This is a bugfix release

The latest 7.14.0 release included some bugs that prevented main components from properly working:

• The tenant API version negotiation had a bug where it could negotiate the version 3.0 when --push-model is provided. The tenant does not support that version, and broke.
• The DB migration script was not compatible with MySQL
• There were missing sane defaults for session_lifetime that made the authentication tokens to expire immediately when the configuration option was missing
• Some verifier configuration options were misplaced in the template, making them not effective

This gives us enough reason to create a bugfix release, otherwise Keylime would not work as intended.

This new release also includes the addition of Subject Alternative Names to the certificates automatically generated by the verifier, making it easier to test without disabling the hostname verification during TLS handshake.

What's Changed

• Test fixes by @sergio-correia in #1848
• tenant: Exclude API version 3.0 from tenant version negotiation by @ansasaki in #1847
• Fix session token migration failure on MySQL by @ansasaki in #1849
• Add sane default for verifier session_lifetime configuration option by @ansasaki in #1850
• config: move push-mode options to [verifier] section in template by @sergio-correia in #1851
• ca: Add Subject Alternative Names to auto-generated TLS certificates by @ansasaki in #1852
• Bump to version 7.14.1 by @ansasaki in #1853

Full Changelog: v7.14.0...v7.14.1

This is a security fix release

A Critical security issue was discovered, affecting Keylime versions >=7.12.0, <=7.13.0.

Please see the Security Advisory GHSA-4jqp-9qjv-57m2 for further details.

This also includes:

• The agent-driven push-attestation support
• The new API v2.5, with the new /verify/evidence endpoint (a.k.a. one-shot attestation endpoint), with support for AMD SEV-SNP attestation evidence verification
• Added API version negotiation to the tenant for better compatibility
• Bug fixes and other improvements

What's Changed

• verify/evidence: Add evidence types, SEV-SNP verification by @tylerfanelli in #1788
• verifier, tenant: Use timeout set via request_timeout for HTTP requests by @ansasaki in #1799
• New manpages for keylime_verifier, keylime_registrar, keylime_agent, keylime-policy by @msafarik in #1802
• Add support for specific cryptographic algorithm variants by @sergio-correia in #1803
• Remove deprecated disabled_signing_algorithms configuration option by @sarroutbi in #1804
• [Automatic] Update Keylime base image (2025-10-01) by @github-actions[bot] in #1805
• tests: Test keylime-policy both for filelist-ext.xml match and mismatch by @kkaarreell in #1806
• Improve ECC support by @sergio-correia in #1808
• Apply limit on keylime-policy workers by @kkaarreell in #1811
• tests: Enable more TPM tests in CI by @kkaarreell in #1807
• docs: Fix man page RST formatting for rst2man compatibility by @sergio-correia in #1813
• [Automatic] Update Keylime base image (2025-11-01) by @github-actions[bot] in #1816
• Add agent-driven (push) attestation protocol with PULL mode regression fixes by @sarroutbi in #1814
• Add push model authentication (challenge-response protocol) by @sergio-correia in #1817
• Fix Database race conditions and SQLAlchemy 2.0 compatibility by @sarroutbi in #1823
• Include new attestation information fields by @sarroutbi in #1818
• [Automatic] Update Keylime base image (2025-12-01) by @github-actions[bot] in #1824
• Fix registrar duplicate UUID vulnerability by @sarroutbi in #1825
• Remove operational_state field from status response in push mode by @sarroutbi in #1829
• Fix PUSH mode attestation status race condition by @sarroutbi in #1830
• Do not require wheel for building by @hroncok in #1832
• Increase maximum_attestation_interval by @sarroutbi in #1831
• Fix TypeError when using -m flag without IMA measurement list path by @sergio-correia in #1827
• [Automatic] Update Keylime base image (2025-12-14) by @github-actions[bot] in #1834
• verify/evidence: Add claims to JSON response by @tylerfanelli in #1810
• [Automatic] Update Keylime base image (2026-01-05) by @github-actions[bot] in #1835
• workflows: Separate upstream test suite from e2e coverage by @kkaarreell in #1836
• mba: Fix linting warnings on measured boot code by @ansasaki in #1840
• Fix attestations API endpoint errors by @sergio-correia in #1839
• Introduce API version 2.5 with version negotiation support by @ansasaki in #1838
• Misc fixes for templates, verifier routing, and TPM engine validation by @ansasaki in #1841
• [Automatic] Update Keylime base image (2026-02-03) by @github-actions[bot] in #1842
• fix: Update oneshot attestation script for API v2.5 and fix policy handling by @ansasaki in #1844
• tenant: Negotiate API version with the registrar by @ansasaki in #1845
• keylime_oneshot_attestation: Encode base64 measured boot log as UTF-8 string by @ansasaki in #1846

New Contributors

• @tylerfanelli made their first contribution in #1788
• @hroncok made their first contribution in #1832

Full Changelog: v7.13.0...v7.14.0

This is a security fix release

A Critical security issue was discovered, affecting Keylime versions >=7.12.0, <=7.13.0.

