v1.2.1

What's Changed

Fixes

• Fix Go potential bugs and maintainability by @roger2hk in #1496

Dependency update

• Bump google.golang.org/grpc from 1.63.2 to 1.64.0 by @dependabot in #1482

Full Changelog: v1.2.0...v1.2.1

v1.2.0

What's Changed

CTFE Storage Saving: Extra Data Issuance Chain Deduplication

To reduce CT/Trillian database storage by deduplication of the entire issuance chain (intermediate certificate(s) and root certificate) that is currently stored in the Trillian merkle tree leaf ExtraData field. Storage cost should be reduced by at least 33% for new CT logs with this feature enabled. Currently only MySQL/MariaDB is supported to store the issuance chain in the CTFE database.

Existing logs are not affected by this change.

Log operators can choose to opt-in this change for new CT logs by adding new CTFE configs in the LogMultiConfig and importing the database schema. See example.

• ctfe_storage_connection_string
• extra_data_issuance_chain_storage_backend

An optional LRU cache can be enabled by providing the following flags.

• cache_type
• cache_size
• cache_ttl

This change is tested in Cloud Build tests using the mysql:8.4 Docker image as of the time of writing.

• Add issuance chain storage interface by @roger2hk in #1430
• Add issuance chain cache interface by @roger2hk in #1431
• Add CTFE extra data storage saving configs to config.proto by @roger2hk in #1432
• Add new types PrecertChainEntryHash and CertificateChainHash for TLS marshal/unmarshal in storage saving by @roger2hk in #1435
• Add IssuanceChainCache LRU implementation by @roger2hk in #1454
• Add issuance chain service by @roger2hk in #1452
• Add CTFE extra data storage saving configs validation by @roger2hk in #1456
• Add IssuanceChainStorage MySQL implementation by @roger2hk in #1462
• Fix errcheck lint in mysql test by @roger2hk in #1464
• CTFE Extra Data Issuance Chain Deduplication by @roger2hk in #1477
• Fix incorrect deployment doc and server config by @roger2hk in #1494

Submission proxy: Root compatibility checking

• Adds the ability for a CT client to disable root compatibile checking by @aaomidi in #1258

Fixes

• Return 429 Too Many Requests for gRPC error code ResourceExhausted from Trillian by @roger2hk in #1401
• Safeguard against redirects on PUT request by @mhutchinson in #1418
• Fix CT client upload to be safe against no-op POSTs by @mhutchinson in #1424

Misc

• Prefix errors.New variables with the word "Err" by @aaomidi in #1399
• Remove lint exceptions and fix remaining issues by @silaselisha in #1438
• Fix invalid Go toolchain version by @roger2hk in #1471
• Regenerate proto files by @roger2hk in #1489

