Merge branch 'master' into herman/improve-scep-marshaling

Author: hslatman

.github/workflows/ci.yml

@@ -23,4 +23,5 @@ jobs:
       os-dependencies: "libpcsclite-dev"
       run-gitleaks: true
       run-codeql: true
+      make-test: true # run `make test` instead of the default test workflow
     secrets: inherit

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,22 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.1.1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/release.yml

@@ -21,6 +21,7 @@ jobs:
       version: ${{ steps.extract-tag.outputs.VERSION }}
       is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
       docker_tags: ${{ env.DOCKER_TAGS }}
+      docker_tags_hsm: ${{ env.DOCKER_TAGS_HSM }}
     steps:
       - name: Is Pre-release
         id: is_prerelease
@@ -36,10 +37,12 @@ jobs:
           VERSION=${GITHUB_REF#refs/tags/v}
           echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
           echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
+          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_IMAGE }}:${VERSION}-hsm" >> ${GITHUB_ENV}
       - name: Add Latest Tag
         if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
         run: |
           echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
+          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> ${GITHUB_ENV}
       - name: Create Release
         id: create_release
         uses: actions/create-release@v1
@@ -79,7 +82,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v3
         with:
           version: 'latest'
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
           RELEASE_DATE: ${{ env.RELEASE_DATE }}
@@ -96,5 +99,19 @@ jobs:
       platforms: linux/amd64,linux/386,linux/arm,linux/arm64
       tags: ${{ needs.create_release.outputs.docker_tags }}
       docker_image: smallstep/step-ca
-      docker_file: docker/Dockerfile.step-ca
+      docker_file: docker/Dockerfile
+    secrets: inherit
+
+  build_upload_docker_hsm:
+    name: Build & Upload HSM Enabled Docker Images
+    needs: create_release
+    permissions:
+      id-token: write
+      contents: write
+    uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
+    with:
+      platforms: linux/amd64,linux/386,linux/arm,linux/arm64
+      tags: ${{ needs.create_release.outputs.docker_tags_hsm }}
+      docker_image: smallstep/step-ca
+      docker_file: docker/Dockerfile.hsm
     secrets: inherit

.goreleaser.yml

@@ -36,6 +36,7 @@ archives:
     # Most common use case is to archive as zip on Windows.
     # Default is empty.
     name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    rlcp: true
     format_overrides:
       - goos: windows
         format: zip
@@ -78,6 +79,7 @@ nfpms:
 
 source:
   enabled: true
+  rlcp: true
   name_template: '{{ .ProjectName }}_{{ .Version }}'
 
 checksum:
@@ -140,7 +142,7 @@ release:
 
     #### Windows
 
-    - 📦 [step-ca_windows_{{ .Version }}_arm64.zip](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
+    - 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
 
     For more builds across platforms and architectures, see the `Assets` section below.
     And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation).
@@ -154,9 +156,11 @@ release:
     Below is an example using `cosign` to verify a release artifact:
 
     ```
-    COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+    cosign verify-blob \
       --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
       --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
+      --certificate-identity-regexp "https://github\.com/smallstep/certificates/.*" \
+      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
       ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
     ```
 
@@ -185,3 +189,40 @@ release:
   #  - glob: ./path/to/file.txt
   #  - glob: ./glob/**/to/**/file/**/*
   #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
+
+scoop:
+  # Template for the url which is determined by the given Token (github or gitlab)
+  # Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  # Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
+  # Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+
+  # Repository to push the app manifest to.
+  bucket:
+    owner: smallstep
+    name: scoop-bucket
+
+  # Git author used to commit to the repository.
+  # Defaults are shown.
+  commit_author:
+    name: goreleaserbot
+    email: goreleaser@smallstep.com
+
+  # The project name and current git tag are used in the format string.
+  commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
+
+  # Your app's homepage.
+  # Default is empty.
+  homepage: "https://smallstep.com/docs/step-ca"
+
+  # Skip uploads for prerelease.
+  skip_upload: auto
+
+  # Your app's description.
+  # Default is empty.
+  description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
+
+  # Your app's license
+  # Default is empty.
+  license: "Apache-2.0"
+

