Changes since 1.0.5:
Version 1.06
* Add -P for overriding the password prompt we search for
* Add -v for verbose logging of the prompt detection prompt.
* Allow packagers and compilers to change the default password prompt.
* When giving -V, also print the default password prompt.
Also, add patch from FreeBSD to fix tty issue which prevents sshpass from
seeing the password prompt.
pkgsrc changes:
- Rename `xclip' PKG_OPTION to `x11' (and add a PKG_OPTIONS_LEGACY_OPTS
accordingly) and also depends on converters/base64 (needed by the `--clip'
option, like xclip) and qrencode (needed by the new `--qrcode' option).
- Add support for `test' target and adjust the part of the test suite for
gnupg>=2.2.5 via patches/patch-tests_t0300-reencryption.sh.
- sysutils/pwgen is no more needed, remove it from DEPENDS
(now `tr -dc '<characters>' < /dev/urandom' is used instead)
- Add patches/patch-contrib_dmenu_passmenu to fix `passmenu --type'
(at least xdotool-2.20110530.1 does not support any `--file' option used by
passmenu)
- Adjust PAX invocations in `do-install' target to ignore possible `*.orig'
and `.gitignore' files.
Changes
1.7.1
-----
== Bug Fixes ==
* Fix test suite on OS X
* Add compatibility with GnuPG 2.2.19
* Uniformly use the $GPG variable
* Do the correct thing with subkeys when reencrypting
1.7
---
== New Features ==
* Extensions: pass can now load user-defined extensions from a system
directory or a user directory. There's already a nice ecosystem of
extensions being built, even at this early stage. See the pass man page for
more information.
* Signatures: there is now an option to enforce signatures of the .gpg-id file
and extensions using an environment variable.
* QRCodes: generate and show have now learned the --qrcode/-q switch. Note to
package maintainers: this adds a dependency on the popular qrencode package.
* Password generation: rather than use pwgen, we now use /dev/urandom more
directly, which results in more assured password security, as well as
customizable character sets, via an environment variable. See the pass man
page for more information on this customization. Package maintainers: you
may now drop the dependency on pwgen.
* Importers: there now are several more importers. More and more folks are
moving to pass!
* Selectable clipping: you can now specify which line you wish to copy to the
clipboard or display with a qrcode when using -c or -q.
* Git discovery: The PASSWORD_STORE_GIT environment variable has been removed,
and instead pass will automatically choose the git repository closest to the
file being modified (but not out of the actual password store itself). This
should help people who like to nest git repos for different organizations.
* Bug fixes: too many to count.
== Note To Distros ==
* Drop the dependency of pwgen.
* Add the dependency of qrencode.
* The Makefile now does the right thing with DESTDIR, so you might want to
double check that your package recipe does the right thing.
* The semantics for auto-detection of bash completion has changed, with new
environment variables for such things. See INSTALL for details.
changes in version 2.2.7:
* gpg: New option --no-symkey-cache to disable the passphrase cache
for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
of the signature.
* gpg: Relax emitting of FAILURE status lines
* gpg: Add a status flag to "sig" lines printed with --list-sigs.
* gpg: Fix "Too many open files" when using --multifile.
* ssh: Return an error for unknown ssh-agent flags.
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
caches under Windows.
* dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
mapping of keys.gnupg.net to sks-keyservers.net.
* dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
* dirmngr: Fallback to CRL if no default OCSP responder is configured.
* dirmngr: Implement CRL fetching via https. Here a redirection to
http is explictly allowed.
* dirmngr: Make LDAP searching and CRL fetching work under Windows.
This stopped working with 2.1.
* agent,dirmngr: New sub-command "getenv" for "getinfo" to ease
debugging.
