Skip to content

Releases: foundriesio/fioctl

Release v0.42

28 May 17:44
v0.42
Compare
Choose a tag to compare
Release Notes:

* License changed from Apache v2 to BSD-3 Clause

Features:

* Add support for multi target Offline Update bundles.
  Added targets are now catalogued in a signed `bundle-targets.json` inside a bundle.
  This allows offline update clients to more accurately select a target to install.
* Add a command to sign Offline Update bundle with more than one offline targets key.
* Add a command to print the detail about an Offline Update bundle.
* Add a flag to filter device list for only production or only non-production devices.

Fixes:

* Pull production targets when user creates an Offline Update bundle for a Wave.
* Disable compression in default transport.
  Since CloudFlare started compressing responses by default recently,
  artifacts download is broken without this fix.
* Properly escape special characters when filtering device list by name or uuid pattern.

Changes:

* An Offline Update bundle is now checked for integrity at each command modifying it.
  User is notified about any actions they need to take to correct it.
* Remove the (re-)installing field from factory and wave status output.
  This field is no longer being calculated by the API.

Release v0.41

29 Feb 18:21
v0.41
Compare
Choose a tag to compare
Features:

* Support creating an offline update from wave targets.

Fixes:

* Do not add keyEncipherment or keyAgreement to the device gateway TLS certificate.
  These key usages are disallowed for ECDSA certificates by the latest X.509 standard.
* Always compare apps to latest apps in config when validating new updates config.
  Apps reported as installed by the device are shown to the user, but not used for validation.
* Properly check if production target exists for a given tag when creating an offline update.

Changes:

* Dynamically build source URL used by a Git helper in MEDS.
* Dynamically build registry URL used by a Docker helper in MEDS.
* Improve a human readable error shown when factory PKI is not initialized.
* Improve a human readable error shown when TUF private keys are missing.
* Fetch apps for offline update from the published run if it is present.
* Improve UX of the SBOM conversion process.

Release v0.40

22 Dec 15:29
v0.40
Compare
Choose a tag to compare
Features:

* Support TUF signature re-signing for active waves on TUF key rotations.
  This feature actually consists of several related improvements:

  - Allow rotating offline TUF targets signing key when there are active waves.
  - Allow rotating online TUF signing keys when there are active waves.
  - Allow changing TUF targets signature threshold when there are active waves.
  - Allow staring a new wave when there are any of the above TUF root updates in progress.
  - Automatically re-sign wave targets when one of the offline TUF keys (used to sign them) is being rotated.
    This improvement covers the `fioctl keys tuf updates rotate-offline-key` command.
  - Automatically re-sign wave targets when one of the online TUF keys is being rotated.
    This improvement covers the `fioctl keys tuf updates rotate-online-key` command.
  - Allow manually (re-)signing wave targets during TUF root updates.
    This improvement covers the `fioctl keys tuf updates sign-prod-targets` command.

* Support filtering waves by status and/or tag in `fioctl waves list`.

Fixes:

* Show user who created the config in `fioctl [device] config show`.
* Properly clean up signing key owners in TUF root when the key is deleted or rotated out.

Changes:

* Support loading oauth-url from the config file.
* Support absolute executable path for docker-credential-helper.

Release v0.39

14 Nov 15:53
v0.39
5cf0426
Compare
Choose a tag to compare
Features:

* Ability to disable or revoke a device CA via a crypto-signed CRL.

  - When a device CA is disabled, devices with client certificates it issued can no longer be registered.
  - When a device CA is revoked, they cannot connect to the backend in addition to the above.

Release v0.38

20 Oct 11:30
v0.38
Compare
Choose a tag to compare
Features:

* Support HSM based factory root CA for "el2go config-device-gateway" and "est authorize".
* Support TLS certificate rotation for device gateway and OSTree server using "keys ca rotate-tls".
* Support adding more than 1 online or local device CA using "keys ca add-device-ca".

Changes:

* Check if target directory contains update data before generating offline update using "targets offline-update".
  Added an option to allow or deny overwriting update data if it is present (denied by default).
* Don't show "last connection" field for El2Go devices list using "el2go devices".
* Support Subject Key ID and Authority Key ID X.509 extensions in "keys ca show".

Fixes:

* Clean tag duplicates when re-tagging using "targets tag".
* Deny empty positional arguments like "" or '' for all commands.
  Such arguments were passing validation and could lead to undefined behavior in some commands.
* Do not overwrite the online device CA in PKI directory when running "el2go config-device-gateway".
  An El2Go device CA needs not be written to disk at all; it is send to the cloud API instead.
* Require the "--pki-dir" argument in "el2go config-device-gateway".
  It defaulted to the current directory in the past, that would usually fail when running the command.

Notes:

* In v0.37 the "el2go config-device-gateway" and "est authorize" were still using Bash scripts to generate certificates.
  That would not work for new customers, and did not support the HSM based factory root CA for old customers.
  Those two commands were modified to use the same Golang based PKI as all "keys ca" subcommands in v0.38.

Release v0.37

06 Oct 18:02
v0.37
ba783a0
Compare
Choose a tag to compare
Features:

* Switch factory PKI management to pure Golang implementation for all platforms.
  Disabled a Bash based implementation which downloaded PKI scripts from the API and executed them on user's machine.
* Added the ability to store factory root CA inside the HSM device for all supported platforms.
  User needs to install OpenSC pkcs11-tool for this feature to work.

Changes:

* The "keys ca create" now always creates Factory PKI files with read-only permissions.
* The "keys ca create" now always requires a user to provide the token label when using the HSM device.
* Warn users when they create a wave for a target which has not static deltas defined.
* Multiple CI improvements (dependabot, testing, linting, makefile).

Fixes:

* The "keys ca create" was failing to sign TLS certificate when storing factoru root CA on the HSM device.
* The "keys ca create" on Windows was creating the TLS certificate with CA extension.
* The "devices list" column "current-update" was misspelled as "curent-update".

Notes:

* A device list column "curent-update" was fixed to "current-update".
  If you have a script using misspelled column name - it needs to be updated.

Release v0.36

26 Sep 12:53
v0.36
5405c0e
Compare
Choose a tag to compare
* Added TUF based self-update `version --update-to`
* Fix for initial TUF targets key rotation
* Fix Git credential helper setup bug on Windows
* UX improvement for el2g device IDs

Release v0.35

11 Aug 17:20
v0.35
Compare
Choose a tag to compare
Changes:

* Track offline TUF keys ownership in a signed root.json field.

Notes:

* When someone upgraded to this version or higher, and made changes to TUF root,
  other users trying to make changes to TUF root will be required to upgrade as well by the API.
  This is a safety belt which prevents an accidental erase of the TUF keys ownership information.

Release v0.34.2

11 Aug 16:52
v0.34.2
Compare
Choose a tag to compare
Changes:

* Docs: fixed new Fioctl TUF commands help to render well with Sphinx

Release v0.34.1

26 Sep 12:52
v0.34.1
Compare
Choose a tag to compare
Changes:

* Docs: fixed new Fioctl TUF commands help to render well with Sphinx
* Security: set buildmode PIE (Position Independent Executable) to improve run-time security
  No effect on Windows (uses ASLR) and Arm Darwin platforms (uses PIE by default).
  Enables PIE for Linux and Amd64 Darwin platforms.
  Additionally enables RELRO (Read-Only Relocation) for Linux platforms.