CHANGELOG.md

@@ -25,12 +25,85 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
-## [Unreleased]
+## [v0.24.0] - 2023-04-12
+
+### Added
+
+- Add ACME `device-attest-01` support with TPM 2.0
+  (smallstep/certificates#1063).
+- Add support for new Azure SDK, sovereign clouds, and HSM keys on Azure KMS
+  (smallstep/crypto#192, smallstep/crypto#197, smallstep/crypto#198,
+  smallstep/certificates#1323, smallstep/certificates#1309).
+- Add support for ASN.1 functions on certificate templates
+  (smallstep/crypto#208, smallstep/certificates#1345)
+- Add `DOCKER_STEPCA_INIT_ADDRESS` to configure the address to use in a docker
+  container (smallstep/certificates#1262).
+- Make sure that the CSR used matches the attested key when using AME
+  `device-attest-01` challenge (smallstep/certificates#1265).
+- Add support for compacting the Badger DB (smallstep/certificates#1298).
+- Build and release cleanups (smallstep/certificates#1322,
+  smallstep/certificates#1329, smallstep/certificates#1340).
+
+### Fixed
+
+- Fix support for PKCS #7 RSA-OAEP decryption through
+  [smallstep/pkcs7#4](https://github.com/smallstep/pkcs7/pull/4), as used in
+  SCEP.
+- Fix RA installation using `scripts/install-step-ra.sh`
+  (smallstep/certificates#1255).
+- Clarify error messages on policy errors (smallstep/certificates#1287,
+  smallstep/certificates#1278).
+- Clarify error message on OIDC email validation (smallstep/certificates#1290).
+- Mark the IDP critical in the generated CRL data (smallstep/certificates#1293).
+- Disable database if CA is initialized with the `--no-db` flag
+  (smallstep/certificates#1294).
+
+## [v0.23.2] - 2023-02-02
+
+### Added
+
+- Added [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) to
+  docker images, and a new image, `smallstep/step-ca-hsm`, compiled with cgo
+  (smallstep/certificates#1243).
+- Added [`scoop`](https://scoop.sh) packages back to the release
+  (smallstep/certificates#1250).
+- Added optional flag `--pidfile` which allows passing a filename where step-ca
+  will write its process id (smallstep/certificates#1251).
+- Added helpful message on CA startup when config can't be opened
+  (smallstep/certificates#1252).
+- Improved validation and error messages on `device-attest-01` orders
+  (smallstep/certificates#1235).
+
+### Removed
+
+- The deprecated CLI utils `step-awskms-init`, `step-cloudkms-init`,
+  `step-pkcs11-init`, `step-yubikey-init` have been removed.
+  [`step`](https://github.com/smallstep/cli) and
+  [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) should be
+  used instead (smallstep/certificates#1240).
+
+### Fixed
+
+- Fixed remote management flags in docker images (smallstep/certificates#1228).
+
+## [v0.23.1] - 2023-01-10
 
 ### Added
 
 - Added configuration property `.crl.idpURL`  to be able to set a custom Issuing
-  Distribution Point in the CRL.
+  Distribution Point in the CRL (smallstep/certificates#1178).
+- Added WithContext methods to the CA client (smallstep/certificates#1211).
+- Docker: Added environment variables for enabling Remote Management and ACME
+  provisioner (smallstep/certificates#1201).
+- Docker: The entrypoint script now generates and displays an initial JWK
+  provisioner password by default when the CA is being initialized
+  (smallstep/certificates#1223).
+
+### Changed
+
+- Ignore SSH principals validation when using an OIDC provisioner. The
+  provisioner will ignore the principals passed and set the defaults or the ones
+  including using WebHooks or templates (smallstep/certificates#1206).
 
 ## [v0.23.0] - 2022-11-11