Skip to content

Commit 49ff74b

Browse files
avrabeclaude
andcommitted
release: v0.8.1 — audit-driven hardening
Bumps Cargo.toml, MODULE.bazel, src/cli/BUILD.bazel, and Cargo.lock to 0.8.1. Adds CHANGELOG.md (new file, repo did not have one) with the full release notes. This release closes 26 of 33 findings from the 2026-04-30 14-perspective audit. Specific fix-PRs are #96 (STPA-Sec / docs), #97 (hygiene), #98 (parser hardness), #99 (formal-verif honesty + CI), #100 (keyless / OIDC hardening). Two findings (cert-pinning enforcement, no_std verifier) are deferred to issue #95 and issue #79 respectively. Note on H-8 (version drift): MODULE.bazel and src/cli/BUILD.bazel were at 0.2.7 on main; this commit takes them straight to 0.8.1. PR #97 also bumps these to 0.8.0 as part of its H-8 fix; whichever PR merges last has a trivial conflict that resolves to 0.8.1. Trace: skip Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 02e3f54 commit 49ff74b

5 files changed

Lines changed: 148 additions & 7 deletions

File tree

CHANGELOG.md

Lines changed: 141 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,141 @@
1+
# Changelog
2+
3+
All notable changes to sigil are documented here. The project follows
4+
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
5+
6+
## [0.8.1] — 2026-04-30
7+
8+
Audit-driven hardening release. Closes 26 of 33 findings from the
9+
2026-04-30 14-perspective audit of the repository (`audit/2026-04-30/`).
10+
No public-API changes. Two findings (cert-pinning enforcement, no_std
11+
verifier) are deferred to issue #95 and issue #79 respectively.
12+
13+
### Security
14+
15+
- **JWT algorithm-confusion hardening** (audit C-6). The OIDC parser now
16+
validates the JWT `alg` field against an allowlist of asymmetric
17+
algorithms (RS256/384/512, ES256/384/512) **before** any payload claim
18+
is parsed. `none` and HMAC variants (`HS256/384/512`) are rejected
19+
outright. Closes a textbook algorithm-confusion path where forged
20+
tokens could be trusted by `parse_issuer()` / `parse_identity()`.
21+
- **OIDC issuer-validation env var clarified** (audit H-4). The
22+
`WSC_EXPECTED_OIDC_ISSUER` env var no longer treats an empty value as
23+
"disable validation". Disabling validation now requires an explicit
24+
`WSC_DISABLE_OIDC_ISSUER_CHECK=1`.
25+
- **Rekor SET cache poisoning prevention** (audit H-5). Rekor entries
26+
with empty `signed_entry_timestamp` or empty `inclusion_proof` are
27+
now rejected before any cache write, so subsequent verifications
28+
cannot hit a cache populated by a partial Rekor response.
29+
- **Single-owner zeroize discipline** (audit M-5, M-6). `OidcToken` is
30+
no longer `Clone`. JWT payload buffers are wrapped in
31+
`Zeroizing<String>` so they zero on every return path.
32+
33+
### Hardening
34+
35+
- **Bounded WASM section iteration** (audit H-1). New
36+
`MAX_SECTIONS = 4096` constant in `src/lib/src/wasm_module/mod.rs`
37+
caps the parser; `WSError::TooManySections(usize)` returned beyond.
38+
- **Bounded x509 chain depth** (audit H-2). New
39+
`MAX_CHAIN_DEPTH = 8` constant gates `verify_cert_chain` in
40+
`src/lib/src/signature/keyless/format.rs` before x509 / WebPKI
41+
invocation; `WSError::ChainTooDeep(usize)` returned beyond.
42+
- **DSSE envelope fuzz target added** (audit H-7). New
43+
`fuzz/fuzz_targets/fuzz_dsse_envelope.rs` with a parse → serialise →
44+
re-parse equality oracle, registered in `fuzz/Cargo.toml`.
45+
- **`PAYLOAD_TYPE_SLSA` mime-type fix** (audit H-6). The constant in
46+
`src/attestation/src/dsse.rs` is now
47+
`"application/vnd.slsa.provenance+json"`, no longer colliding with
48+
`PAYLOAD_TYPE_INTOTO`.
49+
50+
### Honesty
51+
52+
- **Verus `theorem_*` admits relabelled** (audit C-1). Verus functions
53+
ending in `assume(false)` in `src/lib/src/verus_proofs/dsse_proofs.rs`
54+
and `merkle_proofs.rs` are now annotated as **SPECIFICATION ONLY**
55+
with explicit doc-comments stating the open proof obligation. No
56+
proof was discharged in this release; the labelling is now honest.
57+
- **Lean status table corrected** (audit C-2). `lean/Ed25519.lean`
58+
status table at the top of the file matches the proof bodies.
59+
`verification_equation_complete` and `basepoint_prime_order` are
60+
marked `sorry` / open. `verification_equation_sound` (which IS
61+
proved) is unchanged.
62+
- **Rocq pipeline status clarified** (audit C-3). New
63+
`verification/rocq/README.md` states the directory holds Rust
64+
extraction stubs only; no `.v` files have been written.
65+
- **Phantom DO-178C / ISO 26262 trace claims softened** (audit L-3).
66+
`SECURITY.md` now distinguishes between modelled compliance frames
67+
(ISO/SAE 21434, IEC 62443, CRA, UNECE R155-156) and aspirational ones
