Conversation
Breaking changes from v0.7.0: - SecretKey::to_bytes() returns Zeroizing<Vec<u8>> (was Vec<u8>) - SecretKey::to_pem() returns Zeroizing<String> (was String) - SecretKey::to_der() returns Zeroizing<Vec<u8>> (was Vec<u8>) - SecretKey and KeyPair no longer implement Clone, Hash, Eq, PartialEq - TranscodingPredicateBuilder::build() returns Result (was direct value) - Rust MSRV bumped to 1.91.0 Security fixes (17): - Air-gapped verifier fails closed without time source - Key material zeroization on serialization - Malformed certificate/signature parsing fails instead of silent skip - WASM section payload bounds checking - Grace period capped at 365 days with checked arithmetic - SCT verification marked as structural-only - Production panic (assert_eq!) replaced with error return - Negative integrated_time rejected before cast - Cache size bounded (10K max entries) - Build env PATH resolution logged - MCUboot partial-image attack mitigation Infrastructure: - wasmtime 29 → 43 (eliminates 7 CVEs) - SPKI cert pinning (survives Sigstore cert rotation) - STPA-Sec artifacts updated with 3 new hazards/constraints/scenarios Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Kani's 21 proofs across varint, merkle, DSSE, format, and wasm_module were exceeding the 60-minute step timeout, causing the job to be marked as failed even with continue-on-error: true (cancelled steps count as failures for overall job status). Doubling to 120 minutes gives the solver headroom to complete without wasting CI minutes on a hung solver. The job-level default timeout remains at GitHub's 360-minute cap. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Security: - rustls-webpki 0.103.10 → 0.103.12 (RUSTSEC-2026-0098, 0099) URI/DNS subtree name constraint bypasses — reachable only after signature verification succeeds (post-issuance misuse scenarios) - Ignore RUSTSEC-2026-0097 (rand unsound with custom logger) Does not affect wsc — we don't use custom rand loggers. Transitive via regorus (policy engine) and uuid. CI: - Split Kani proofs into 5 parallel matrix jobs by module (varint, merkle, dsse, format, wasm_module) with --harness prefix. Previous single-job approach exceeded 60/120-min step timeout. Matrix runs in parallel so wall-clock time drops significantly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…owup The proof_consistency_validation_agrees_with_detection proof was taking over an hour in Kani CI. Root cause: calling the real validate_format_consistency() forces the SMT solver to symbolically reason about the format!() macro call in the unreachable error branch, which blows up the state space. Solution: inline the validation logic in the proof. When declared == detected (by construction), the error branch is unreachable, so proving detect() purity transitively proves validate_format_consistency returns Ok. Same security guarantee, completes in seconds instead of hours. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v0.8.0
Security hardening release with 17 fixes, wasmtime upgrade, and SPKI cert pinning.
Breaking Changes
SecretKey::to_bytes()→Zeroizing<Vec<u8>>(DereftoVec<u8>, most callers unaffected)SecretKey::to_pem()→Zeroizing<String>SecretKey::to_der()→Zeroizing<Vec<u8>>SecretKey/KeyPairno longer implementClone,Hash,Eq,PartialEqTranscodingPredicateBuilder::build()returnsResult<TranscodingPredicate, WSError>Security Fixes (17)
See PRs #80, #81, #82 for full details.
Infrastructure
Test plan
cargo build+cargo test— 766 passed🤖 Generated with Claude Code