Dependency update

• Bump distroless/base-debian12 from 5eae9ef to 28a7f1f in /trillian/examples/deployment/docker/ctfe by @dependabot in #1388
• Bump github/codeql-action from 3.24.6 to 3.24.7 by @dependabot in #1389
• Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #1390
• Bump golang from 6699d28 to 7f9c058 in /integration by @dependabot in #1391
• Bump golang from 6699d28 to 7f9c058 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1392
• Bump golang from 6699d28 to 7a392a2 in /internal/witness/cmd/witness by @dependabot in #1393
• Bump golang from 6699d28 to 7a392a2 in /internal/witness/cmd/feeder by @dependabot in #1394
• Bump golang from 7a392a2 to d996c64 in /internal/witness/cmd/witness by @dependabot in #1395
• Bump golang from 7f9c058 to d996c64 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1396
• Bump golang from 7a392a2 to d996c64 in /internal/witness/cmd/feeder by @dependabot in #1397
• Bump golang from 7f9c058 to d996c64 in /integration by @dependabot in #1398
• Bump github/codeql-action from 3.24.7 to 3.24.8 by @dependabot in #1400
• Bump github/codeql-action from 3.24.8 to 3.24.9 by @dependabot in #1402
• Bump go.etcd.io/etcd/v3 from 3.5.12 to 3.5.13 by @dependabot in #1405
• Bump distroless/base-debian12 from 28a7f1f to 611d30d in /trillian/examples/deployment/docker/ctfe by @dependabot in #1406
• Bump golang from 1.22.1-bookworm to 1.22.2-bookworm in /trillian/examples/deployment/docker/ctfe by @dependabot in #1407
• Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #1408
• update govulncheck go version from 1.21.8 to 1.21.9 by @phbnf in #1412
• Bump golang from 1.22.1-bookworm to 1.22.2-bookworm in /integration by @dependabot in #1409
• Bump golang from 1.22.1-bookworm to 1.22.2-bookworm in /internal/witness/cmd/witness by @dependabot in #1410
• Bump golang.org/x/crypto from 0.21.0 to 0.22.0 by @dependabot in #1414
• Bump golang from 1.22.1-bookworm to 1.22.2-bookworm in /internal/witness/cmd/feeder by @dependabot in #1411
• Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #1415
• Bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in #1416
• Bump google.golang.org/grpc from 1.62.1 to 1.63.2 by @dependabot in #1417
• Bump github.com/fullstorydev/grpcurl from 1.8.9 to 1.9.1 by @dependabot in #1419
• Bump golang from 48b942a to 3451eec in /integration by @dependabot in #1421
• Bump golang from 48b942a to 3451eec in /trillian/examples/deployment/docker/ctfe by @dependabot in #1423
• Bump golang from 48b942a to 3451eec in /internal/witness/cmd/witness by @dependabot in #1420
• Bump golang from 3451eec to b03f3ba in /integration by @dependabot in #1426
• Bump golang from 3451eec to b03f3ba in /trillian/examples/deployment/docker/ctfe by @dependabot in #1425
• Bump golang from 48b942a to 3451eec in /internal/witness/cmd/feeder by @dependabot in #1422
• Bump golang from 3451eec to b03f3ba in /internal/witness/cmd/witness by @dependabot in #1427
• Bump golang from 3451eec to b03f3ba in /internal/witness/cmd/feeder by @dependabot in #1428
• Bump github/codeql-action from 3.24.10 to 3.25.0 by @dependabot in #1433
• Bump github/codeql-action from 3.25.0 to 3.25.1 by @dependabot in #1434
• Bump actions/upload-artifact from 4.3.1 to 4.3.2 by @dependabot in #1436
• Bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #1437
• Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @dependabot in #1440
• Bump github/codeql-action from 3.25.1 to 3.25.2 by @dependabot in #1441
• Bump golang from b03f3ba to d0902ba in /internal/witness/cmd/feeder by @dependabot in #1444
• Bump golang from b03f3ba to d0902ba in /trillian/examples/deployment/docker/ctfe by @dependabot in https://github...

v1.1.8

What's Changed

• Recommended Go version for development: 1.21
  • Using a different version can lead to presubmits failing due to unexpected diffs.

Monitoring

• Distribution metric to monitor the start of get-entries requests by @phbnf in #1364

Add support for AIX

• crypto/x509: add AIX operating system by @roger2hk in #1277

Fixes

• Use the appropriate HTTP response code for backend timeouts by @robstradling in #1313

Misc

• Move golangci-lint from Cloud Build to GitHub Action by @roger2hk in #1230
• Set golangci-lint GH action timeout to 5m by @roger2hk in #1231
• Added Slack channel details by @mhutchinson in #1246
• Improve fuzzing by @AdamKorcz in #1345

