v2.3.0

Changed

• Empty bundles are now supported, in alignment with the SPIFFE specification (#288)

v2.2.0

Changed

• Upgraded to go-jose v4 which has a stronger security posture than v3. Go-spiffe was not impacted by the security weaknesses of v3 due to stringing algorithm checking that is now handled by go-jose v4 (#276)

Fixed

• Makefile invocation for Apple Silicon-based Macs (#275)

Added

• Support Ed25519 keys for Workload SVIDs (#248)

v2.1.7

Fixed

• Panic if the Workload API returned a malformed JWT-SVID (#233)
• Race that causes WaitForUpdate to return immediately after watcher is initialized even if there is no update (#260)

v2.1.6

Added

• Name convenience method to the spiffeid.TrustDomain type (#228)

v2.1.5

Added

• PeerIDFromConnectionState method for extracting the peer ID from TLS connection state (#225)

Changed

• The tlsconfig to enforce a minimum TLS version of TLS1.2 (#226)

Fixed

• Panic when failing to parse raw SVID response returned from the Workload API (#223)

v2.1.4

Added

• Support for the SVID hints obtained from the Workload API (#220)

v2.1.3

Changed

• JoinPathSegments properly disallows dot segments (#221)

Added

• ValidatePathSegment function for validating an individual path segment (#221)

v2.1.2

Changed

• Minimum supported go version to 1.17 (#209)

v2.1.1

Added

• Support for dialing named pipes using an npipe URL scheme (#198)

v2.1.0

Added

• The workloadapi.WatchX509Bundles method which watches X.509 bundles from the Workload API (#192)
• The workloadapi.WithNamedPipeName option to support connecting to the Workload API via named pipes (#190)
• The workloadapi.FetchJWTSVIDs method which fetches multiple JWT-SVIDs from the Workload API, instead of just the first (#187)
• The x509bundle.ParseRaw method for creating a bundle from raw ASN.1 encoded certificates (#192)

Changed

• The spiffeid.ID String() method no longer causes an allocation (#185)