Please see the Security Advisory GHSA-4jqp-9qjv-57m2 for further details.

Full Changelog: v7.13.0...v7.13.1

This is a security fix release

A Critical security issue was discovered, affecting Keylime versions >=7.12.0, <=7.13.0.

Please see the Security Advisory GHSA-4jqp-9qjv-57m2 for further details.

Full Changelog: v7.12.1...v7.12.2

What's Changed

New features and significant changes

• Extend meta_data field in verifierdb by @Isaac-Matthews in #1750
• Initial version of verify evidence enhancement by @mpeters in #1753
• Add 2.5 templates including Push Model agent changes by @sarroutbi in #1783
• Remove unnecessary configuration values by @sarroutbi in #1792

Bugfixes and improvements

• Remove excessive logging on exception by @kaifeng in #1735
• registrar: Log API versions during startup by @ansasaki in #1741
• tpm_util: fix quote signature extraction for ECDSA by @THS-on in #1746
• Fix pylint invalid name warnings (C0103) by @msafarik in #1758
• Fix create_runtime_policy in python < 3.12 by @mpeters in #1765
• templates: duplicate str_to_version() in the adjust script by @sergio-correia in #1768
• docker: Remove tpm2-tools compilation from base image by @ansasaki in #1767
• tenant: Add --push-model option to avoid requests to agents by @sarroutbi in #1770
• fix: Use fork as multiprocessing start method by @kkaarreell in #1773
• verifier: Gracefully shutdown webhook workers during signal handling by @ansasaki in #1784
• fix: Resolve database connection leaks causing QueuePool limit errors by @ansasaki in #1782
• Misc fixes by @sergio-correia in #1785
• mb: support vendor_db as logged by newer shim versions by @sergio-correia in #1791
• mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events by @sergio-correia in #1793
• models: Do not re-encode certificate stored in DB by @ansasaki in #1794
• policy/sign: use print() when writing to /dev/stdout by @sergio-correia in #1795
• registrar: Do not store corrupted certificate in the DB by @ansasaki in #1798

Base image updates

• [Automatic] Update Keylime base image (2025-03-10) by @github-actions[bot] in #1745
• [Automatic] Update Keylime base image (2025-04-01) by @github-actions[bot] in #1752
• [Automatic] Update Keylime base image (2025-04-04) by @github-actions[bot] in #1755
• [Automatic] Update Keylime base image (2025-05-02) by @github-actions[bot] in #1757
• [Automatic] Update Keylime base image (2025-06-02) by @github-actions[bot] in #1763
• [Automatic] Update Keylime base image (2025-06-04) by @github-actions[bot] in #1769
• [Automatic] Update Keylime base image (2025-07-01) by @github-actions[bot] in #1776
• [Automatic] Update Keylime base image (2025-08-01) by @github-actions[bot] in #1787
• [Automatic] Update Keylime base image (2025-09-01) by @github-actions[bot] in #1796

Documentation improvements

• docs: add GitHub PR template with documentation reminders by @Yizhi-W in #1748
• docs: migrate issue templates to GitHub's new directory structure by @Yizhi-W in #1751
• Docs: expand security/threat model page by @stringlytyped in #1704
• Manpage for keylime_tenant binary by @msafarik in #1786
• Fix minor typo (exponantial->exponential) by @sarroutbi in #1780

Testing/CI

• scripts: Fix coverage information downloading script by @ansasaki in #1738
• tests: change test_mba_parsing to not need keylime installed by @sergio-correia in #1736
• lint: Fix mypy warnings by @ansasaki in #1742
• packit: Add compatibility/api_version_compatibility test by @ansasaki in #1744
• CI: Enable CONTAINER_ENGINE to allow alternative container engines by @sarroutbi in #1771
• CI: Enable test add-agent-with-malformed-ek-cert by @kkaarreell in #1797

Other

• Bump version to 7.13.0 by @ansasaki in #1801

New Contributors

• @Yizhi-W made their first contribution in #1748
• @msafarik made their first contribution in #1758

Full Changelog: v7.12.1...v7.13.0

This is a security fix release

A Moderate security issue was discovered, affecting Keylime version 7.12.0.

The fix is introduced by the commit ce29f56, included in this release 7.12.1

Please see the Security Advisory GHSA-9jxq-5x44-gx23 for further details.