Dependency update

• Bump golang from 20f9ab5 to 5ee1296 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1216
• Bump golang from 20f9ab5 to 5ee1296 in /internal/witness/cmd/witness by @dependabot in #1217
• Bump golang from 20f9ab5 to 5ee1296 in /internal/witness/cmd/feeder by @dependabot in #1218
• Bump k8s.io/klog/v2 from 2.100.1 to 2.110.1 by @dependabot in #1219
• Bump golang from 20f9ab5 to 5ee1296 in /integration by @dependabot in #1220
• Bump golang from 5ee1296 to 5bafbbb in /integration by @dependabot in #1221
• Bump golang from 5ee1296 to 5bafbbb in /internal/witness/cmd/feeder by @dependabot in #1222
• Bump golang from 5ee1296 to 5bafbbb in /internal/witness/cmd/witness by @dependabot in #1223
• Bump golang from 5ee1296 to 5bafbbb in /trillian/examples/deployment/docker/ctfe by @dependabot in #1224
• Update the minimal image to gcr.io/distroless/base-debian12 by @roger2hk in #1148
• Bump jq from 1.6 to 1.7 by @roger2hk in #1225
• Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #1226
• Bump golang.org/x/time from 0.3.0 to 0.4.0 by @dependabot in #1227
• Bump github.com/mattn/go-sqlite3 from 1.14.17 to 1.14.18 by @dependabot in #1228
• Bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in #1229
• Bump golang from 1.21.3-bookworm to 1.21.4-bookworm in /trillian/examples/deployment/docker/ctfe by @dependabot in #1232
• Bump golang from 1.21.3-bookworm to 1.21.4-bookworm in /internal/witness/cmd/witness by @dependabot in #1233
• Bump golang from 1.21.3-bookworm to 1.21.4-bookworm in /integration by @dependabot in #1234
• Bump golang from 1.21.3-bookworm to 1.21.4-bookworm in /internal/witness/cmd/feeder by @dependabot in #1235
• Bump go-version-input from 1.20.10 to 1.20.11 in govulncheck.yml by @roger2hk in #1238
• Bump golang.org/x/net from 0.17.0 to 0.18.0 by @dependabot in #1236
• Bump github/codeql-action from 2.22.5 to 2.22.6 by @dependabot in #1240
• Bump github/codeql-action from 2.22.6 to 2.22.7 by @dependabot in #1241
• Bump golang from 85aacbe to dadce81 in /integration by @dependabot in #1243
• Bump golang from 85aacbe to dadce81 in /internal/witness/cmd/feeder by @dependabot in #1242
• Bump golang from 85aacbe to dadce81 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1244
• Bump golang from 85aacbe to dadce81 in /internal/witness/cmd/witness by @dependabot in #1245
• Bump golang from dadce81 to 52362e2 in /internal/witness/cmd/witness by @dependabot in #1247
• Bump golang from dadce81 to 52362e2 in /integration by @dependabot in #1248
• Bump golang from dadce81 to 52362e2 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1249
• Bump golang from dadce81 to 52362e2 in /internal/witness/cmd/feeder by @dependabot in #1250
• Bump github/codeql-action from 2.22.7 to 2.22.8 by @dependabot in #1251
• Bump golang.org/x/net from 0.18.0 to 0.19.0 by @dependabot in #1252
• Bump golang.org/x/time from 0.4.0 to 0.5.0 by @dependabot in #1254
• Bump alpine from eece025 to 34871e7 in /internal/witness/cmd/feeder by @dependabot in #1256
• Bump alpine from eece025 to 34871e7 in /trillian/examples/deployment/docker/envsubst by @dependabot in #1257
• Bump go-version-input from 1.20.11 to 1.20.12 in govulncheck.yml by @roger2hk in #1264
• Bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #1261
• Bump golang from 1.21.4-bookworm to 1.21.5-bookworm in /internal/witness/cmd/witness by @dependabot in #1259
• Bump golang from 1.21.4-bookworm to 1.21.5-bookworm in /integration by @dependabot in #1263
• Bump golang from 1.21.4-bookworm to 1.21.5-bookworm in /internal/witness/cmd/feeder by @dependabot in #1262
• Bump golang from 1.21.4-bookworm to 1.21.5-bookworm in /trillian/examples/deployment/docker/ctfe by @dependabot in #1260
• Bump go.etcd.io/etcd/v3 from 3.5.10 to 3.5.11 by @dependabot in #1266
• Bump github/codeql-action from 2.22.8 to 2.22.9 by @dependabot in #1269
• Bump alpine from 34871e7 to 51b6726 in /internal/witness/cmd/feeder by @dependabot in #1270
• Bump alpine from 3.18 to 3.19 in /trillian/examples/deployment/docker/envsubst by @dependabot in #1271
• Bump golang from a6b787c to 2d3b13c in /internal/witness/cmd/feeder by @dependabot in #1272
• Bump golang from a6b787c to 2d3b13c in /internal/witness/cmd/witness by @dependabot in #1273
• Bump golang from a6b787c to 2d3b13c in /integration by @dependabot in #1274
• Bump golang from a6b787c to 2d3b13c in /trillian/examples/deployment/docker/ctfe by @dependabot in #1275
• Bump github/codeql-action from 2.22.9 to 2.22.10 by @dependabot in #1278
• Bump google.golang.org/grpc from 1.59.0 to 1.60.0 by @dependabot in #1279
• Bump github/codeql-action from 2.22.10 to 3.22.11 by @dependabot in #1280
• Bump distroless/base-debian12 from 1dfdb5e to 8a0bb63 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1281
• Bump github.com/google/trillian from 1.5.3 to 1.5.4-0.20240110091238-00ca9abe023d by @mhutchinson in #1297
• Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #1282
• Bump github/codeql-action from 3.22.11 to 3.23.0 by @dependabot in #1295
• Bump github.com/mattn/go-sqlite3 from 1.14.18 to 1.14.19 by @dependabot in #1283
• Bump golang from 1.21.5-bookworm to 1.21.6-bookworm in /integration by @dependabot in #1300
• Bump d...