6.02 Fri Apr 20 16:25:30 MST 2018
- silenced compiler warnings from VS2017
-- ref. rt.cpan.org #124477
-- thanks to Sergey Aleynikov for diagnostics
- modified addfile to return error when given a directory name
-- makes behavior consistent with GNU coreutils shaXsum
-- thanks to Scott Baker for pointing this out
0.060 2018-05-01
- bundled libtomcrypt update
- Math::BigInt::LTM - remove buggy tests failing with the latest Math::BigInt
- basically no changes to the perl modules
0.30 Tue May 1 2018
- Working windows library detection
- Actively testing on appveyor for windows now.
- work correctly on LibreSSL
0.29_03 Mon Apr 16 2018
- Add whirlpool hash support.
- Crypt::OpenSSL::Random is now required at comnpile-time.
- Use the new interface to RSA_generate_key if available
- Add library paths to LIBS from Crypt::OpenSSL::Guess
Remove hack for DragonFly/i386, DragonFly is 64-bit only nowadays.
Noteworthy changes in version 1.30 (2018-04-30) [C24/A24/R1]
-----------------------------------------------
* Fix for a hang on Windows when using gpgrt_poll under nPth.
* Build fix for Solaris. [#3869]
--------------
polkit 0.114
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.114.
Highlights:
Port to mozjs 52, the latest version of the firefox JavaScript engine.
Add gettext support for policy files
Fixes for various memory leaks
Build requirements
glib, gobject, gio >= 2.32
mozjs-52
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.113:
Anders Jonsson (2):
pkcheck: fix man typos
Add Swedish translation
Antoine Jacoutot (1):
Add support for OpenBSD
Christian Kirbach (1):
Add German translation
Colin Walters (3):
build: Pull in GCC warning infra from ostree
build: Use AC_USE_SYSTEM_EXTENSIONS
tests: Correct boundary test for overflow
Dariusz Gadomski (2):
Fix multi-line pam text info.
Refactor send_to_helper usage
Gabor Kelemen (1):
Add initial Hungarian translation, and add hu to LINGUAS
Jeremy Linton (5):
change mozjs interface module to c++
Switch to hard requiring mozjs24
Fix warnings caused by building with C++
Replace autocompartment
test: Add a test case to handle actions without explicit rules
Jiří Klimeš (1):
trivial: fix deprecated indication for polkit_agent_register_listener()
Matthias Clasen (1):
Add gettext support for .policy files
Miloslav Trmač (21):
Post-release version bump to 0.114
Consistently use HAVE_NETGROUP_H instead of HAVE_OPENBSD
Fix a memory leak of PolkitAgentListener's Server object
Remove polkitbackendconfigsource.[ch]
Add Slovak translation by Dusan Kazik <prescott66@gmail.com>
Add Indonesian translation by Andika Triwidada
Add Chinese (Taiwan) translation
Fix a typo in polkit(8)
Simplify GVariant reference counting
Fix a memory leak on an error path of lookup_asv (twice)
Fix a memory leak in server_handle_register_authentication_agent_with_options
Fix a memory leak in server_handle_unregister_authentication_agent
Fix a memory leak in server_handle_authentication_agent_response{,2}
Fix memory leaks in server_handle_*_temporary_authorizations
Fix error handling in polkit_authority_enumerate_temporary_authorizations_finish
Fix a memory leak per agent authentication
Fix a memory leak on agent authentication cancellation
Audit and fix GVariant reference counting
Fix help for (pkttyagent -s)
Fix a race condition when terminating runaway_killer_thread
Move to current GLib
Mingye Wang (Arthur2e5) (1):
Add zh_CN translation
Muhammet Kara (1):
Added Turkish translation
OBATA Akio (1):
Add support for NetBSD
Peter Hutterer (1):
gettext: switch to default-translate "no"
Philip Withnall (3):
polkit: Add g_autoptr() support for GObject-derived polkit types
data: Set GIO_USE_VFS=local in the environment
polkitbackend: Fix typos in a couple of initialisation error messages
Piotr Drąg (1):
Add Polish translation
Rafael Fontenelle (1):
Add Brazilian Portuguese translation
Ray Strode (34):
configure: bump mozjs requirement to 52
jsauthority: fix how classes are defined
jsauthority: use JS_FN instead of JS_FS
jsauthority: get rid of JSRuntime