What's Changed

• [Automatic] Update Keylime base image (2025-02-01) by @github-actions in #1732
• Simplify response check from registrar by @kaifeng in #1724
• Bump version to 7.12.1 by @ansasaki in #1737

Full Changelog: v7.12.0...v7.12.1

What's Changed

New features and significant changes

• verifier, tenant: make payload for agent completely optional by @THS-on in #1531
• Add new web framework and re-implement existing REST APIs by @stringlytyped in #1523
• mba: Support named measured boot policies by @niteeshkd in #1547
• tpm: Replace KDFs and ECDH implementations with python-cryptography by @ansasaki in #1585
• Enhancement 110: add tool to handle keylime policies by @sergio-correia in #1568
• ima: list names of the runtime policies by @niteeshkd in #1593
• Change check_tpm_origin check to a warning that does not prevent registration by @Isaac-Matthews in #1637
• End of term for @maugustosilva + propose @ansasaki by @maugustosilva in #1661
• keylime.conf: full removal by @THS-on in #1653
• Enable autocompletion using argcomplete by @ansasaki in #1709
• Add /version endpoint to Registrar by @ansasaki in #1717
• templates: Add the new agent.conf option 'api_versions' by @ansasaki in #1708
• docker: Automate base image updates by @ansasaki in #1594
• Bump version to 7.12.0 by @ansasaki in #1726

Bugfixes and improvements

• Fix certificate generation to follow RFC 5280 by @ansasaki in #1557
• tenant: add friendlier error message if mTLS CA is wrongly configured by @THS-on in #1563
• revocation_notifier: Explicitly add CA certificate bundle by @ansasaki in #1570
• docker: Update images to use Fedora 40 by @ansasaki in #1573
• cert_utils: add description why loading using cryptography might fail by @THS-on in #1558
• revocation_notifier: Take into account CA certificates added via configuration by @ansasaki in #1566
• mba: Add a skip custom policies option when loading mba. by @marcostork in #1607
• Lint: ignore reportArgumentType and reportInvalidTypeForm errors by @marcostork in #1618
• Sets absolute path for files inside a rootfs dir by @marcostork in #1625
• keylime_policy: setting log_hash_alg to sha1 (template-hash algo) by @marcostork in #1626
• policy/create_runtime_policy: fix handling of empty lines in exclude list by @sergio-correia in #1627
• Fix a couple of issues detected by newer version of pyright by @stefanberger in #1628
• keylime_policy: Use multiple threads to calculate file digests and other improvements by @ansasaki in #1638
• Improvments to Measured Boot by @THS-on in #1646
• create_runtime_policy: Fix log level for debug messages by @ansasaki in #1652
• installer.sh: update package list, add workaround for PEP 668 by @THS-on in #1665
• docs: Fix Runtime Policy JSON schema to reflect the reality by @ansasaki in #1642
• docs: add distro installation instructions and include IDevID also in sidebar by @THS-on in #1643
• keylime-policy: use consistent names for create runtime by @sergio-correia in #1648
• keylime_policy: Postpone decision on digest algorithm to use when sources are ambiguous by @ansasaki in #1649
• keylime-policy: add sign runtime and create measured-boot subcommands by @sergio-correia in #1657
• docs: add documentation for keylime-policy by @sergio-correia in #1713
• scripts/create_runtime_policy.sh: fix path for the exclude list by @sergio-correia in #1714
• docs: Add separate documentation for each API version by @ansasaki in #1716
• scripts: Download coverage data directly from Testing Farm by @ansasaki in #1723
• tenant: Correctly log number of tries when deleting by @ansasaki in #1697
• Fix installer script and restore image building by @ansasaki in #1682
• pylintrc: Ignore too-many-positional-arguments check by @ansasaki in #1651
• Misc fixes for keylime-policy by @sergio-correia in #1696
• installer.sh: update EPEL installer, readability by @UntriexTv in #1669
• PostgreSQL support for docker using psycopg2 by @bencorrado in #1673
• Drop pending SPDX-License-Identifier headers by @sarroutbi in #1655
• docker/release/base: Explicitly add the registry for base by @ansasaki in #1584
• docker: Install latest Keylime during image build by @ansasaki in #1620
• Revert "DO NOT MERGE, TEMPORARY COMMIT" by @ansasaki in #1619
• README: update meeting time to 16:00 UK time by @THS-on in #1640
• docs: update TCTI environment variable usage by @tuminoid in #1688
• docker/ci: Fix CI image build for dnf5 by @ansasaki in #1699
• docker/ci: Add xxd to the CI image by @ansasaki in #1701

Base image updates

• [Automatic] Update Keylime base image (2024-07-31) by @github-actions in #1596
• [Automatic] Update Keylime base image (2024-08-02) by @github-actions in #1605
• [Automatic] Update Keylime base image (2024-08-16) by @github-actions in #1621
• [Automatic] Update Keylime base image (2024-09-11) by @github-actions in #1631
• [Automatic] Update Keylime base image (2024-10-01) by @github-actions in #1658
• [Automatic] Update Keylime base image (2024-11-04) by @github-actions in #1676
• [Automatic] Update Keylime base image (2024-12-02) by @github-actions in #1695
• [Automatic] Update Keylime base image (2025-01-02) by @github-actions in #1711