v1.1.7

What's Changed

• Recommended Go version for development: 1.20

  • This is the version used by the Cloud Build presubmits. Using a different version can lead to presubmits failing due to unexpected diffs.

• Bump golangci-lint from 1.51.1 to 1.55.1 (developers should update to this version).

Add support for WASI port

• Add build tags for wasip1 GOOS by @flavio in #1089

Add support for IBM Z operating system z/OS

• Add build tags for zOS by @onlywork1984 in #1088

Log List

• Add support for "is_all_logs" field in loglist3 by @phbnf in #1095

Documentation

• Improve Dockerized Test Deployment documentation by @roger2hk in #1179

Misc

• Escape forward slashes in certificate Subject names when used as user quota id strings by @robstradling in #1059
• Search whole chain looking for issuer match by @mhutchinson in #1112
• Use proper check per @AGWA instead of buggy check introduced in #1112 by @mhutchinson in #1114
• Build the ctfe/ct_server binary without depending on glibc by @roger2hk in #1119
• Migrate CTFE Ingress manifest to support GKE version 1.23 by @roger2hk in #1086
• Remove Dependabot ignore configuration by @roger2hk in #1097
• Add "github-actions" and "docker" Dependabot config by @roger2hk in #1101
• Add top level permission in CodeQL workflow by @roger2hk in #1102
• Pin Docker image dependencies by @roger2hk in #1110
• Remove GO111MODULE from Dockerfile and Cloud Build yaml files by @roger2hk in #1113
• Add docker Dependabot config by @roger2hk in #1126
• Export is_mirror = 0.0 for non mirror instead of nothing by @phbnf in #1133
• Add govulncheck GitHub action by @roger2hk in #1145
• Spelling by @jsoref in #1144