68+
(DO-178C, ISO 26262).
69+
- **Artifact `implementation-status` field added** (audit L-4). Sample
70+
of 7 `approved`-status SC/CCs now carry `implementation-status:
71+
design-only` (e.g. SC-26 SCT cryptographic verification).
72+
73+
### CI / Build
74+
75+
- **Audit C-7 partially closed** — Bazel CI now ATTEMPTS to run tests
76+
(`bazel test --build_tests_only //src/...`); previously only
77+
`bazel build //...` was invoked. The `continue-on-error: true` mask
78+
remains on formal-verification jobs but is now **per-job and
79+
documented**: each masked job carries an explicit `# WIP — see audit
80+
C-X` comment naming the blocking finding. Verus jobs cite C-1 (admits
81+
not yet discharged); Kani format/merkle/wasm_module cite C-7 partial
82+
closure (varint and dsse pass cleanly today and could be ungated
83+
selectively in a follow-up); Rocq cites C-3 (directory is a stub);
84+
the new Bazel `Test` step cites C-7 partial closure (macOS Bazel
85+
toolchain regressions observed in this batch). The audit's principle
86+
is now in place: masking is a tracked WIP list, not a blanket coverup.
87+
- **Path filters added to `rust.yml`** (audit M-9). Doc-only changes
88+
no longer fire the cross-OS cargo + bazel matrix.
89+
- **Memory-profile and TPM2 tests gated to `workflow_dispatch` +
90+
nightly** (audit M-8). Removes per-PR cost of two expensive jobs.
91+
- **`@main` action references pinned** (audit M-7).
92+
`pulseengine/rivet/.github/actions/compliance` now pinned to
93+
`@v0.6.0`.
94+
- **Crate-version drift collapsed to a single source** (audit H-8).
95+
`Cargo.toml`, `MODULE.bazel`, and `src/cli/BUILD.bazel` all read the
96+
same version (this release: 0.8.1). Comments cross-reference
97+
`Cargo.toml` as canonical.
98+
- **Dual-publish race fixed** (audit H-9). `release.yml`'s duplicate
99+
`publish-crates` job removed; `publish-to-crates-io.yml` is now the
100+
sole crates.io publisher with the `pulseengine/sigil` repo guard.
101+
- **Dockerfile.bytehound disclaimer** (audit L-6). Top-of-file note
102+
declares the image is intentionally outside the Nix flake's
103+
hermeticity guarantee.
104+
105+
### Developer experience
106+
107+
- **`build.rs` declares the `kani` cfg** (audit M-10). Five
108+
`unexpected cfg condition` warnings on every `cargo build` are
109+
gone.
110+
- **Stale `wasmsign2` references in user-facing docs corrected**
111+
(audit L-1). `docs/keyless.md` and `docs/bazel-build-guide.md` now
112+
use the current binary name and repo URL.
113+
- **README gained a "Quick Try" section** (audit L-2). Eight-byte
114+
WASM round-trip lets new contributors validate their build without
115+
any artefact.
116+
- **CLI verb normalised** (audit M-11). `verify_matrix`
117+
`verify-matrix` for tab-completion consistency.
118+
- **CLI help gained `EXAMPLES:` blocks** (audit L-5). `keygen`,
119+
`sign`, `verify`, and `bundle create` show invocation patterns
120+
inline.
121+
122+
### Deferred
123+
124+
The following audit findings require larger work and are tracked
125+
separately:
126+
127+
- **C-4 — enforce SPKI cert pinning** at the TLS layer. Requires
128+
migrating off `ureq` to a client that exposes
129+
`rustls::ServerCertVerifier`. Tracked at issue #95.
130+
- **M-1 / M-2 / M-3 / M-4 — `no_std` verifier path** for embedded
131+
/ cFS targets. Tracked at issue #79 (per-component cFS attestation)
132+
with audit context appended in the comments.
133+
134+
### Contributors
135+
136+
This release was driven by a parallel multi-agent audit + fix-PR
137+
pipeline. PRs in this release: #96 (STPA-Sec / docs), #97 (hygiene),
138+
#98 (parser hardness), #99 (formal-verif honesty + CI), #100
139+
(keyless / OIDC hardening).
140+
141+
[0.8.1]: https://github.com/pulseengine/sigil/compare/v0.8.0...v0.8.1

Cargo.lock

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ exclude = [
1111
]
1212

1313
[workspace.package]
14-
version = "0.8.0"
14+
version = "0.8.1"
1515
edition = "2024"
1616
authors = ["Frank Denis <github@pureftpd.org>", "Ralf Anton Beier <ralf_beier@me.com>"]
1717
license = "MIT"

MODULE.bazel

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
module(
44
name = "wsc",
55
# Keep in sync with [workspace.package].version in Cargo.toml.
6-
version = "0.8.0",
6+
version = "0.8.1",
77
)
88

99
# Dependencies

src/cli/BUILD.bazel

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ package(default_visibility = ["//visibility:public"])
1515

1616
# Version info - keep in sync with [workspace.package].version in Cargo.toml
1717
# and with the `version` field in MODULE.bazel.
18-
VERSION = "0.8.0"
18+
VERSION = "0.8.1"
1919

2020
rust_binary(
2121
name = "wasmsign_cli",

0 commit comments

Comments
 (0)