The ST team is happy to announce a new collection release: st-1.3.0. The tar
archive and a corresponding signature can be downloaded at

  https://dist.system-transparency.org/

Authoritative ST release signing keys are published at

  https://www.system-transparency.org/keys/

The signature can be verified using the command

  ssh-keygen -Y verify -n file \
    -f allowed-ST-release-signers \
    -I releases@system-transparency.org \
    -s st-1.3.0.tar.gz.sig < st-1.3.0.tar.gz

The NEWS file in the tar archive summarizes changes since the previous
release. An excerpt from the latest NEWS-file entry is included below for
convenience.

The tar archive also includes documentation that gets rendered at

  https://docs.system-transparency.org/st-1.3.0/

If you find any bugs, please file issues in the affected component
repositories or report them on the System Transparency discuss list.

  https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.li...

Cheers,
The ST team

---

NEWS for st-1.3.0

This collection release provides a few minor fixes and two major features:
support for Secure Boot provisioning and Sigsum logged OS packages. The
release is intended to be backwards compatible, except for a new build-time
requirement on Go version 1.23 or later.

The code components of st-1.3.0 are stboot v0.6.5, stmgr v0.6.6, and
stprov v0.5.4. Documentation is included in the collection, and it is also
published at https://docs.system-transparency.org/st-1.3.0/.

Features:

  * stprov: provisioning of Secure Boot variables PK, KEK, db, and dbx.
    Associated HOW-TO guides are available in the documentation.
  * stprov: it is optional to supply a file with TLS root certificates.
  * stboot: support multiple OS package signing roots.
  * stboot, stmgr: support for Sigsum signed OS packages. In other words,
    it is now possible to use signatures that are transparent.
  * stmgr: new subcommands for verifying OS packages and creating ISOs
    from already existing UKIs.

Miscellaneous:

  * stprov: improved logging, e.g., exactly what is being written to EFI
    NVRAM when and whether the different subcommands succeeded.
  * stmgr: more helpful error messages on invalid command-line input.
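
The ssh-keygen verification command in the announcement only protects a download if its exit status is checked and the allowed-signers file lists the right key. The script below is an added example, not part of the announcement or the ST project's code: it runs the same invocation against throwaway keys and a constructed archive, and the file names and helper functions are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway keys and a dummy archive, not the real ST release key.
IDENTITY="releases@system-transparency.org"  # -I value from the announcement
NAMESPACE="file"                             # -n value from the announcement

# verify_release ALLOWED_SIGNERS ARCHIVE SIGNATURE
# Exit status 0 only if the signature is valid for IDENTITY in NAMESPACE.
verify_release() {
    ssh-keygen -Y verify -n "$NAMESPACE" -f "$1" -I "$IDENTITY" \
        -s "$3" < "$2" >/dev/null 2>&1
}

# signers_line PUBKEY_FILE: one allowed-signers entry "principal keytype key".
signers_line() {
    printf '%s %s\n' "$IDENTITY" "$(cut -d' ' -f1,2 "$1")"
}

# check ALLOWED_SIGNERS ARCHIVE SIGNATURE: print "ok" or "rejected".
check() {
    if verify_release "$1" "$2" "$3"; then echo ok; else echo rejected; fi
}

# run_demo: prints results for a good archive, a modified archive, and an
# allowed-signers file that lists a different key.
run_demo() {
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N "" -C demo -f "$d/key" || return 1
    ssh-keygen -q -t ed25519 -N "" -C other -f "$d/other" || return 1
    printf 'constructed archive contents\n' > "$d/demo.tar.gz"
    # Writes the detached signature to demo.tar.gz.sig.
    ssh-keygen -Y sign -n "$NAMESPACE" -f "$d/key" "$d/demo.tar.gz" \
        >/dev/null 2>&1 || return 1
    signers_line "$d/key.pub" > "$d/allowed"
    signers_line "$d/other.pub" > "$d/allowed-other"
    cp "$d/demo.tar.gz" "$d/tampered.tar.gz"
    printf 'x' >> "$d/tampered.tar.gz"
    good=$(check "$d/allowed" "$d/demo.tar.gz" "$d/demo.tar.gz.sig")
    tamper=$(check "$d/allowed" "$d/tampered.tar.gz" "$d/demo.tar.gz.sig")
    wrong=$(check "$d/allowed-other" "$d/demo.tar.gz" "$d/demo.tar.gz.sig")
    rm -rf "$d"
    echo "$good $tamper $wrong"
}

run_demo
```

For the real release, the allowed-signers file must be built from the keys published at https://www.system-transparency.org/keys/ and obtained separately from the archive being checked.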