Skip to content

Releases: signalapp/libsignal

v0.21.1

20 Oct 20:46
Compare
Choose a tag to compare
- attest: add INTEL-SA-00657 to acceptable advisories
- Java: Change SenderCertificate#getSender to always return UUID

v0.21.0

14 Oct 21:07
Compare
Choose a tag to compare
- attest: Reject reports, even if valid, that contain all zeros in
  report data
- zkgroup: Removed v1 presentations
- iOS: Bump minimum supported iOS version to 12.2

v0.20.0

22 Aug 22:28
Compare
Choose a tag to compare
- Fix Android 4.4 compatibility
- attest: require dcap enclaves to not be in debug mode
- zkgroup: Move AuthCredential redemption time checking down to Rust.
  Only affects the server APIs
  - Java: removes zkgroup's InvalidRedemptionTimeException
  - Swift/Node: AuthCredential redemption times were not checked before
    by the Swift/Node zkgroup server APIs; now they are.

v0.19.3

04 Aug 18:39
Compare
Choose a tag to compare
- attest: CDS2 verification now checks that the quote collateral is
  valid at some point in the future (currently 24h) rather than now,
  mainly to address clock skew on the local device.

- attest: An API has been added for libsignal-server to extract
  attestation metrics from serialized evidence and endorsements.

v0.19.2

01 Aug 23:57
Compare
Choose a tag to compare
- device-transfer: Encoded private keys once again use PKCS#8 DER.
- Node: Restored compatibility with Apple Silicon Macs on NPM.
- Node: Restored compatibility with Ubuntu 16 on NPM.

v0.19.1

26 Jul 00:20
Compare
Choose a tag to compare
Fix the Docker build, and remove the dependency on the cargo-ndk tool.
No functionality change in libsignal itself.

v0.19.0

22 Jul 22:42
Compare
Choose a tag to compare
Intel DCAP-based attestation is now fully implemented for CDS2! The
"NOT_FOR_PRODUCTION" static methods on CdsiClient have been replaced
by normal constructors in Java and Swift and a plain 'new' method in
TypeScript.

Additional changes:

- attest and device-transfer now depend on the 'boring' crate, which
  wraps BoringSSL. This may complicate cross-compilation; only
  Signal's supported platforms have been tested, plus light testing
  of Arm64 Windows and Linux.

- Node: Expose missing IdentityKeyPair.deserialize().

- zkgroup: the generate-server-params binary target allows updating
  your private server parameters in a backwards-compatible way. Only
  useful if you run your own group server.

- Rust: in libsignal-protocol, device IDs and pre-key IDs now use
  strongly-typed wrapper structs rather than plain integers.

v0.18.1

29 Jun 18:40
Compare
Choose a tag to compare
- Deprecate zkgroup methods operating on PniCredentials
- node: Expose AuthCredentialWithPni and ExpiringProfileKeyCredential
  through '@signalapp/libsignal/zkgroup'.

v0.18.0: This release introduces two new credentials in zkgroup,

22 Jun 23:02
Compare
Choose a tag to compare
ExpiringProfileKeyCredential and AuthCredentialWithPni. Both
credentials have presentations usable with the existing
ProfileKeyPresentation and AuthCredentialPresentation variant types,
respectively. There have been some corresponding changes to existing
APIs:

- zkgroup's RedemptionTime type has been renamed to
  CoarseRedemptionTime, and ReceiptExpirationTime to plain Timestamp.
  These fields were previously treated opaquely, but are now expected
  to be days and seconds since the Unix epoch, respectively. (This
  matches how they're used in Signal.)

- Node: ReceiptCredential.getReceiptExpirationTime() and
  ReceiptCredentialPresentation.getReceiptExpirationTime() now return
  a number rather than a bigint, since any valid expiration time fits
  within MAX_SAFE_INTEGER.

- AuthCredentialPresentation.getRedemptionTime() now returns
  Instant (Java), Date (Swift), Date (TypeScript), or
  zkgroup::Timestamp (Rust). Previously it returned a 32-bit integer.
  Likewise, verifyAuthCredentialPresentation() now takes an
  Instant/Date/Date/Timestamp to represent the current time.

- AuthCredentialPresentation.getPniCiphertext() has been added,
  returning null for older credential versions.

- verifyProfileKeyCredentialPresentation() now takes an
  Instant (Java), Date (Swift), Date (TypeScript), or
  zkgroup::Timestamp (Rust) representing the current time. This is an
  optional parameter in every language but Rust; if omitted, the
  current time will be used.

- getStructurallyValidV1PresentationBytes() has been added to
  ProfileKeyCredentialPresentation to smooth over a use case where
  presentations are read by other clients and not just the server.

- The server "zkgroup parameters" have grown and will need updating.
  The new parameters are backwards-compatible with the old parameters
  as long as the values for existing keys are not changed.

Other changes:

- The 'needsPniSignature' field in SessionRecords has been removed.

- Node: zkgroup "ByteArray" types are now correctly distinguished by
  the TypeScript compiler instead of being treated as interchangeable.

v0.17.0

13 May 21:47
Compare
Choose a tag to compare
Introduces initial, not-for-production client bindings for CDS2, the upcoming version of Signal’s Contact Discovery Service. CDS2 runs on Intel SGX over a Noise channel, similar to how HsmEnclave runs on HSMs over a Noise channel. The existing ‘hsm-enclave’ crate has been merged into the new ‘attest’ crate.

Additional changes:
- Node: Test with plain 'mocha' instead of 'electron-mocha'
- Java: Fix Dockerfile for an actually-reproducible build
- Rust: Update our fork of curve25519-dalek to match upstream 3.2.1