jsauthority: change how setVersion is called
jsauthority: call JS_Init
jsauthority: call JS_InitSelfHostedCode
jsauthority: change how JIT is disabled
jsauthority: JS::SetWarningReporter instead of JS_SetErrorReporter
jsauthority: add UTF8 suffix to renamed functions
jsauthority: pass "%s" format string to report functions
jsauthority: s/JSBool/bool/
jsauthority: s/jsval/JS::Value/
jsauthority: s/JSVAL_NULL/JS::NullValue()/
jsauthority: s/JSVAL_VOID/JS::UndefinedValue()/
jsauthority: s/OBJECT_TO_JSVAL/JS::ObjectValue/
jsauthority: s/STRING_TO_JSVAL/JS::StringValue/
jsauthority: s/BOOLEAN_TO_JSVAL/JS::BooleanValue/
jsauthority: JSVAL_TO_OBJECT (o) to o.toObjectOrNull()
jsauthority: JSVAL_TO_STRING (s) to s.toString()
jsauthority: JSVAL_IS_STRING (s) to s.isString()
jsauthority: JSVAL_IS_NULL (o) to o.isNull()
jsauthority: Fix up JS_CallFunctionName invocations
jsauthority: use InterruptCallback api instead of OperationCallback
jsauthority: redo how global objects are set up
jsauthority: root some locals to the context
jsauthority: adapt arguments for new JS::Compile API
jsauthority: adapt arguments for new JS_ExecuteScript API
jsauthority: use JS::Evaluate instead of JS_EvaluateScript
jsauthority: fix up set_property methods
jsauthority: stop using JS_GetStringCharsZ
jsauthority: switch from JS_ConvertArguments to JS::CallArgsFromVp
jsauthority: re-enable JIT
Port JavaScript authority to mozjs52
Rui Matos (1):
polkitpermission: Fix a memory leak on authority changes
Sebastien Bacher (1):
Support polkit session agent running outside user session
Stef Walter (2):
polkitagent: Fix access after dereference on hashtable
polkitagent: No double warnings in polkit_agent_listener_register()
Sven Eden (1):
configure: enable elogind support in PolicyKit
Yuri Chornoivan (1):
Add Ukrainian translation
enkore (1):
Fix abnomal formatting of authentication header lines
muzena (1):
Add hr.po
Thanks to our contributors.
Colin Walters and Miloslav Trmač,
April 2, 2017
DEPRECATIONS/CHANGES:
- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
mount can now see information about that mount, such as its type and
options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
entities but these would not be able to be used successfully (even locally)
in replicated scenarios. We have now disallowed entities and groups from
being created for local mounts in the first place.
FEATURES:
- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
client IP seen by Vault. See the TCP listener configuration
page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
modifying only some values in existing data at a K/V path, but uses
check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
local to the cluster. This enables performance secondaries to generate and
consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
and migration between key and encryption types, such as from AES-CBC to
AES-GCM, can be performed at the same time (where supported).
IMPROVEMENTS:
- auth/approle: Support for cluster local secret IDs. This enables secondaries
to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
revoke associated tokens, but while the entity is disabled they cannot be
used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
engines will show you the ones you implicitly have access to (because you have
access to to secrets in those engines)
BUG FIXES:
- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
mounts
- identity: Fix error preventing authentication using local mounts on
performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
api calls. This should fix needing "update" capabilites to read IAM
credentials in the AWS secrets engine
0.30.0:
- Various small typos (Windows builds, Fix SSL.Connection.__del__)
- The project is now Linux-distribution agnostic
- Replace all old-style classes with the new ones (it shouldn't cause
any problems, but feel free to file an issue, if it does)
- Do not by-pass a potential transfer decoding in m2urllib2
- Update M2Crypto.six with 1.11.0 and replace our local workarounds with
new functions.
