keys/
The signature can be verified using the command
  ssh-keygen -Y verify -n file \
    -f allowed-ST-release-signers \
    -I releases@system-transparency.org \
    -s st-1.3.0.tar.gz.sig < st-1.3.0.tar.gz
The NEWS file in the tar archive summarizes changes since the previous release. An excerpt from the latest NEWS-file entry is included below for convenience.
The tar archive also includes documentation that gets rendered at
https://docs.system-transparency.org/st-1.3.0/
If you find any bugs, please file issues in the affected component repositories or report them on the System Transparency discuss list.
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.li...
Cheers,
The ST team
---
NEWS for st-1.3.0
This collection release provides a few minor fixes and two major features: support for Secure Boot provisioning and Sigsum logged OS packages. The release is intended to be backwards compatible, except for a new build-time requirement on Go version 1.23 or later.
The code components of st-1.3.0 are stboot v0.6.5, stmgr v0.6.6, and stprov v0.5.4. Documentation is included in the collection, and it is also published at https://docs.system-transparency.org/st-1.3.0/.
Features:
* stprov: provisioning of Secure Boot variables PK, KEK, db, and dbx. Associated HOW-TO guides are available in the documentation.
* stprov: it is optional to supply a file with TLS root certificates.
* stboot: support multiple OS package signing roots.
* stboot, stmgr: support for Sigsum signed OS packages. In other words, it is now possible to use signatures that are transparent.
* stmgr: new subcommands for verifying OS packages and creating ISOs from already existing UKIs.
Miscellaneous:
* stprov: improved logging, e.g., exactly what is being written to EFI NVRAM when and whether the different subcommands succeeded.
* stmgr: more helpful error messages on invalid command-line input.
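Added example, not part of the ST announcement or the project's own code: the ssh-keygen -Y verify call given for the release signature, exercised against a throwaway key to show that a modified file, a different -I identity, and a different -n namespace are each rejected. The key, the releases@example.test principal, the file names and the helper functions are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: throwaway key, principal and files, not the ST release key.

# verify_release FILE SIG ALLOWED_SIGNERS IDENTITY [NAMESPACE]
# Succeeds only if SIG is a valid signature over FILE, made in NAMESPACE
# (default "file") by a key that ALLOWED_SIGNERS lists for IDENTITY.
verify_release() {
    ssh-keygen -Y verify -n "${5:-file}" -f "$3" -I "$4" -s "$2" \
        < "$1" > /dev/null 2>&1
}

# expect WANT LABEL CMD...: run CMD and check it was accepted or rejected.
expect() {
    want=$1; label=$2; shift 2
    if "$@"; then got=accept; else got=reject; fi
    printf '%-16s %s\n' "$label" "$got"
    [ "$got" = "$want" ]
}

# demo: sign a constructed file, then run four verification cases.
# Returns 0 only when every case produced the expected outcome.
demo() {
    d=$(mktemp -d) || return 1
    id=releases@example.test                      # hypothetical principal
    ssh-keygen -q -t ed25519 -N '' -C demo -f "$d/key" || return 1
    # One allowed-signers entry: <principal> <key type> <base64 public key>
    printf '%s %s\n' "$id" "$(cut -d' ' -f1,2 "$d/key.pub")" > "$d/allowed"
    printf 'constructed release payload\n' > "$d/good"
    printf 'constructed release payload, modified\n' > "$d/bad"
    ssh-keygen -Y sign -n file -f "$d/key" "$d/good" > /dev/null 2>&1 || return 1
    rc=0
    expect accept 'genuine file'    verify_release "$d/good" "$d/good.sig" "$d/allowed" "$id" || rc=1
    expect reject 'modified file'   verify_release "$d/bad" "$d/good.sig" "$d/allowed" "$id" || rc=1
    expect reject 'other identity'  verify_release "$d/good" "$d/good.sig" "$d/allowed" other@example.test || rc=1
    expect reject 'other namespace' verify_release "$d/good" "$d/good.sig" "$d/allowed" "$id" git || rc=1
    rm -rf "$d"
    return "$rc"
}

demo
```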