Dependency update

• Bump Go from 1.19 to 1.20 by @roger2hk in #1146
• Bump golangci-lint from 1.51.1 to 1.55.1 by @roger2hk in #1214
• Bump go.etcd.io/etcd/v3 from 3.5.8 to 3.5.9 by @dependabot in #1083
• Bump golang.org/x/crypto from 0.8.0 to 0.9.0 by @dependabot in #108
• Bump github.com/mattn/go-sqlite3 from 1.14.16 to 1.14.17 by @dependabot in #1092
• Bump golang.org/x/net from 0.10.0 to 0.11.0 by @dependabot in #1094
• Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 by @dependabot in #1098
• Bump google.golang.org/protobuf from 1.30.0 to 1.31.0 by @dependabot in #1099
• Bump golang.org/x/net from 0.11.0 to 0.12.0 by @dependabot in #1108
• Bump actions/checkout from 3.1.0 to 3.5.3 by @dependabot in #1103
• Bump github/codeql-action from 2.1.27 to 2.20.3 by @dependabot in #1104
• Bump ossf/scorecard-action from 2.0.6 to 2.2.0 by @dependabot in #1105
• Bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #1106
• Bump github/codeql-action from 2.20.3 to 2.20.4 by @dependabot in #1115
• Bump github/codeql-action from 2.20.4 to 2.21.0 by @dependabot in #1117
• Bump golang.org/x/net from 0.12.0 to 0.14.0 by @dependabot in #1124
• Bump github/codeql-action from 2.21.0 to 2.21.2 by @dependabot in #1121
• Bump github/codeql-action from 2.21.2 to 2.21.4 by @dependabot in #1125
• Bump golang from fd9306e to eb3f9ac in /integration by @dependabot in #1127
• Bump alpine from 3.8 to 3.18 in /trillian/examples/deployment/docker/envsubst by @dependabot in #1129
• Bump golang from fd9306e to eb3f9ac in /trillian/examples/deployment/docker/ctfe by @dependabot in #1128
• Bump alpine from 82d1e9d to 7144f7b in /internal/witness/cmd/feeder by @dependabot in #1130
• Bump golang from fd9306e to eb3f9ac in /internal/witness/cmd/witness by @dependabot in #1131
• Bump golang from 1.19-alpine to 1.21-alpine in /internal/witness/cmd/feeder by @dependabot in #1132
• Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1134
• Bump github/codeql-action from 2.21.4 to 2.21.5 by @dependabot in #1135
• Bump distroless/base from 73deaaf to 46c5b9b in /trillian/examples/deployment/docker/ctfe by @dependabot in #1136
• Bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #1137
• Bump golang.org/x/net from 0.14.0 to 0.15.0 by @dependabot in #1139
• Bump github.com/rs/cors from 1.9.0 to 1.10.0 by @dependabot in #1140
• Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1141
• Bump golang from 445f340 to 96634e5 in /internal/witness/cmd/feeder by @dependabot in #1142
• Bump github/codeql-action from 2.21.5 to 2.21.6 by @dependabot in #1149
• Bump Docker golang base images to 1.21.1 by @roger2hk in #1147
• Bump github/codeql-action from 2.21.6 to 2.21.7 by @dependabot in #1150
• Bump github/codeql-action from 2.21.7 to 2.21.8 by @dependabot in #1152
• Bump golang from d3114db to a0b3bc4 in /internal/witness/cmd/feeder by @dependabot in #1155
• Bump golang from d3114db to a0b3bc4 in /internal/witness/cmd/witness by @dependabot in #1157
• Bump golang from d3114db to a0b3bc4 in /integration by @dependabot in #1156
• Bump golang from d3114db to a0b3bc4 in /trillian/examples/deployment/docker/ctfe by @dependabot in #1158
• Bump golang from e06b3a4 to 114b9cc in /integration by @dependabot in #1159
• Bump golang from a0b3bc4 to 114b9cc in /internal/witness/cmd/feeder by @dependabot in #1160
• Bump golang from a0b3bc4 to 114b9cc in /internal/witness/cmd/witness by @dependabot in #1161
• Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #1162
• Bump golang from 114b9cc to 9c7ea4a in /internal/witness/cmd/feeder by @dependabot in #1163
• Bump golang from 114b9cc to 9c7ea4a in /integration by @dependabot in #1166
• Bump golang from 114b9cc to 9c7ea4a in /trillian/examples/deployment/docker/ctfe by @dependabot in #1165
• Bump golang from 114b9cc to 9c7ea4a in /internal/witness/cmd/witness by @dependabot in #1164
• Bump github/codeql-action from 2.21.8 to 2.21.9 by @dependabot in #1169
• Bump golang from 9c7ea4a to 61f84bc in /integration by @dependabot in #1168
• Bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 by @dependabot in #1...

v1.1.6

What's Changed

Deployments

• Update manual deploy docs by @AlCutter in #1061
• Docker compose config for demo CTFE by @mhutchinson in #1062
• Add command for starting ctfe to ManualDeploy doc by @AlCutter in #1069

Repo config

• Update and rename scorecards.yml to scorecard.yml by @AlCutter in #1068
• Enable all linters for ct-go by @mhutchinson in #1064

Dependency update

• Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 by @dependabot in #1066
• Bump golang.org/x/net from 0.9.0 to 0.10.0 by @dependabot in #1070
• Bump github.com/transparency-dev/merkle from 0.0.1 to 0.0.2 by @dependabot in #1071
• Bump github.com/google/trillian to v1.5.2 by @phbnf in #1072

Misc

• Update CHANGELOG.md for v1.1.5 release by @phbnf in #1063

Full Changelog: v1.1.5...v1.1.6

v1.1.5

Key management

• If a public key has been configured for a log, check that it is consistent with the private key by @robstradling in #1044
• Don't allow the same private key to be used by more than one configured log by @robstradling in #1046

Log list

• Remove v2 log list package files by @roger2hk in #1004
• Delete v1 and v2 log list testdata by @roger2hk in #1003
• Fix broken tests due to deleted v1 log list in testdata by @roger2hk in #1007

