5.0.0-dev2

• Updated llhttp from 6.0.9 to 9.0.1.
• Updated fmt library from 9.1.0 to 10.1.1.
• Updated QCBOR from 1.1 to 1.2.
• Updated nghttp2 from 1.51.0 to 1.55.1.
• Converted SNP attestation UVM endorsements from integer to arbitrary string.
• Updated Intel SGX PSW from 2.17 to 2.20 (#5616)
• Path to the enclave file should now be passed as --enclave-file CLI argument to cchost, rather than enclave.file entry within configuration file. A potential SNP security context directory environment variable override, where desired, should now be passed as --snp-security-context-dir-var CLI argument to cchost, rather than attestation.environment.security_context_directory entry within configuration file. This is to ensure that these values are attested on Confidential Containers/SNP, even if the configuration itself is provided from un-attested storage, such as an external mount. The configuration entries are deprecated, and will be removed in a future release.
• Added ccf.SnpAttestation.verifySnpAttestation() endpoint for TypeScript apps. (#5653)
• Secret sharing used for ledger recovery now relies on a much simpler implementation that requires no external dependencies. Note that while the code still accepts shares generated by the old code for now, it only generates shares with the new implementation. As a result, a DR attempt that would downgrade the code to a version that pre-dates this change, after having previously picked it up, would not succeed if a reshare had already taken place (#5655).

MCR Docker Images: App Development, C++ Runtime, TypeScript/JavaScript Runtime

4.0.9

• Secret sharing used for ledger recovery now relies on a much simpler implementation that requires no external dependencies. Note that while the code still accepts shares generated by the old code for now, it only generates shares with the new implementation. As a result, a DR attempt that would downgrade the code to a version that pre-dates this change, after having previously picked it up, would not succeed if a reshare had already taken place (#5655).

4.0.8

• SGX builds now use OpenSSL 3.1.1 by default (#5481).
• Converted SNP attestation UVM endorsements from integer to arbitrary string.
• Add /node/ready/app and /node/ready/gov endpoints for the use of load balancers wanting to check if a node is ready to accept application or governance transactions. See Operator RPC API for details.
• Updated llhttp from 6.0.9 to 9.0.1.
• Updated fmt library from 9.1.0 to 10.1.1.
• Updated QCBOR from 1.1 to 1.2.
• Updated nghttp2 from 1.51.0 to 1.55.1.
• Updated Intel SGX PSW from 2.17 to 2.20 (#5616)

5.0.0-dev1

• Added support for reusing JS interpreters, persisting global state. See docs for more detail.

• Note: Full support for this requires an update to the set_js_app action in the constitution. The modification to the sample constitution is visible here.

5.0.0-dev0

• Add HMAC support to JS API. Call with ccf.crypto.sign({"name": "HMAC", "hash": "SHA-256"}, key, data).
• Add /node/ready/app and /node/ready/gov endpoints for the use of load balancers wanting to check if a node is ready to accept application or governance transactions. See Operator RPC API for details.
• SGX builds now use OpenSSL 3.1.1 inside the enclave by default (#5481).
• JWT verifiers are now automatically cached, for increased performance (#5575).
• GET /api/metrics now correctly returns templated endpoint paths (#5539).
• Fix TLS bug that could cause TLS handshakes to fail (#5482).

4.0.7

• Expose COSESign1 content for user_cose_sign1 authenticated endpoints in JavaScript/TypeScript apps (#5465).

3.0.13

• Updated Open Enclave to 0.19.3 (#5472).
• Updated to clang-11 for SGX builds (#5472).
• Updated to clang-15 for Virtual builds (#5472).

4.0.6

• Updated Open Enclave to 0.19.3.

4.0.5

• Debug logging is now available in non-SGX builds by default, and controlled by a run-time CLI argument (--enclave-log-level). On SGX this remains a build-time decision (#5375).
• Supporting intermediate cert chain included in TLS handshake, where previously only server leaf certificate was present (#5453).
• Added getVersionOfPreviousWrite to TypeScript TypedKvMap interface (#5451).

4.0.4

• Added TypeScript interfaces UserCOSESign1AuthnIdentity and MemberCOSESign1AuthnIdentity, to be used with user_cose_sign1 and member_cose_sign1 authentication policies.