v1.4.0

@jevonearth jevonearth released this 10 Mar 19:30
v1.4.0
1c87b21

Observability

This release brings a major overhaul to Signatory's metrics and operational visibility:

  • Sign handler metrics: New sign_handler_request_duration_milliseconds histogram and sign_handler_requests_total counter for the signing endpoint, labeled by address, status, and request type (#738)
  • Watermark operation metrics: New watermark_check_duration_milliseconds histogram and counters for watermark check success/errors across file, DynamoDB, and Firestore backends (#737)
  • Consensus round visibility: New consensus_round_total Prometheus counter with address, operation_type, chain_id, and round labels. Consensus round is now included in log output for block, attestation, and preattestation operations. Includes a Grafana dashboard panel for round distribution. (#785)
  • Metrics correctness: Fixed signing_ops_total not incrementing for non-generic operations (#723). Fixed incorrect metric behavior on failed sign requests, including proper chain_id labeling and error-only counter increments on failures (#727)
  • Metrics documentation: New docs/metrics.md reference with example PromQL queries

Security & Hardening

  • Non-root container: Signatory Docker images now run as user signatory (UID 10000) instead of root (see Migration Notes) (#732)
  • JWT hardening: Constant-time comparison for JWT authentication, mutex protection for the JWT credential map, and nil middleware guard when JWT is disabled (#729, #774)
  • Dependency hygiene: Inlined AES Key Wrap (KWP) from the archived Google Tink module, removing the dependency (#770). Upgraded golang.org/x/net to v0.51.0 (GO-2026-4559) (#773)
  • Panic removal: Replaced panic() calls in production code paths with proper error returns (#769)
  • Defensive fixes: Guarded against nil dereference in GenerateToken and bare type assertion in watermark rejection metrics (#787)

Improvements

  • Cloud KMS resilience: Configurable timeout and max_retries for Google Cloud KMS signing operations with exponential backoff (#728)
  • KMS key discovery: Signatory now gracefully skips inaccessible, disabled, or permission-denied keys during AWS KMS and Google Cloud KMS vault iteration instead of failing entirely (#739)
  • Public key listing: New signatory-cli list-keys support (#735)
  • Ballot sub-kind validation: Fixed a regression where ballot:yay, ballot:nay, and ballot:pass were rejected in allow.generic policy configuration. Thanks to @vch9 for the initial fix. (#755, #768)
  • Block round validation: Upgraded gotez to v2.4.3 to fix block round validation (#764)
  • Nitro Enclave permissions: Replaced --privileged Docker flag with a scoped seccomp profile for VSock support (#736)

Portable Standalone Binaries

Release archive binaries are now built with zig cc targeting glibc 2.17+, making them portable across virtually all Linux distributions. This fixes the glibc 2.38 dependency in earlier builds that broke Amazon Linux 2023 and other older distributions. Unlike static linking, these binaries support dlopen, so PKCS11/CloudHSM works in standalone mode without Docker. (#777, #779)

Documentation

  • Expanded Nitro Enclave page into a full deployment guide covering AWS infrastructure prerequisites, combined KMS + Nitro configuration examples, systemd service units, KMS key policy with PCR0 attestation, remote baker connectivity patterns, and a deployment verification checklist (#776)

Build & Dependencies

  • Go 1.25 and GoReleaser v2 (#761)
  • gotez v2.4.3 (#764)
  • Removed Darwin and Linux/ARMv6 build targets. ARMv7 and ARM64 builds continue to ship; Raspberry Pi 2+ remains supported. (#763)
  • CI workflow cleanup: concurrency controls, pinned third-party actions (#767)
  • Bumped AWS SDK, GCP KMS, gRPC, and Google API dependencies (#786)

Migration Notes

Non-root container: The Docker image now runs as user signatory (UID 10000) instead of root. If you volume-mount directories for watermark files, configuration, or TLS certificates, ensure they are readable (and writable where needed) by UID/GID 10000. You can customize the UID/GID at build time with --build-arg UID=<uid> --build-arg GID=<gid>. The base image has also changed from debian:buster-slim to ubuntu:24.04. (#732)
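A pre-upgrade check for the non-root change, as an added example that is not part of the release notes or the Signatory project: it decides from the owner/group/other mode bits whether UID/GID 10000 can use each host path you plan to mount. The names SVC_UID, SVC_GID, can_access and check_mounts belong to this script only; it assumes a Linux host with `stat -c` and ignores ACLs, supplementary groups and parent-directory permissions.

```shell
#!/bin/sh
# Added example (not from the Signatory project): check host paths that will be
# volume-mounted into the v1.4.0 container against the new runtime UID/GID.

# SVC_UID / SVC_GID are names local to this script; override them if the image
# was built with --build-arg UID=<uid> --build-arg GID=<gid>.
SVC_UID=${SVC_UID:-10000}
SVC_GID=${SVC_GID:-10000}

# can_access PATH UID GID NEED    NEED is "r" or "rw"
# Returns 0 when the owner/group/other mode bits grant NEED to UID:GID,
# 1 when they do not, 2 when PATH cannot be inspected or NEED is invalid.
can_access() {
    ca_info=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 2
    set -- "$1" "$2" "$3" "$4" $ca_info   # $5=owner $6=group $7=octal mode
    ca_mode=$((0$7))
    if [ "$2" -eq "$5" ]; then ca_bits=$(( (ca_mode >> 6) & 7 ))
    elif [ "$3" -eq "$6" ]; then ca_bits=$(( (ca_mode >> 3) & 7 ))
    else ca_bits=$(( ca_mode & 7 ))
    fi
    case $4 in
        r)  ca_want=4 ;;
        rw) ca_want=6 ;;
        *)  return 2 ;;
    esac
    # Directories also need the search (x) bit to be usable.
    if [ -d "$1" ]; then ca_want=$(( ca_want | 1 )); fi
    [ $(( ca_bits & ca_want )) -eq "$ca_want" ]
}

# check_mounts PATH:NEED ...   prints one line per argument and returns the
# number of paths the service account cannot use.
check_mounts() {
    cm_bad=0
    for cm_spec in "$@"; do
        cm_path=${cm_spec%:*} cm_need=${cm_spec##*:}
        if can_access "$cm_path" "$SVC_UID" "$SVC_GID" "$cm_need"; then
            echo "ok    $cm_need  $cm_path"
        else
            echo "FAIL  $cm_need  $cm_path (uid=$SVC_UID gid=$SVC_GID)"
            cm_bad=$((cm_bad + 1))
        fi
    done
    return "$cm_bad"
}

# Usage: sh check-mounts.sh <config-dir>:r <watermark-dir>:rw
if [ "$#" -gt 0 ]; then check_mounts "$@"; fi
```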

Nitro Enclave users: If you run Signatory in Docker with VSock access, the recommended approach is now a scoped seccomp profile instead of --privileged. See the updated Nitro Enclave documentation for details. (#736)

No breaking API or configuration changes. Existing configurations continue to work without modification.

New Contributors

  • @vch9 made their first contribution in #755

Docker

docker pull ecadlabs/signatory:v1.4.0
docker pull ecadlabs/signatory:latest