smallstep
diff --git a/‎.github/workflows/actionlint.yml‎
Lines changed: 17 additions & 0 deletions b/‎.github/workflows/actionlint.yml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎.github/workflows/dependabot-auto-merge.yml‎
Lines changed: 3 additions & 14 deletions b/‎.github/workflows/dependabot-auto-merge.yml‎
Lines changed: 3 additions & 14 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/release.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 6 additions & 6 deletions b/‎.goreleaser.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 89 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 89 additions & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 42 additions & 30 deletions b/‎README.md‎
Lines changed: 42 additions & 30 deletions
diff --git a/‎acme/account.go‎
Lines changed: 1 addition & 0 deletions b/‎acme/account.go‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,17 @@
+name: Lint GitHub Actions workflows
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  actionlint:
+    uses: smallstep/workflows/.github/workflows/actionlint.yml@main
+    secrets: inherit
@@ -6,17 +6,6 @@ permissions:
   pull-requests: write
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/[email protected]
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+  dependabot-auto-merge:
+    uses: smallstep/workflows/.github/workflows/dependabot-auto-merge.yml@main
+    secrets: inherit
@@ -45,12 +45,12 @@ jobs:
           echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
+          tag_name: ${{ github.ref_name }}
+          name: Release ${{ github.ref_name }}
           draft: false
           prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 
 
@@ -1,6 +1,6 @@
-# This is an example .goreleaser.yml file with some sane defaults.
-# Make sure to check the documentation at http://goreleaser.com
+# Documentation: https://goreleaser.com/customization/
 project_name: step-ca
+version: 2
 
 before:
   hooks:
@@ -98,7 +98,7 @@ signs:
 - cmd: cosign
   signature: "${artifact}.sig"
   certificate: "${artifact}.pem"
-  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
+  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
   artifacts: all
 
 snapshot:
@@ -180,7 +180,7 @@ release:
 
     Those were the changes on {{ .Tag }}!
 
-    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.
+    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.
 
   # You can disable this pipe in order to not upload any artifacts.
   # Defaults to false.
@@ -268,7 +268,7 @@ winget:
     # Release notes URL.
     #
     # Templates: allowed
-    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{.Version}}"
+    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{ .Tag }}"
 
     # Create the PR - for testing
     skip_upload: auto
@@ -283,7 +283,7 @@ winget:
     repository:
       owner: smallstep
       name: winget-pkgs
-      branch: step
+      branch: "step-ca-{{.Version}}"
 
       # Optionally a token can be provided, if it differs from the token
       # provided to GoReleaser
 
@@ -25,6 +25,94 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
+## [0.27.2] - 2024-07-18
+
+### Added
+
+- `--console` option to default step-ssh config (smallstep/certificates#1931)
+
+
+## [0.27.1] - 2024-07-12
+
+### Changed
+
+- Enable use of strict FQDN with a flag (smallstep/certificates#1926)
+    - This reverses a change in 0.27.0 that required the use of strict FQDNs (smallstep/certificate#1910)
+
+
+## [0.27.0] - 2024-07-11
+
+### Added
+
+- Support for validity windows in templates (smallstep/certificates#1903)
+- Create identity certificate with host URI when using any provisioner (smallstep/certificates#1922)
+
+### Changed
+
+- Do strict DNS lookup on ACME (smallstep/certificates#1910)
+
+### Fixed
+
+- Handle bad attestation object in deviceAttest01 validation (smallstep/certificates#1913)
+
+
+## [0.26.2] - 2024-06-13
+
+### Added
+
+- Add provisionerID to ACME accounts (smallstep/certificates#1830)
+- Enable verifying ACME provisioner using provisionerID if available (smallstep/certificates#1844)
+- Add methods to Authority to get intermediate certificates (smallstep/certificates#1848)
+- Add GetX509Signer method (smallstep/certificates#1850)
+
+### Changed
+
+- Make ISErrNotFound more flexible (smallstep/certificates#1819)
+- Log errors using slog.Logger (smallstep/certificates#1849)
+- Update hardcoded AWS certificates (smallstep/certificates#1881)
+
+
+## [0.26.1] - 2024-04-22
+
+### Added
+
+- Allow configuration of a custom SCEP key manager (smallstep/certificates#1797)
+
+### Fixed
+
+- id-scep-failInfoText OID (smallstep/certificates#1794)
+- CA startup with Vault RA configuration (smallstep/certificates#1803)
+
+
+## [0.26.0] - 2024-03-28
+
+### Added 
+
+- [TPM KMS](https://github.com/smallstep/crypto/tree/master/kms/tpmkms) support for CA keys (smallstep/certificates#1772)
+- Propagation of HTTP request identifier using X-Request-Id header (smallstep/certificates#1743, smallstep/certificates#1542)
+- Expires header in CRL response (smallstep/certificates#1708)
+- Support for providing TLS configuration programmatically (smallstep/certificates#1685)
+- Support for providing external CAS implementation (smallstep/certificates#1684)
+- AWS `ca-west-1` identity document root certificate (smallstep/certificates#1715)
+- [COSE RS1](https://www.rfc-editor.org/rfc/rfc8812.html#section-2) as a supported algorithm with ACME `device-attest-01` challenge (smallstep/certificates#1663)
+
+### Changed 
+
+- In an RA setup, let the CA decide the RA certificate lifetime (smallstep/certificates#1764)
+- Use Debian Bookworm in Docker containers (smallstep/certificates#1615)
+- Error message for CSR validation (smallstep/certificates#1665)
+- Updated dependencies
+
+### Fixed
+
+- Stop CA when any of the required servers fails to start (smallstep/certificates#1751). Before the fix, the CA would continue running and only log the server failure when stopped.
+- Configuration loading errors when not using context were not returned. Fixed in [cli-utils/109](https://github.com/smallstep/cli-utils/pull/109).
+- HTTP_PROXY and HTTPS_PROXY support for ACME validation client (smallstep/certificates#1658).
+
+### Security
+
+- Upgrade to using cosign v2 for signing artifacts
+
 ## [0.25.1] - 2023-11-28
 