Testing/CI

• Change Docker and Action Tags to Digests by @lukehinds in #1560
• Add Frizbee Action by @lukehinds in #1561
• Adds dependabot by @lukehinds in #1562
• build(deps): bump actions/checkout from 2.7.0 to 4.1.7 by @dependabot in #1574
• build(deps): bump actions/first-interaction from fb2402657b4a28582200150d0a145671d0e50597 to 3c71ce730280171fd1cfb57c00c774f8998586f7 by @dependabot in #1575
• ci: use CODECOV_TOKEN for coverage file upload by @kkaarreell in #1580
• ci: disable Packit testing for Rawhide by @kkaarreell in #1587
• build(deps): bump actions/setup-python from 2.3.4 to 5.1.1 by @dependabot in #1576
• build(deps): bump docker/login-action from 2.2.0 to 3.2.0 by @dependabot in #1578
• build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0 by @dependabot in #1581
• build(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #1577
• build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1 by @dependabot in #1588
• build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1 by @dependabot in #1590
• build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0 by @dependabot in #1591
• build(deps): bump docker/login-action from 3.2.0 to 3.3.0 by @dependabot in #1592
• workflows: Fix typo and add a sign-off on the automatic PR by @ansasaki in #1595
• build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1 by @dependabot in #1597
• build(deps): bump docker/login-action from 3.2.0 to 3.3.0 by @dependabot in #1598
• build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0 by @dependabot in #1599
• docker: Build CI image together with the base image by @ansasaki in #1600
• workflow/base-image: Drop duplicate job ID by @ansasaki in #1601
• docker/ci: Add test dependency needed for ...

What's Changed

New features and significant changes:

• Add new /verify/identity API by @mpeters in #1532
• templates: Add version 2.3 by @ansasaki in #1539
• add config options for the persisted idevid and iak handles, passwords by @Isaac-Matthews in #1551

Bugfixes:

• Fix durable attestation in absence of mb_policy by @niteeshkd in #1537
• PSS padding fix - salt length set according to wrong length by @Isaac-Matthews in #1543

Testing/CI:

• tests: Fix coverage download by supporting new webdrives by @kkaarreell in #1538

Code Cleanup:

• Add require_allow_list_signature to the verfier config file by @stefanberger in #1482
• sign_runtime_policy: Display error message if non-EC key is provided by @stefanberger in #1536

Documentation:

NA

Administrative

• "Monthly" Release (7.11.0) by @maugustosilva in #1548

New Contributors

NA

Full Changelog: v7.10.0...v7.11.0

What's Changed

New features and significant changes:

• mba: Add a separate table for measured boot policies. by @niteeshkd in #1526

Bugfixes:

• templates: Fix typo on default measured boot log location by @ansasaki in #1527

Testing/CI:

• requirements: bump pyasn1-modules to 0.2.5 by @THS-on in #1524

Code Cleanup:

• elparser: add different escaping required for tpm2-tools >= 5.6 by @THS-on in #1525

Documentation:

• docs: update PCR monitoring example by @THS-on in #1529
• docs: fix rendering in PCR example by @THS-on in #1530
• user_guide: Add section about 'Key Learning to Verify Files' by @stefanberger in #1451

Administrative

• Monthly Release (7.10.0) by @maugustosilva in #1533

New Contributors

NA

Full Changelog: v7.9.0...v7.10.0

What's Changed

New features and significant changes:

• templates: Add version 2.2, with event log location options by @ansasaki in #1522
• Detect template changes for IDevID - docs and template mappings by @Isaac-Matthews in #1504
• update roadmap for 2024 by @THS-on in #1517

Bugfixes:

• Various fixes for example MB policy by @THS-on in #1516
• Extended the length of verifier_ip column to String(255) by @maugustosilva in #1520

Testing/CI:

• Tests: Switch code coverage measurement to Fedora 39 by @kkaarreell in #1511

Code Cleanup:

• codestyle: Remove a 'type: ignore' comment (mypy) by @stefanberger in #1512
• codestyle: Address some issues detected by pyright by @stefanberger in #1514

Documentation:

• docs: add additional reading section by @THS-on in #1505
• Fix readthedocs config file location by @mpeters in #1506
• Add build os and python version to readthedocs by @mpeters in #1507
• docs: fix conf.py by @THS-on in #1508
• Correcting paths in userguide documentation by @derpedda in #1510

Administrative

• Monthly release (7.9.0) by @maugustosilva in #1521

New Contributors

• @derpedda made their first contribution in #1510

Full Changelog: v7.8.0...v7.9.0