OpenFGA v0.4.3 is released with signed release artifacts and Software Bill of Materials (SBOM)

[adriantam]

Hey folks!

We just released OpenFGA v0.4.3. It includes signed signed release artifacts, software bill of materials (SBOM).

If you are running through docker:

If you are targeting latest, make sure to update by running docker pull openfga/openfga
If you are targeting pinned releases, make sure to set your pinned version to: openfga/openfga:v0.4.3

Changes in this release

Added

• Release artifacts are now signed and include a Software Bill of Materials (SBOM) (#683)

  The SBOM (Software Bill of Materials) is included in each Github release using Syft and is exported in SPDX format.

  Developers will be able to verify the signature of the release artifacts with the following workflow(s):

  wget https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt
  
  cosign verify-blob \
    --certificate-identity 'https://github.com/openfga/openfga/.github/workflows/release.yml@refs/tags/<tag>' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
    --cert https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt.pem \
    --signature https://github.com/openfga/openfga/releases/download/<tag>/checksums.txt.sig \
    ./checksums.txt

  If the checksums.txt validation succeeds, it means the checksums included in the release were not tampered with, so we can use it to verify the hashes of other files using the sha256sum utility. You can then download any file you want from the release, and verify it with, for example:

  wget https://github.com/openfga/openfga/releases/download/<tag>/openfga_<version>_linux_amd64.tar.gz.sbom
  wget https://github.com/openfga/openfga/releases/download/<tag>/openfga_<version>_linux_amd64.tar.gz
  
  sha256sum --ignore-missing -c checksums.txt

  And both should say "OK".

  You can then inspect the .sbom file to see the entire dependency tree of the binary.

  Developers can also verify the Docker image signature. Cosign actually embeds the signature in the image manifest, so we only need the public key used to sign it in order to verify its authenticity:

  cosign verify -key cosign.pub openfga/openfga:<tag>

• openfga migrate now accepts reading configuration from a config file and environment variables like the openfga run command (#655) - thanks @suttod!

• The --trace-service-name command-line flag has been added to allow for customizing the service name in traces (#652) - thanks @jmiettinen

Fixed

• Postgres and MySQL implementations have been fixed to avoid ordering relationship tuple queries by ulid when it is not needed. This can improve read query performance on larger OpenFGA stores (#677)
• Synchronize concurrent access to in-memory storage iterators (#587)
• Improve error logging in the openfga migrate command (#663)
• Fix middleware ordering so that requestid middleware is registered earlier(#662)

Changed

• Bumped up to Go version 1.20 (#664)

• Default model schema versions to 1.1 (#669)

  In preparation for sunsetting support for models with schema version 1.0, the WriteAuthorizationModel API will now interpret any model provided to it as a 1.1 model if the schema_version field is omitted in the request. This shouldn't affect default behavior since 1.0 model support is enabled by default.