 ### Added
@@ -36,7 +124,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Generation of first provisioner name on `step ca init` in (smallstep/certificates#1566)
 - Processing of SCEP Get PKIOperation requests in (smallstep/certificates#1570)
-- Support for signing identity certificate during SSH sign by skipping URI validation in  (smallstep/certificates#1572)
+- Support for signing identity certificate during SSH sign by skipping URI validation in (smallstep/certificates#1572)
 - Dependency on `micromdm/scep` and `go.mozilla.org/pkcs7` to use Smallstep forks in (smallstep/certificates#1600)
 - Make the Common Name validator for JWK provisioners accept values from SANs too in (smallstep/certificates#1609)
 
 
@@ -147,7 +147,7 @@ lint:
 # Install
 #########################################
 
-INSTALL_PREFIX?=/usr/
+INSTALL_PREFIX?=/usr/local/
 
 install: $(PREFIX)bin/$(BINNAME)
 	$Q install -D $(PREFIX)bin/$(BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(BINNAME)
 
@@ -1,49 +1,62 @@
-# Step Certificates
+# step-ca
 
-`step-ca` is an online certificate authority for secure, automated certificate management. It's the server counterpart to the [`step` CLI tool](https://github.com/smallstep/cli).
+[![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
+[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
+[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates)
 
-You can use it to:
-- Issue X.509 certificates for your internal infrastructure:
-  - HTTPS certificates that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html) ([RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/) compliance)
-  - TLS certificates for VMs, containers, APIs, mobile clients, database connections, printers, wifi networks, toaster ovens...
-  - Client certificates to [enable mutual TLS (mTLS)](https://smallstep.com/hello-mtls) in your infra. mTLS is an optional feature in TLS where both client and server authenticate each other. Why add the complexity of a VPN when you can safely use mTLS over the public internet?
+`step-ca` is an online certificate authority for secure, automated certificate management for DevOps.
+It's the server counterpart to the [`step` CLI tool](https://github.com/smallstep/cli) for working with certificates and keys.
+Both projects are maintained by [Smallstep Labs](https://smallstep.com).
+
+You can use `step-ca` to:
+- Issue HTTPS server and client certificates that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html) ([RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/) compliance)
+- Issue TLS certificates for DevOps: VMs, containers, APIs, database connections, Kubernetes pods...
 - Issue SSH certificates:
-  - For people, in exchange for single sign-on ID tokens
+  - For people, in exchange for single sign-on identity tokens
   - For hosts, in exchange for cloud instance identity documents
 - Easily automate certificate management:
-  - It's an ACME v2 server
-  - It has a JSON API
+  - It's an [ACME server](https://smallstep.com/docs/step-ca/acme-basics/) that supports all [popular ACME challenge types](https://smallstep.com/docs/step-ca/acme-basics/#acme-challenge-types)
   - It comes with a [Go wrapper](./examples#user-content-basic-client-usage)
   - ... and there's a [command-line client](https://github.com/smallstep/cli) you can use in scripts!
 
