Skip to content

Releases: foundriesio/fioctl

Release v0.43

19 Nov 23:19
v0.43
Compare
Choose a tag to compare
Release Notes:

* EdgeLock2GO is no longer offered as a part of FoundriesFactory.
  An el2g command was removed from this version of Fioctl.
  For old versions of Fioctl el2g command returns a server side generated error.

Features:

* Add ability to operate devices by UUID in all commands accepting the device name as a parameter.
* Add an option to specify a local OSTree repo source directory when generating offline update bundle.
* Add flags to set updates config tag and apps to preset values.

Fixes:

* Support absence of apps when generating an offline update bundle.
  Before the fix, use cases resulting into no apps download URI were yielding an error.
* Preserve arch and image-file fields when adding targets.
  These fields were removed from a target before the change.
* Set default values for uri, origUri and origUriApps when adding targets.
  For custom apps target, origUri is set while uri and origUriApps are empty.
  For custom OSTree target, origUriApps is set while uri and origUri are empty.

Changes:

* Remove el2g command; feature is no longer supported.
* Remove updates_list command; it was deprecated since 2021.
* Error out when user specifies a ~ character in --creds-path parameter to configure-git command.
  When using `--creds-path ~/.config` the shell makes expansion, so that way it works well.
  When using `--creds-path=~/.config` there is no expansion, so the command fails.
  Before the change, a command would try to use a folder containing verbatim ~ in its name, that is wrong.
* Error out generating offline update bundle if OSTree repo does not contain target hash.
  An offline bundle created in such way would fail installation.
* Clean up help and error messages for all commands.

Release v0.42

28 May 17:44
v0.42
Compare
Choose a tag to compare
Release Notes:

* License changed from Apache v2 to BSD-3 Clause

Features:

* Add support for multi target Offline Update bundles.
  Added targets are now catalogued in a signed `bundle-targets.json` inside a bundle.
  This allows offline update clients to more accurately select a target to install.
* Add a command to sign Offline Update bundle with more than one offline targets key.
* Add a command to print the detail about an Offline Update bundle.
* Add a flag to filter device list for only production or only non-production devices.

Fixes:

* Pull production targets when user creates an Offline Update bundle for a Wave.
* Disable compression in default transport.
  Since CloudFlare started compressing responses by default recently,
  artifacts download is broken without this fix.
* Properly escape special characters when filtering device list by name or uuid pattern.

Changes:

* An Offline Update bundle is now checked for integrity at each command modifying it.
  User is notified about any actions they need to take to correct it.
* Remove the (re-)installing field from factory and wave status output.
  This field is no longer being calculated by the API.

Release v0.41

29 Feb 18:21
v0.41
Compare
Choose a tag to compare
Features:

* Support creating an offline update from wave targets.

Fixes:

* Do not add keyEncipherment or keyAgreement to the device gateway TLS certificate.
  These key usages are disallowed for ECDSA certificates by the latest X.509 standard.
* Always compare apps to latest apps in config when validating new updates config.
  Apps reported as installed by the device are shown to the user, but not used for validation.
* Properly check if production target exists for a given tag when creating an offline update.

Changes:

* Dynamically build source URL used by a Git helper in MEDS.
* Dynamically build registry URL used by a Docker helper in MEDS.
* Improve a human readable error shown when factory PKI is not initialized.
* Improve a human readable error shown when TUF private keys are missing.
* Fetch apps for offline update from the published run if it is present.
* Improve UX of the SBOM conversion process.

Release v0.40

22 Dec 15:29
v0.40
Compare
Choose a tag to compare
Features:

* Support TUF signature re-signing for active waves on TUF key rotations.
  This feature actually consists of several related improvements:

  - Allow rotating offline TUF targets signing key when there are active waves.
  - Allow rotating online TUF signing keys when there are active waves.
  - Allow changing TUF targets signature threshold when there are active waves.
  - Allow staring a new wave when there are any of the above TUF root updates in progress.
  - Automatically re-sign wave targets when one of the offline TUF keys (used to sign them) is being rotated.
    This improvement covers the `fioctl keys tuf updates rotate-offline-key` command.
  - Automatically re-sign wave targets when one of the online TUF keys is being rotated.
    This improvement covers the `fioctl keys tuf updates rotate-online-key` command.
  - Allow manually (re-)signing wave targets during TUF root updates.
    This improvement covers the `fioctl keys tuf updates sign-prod-targets` command.

