Releases: open-runtime/encrypt

v7.0.5

25 Feb 00:14

encrypt v7.0.5

  • Decision: patch
  • Key Changes:
    • Fix: Updated the GCM example to correctly use a 12-byte IV.
    • Fix: Added explicit detection of encrypted PEM private keys in RSAKeyParser, throwing an actionable FormatException instead of failing with cryptic ASN.1 parsing errors.
    • Docs: Overhauled README with more accurate documentation on secure random keys/IVs, IV persistence, GCM usage, and platform notes.
    • Tests: Added "battle tests" for CBC IV persistence and GCM IV enforcement.
    • Chore: Formatted code to 120 line length.
  • Breaking Changes: None.
  • New Features: None.
  • References:
    • fix(security): GCM example IV, encrypted PEM detection, README overhaul

Changelog

[7.0.5] - 2026-02-24

Added

  • Added actionable error messages when attempting to parse passphrase-encrypted PEM private keys
  • Added extensive README updates covering secure random IVs, IV persistence, GCM mode, and platform compliance notes
  • Added battle tests for CBC IV persistence and GCM IV enforcement

Changed

  • Applied dart format with 120 line length across modified files

Fixed

  • Fixed AES-GCM example to correctly use a 12-byte IV instead of 16-byte

Security

  • Enforced correct IV usage in GCM examples and clarified IV persistence in documentation to prevent nonce-reuse vulnerabilities

Full Changelog | CHANGELOG.md

v7.0.4

24 Feb 22:22

encrypt v7.0.4

Maintenance release — 2026-02-24

This release focuses on strengthening our continuous integration pipeline. We have upgraded runtime_ci_tooling to v0.13.0, which splits the previously combined analysis and testing phases into separate jobs. Most notably, we have enabled a comprehensive 6-platform test matrix (Ubuntu x64/arm64, macOS x64/arm64, Windows x64/arm64) utilizing organization-managed runners to ensure robust cross-platform compatibility.

Maintenance & CI

  • Upgrade CI Tooling — Upgraded runtime_ci_tooling dev_dependency to ^0.13.0.
  • Expanded Test Matrix — Split analyze-and-test into separate jobs and enabled a 6-platform test matrix using org-managed runners for enhanced validation.

Upgrade

dart pub upgrade encrypt

Issues Addressed

No linked issues for this release.

Full Changelog

v7.0.3...v7.0.4


v7.0.3

24 Feb 17:44

encrypt v7.0.3

Maintenance release — 2026-02-24

Maintenance

  • Repository cleanup — Updated the .gitignore file to properly exclude new local development artifacts, such as .claude/, .dart_tool/, and custom_lint.log, ensuring cleaner subsequent commits. (292c1e7)

Issues Addressed

No linked issues for this release.

Upgrade

dart pub upgrade encrypt

Full Changelog

v7.0.2...v7.0.3


v7.0.2

24 Feb 16:17

encrypt v7.0.2

Bug fix release — 2026-02-24

Bug Fixes

  • Prevent upstream leakage during issue triage — Added shell-level organization guards (open-runtime and pieces-app) and explicit --repo arguments to the .gemini/commands/triage.toml tool command. This prevents gh commands from resolving to upstream repositories when executed within fork contexts and adds duplicate checking logic to prevent redundant triage comments.

Upgrade

dart pub upgrade encrypt

Issues Addressed

No linked issues for this release.

Full Changelog

v7.0.1...v7.0.2


v7.0.1

24 Feb 02:25

encrypt v7.0.1

Bug fix release — 2026-02-24

Bug Fixes

  • CI pipeline stability — Bumps the runtime_ci_tooling dev dependency to ^0.12.0 (picking up v0.12.1). This fixes an issue where create-release pull --rebase would fail during the automated release process if previous pipeline steps left unstaged changes.

Upgrade

dart pub upgrade encrypt

Issues Addressed

No linked issues for this release.

Full Changelog

v7.0.0...v7.0.1


v7.0.0

24 Feb 01:09

encrypt v7.0.0

This major release introduces critical security enhancements to protect against timing side-channel attacks and brute-force vulnerabilities. It also adds strict validation for cryptographic primitives and introduces a helpful base64 URL-safe encoding utility.

Highlights

  • CRITICAL Security Fixes — Mitigates timing side-channel attacks in Fernet HMAC verification and RSA signature verification using constant-time comparison.
  • Enhanced PBKDF2 Defaults — Drastically improves resistance to brute-force attacks by raising the default Key.stretch iterations from 100 to 600,000 to align with OWASP recommendations.
  • Strict Key/IV Validation — Prevents cryptographic misuse by strictly enforcing standard key lengths (16, 24, or 32 bytes) and IV lengths (12 bytes for GCM, 16 bytes for others) in AES algorithms.

Breaking Changes

2 breaking changes in this release.
See the full Migration Guide for step-by-step instructions.

Change | Quick Fix
PBKDF2 iteration count increased from 100 to 600,000 by default | iterationCount: 100
Strict validation for AES key and IV lengths has been added | Ensure valid lengths

Breaking Change 1: PBKDF2 Iteration Count

What changed: The default iteration count for Key.stretch has been changed from 100 to 600000. This is a breaking change because calling Key.stretch without specifying the iteration count will now produce a different derived key.

Before:

  Key stretch(int desiredKeyLength, {int iterationCount = 100, Uint8List? salt}) {

After:

  Key stretch(int desiredKeyLength, {int iterationCount = 600000, Uint8List? salt}) {

Migration: If your application relies on the previous default of 100 iterations to decrypt existing data, you must explicitly set iterationCount: 100 when calling Key.stretch().
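Pinning iterationCount: 100 keeps existing data readable but leaves it protected by the old work factor. The sketch below is an added example, not code from the encrypt project: it stores the iteration count with each record and re-encrypts legacy records under 600,000 iterations. The Record class and the seal, open and upgrade helpers are hypothetical, and Encrypter, IV.fromSecureRandom, Key.fromUtf8 and the package:encrypt/encrypt.dart import are assumed to be available in this package.

```dart
import 'dart:typed_data';

import 'package:encrypt/encrypt.dart';

const legacyIterations = 100; // default before 7.0.0
const currentIterations = 600000; // default from 7.0.0

/// Stored form of one secret (hypothetical layout). Salt, IV and iteration
/// count are not secret; keeping the count with the record is what makes a
/// later upgrade possible.
class Record {
  Record(this.iterations, this.salt, this.iv, this.ciphertext);
  final int iterations;
  final Uint8List salt;
  final IV iv;
  final Encrypted ciphertext;
}

Encrypter _cipherFor(String passphrase, Uint8List salt, int iterations) {
  // Pass iterationCount explicitly so a changed default cannot silently
  // change the derived key.
  final key = Key.fromUtf8(passphrase).stretch(32, iterationCount: iterations, salt: salt);
  return Encrypter(AES(key, mode: AESMode.cbc));
}

Record seal(String passphrase, String plaintext, int iterations) {
  final salt = SecureRandom(16).bytes;
  final iv = IV.fromSecureRandom(16); // 16-byte IV for CBC
  final ct = _cipherFor(passphrase, salt, iterations).encrypt(plaintext, iv: iv);
  return Record(iterations, salt, iv, ct);
}

String open(String passphrase, Record r) =>
    _cipherFor(passphrase, r.salt, r.iterations).decrypt(r.ciphertext, iv: r.iv);

/// Re-encrypts a legacy record under the current count with a new salt and IV.
Record upgrade(String passphrase, Record r) =>
    r.iterations >= currentIterations ? r : seal(passphrase, open(passphrase, r), currentIterations);

void main() {
  const passphrase = 'constructed-sample-passphrase'; // constructed sample input
  final old = seal(passphrase, 'constructed sample secret', legacyIterations);
  final fresh = upgrade(passphrase, old);
  print('${old.iterations} -> ${fresh.iterations}: ${open(passphrase, fresh)}');
}
```

The upgrade can only run while the passphrase is available, so a login or unlock path is the natural place to call it.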

Breaking Change 2: AES Key/IV Length Validation

What changed: Stricter validation for AES key and IV lengths will now throw an ArgumentError immediately if an invalid length is provided, whereas previously it might have failed later or produced undefined behavior.

Before:

  AES(this.key, {this.mode = AESMode.sic, this.padding = 'PKCS7'})
    : _streamCipher = padding == null && _streamable.contains(mode) ? StreamCipher('AES/${_modes[mode]}') : null {

After:

  AES(this.key, {this.mode = AESMode.sic, this.padding = 'PKCS7'})
    : _streamCipher = padding == null && _streamable.contains(mode) ? StreamCipher('AES/${_modes[mode]}') : null {
    if (key.bytes.length != 16 && key.bytes.length != 24 && key.bytes.length != 32) {
      throw ArgumentError(
        'AES key must be 16, 24, or 32 bytes (128, 192, or 256 bits). '
        'Got ${key.bytes.length} bytes.',
      );
    }

Migration: Ensure your AES keys are exactly 16, 24, or 32 bytes long, and your IVs are 12 bytes for GCM mode and 16 bytes for other modes. Provide valid-length keys and IVs to avoid an ArgumentError.
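The length rules above and the IV persistence point from the 7.0.5 notes fit in one pattern: generate a fresh 12-byte IV per message and store it in front of the ciphertext. This is an added example, not code from the encrypt project; sealGcm, openGcm and keyLengthRejected are hypothetical helpers, and Encrypter, IV, Encrypted, Key.fromSecureRandom and IV.fromSecureRandom are assumed to be available in this package.

```dart
import 'dart:typed_data';

import 'package:encrypt/encrypt.dart';

const gcmIvLength = 12; // bytes; the length enforced for GCM since 7.0.0

/// Encrypts under a fresh random IV and returns IV || ciphertext.
/// The IV is not secret, but it must never repeat under the same key.
Uint8List sealGcm(Key key, String plaintext) {
  final iv = IV.fromSecureRandom(gcmIvLength);
  final ct = Encrypter(AES(key, mode: AESMode.gcm)).encrypt(plaintext, iv: iv);
  return Uint8List.fromList([...iv.bytes, ...ct.bytes]);
}

/// Recovers the IV from the front of the stored blob and decrypts the rest.
String openGcm(Key key, Uint8List blob) {
  if (blob.length <= gcmIvLength) {
    throw const FormatException('Blob is too short to hold an IV and ciphertext.');
  }
  final iv = IV(blob.sublist(0, gcmIvLength));
  final ct = Encrypted(blob.sublist(gcmIvLength));
  return Encrypter(AES(key, mode: AESMode.gcm)).decrypt(ct, iv: iv);
}

/// True when the AES constructor rejects a key of [length] bytes.
bool keyLengthRejected(int length) {
  try {
    AES(Key(Uint8List(length)), mode: AESMode.gcm);
    return false;
  } on ArgumentError {
    return true;
  }
}

void main() {
  final key = Key.fromSecureRandom(32);
  // Constructed sample message, sealed twice under the same key.
  final first = sealGcm(key, 'constructed sample message');
  final second = sealGcm(key, 'constructed sample message');
  // Each blob starts with its own IV, so the two stored values differ.
  print(first.sublist(0, gcmIvLength));
  print(second.sublist(0, gcmIvLength));
  print(openGcm(key, first));
  print('20-byte key rejected: ${keyLengthRejected(20)}');
}
```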

What's New

SecureRandom.base64Url

Added base64Url getter to SecureRandom for URL-safe base64 encoding without relying on external dependencies or manual conversions.

final random = SecureRandom(32);
print(random.base64Url);

Bug Fixes

  • AES Validation — Validated AES key lengths (16/24/32 bytes) and IV lengths (12 bytes for GCM, 16 for others) to prevent misuse (#18, fixes #18)
  • Fernet Timing Attack — Implemented constant-time XOR-accumulation comparison for Fernet HMAC verification to fix timing side-channel attacks (#16, fixes #16)
  • RSA Timing Attack — Used constant-time XOR comparison for equal-length RSA signature verification to fix timing side-channel attacks (#16, fixes #16)
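The two timing fixes above replace an early-exit byte comparison with XOR accumulation. The following is an added illustration in plain Dart, not the project's own implementation; leakyEquals and constantTimeEquals are hypothetical names and the tags are constructed sample values.

```dart
import 'dart:typed_data';

/// Early-exit comparison: the loop stops at the first mismatching byte, so
/// run time tells the caller how long the matching prefix is.
bool leakyEquals(Uint8List a, Uint8List b) {
  if (a.length != b.length) return false;
  for (var i = 0; i < a.length; i++) {
    if (a[i] != b[i]) return false;
  }
  return true;
}

/// XOR-accumulation comparison: every byte is visited and the verdict is
/// taken only after the loop, so there is no branch on secret data inside it.
/// The length check may return early because a MAC's length is public.
bool constantTimeEquals(Uint8List a, Uint8List b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return diff == 0;
}

void main() {
  // Constructed 32-byte tags standing in for HMAC-SHA256 outputs.
  final expected = Uint8List.fromList(List<int>.generate(32, (i) => i));
  final wrongAtStart = Uint8List.fromList(expected);
  wrongAtStart[0] ^= 0xff;
  final wrongAtEnd = Uint8List.fromList(expected);
  wrongAtEnd[31] ^= 0xff;

  // Both functions agree on the result; only the amount of work before
  // returning differs between the two mismatching candidates.
  for (final candidate in [expected, wrongAtStart, wrongAtEnd]) {
    print('${leakyEquals(expected, candidate)} ${constantTimeEquals(expected, candidate)}');
  }
}
```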

Issues Addressed

  • #18 — fix(security): AES key/IV validation, SecureRandom.base64Url, GCM docs + tests (confidence: 100%)
  • #16 — fix(security): 4 CRITICAL vulnerability fixes (confidence: 100%)

Deprecations

  • AESMode.ecb is deprecated — use AESMode.gcm or AESMode.cbc instead. Will be removed in v8.0.0.

Upgrade

dart pub upgrade encrypt
dart fix --apply  # Automated fixes for breaking changes

Then follow the Migration Guide for any remaining manual changes.

Full Changelog

v6.0.2...v7.0.0


Full Changelog | CHANGELOG.md | Migration Guide

v6.0.2

23 Feb 23:22

encrypt v6.0.2

Bug fix release — 2026-02-23

Bug Fixes

  • Updated CI workflows — Updated the CI tooling (runtime_ci_tooling) to version v0.11.2, replacing custom test and format runners with standard dart analyze, dart format, and dart test commands.

Upgrade

dart pub upgrade encrypt

Issues Addressed

No linked issues for this release.

Full Changelog

v6.0.1...v6.0.2


v6.0.1

23 Feb 03:05

encrypt v6.0.1

Maintenance release — 2026-02-23

Maintenance

  • Workspace Tooling Update — Bumped runtime_ci_tooling dev_dependency to ^0.10.0 to ensure consistent dependency resolution across the workspace.

Issues Addressed

No linked issues for this release.

Upgrade

dart pub upgrade encrypt

Full Changelog

v6.0.0...v6.0.1


v6.0.0

22 Feb 23:55

encrypt v6.0.0

This major release modernizes the encrypt package and resolves all analyzer lint issues to ensure a cleaner and more stable codebase. As part of this effort, RSA encoding and digest enum values have been renamed to lowerCamelCase to comply with Dart's constant_identifier_names lint rule, necessitating a major version bump.

Highlights

  • Standardized Constants — RSA encoding and digest enum values now use lowerCamelCase for compliance with Dart lint rules.
  • Modernized Directives — Updated all part of directives to use URI syntax and removed the named library directive.
  • Codebase Cleanliness — Resolved 42 analyzer lint issues across the package, enhancing overall reliability and maintainability.

Breaking Changes

1 breaking change in this release.
See the full Migration Guide for step-by-step instructions.

Change | Quick Fix
Renamed RSA and digest enum values | Replace uppercase enum usages like RSAEncoding.PKCS1 with RSAEncoding.pkcs1

Breaking Change 1: Renamed RSA and Digest Enum Values

What changed: RSAEncoding, RSADigest, and RSASignDigest enum values were renamed from uppercase to lowerCamelCase.

Before:

encrypter = Encrypter(
  RSA(
    publicKey: publicKey,
    privateKey: privKey,
    encoding: RSAEncoding.OAEP,
    digest: RSADigest.SHA256,
  )
);

After:

encrypter = Encrypter(
  RSA(
    publicKey: publicKey,
    privateKey: privKey,
    encoding: RSAEncoding.oaep,
    digest: RSADigest.sha256,
  )
);

Migration: Update all references to these enum values throughout your codebase to match the new lowerCamelCase formats (e.g., replace RSAEncoding.PKCS1 with RSAEncoding.pkcs1).

What's New

Modernized Dart Syntax and Directives

The library has been updated to take advantage of modern Dart syntax, such as use_super_parameters across constructors (IV, Key, RSA, and RSASigner) and null-aware assignment operators (??=) in the Fernet algorithm and Key.stretch. Furthermore, part of directives now use URI syntax instead of named libraries.

Bug Fixes

  • Codebase Lint Errors — Fixed 42 analyzer lint issues across the library, including correcting unintentionally parsed HTML in documentation comments and proper usage of null-aware assignment operators.

Issues Addressed

No linked issues for this release.

Upgrade

dart pub upgrade encrypt
dart fix --apply  # Automated fixes for breaking changes

Then follow the Migration Guide for any remaining manual changes.

Full Changelog

v5.1.11...v6.0.0


v5.1.11

22 Feb 21:50

encrypt v5.1.11

Version Bump: v5.1.11

Date: 2026-02-22T21:44:21.470805Z
Previous: v5.1.10
Commits: 1

Commits

a116a37 chore: add runtime_ci_tooling generated files