- SSLv3 just removed.
- Don't support Python 2.6 on Windows anymore. Windows users don't have
python as a system package, so they are usually more likely to upgrade
anyway.
Upstream changes:
1.04 Fri Apr 20 16:25:30 MST 2018
- silenced compiler warnings from VS2017
-- ref. rt.cpan.org #124477
-- thanks to Sergey Aleynikov for diagnostics
- modified addfile to return error when given a directory name
-- makes behavior consistent with GNU coreutils shaXsum
-- thanks to Scott Baker for pointing this out
Revision 0.2.1, released 23-11-2017
- Allow ANY DEFINED BY objects expanding automatically if requested
- Imports PEP8'ed
Revision 0.1.5, released 10-10-2017
- OCSP response blob fixed in test
- Fixed wrong OCSP ResponderID components tagging
Revision 0.1.4, released 07-09-2017
- Typo fixed in the dependency spec
Revision 0.1.3, released 07-09-2017
- Apparently, pip>=1.5.6 is still widely used and it is not PEP440
compliant. Had to replace the `~=` version dependency spec with a
sequence of simple comparisons to remain compatible with the aging pip.
Revision 0.1.2, released 07-09-2017
- Pinned to pyasn1 ~0.3.4
Revision 0.1.1, released 27-08-2017
- Tests refactored into proper unit tests
- pem.readBase64fromText() convenience function added
- Pinned to pyasn1 0.3.3
Release 1.12.2:
Added support for using pathlib objects as paths in calls to SFTP methods, in addition to Unicode and byte strings. This is mainly intended for use in constructing local paths, but it can also be used for remote paths as long as POSIX-style pathlib objects are used and an appropriate path encoding is set to handle the conversion from Unicode to bytes.
Changed server EXT_INFO message to only be sent after the first SSH key exchange, to match the specification recently published in RFC 8308.
Fixed edge case in TCP connection forwarding where data received on a forward TCP connection was not delivered if the connection was closed or half-closed before the corresponding SSH tunnel was fully established.
Made note about OpenSSH not properly handling send_signal more visible.
3.6.1:
New features
Added Google Wycheproof tests (https://github.com/google/wycheproof) for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC.
New parameter mac_len (length of MAC tag) for CMAC.
Resolved issues
In certain circumstances (at counter wrapping, which happens on average after 32 GBi) AES GCM produced wrong ciphertexts.
Method encrypt() of AES SIV cipher could be still called, whereas only encrypt_and_digest() should be allowed.
This is a development release, but gnutls needs at least 0.23.x,
so take the latest development release.
0.23.10 (devel)
* filter: Respect "write-protected" vendor-specific attribute in
PKCS#11 URI [PR#129]
* server: Improve shell integration and documentation [PR#107, PR#108]
* proxy: Reuse existing slot ID mapping in after fork() [PR#120]
* trust: Forcibly mark "Default Trust" read-only [PR#123]
* New function p11_kit_override_system_files() which can be used for
testing [PR#110]
* trust: Filter out duplicate extensions [PR#69]
* Update translations [PR#128]
* Bug fixes [PR#125, PR#126]
0.23.9 (devel)
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
0.23.8 (devel)
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
0.23.7 (devel)
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
0.23.6 (devel)
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
0.23.5 (devel)
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
0.23.4 (devel)
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
0.23.3 (devel)
* Install private executables in libexecdir [#98817]
* Fix link error of proxy module on macOS [#98022]
* Use new PKCS#11 URI specification for URIs [#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules [#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [#87192 ...]
0.23.2 (devel)
* Fix forking issues with libffi [#90289 ...]
* Updated translations
* Build fixes [#90827#89081#92434#92520#92445#92551#92843#92842#92807#93211 ...]
0.23.1 (devel)
* Use new PKCS#11 URI draft fields for URIs [#86474#87582]
* Add pem-directory-hash extract format
* Build fixes