* Support filtering waves by status and/or tag in `fioctl waves list`.

Fixes:

* Show user who created the config in `fioctl [device] config show`.
* Properly clean up signing key owners in TUF root when the key is deleted or rotated out.

Changes:

* Support loading oauth-url from the config file.
* Support absolute executable path for docker-credential-helper.

Release v0.39

14 Nov 15:53
v0.39
5cf0426
Compare
Choose a tag to compare
Features:

* Ability to disable or revoke a device CA via a crypto-signed CRL.

  - When a device CA is disabled, devices with client certificates it issued can no longer be registered.
  - When a device CA is revoked, they cannot connect to the backend in addition to the above.

Release v0.38

20 Oct 11:30
v0.38
Compare
Choose a tag to compare
Features:

* Support HSM based factory root CA for "el2go config-device-gateway" and "est authorize".
* Support TLS certificate rotation for device gateway and OSTree server using "keys ca rotate-tls".
* Support adding more than 1 online or local device CA using "keys ca add-device-ca".

Changes:

* Check if target directory contains update data before generating offline update using "targets offline-update".
  Added an option to allow or deny overwriting update data if it is present (denied by default).
* Don't show "last connection" field for El2Go devices list using "el2go devices".
* Support Subject Key ID and Authority Key ID X.509 extensions in "keys ca show".

Fixes:

* Clean tag duplicates when re-tagging using "targets tag".
* Deny empty positional arguments like "" or '' for all commands.
  Such arguments were passing validation and could lead to undefined behavior in some commands.
* Do not overwrite the online device CA in PKI directory when running "el2go config-device-gateway".
  An El2Go device CA needs not be written to disk at all; it is send to the cloud API instead.
* Require the "--pki-dir" argument in "el2go config-device-gateway".
  It defaulted to the current directory in the past, that would usually fail when running the command.

Notes:

* In v0.37 the "el2go config-device-gateway" and "est authorize" were still using Bash scripts to generate certificates.
  That would not work for new customers, and did not support the HSM based factory root CA for old customers.
  Those two commands were modified to use the same Golang based PKI as all "keys ca" subcommands in v0.38.

Release v0.37

06 Oct 18:02
v0.37
ba783a0
Compare
Choose a tag to compare
Features:

* Switch factory PKI management to pure Golang implementation for all platforms.
  Disabled a Bash based implementation which downloaded PKI scripts from the API and executed them on user's machine.
* Added the ability to store factory root CA inside the HSM device for all supported platforms.
  User needs to install OpenSC pkcs11-tool for this feature to work.

Changes:

* The "keys ca create" now always creates Factory PKI files with read-only permissions.
* The "keys ca create" now always requires a user to provide the token label when using the HSM device.
* Warn users when they create a wave for a target which has not static deltas defined.
* Multiple CI improvements (dependabot, testing, linting, makefile).

Fixes:

* The "keys ca create" was failing to sign TLS certificate when storing factoru root CA on the HSM device.
* The "keys ca create" on Windows was creating the TLS certificate with CA extension.
* The "devices list" column "current-update" was misspelled as "curent-update".

Notes:

* A device list column "curent-update" was fixed to "current-update".
  If you have a script using misspelled column name - it needs to be updated.

Release v0.36

26 Sep 12:53
v0.36
5405c0e
Compare
Choose a tag to compare
* Added TUF based self-update `version --update-to`
* Fix for initial TUF targets key rotation
* Fix Git credential helper setup bug on Windows
* UX improvement for el2g device IDs

Release v0.35

11 Aug 17:20
v0.35
Compare
Choose a tag to compare
Changes:

* Track offline TUF keys ownership in a signed root.json field.

Notes:

* When someone upgraded to this version or higher, and made changes to TUF root,
  other users trying to make changes to TUF root will be required to upgrade as well by the API.
  This is a safety belt which prevents an accidental erase of the TUF keys ownership information.

Release v0.34.2

11 Aug 16:52
v0.34.2
Compare
Choose a tag to compare
Changes:

* Docs: fixed new Fioctl TUF commands help to render well with Sphinx