Vulnerability management

• Replace Travis build status with CodeQL workflow in README.md by @roger2hk in #1057
• Create codeql.yml by @AlCutter in #996
• Fix CodeQL warnings by @AlCutter in #997
• Configure OSSF scorecard security scanner by @AlCutter in #995
• Pin GitHub actions to git hashes by @AlCutter in #1005

Fixes

• client/ctclient: Fix doubled https in --log_name by @acohn in #990
• Fix typo in comment by @AlCutter in #1013
• Fix the missing exit code when go test is failed in presubmit script by @roger2hk in #1008
• [Scanner] Retry on errors fetching updated STHs by @AlCutter in #1022
• Fix go gen race condition in Cloud Build for master branch by @roger2hk in #1024
• Remove flaky ratelimiter by @roger2hk in #1015

Cleanups

• Update CHANGELOG.md for v1.1.3 and v1.1.4 releases by @roger2hk in #991
• Clean up Travis related content by @roger2hk in #1058
• Add missing package docs by @AlCutter in #1012
• Regenerate proto go files with protoc by @roger2hk in #1010
• Downgrade fetcher logging to verbose 1 by @mhutchinson in #1031
• Send CloudBuild logs to logging bucket by @AlCutter in #998
• Revert exclude package-comments in golangci-lint by @roger2hk in #1011
• Add Go 1.20 Compatibility by @roger2hk in #1035

Dependency updates

• Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in #992
• Bump github.com/mattn/go-sqlite3 from 1.14.15 to 1.14.16 by @dependabot in #993
• Bump go.etcd.io/etcd/v3 from 3.5.5 to 3.5.6 by @dependabot in #1001
• Upgrade golangci-lint from 1.48.0 to 1.50.1 by @roger2hk in #1006
• Update the version of golangci-lint and protoc in README.md by @roger2hk in #1009
• Update to Trillian v1.5.1 by @AlCutter in #1014
• Bump golang.org/x/net from 0.3.0 to 0.4.0 by @dependabot in #1016
• Bump github.com/rs/cors from 1.8.2 to 1.8.3 by @dependabot in #1018
• Bump Go version from 1.17 to 1.19 by @roger2hk in #1017
• Bump golang.org/x/crypto from 0.4.0 to 0.5.0 by @dependabot in #1020
• Bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #1036
• Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 by @dependabot in #1025
• Bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 by @dependabot in #1023
• Bump go.etcd.io/etcd/v3 from 3.5.6 to 3.5.7 by @dependabot in #1026
• Bump golang.org/x/crypto from 0.5.0 to 0.6.0 by @dependabot in #1034
• Bump golang.org/x/time from 0.0.0-20220922220347-f3bd1da661af to 0.3.0 by @dependabot in #1038
• Bump golang.org/x/crypto from 0.6.0 to 0.7.0 by @dependabot in #1040
• Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 by @dependabot in #1041
• Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #1050
• Bump golang.org/x/crypto from 0.7.0 to 0.8.0 by @dependabot in #1048
• Bump github.com/rs/cors from 1.8.3 to 1.9.0 by @dependabot in #1052
• Bumped etcd deps from v3.5.7 to v3.5.8 by @mhutchinson in #1055

New Contributors

• @acohn made their first contribution in #990
• @robstradling made their first contribution in #1044

Full Changelog: v1.1.4...v1.1.5

v1.1.4

Log list

• Update to use the loglist v3 schema everywhere by @aarongable in #925
• Cleanup log list v1 dependencies by @roger2hk in #977

Logging

• Switch from glog to klog by @jdolitsky in #962
• Log test output with glog. by @phbnf in #944
• Capture variables in tests and add logging. by @phbnf in #942

Cleanup

• Format code using gofmt with Go version 1.18.1 by @roger2hk in #930
• Format code according to go1.19rc2 by @mhutchinson in #961
• Remove vendor code section in README.md by @roger2hk in #934
• Replace deprecated golint with revive by @roger2hk in #931
• Migrate off of deprecated ioutil by @AlCutter in #969
• Moved tools.go to its own directory to be consistent with other repos by @mhutchinson in #938
• Removed some GOPATH stuff that pre-dates go module usage by @mhutchinson in #949
• Removed references to etcdiscover tool by @mhutchinson in #948
• Skip consistency check when root is size zero by @hickford in #960

