- Go checksum database error on installation due to deleting a tag
- Dependabot updates
v1.2.1 includes a minor bug fix to set the SignedData version value in a timestamp response as per the RFC.
- Bump digitorus/timestamp version to pick up RFC correctness fix (#584)
v1.2.0 is based on Go 1.21.3.
- Support other hash algs for pre-signed timestamp besides SHA256 (#488)
- new http-ping-only flag for 'timestamp-server serve' (#474)
- Fix bug where TSA signing fails if cert hash != content hash. (#465)
- expand README on Cloud KMS deployment (#476)
- upgrade to Go1.21 (#471)
- Billy Lynch
- Carlos Tadeu Panato Junior
- Dmitry Savintsev
- Hayden B
1.1.2 fixes a signing related hash function bug and a typo.
- Fix hash function hardcoding bug by updating dependency (#452)
- Carlos Tadeu Panato Junior
- Dmitry Savintsev
- Meredith Lancaster
1.1.1 fixes a bug in the JSON format request code.
- Update how the JSON body is parsed (#343)
- Meredith Lancaster
1.1.0 now supports making timestamp requests in JSON format in addition to DER encoded format.
- Support timestamp requests in JSON format (#247)
- Fix typo in README (#294)
- Andrea Cosentino
- Meredith Lancaster
1.0 release of the timestamp authority. No changes from the previous release candidate.
Thank you to all contributors!
Note: This is a prerelease for 1.0. Please try it out and file issues!
- Upgrade to go 1.20.1 (#245)
- Carlos Tadeu Panato Junior
- Hayden B
- Meredith Lancaster
Note: This is a prerelease for 1.0. Please try it out and file issues!
SLSA provenance is now uploaded with each release. Use slsa-verifier to verify the release.
- Mock NTP client (#217)
- Carlos Tadeu Panato Junior
- Hayden B
- Meredith Lancaster
0.2.1 now rejects timestamp requests that use SHA-1. For server operators, it now defaults to using NTP monitoring.
- Generate slsa provenance (#193)
- Use default NTP monitoring configuration (#186)
- Reject requests that use SHA-1 (#202)
- Update README with more details (#188)
- Hayden B
- Hector Fernandez
- Meredith Lancaster
0.2.0 improves the verification library (#121). The library now verifies the full certificate chain and additional properties of the timestamp.
- Start adding more verification with VerificationOpts struct (#153)
- Verify command returns the parsed timestamp (#174)
- Add intermediate and root verify flags (#180)
- Verify full certificate chain (#181)
- Hayden Blauzvern
- Meredith Lancaster
- Added an optional feature to compare the local time with a set of trusted ntp servers (#143)
- inspect: remove format flag (#155)
- Fredrik Skogman
- Hector Fernandez
- Meredith Lancaster
- neilnaveen
- Fix a bug where certChain was not set correctly (#140)
- Ville Aikas
- Require the file signer to specify the certificate chain (#137)
- Fix hashed message verification (#118)
- Update fetch TSA certs script for Tink (#111)
- Hayden Blauzvern
- Hector Fernandez
Initial release of sigstore/timestamp-authority
See the README for instructions on how to run the timestamp authority and fetch and verify signed timestamps.
- Carlos Tadeu Panato Junior (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- Meredith Lancaster (@malancas)