v1.7.1

Added

• x509pop node attestor emits a new selector with the leaf certificate serial number (#4216)
• HTTPS server in the OIDC Discovery Provider can now be configured to use a certificate file (#4190)
• Option to log source information in server and agent logs (#4246)

Changed

• Agent now has an exponential backoff strategy when syncing with the server (#4279)

Fixed

• Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)
• SPIRE Agent cache bug resulting in workloads receiving JWT-SVIDs with incomplete audience set (#4309)
• The spire-server agent show command to properly show the "Can re-attest" attribute (#4288)

v1.6.5

Fixed

• Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)

v1.7.0

Added:

• AWS IID Node Attestor now supports all regions, including GovCloud and regions in China (#4124)

Fixed:

• Systemd workload attestor fails with error connection closed by user (#4165)
• Reduced SPIRE Agent CPU usage during kubernetes workload attestation (#4240)

Removed:

• Envoy SDSv2 API is deprecated and now disabled by default (#4228)

v1.6.4

Added

• ARM64 binaries are now included in the release artifacts (#4143)
• Various build script improvements (#4062, #4081, #4096, #4127)
• Various doc improvements (#4076)
• Workload API hint support (#3993, #4074)
• Improved performance when listing queries for PostgreSQL (#4111)
• Support for SPIFFE bundle sequence numbers (#4061)
• New Systemd Workload Attestor plugin (#4058)
• New BundlePublisher plugin type (#4022)
• New agent purge command for removing stale agent records (#3982)

Fixed

• Bug determining if an entry was unique (#4063)

v1.6.3

Added:

• Entry API responses now include the created_at field (#3975)
• spire-server agent CLI commands and Agent APIs now show if agents can be re-attested and supports by_can_reattest filtering (#3880)
• Entry API along with spire-server entry create, spire-server entry show and spire-server entry update CLI commands now support hint information, allowing hinting to workloads the intended use of the SVID (#3926, #3787)

Fixed:

• The vault UpstreamAuthority plugin to properly set the URI SAN (#3971)
• Node selector data related to nodes is now cleaned when deleting a node (#3873)
• Clean stale node selector data from previously deleted nodes (#3941)
• Regression causing a failure to parse JSON formatted and verbose HCL configuration for plugins (#3939, #3999)
• Regression where some workloads with active FetchX509SVID streams were not notified when an entry is removed (#3923)
• The federated bundle updater now properly logs the trust domain name (#3927)
• Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they did not have a URI SAN (#3997)

v1.6.2

Security

• Updated to Go 1.20.3 to address CVE-2023-24534

v1.5.6

Added

• A log message in the k8s-workload-registrar webhook when validation fails (#4011)

Security

• Updated to Go 1.19.8 to address CVE-2023-24534

v1.6.1

Fixed

• Different CA TTL than configured (#3934)

v1.6.0

Added

• Support for customization of SVID and CA attributes through CredentialComposer plugins (#3819, #3832, #3862, #3869)
• Experimental support to validate container images signatures through sigstore selectors (#3159)
• Published scratch images now support ARM64 architecture (#3607)
• Published scratch images are now signed using Sigstore (#3707)
• spire-server mint and spire-server token generate CLI commands now support the -output flag (#3800)
• spire-agent api CLI command now supports the -output flag (#3818)
• Release images now include a non-root user and default folders (#3811)
• Agent accepts bootstrap bundles in SPIFFE format (#3753)
• Database index for registration entry hint column (#3828)

Changed

• Plugins are configured and executed in the order they are defined (#3797)
• Documentation improvements (#3826, #3842, #3870)

Fixed

• Server crash when authorization layer was unable to talk to the datastore (#3829)
• Timestamps in logs are now consistently in local time (#3734)
• Removed
• Non-scratch images are no longer published (#3785)
• k8s-workload-registar is no longer released and maintained (#3853)
• Unused database column x509_svid_ttl from registered_entries table (#3808)
• The deprecated enabled flag from InMem telemetry config (#3796)
• The deprecated default_svid_ttl configurable (#3795)
• The deprecated omit_x509svid_uid configurable (#3794)

v1.5.5

Security

• Updated to Go 1.19.6 and golang.org/x/net v0.7.0 to address CVE-2022-41723, CVE-2022-41724, CVE-2022-41725.