-Whatever your use case, `step-ca` is easy to use and hard to misuse, thanks to [safe, sane defaults](https://smallstep.com/docs/step-ca/certificate-authority-server-production#sane-cryptographic-defaults).
-
 ---
 
-**Don't want to run your own CA?**
-To get up and running quickly, or as an alternative to running your own `step-ca` server, consider creating a [free hosted smallstep Certificate Manager authority](https://info.smallstep.com/certificate-manager-early-access-mvp/).
+### Comparison with Smallstep's commercial product
+
+`step-ca` is optimized for a two-tier PKI serving common DevOps use cases.
+
+As you design your PKI, if you need any of the following, [consider our commerical CA](http://smallstep.com):
+- Multiple certificate authorities
+- Active revocation (CRL, OSCP)
+- Turnkey high-volume, high availability CA
+- An API for seamless IaC management of your PKI
+- Integrated support for SCEP & NDES, for migrating from legacy Active Directory Certificate Services deployments
+- Device identity — cross-platform device inventory and attestation using Secure Enclave & TPM 2.0
+- Highly automated PKI — managed certificate renewal, monitoring, TPM-based attested enrollment
+- Seamless client deployments of EAP-TLS Wi-Fi, VPN, SSH, and browser certificates
+- Jamf, Intune, or other MDM for root distribution and client enrollment
+- Web Admin UI — history, issuance, and metrics
+- ACME External Account Binding (EAB)
+- Deep integration with an identity provider
+- Fine-grained, role-based access control
+- FIPS-compliant software
+- HSM-bound private keys
+
+See our [full feature comparison](https://smallstep.com/step-ca-vs-smallstep-certificate-manager/) for more.
+
+You can [start a free trial](https://smallstep.com/signup) or [set up a call with us](https://go.smallstep.com/request-demo) to learn more.
 
 ---
 
 **Questions? Find us in [Discussions](https://github.com/smallstep/certificates/discussions) or [Join our Discord](https://u.step.sm/discord).**
 
 [Website](https://smallstep.com/certificates) |
-[Documentation](https://smallstep.com/docs) |
+[Documentation](https://smallstep.com/docs/step-ca) |
 [Installation](https://smallstep.com/docs/step-ca/installation) |
-[Getting Started](https://smallstep.com/docs/step-ca/getting-started) |
 [Contributor's Guide](./CONTRIBUTING.md)
 
-[![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
-[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
-[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates)
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates)
-
-[![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg?style=social)](https://github.com/smallstep/certificates/stargazers)
-[![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs)
-
-![star us](https://github.com/smallstep/certificates/raw/master/docs/images/star.gif)
-
 ## Features
 
 ### 🦾 A fast, stable, flexible private CA
@@ -52,7 +65,6 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te
 
 - Choose key types (RSA, ECDSA, EdDSA) and lifetimes to suit your needs
 - [Short-lived certificates](https://smallstep.com/blog/passive-revocation.html) with automated enrollment, renewal, and passive revocation
-- Capable of high availability (HA) deployment using [root federation](https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html) and/or multiple intermediaries
 - Can operate as [an online intermediate CA for an existing root CA](https://smallstep.com/docs/tutorials/intermediate-ca-new-ca)
 - [Badger, BoltDB, Postgres, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)
 
@@ -127,5 +139,5 @@ and visiting http://localhost:8080.
 
 ## Feedback?
 
-* Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space.
-* Tell us about a feature you'd like to see! [Add a feature request Issue](https://github.com/smallstep/certificates/issues/new?assignees=&labels=enhancement%2C+needs+triage&template=enhancement.md&title=), [ask on Discussions](https://github.com/smallstep/certificates/discussions), or hit us up on [Twitter](https://twitter.com/smallsteplabs).
+* Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space. [Join our Discord](https://u.step.sm/discord) or [GitHub Discussions](https://github.com/smallstep/certificates/discussions)
+* Tell us about a feature you'd like to see! [Request a Feature](https://github.com/smallstep/certificates/issues/new?assignees=&labels=enhancement%2C+needs+triage&template=enhancement.md&title=)
@@ -21,6 +21,7 @@ type Account struct {
 	OrdersURL              string           `json:"orders"`
 	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
 	LocationPrefix         string           `json:"-"`
+	ProvisionerID          string           `json:"-"`
 	ProvisionerName        string           `json:"-"`
 }
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ type Account struct {`
`21`	`21`	OrdersURL string `json:"orders"`
`22`	`22`	ExternalAccountBinding interface{} `json:"externalAccountBinding,omitempty"`
`23`	`23`	LocationPrefix string `json:"-"`
	`24`	+ ProvisionerID string `json:"-"`
`24`	`25`	ProvisionerName string `json:"-"`
`25`	`26`	`}`
`26`	`27`