Misc

• Add test leaf template with serverAuth EKU by @pavelkalinnikov in #893
• Fix S1039: unnecessary use of fmt.Sprintf in presubmit lint messages by @roger2hk in #932
• Update Go version and remove log list v1, v2 in README.md by @roger2hk in #979
• Add missing license header by @AlCutter in #970
• Downgrade 429 errors to verbosity 2 (#957) by @mhutchinson in #963
• Update to testdata.SampleLogList3 in distributor_test.go by @roger2hk in #966
• Update linter, fix errors, delete travis config by @mhutchinson in #940
• Add CODEOWNERS with default team assignment by @AlCutter in #939

Dependency updates

• Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 by @dependabot in #943
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #952
• Bump go from 1.16 to 1.17 in go.mod by @roger2hk in #953
• Bump github.com/google/trillian from 1.4.1 to 1.4.2 by @dependabot in #959
• Bump github.com/fullstorydev/grpcurl from 1.8.6 to 1.8.7 by @dependabot in #965
• Update Trillian to 0a389c4 by @AlCutter in #968
• Update golangci-lint to latest (v1.48.0) by @AlCutter in #971
• Bump github.com/mattn/go-sqlite3 from 1.14.10 to 1.14.15 by @dependabot in #973
• Bump k8s.io/klog/v2 from 2.70.1 to 2.80.0 by @dependabot in #976
• Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 by @dependabot in #981
• Bump k8s.io/klog/v2 from 2.80.0 to 2.80.1 by @dependabot in #980
• Bump go.etcd.io/etcd/etcdctl/v3 from 3.5.4 to 3.5.5 by @dependabot in #984
• Bump go.etcd.io/etcd/v3 from 3.5.4 to 3.5.5 by @dependabot in #982
• Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in #987
• Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 by @roger2hk in #937

Full Changelog: v1.1.3...v1.1.4

v1.1.3

New features

• #867: Add package for (un)marshalling the loglist3 schema
• #927: Add readonly logs mode to CTFE configuration
• Add experimental (not exported from the Go module) implementation of CT witness. Running witnesses by multiple independent organisations allows detecting and preventing split-view attacks.

Improvements / bug fixes

• #852: migrillian: Return error if context was canceled
• #896: jsonclient: retry POSTs after getting HTTP 429
• #901: ctclient: Use Cobra library for command-line tools
• #920: Set is_master metric to 0 for when starting up
• #928: Do not print context canceled errors

Slightly breaking changes

• #881: Terminate hammer early if the context is cancelled
• #903, #921: Move PEMCertPool from CTFE package to x509util

Dependency updates

• Switch Merkle tree code to use github.com/transparency-dev/merkle@v0.0.1 [#874, ..., #924]
• Trillian: v1.4.0 -> v1.4.1 [#924]
• Replace juju/ratelimit with x/time/rate [#800]
• protoc: v3.12.4 -> v3.20.1 [#923]
• github.com/fullstorydev/grpcurl: 1.8.2->1.8.6 [#860, #891]
• github.com/google/go-cmp: 0.5.6->0.5.8 [#879, #917]
• github.com/mattn/go-sqlite3: 1.14.8->1.14.10 [#873]
• github.com/rs/cors: 1.8.0->1.8.2 [#872]
• go.etcd.io/etcd/v3: 3.5.0->3.5.4 [#859, #887, #913]
• google.golang.org/grpc: v1.40.0 -> v1.46.0 [#914]

Full Changelog: v1.1.2...v1.1.3

v1.1.2

CTFE

• Removed the -by_range flag.

Updated dependencies

• Trillian from v1.3.11 to v1.4.0
• protobuf to v2

v1.1.1

Tools

CT Hammer

Added a flag (--strict_sth_consistency_size) which when set to true enforces the current behaviour of only request consistency proofs between tree sizes for which the hammer has seen valid STHs.
When setting this flag to false, if no two usable STHs are available the hammer will attempt to request a consistency proof between the latest STH it's seen and a random smaller (but > 0) tree size.

CTFE

Caching

The CTFE now includes a Cache-Control header in responses containing purely
immutable data, e.g. those for get-entries and get-proof-by-hash. This allows
clients and proxies to cache these responses for up to 24 hours.

