Releases: signalapp/libsignal
Releases · signalapp/libsignal
v0.21.1
- attest: add INTEL-SA-00657 to acceptable advisories - Java: Change SenderCertificate#getSender to always return UUID
v0.21.0
- attest: Reject reports, even if valid, that contain all zeros in report data - zkgroup: Removed v1 presentations - iOS: Bump minimum supported iOS version to 12.2
v0.20.0
- Fix Android 4.4 compatibility - attest: require dcap enclaves to not be in debug mode - zkgroup: Move AuthCredential redemption time checking down to Rust. Only affects the server APIs - Java: removes zkgroup's InvalidRedemptionTimeException - Swift/Node: AuthCredential redemption times were not checked before by the Swift/Node zkgroup server APIs; now they are.
v0.19.3
- attest: CDS2 verification now checks that the quote collateral is valid at some point in the future (currently 24h) rather than now, mainly to address clock skew on the local device. - attest: An API has been added for libsignal-server to extract attestation metrics from serialized evidence and endorsements.
v0.19.2
- device-transfer: Encoded private keys once again use PKCS#8 DER. - Node: Restored compatibility with Apple Silicon Macs on NPM. - Node: Restored compatibility with Ubuntu 16 on NPM.
v0.19.1
Fix the Docker build, and remove the dependency on the cargo-ndk tool. No functionality change in libsignal itself.
v0.19.0
Intel DCAP-based attestation is now fully implemented for CDS2! The "NOT_FOR_PRODUCTION" static methods on CdsiClient have been replaced by normal constructors in Java and Swift and a plain 'new' method in TypeScript. Additional changes: - attest and device-transfer now depend on the 'boring' crate, which wraps BoringSSL. This may complicate cross-compilation; only Signal's supported platforms have been tested, plus light testing of Arm64 Windows and Linux. - Node: Expose missing IdentityKeyPair.deserialize(). - zkgroup: the generate-server-params binary target allows updating your private server parameters in a backwards-compatible way. Only useful if you run your own group server. - Rust: in libsignal-protocol, device IDs and pre-key IDs now use strongly-typed wrapper structs rather than plain integers.
v0.18.1
- Deprecate zkgroup methods operating on PniCredentials - node: Expose AuthCredentialWithPni and ExpiringProfileKeyCredential through '@signalapp/libsignal/zkgroup'.
v0.18.0: This release introduces two new credentials in zkgroup,
ExpiringProfileKeyCredential and AuthCredentialWithPni. Both credentials have presentations usable with the existing ProfileKeyPresentation and AuthCredentialPresentation variant types, respectively. There have been some corresponding changes to existing APIs: - zkgroup's RedemptionTime type has been renamed to CoarseRedemptionTime, and ReceiptExpirationTime to plain Timestamp. These fields were previously treated opaquely, but are now expected to be days and seconds since the Unix epoch, respectively. (This matches how they're used in Signal.) - Node: ReceiptCredential.getReceiptExpirationTime() and ReceiptCredentialPresentation.getReceiptExpirationTime() now return a number rather than a bigint, since any valid expiration time fits within MAX_SAFE_INTEGER. - AuthCredentialPresentation.getRedemptionTime() now returns Instant (Java), Date (Swift), Date (TypeScript), or zkgroup::Timestamp (Rust). Previously it returned a 32-bit integer. Likewise, verifyAuthCredentialPresentation() now takes an Instant/Date/Date/Timestamp to represent the current time. - AuthCredentialPresentation.getPniCiphertext() has been added, returning null for older credential versions. - verifyProfileKeyCredentialPresentation() now takes an Instant (Java), Date (Swift), Date (TypeScript), or zkgroup::Timestamp (Rust) representing the current time. This is an optional parameter in every language but Rust; if omitted, the current time will be used. - getStructurallyValidV1PresentationBytes() has been added to ProfileKeyCredentialPresentation to smooth over a use case where presentations are read by other clients and not just the server. - The server "zkgroup parameters" have grown and will need updating. The new parameters are backwards-compatible with the old parameters as long as the values for existing keys are not changed. Other changes: - The 'needsPniSignature' field in SessionRecords has been removed. - Node: zkgroup "ByteArray" types are now correctly distinguished by the TypeScript compiler instead of being treated as interchangeable.
v0.17.0
Introduces initial, not-for-production client bindings for CDS2, the upcoming version of Signal’s Contact Discovery Service. CDS2 runs on Intel SGX over a Noise channel, similar to how HsmEnclave runs on HSMs over a Noise channel. The existing ‘hsm-enclave’ crate has been merged into the new ‘attest’ crate. Additional changes: - Node: Test with plain 'mocha' instead of 'electron-mocha' - Java: Fix Dockerfile for an actually-reproducible build - Rust: Update our fork of curve25519-dalek to match upstream 3.2.1