Release 1.4.0

Changes:

- Class `com.yubico.internal.util.WebAuthnCodecs` is no longer public.
  The package `com.yubico.internal.util` was already declared non-public
  in JavaDoc, but this is now also enforced via Java visibility rules.
- Class `com.yubico.webauthn.meta.Specification.SpecificationBuilder` is
  no longer public. It was never intended to be, although this was not
  documented explicitly.
- Default value for `RelyingParty.preferredPubKeyParams` changed from
  `[ES256, RS256]` to `[ES256, EdDSA, RS256]`
- Data classes no longer use `Optional` internally in field types. This
  should not meaningfully affect the public API, but might improve
  compatibility with frameworks that use reflection.

New features:

- Added support for Ed25519 signatures.
- New constants `COSEAlgorithmIdentifier.EdDSA` and
  `PublicKeyCredentialParameters.EdDSA`
- Artifacts are now built reproducibly; fresh builds from source should
  now be verifiable by signature files from Maven Central.

Security fixes:

- Bumped Jackson dependency to version 2.9.9.3 which has patched
  CVE-2019-12814, CVE-2019-14439, CVE-2019-14379

Author: emlun

.github/workflows/master.yml

@@ -0,0 +1,31 @@
+# This name is shown in the status badge in the README
+name: build
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  test:
+    name: JDK ${{matrix.java}}
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [8, 10, 11, 12]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Set up JDK
+      uses: actions/setup-java@v1
+      with:
+        java-version: ${{ matrix.java }}
+
+    - name: Run tests
+      run: ./gradlew check
+
+    - name: Build JavaDoc
+      run: ./gradlew assembleJavadoc

.github/workflows/release-verify-signatures.yml

@@ -0,0 +1,39 @@
+name: Verify release signatures
+
+on:
+  release:
+    types: [published, created, edited, prereleased]
+
+jobs:
+  verify:
+    name: Verify signatures (JDK ${{matrix.java}})
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [10, 11, 12]
+
+    steps:
+    - name: Download signatures
+      run: |
+        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF}/webauthn-server-attestation-${GITHUB_REF}.jar.asc
+        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF}/webauthn-server-core-${GITHUB_REF}.jar.asc
+
+    - name: check out code
+      uses: actions/checkout@v1
+
+    - name: Set up JDK
+      uses: actions/setup-java@v1
+      with:
+        java-version: ${{ matrix.java }}
+
+    - name: Build jars
+      run: ./gradlew jar
+
+    - name: Fetch keys
+      run: gpg --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+
+    - name: Verify signatures
+      run: |
+        gpg --verify webauthn-server-attestation-${GITHUB_REF}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${GITHUB_REF}.jar
+        gpg --verify webauthn-server-core-${GITHUB_REF}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${GITHUB_REF}.jar

.github/workflows/test.yml

@@ -0,0 +1,39 @@
+name: test
+
+on:
+  push:
+    branches:
+      - '*'
+      - '!master'
+    tags:
+      - '*'
+  pull_request:
+    branches:
+      - '*'
+      - '!master'
+    tags:
+      - '*'
+
+jobs:
+  test:
+    name: JDK ${{matrix.java}}
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [8, 10, 11, 12]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Set up JDK
+      uses: actions/setup-java@v1
+      with:
+        java-version: ${{ matrix.java }}
+
+    - name: Run tests
+      run: ./gradlew check
+
+    - name: Build JavaDoc
+      run: ./gradlew assembleJavadoc

.travis.yml

@@ -5,7 +5,6 @@ branches:
     - /^tmp-?.*/
 
 jdk:
-  - oraclejdk8
   - oraclejdk11
   - openjdk8
   - openjdk10
@@ -21,5 +20,8 @@ stages:
 jobs:
   include:
     - stage: mutation-test
-      jdk: oraclejdk8
+      jdk: oraclejdk11
       script: ./gradlew pitest coveralls
+
+      # Workaround to TLS issues in JDK 11, see https://github.com/kt3k/coveralls-gradle-plugin/issues/85
+      after_success: curl -F 'json_file=@build/coveralls/report.json' 'https://coveralls.io/api/v1/jobs'

NEWS

@@ -1,3 +1,33 @@
+== Version 1.4.0 ==
+
+Changes:
+
+* Class `com.yubico.internal.util.WebAuthnCodecs` is no longer public. The
+  package `com.yubico.internal.util` was already declared non-public in JavaDoc,
+  but this is now also enforced via Java visibility rules.
+* Class `com.yubico.webauthn.meta.Specification.SpecificationBuilder` is no
+  longer public. It was never intended to be, although this was not documented
+  explicitly.
+* Default value for `RelyingParty.preferredPubKeyParams` changed from `[ES256,
+  RS256]` to `[ES256, EdDSA, RS256]`
+* Data classes no longer use `Optional` internally in field types. This should
+  not meaningfully affect the public API, but might improve compatibility with
+  frameworks that use reflection.
+
+New features:
+
+* Added support for Ed25519 signatures.
+* New constants `COSEAlgorithmIdentifier.EdDSA` and
+  `PublicKeyCredentialParameters.EdDSA`
+* Artifacts are now built reproducibly; fresh builds from source should now be
+  verifiable by signature files from Maven Central.
+
+Security fixes:
+
+* Bumped Jackson dependency to version 2.9.9.3 which has patched CVE-2019-12814,
+  CVE-2019-14439, CVE-2019-14379
+
+
 == Version 1.3.0 ==
 
 Security fixes:

README

@@ -5,6 +5,7 @@ java-webauthn-server
 :toc-title:
 
 image:https://travis-ci.org/Yubico/java-webauthn-server.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/java-webauthn-server"]
+image:https://github.com/Yubico/java-webauthn-server/workflows/build/badge.svg["Build Status", link="https://github.com/Yubico/java-webauthn-server/actions"]
 image:https://coveralls.io/repos/github/Yubico/java-webauthn-server/badge.svg["Coverage Status", link="https://coveralls.io/github/Yubico/java-webauthn-server"]
 
 Server-side https://www.w3.org/TR/webauthn/[Web Authentication] library for
@@ -327,13 +328,33 @@ version is derived from the most recent Git tag. Builds done on a tagged commit
 will have a plain `x.y.z` version number, while a build on any other commit will
 result in a version number containing the abbreviated commit hash.
 
+Starting in version `1.4.0-RC2`, artifacts are built reproducibly. Fresh builds from
+tagged commits should therefore be verifiable by signatures from Maven Central:
+
+```
+$ git checkout 1.4.0-RC2
+$ ./gradlew :webauthn-server-core:jar
+$ wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/1.4.0-RC2/webauthn-server-core-1.4.0-RC2.jar.asc
+$ gpg --verify webauthn-server-core-1.4.0-RC2.jar.asc webauthn-server-core/build/libs/webauthn-server-core-1.4.0-RC2.jar
+```
+
+Note that building with a different JDK may produce a different artifact. To
+ensure binary reproducibility, please build with the same JDK as specified in
+the release notes.
+
+Official Yubico software signing keys are listed on the
+https://developers.yubico.com/Software_Projects/Software_Signing.html[Yubico
+Developers site].
+
+
 To run the tests:
 
 ----------
 $ ./gradlew check
 ----------
 
-To run the http://pitest.org/[PIT mutation tests]:
+To run the http://pitest.org/[PIT mutation tests] (this may take upwards of 30
+minutes):
 
 ----------
 $ ./gradlew pitest