EKU Filtering

⚠️ It is not yet recommended to enable this option in a production CT Log!

CTFE now supports filtering logging submissions by leaf certificate EKU.
This is enabled by adding an extKeyUsage list to a log's stanza in the
config file.

The format is a list of strings corresponding to the supported golang x509 EKUs:

Config string	Extended Key Usage
Any	ExtKeyUsageAny
ServerAuth	ExtKeyUsageServerAuth
ClientAuth	ExtKeyUsageClientAuth
CodeSigning	ExtKeyUsageCodeSigning
EmailProtection	ExtKeyUsageEmailProtection
IPSECEndSystem	ExtKeyUsageIPSECEndSystem
IPSECTunnel	ExtKeyUsageIPSECTunnel
IPSECUser	ExtKeyUsageIPSECUser
TimeStamping	ExtKeyUsageTimeStamping
OCSPSigning	ExtKeyUsageOCSPSigning
MicrosoftServerGatedCrypto	ExtKeyUsageMicrosoftServerGatedCrypto
NetscapeServerGatedCrypto	ExtKeyUsageNetscapeServerGatedCrypto

When an extKeyUsage list is specified, the CT Log will reject logging
submissions for leaf certificates that do not contain an EKU present in this
list.

When enabled, EKU filtering is only performed at the leaf level (i.e. there is
no 'nested' EKU filtering performed).

If no list is specified, or the list contains an Any entry, no EKU
filtering will be performed.

GetEntries

Calls to get-entries which are at (or above) the maximum permitted number of
entries whose start parameter does not fall on a multiple of the maximum
permitted number of entries, will have their responses truncated such that
subsequent requests will align with this boundary.
This is intended to coerce callers of get-entries into all using the same
start and end parameters and thereby increase the cachability of
these requests.

e.g.:

Old behaviour:
             1         2         3
             0         0         0
Entries>-----|---------|---------|----...
Client A -------|---------|----------|...
Client B --|--------|---------|-------...
           ^        ^         ^
           `--------`---------`---- requests

With coercion (max batch = 10 entries):
             1         2         3
             0         0         0
Entries>-----|---------|---------|----...
Client A ----X---------|---------|...
Client B --|-X---------|---------|-------...
             ^
             `-- Requests truncated

This behaviour can be disabled by setting the --align_getentries
flag to false.

Flags

The ct_server binary changed the default of these flags:

• by_range - Now defaults to true

The ct_server binary added the following flags:

• align_getentries - See GetEntries section above for details

Added backend flag to migrillian, which now replaces the deprecated
"backend" feature of Migrillian configs.

FixedBackendResolver Replaced

This was previously used in situations where a comma separated list of
backends was provided in the rpcBackend flag rather than a single value.

It has been replaced by equivalent functionality using a newer gRPC API.
However this support was only intended for use in integration tests. In
production we recommend the use of etcd or a gRPC load balancer.

LogList

Log list tools updated to use the correct v2 URL (from v2_beta previously).

Libraries

x509 fork

Merged upstream Go 1.13 and Go 1.14 changes (with the exception
of golang/go@14521198679e, to allow
old certs using a malformed root still to be logged).

asn1 fork

Merged upstream Go 1.14 changes.

ctutil

Added VerifySCTWithVerifier() to verify SCTs using a given ct.SignatureVerifier.

Configuration Files

Configuration files that previously had to be text-encoded Protobuf messages can
now alternatively be binary-encoded instead.

JSONClient

• PostAndParseWithRetry error logging now includes log URI in messages.

Minimal Gossip Example

All the code for this, except for the x509ext package, has been moved over
to the trillian-examples repository.

This keeps the code together and removes a circular dependency between the
two repositories. The package layout and structure remains the same so
updating should just mean changing any relevant import paths.

Dependencies

A circular dependency on the monologue repository has been removed.

A circular dependency on the trillian-examples repository has been removed.

The version of trillian in use has been updated to 1.3.11. This has required
various other dependency updates including gRPC and protobuf. This code now
uses the v2 proto API. The Travis tests now expect the 3.11.4 version of
protoc.

The version of etcd in use has been switched to the one from go.etcd.io.

Most of the above changes are to align versions more closely with the ones
used in the trillian repository.