Step CA v0.26.1 (24-04-22)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.26.1_amd64.tar.gz
• 📦 step-ca_0.26.1_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.26.1_amd64.tar.gz
• 📦 step-ca_darwin_0.26.1_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.26.1_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.26.1_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.26.1_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.26.1_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 9cbab5a Add changelog for 0.26.1 (#1812)
• d6bf551 Merge pull request #1803 from smallstep/herman/fix-scep-vault-ra
• f4d506f Merge pull request #1811 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api-1.13.0
• 1e5e267 Remove leftover debug print
• 760014c go mod tidy
• 2561a72 Dedupe CA and SCEP client creation logic
• 3965305 Bump github.com/hashicorp/vault/api from 1.12.2 to 1.13.0
• 65cfee5 Merge pull request #1810 from smallstep/dependabot/go_modules/google.golang.org/api-0.176.0
• 8d4effc Bump google.golang.org/api from 0.172.0 to 0.176.0
• 4a37559 Merge pull request #1809 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.44.6
• d7ed031 Merge pull request #1808 from smallstep/dependabot/go_modules/cloud.google.com/go/security-1.16.0
• 8720200 Rewrite SCEP integration tests to only use the HTTPS endpoint
• 57a6b85 Bump go.step.sm/crypto from 0.44.4 to 0.44.6
• 0ba61c5 Bump cloud.google.com/go/security from 1.15.6 to 1.16.0
• b0fabe1 Add some SCEP integration tests
• 113a6dd Remove reporting the CA mode from startup logs
• 6bc0a86 Fix CA startup with Vault RA configuration
• 07279dd Merge pull request #1801 from smallstep/herman/upgrade-crypto-v0.44.4
• 4c6b0b3 Upgrade go.step.sm/crypto to v0.44.4
• f1a2c68 Merge pull request #1798 from smallstep/herman/fix-instrumented-key-manager
• 7df3ad0 Merge pull request #1797 from smallstep/mariano/init-scep
• 4202d66 Remove debug statement
• d6bbe5b Add support for kmsapi.Decrypter to instrumented key manager
• 721345e Merge pull request #1793 from verytrap/master
• db92404 chore: fix function names in comment
• 725a913 Allow custom SCEP key manager
• 397877a Merge pull request #1795 from smallstep/herman/fix-scep-failinfo-oid
• b226b6e Prevent exposing any internal details in SCEP failure message
• 02956ad Merge pull request #1794 from smallstep/herman/fix-scep-failinfo-oid
• 037554e Fix the id-scep-failInfoText OID
• 1513152 Merge pull request #1791 from smallstep/dependabot/go_modules/github.com/newrelic/go-agent/v3-3.32.0
• c9ba31a Bump github.com/newrelic/go-agent/v3 from 3.31.0 to 3.32.0
• 1f69ff8 Merge pull request #1792 from smallstep/dependabot/go_modules/google.golang.org/grpc-1.63.2
• a76f071 Bump google.golang.org/grpc from 1.62.1 to 1.63.2
• 08ef9fe Merge pull request #1789 from smallstep/dependabot/go_modules/golang.org/x/net-0.24.0
• 57d6285 Bump golang.org/x/net from 0.22.0 to 0.24.0
• d5758ba Merge pull request #1784 from smallstep/dependabot/go_modules/github.com/newrelic/go-agent/v3-3.31.0
• 166c496 Merge pull request #1785 from smallstep/dependabot/go_modules/google.golang.org/api-0.172.0
• 1be0932 Merge pull request #1786 from smallstep/carl/winget-fix
• f04a5e3 Fix winget release URL
• d1523c9 Bump google.golang.org/api from 0.171.0 to 0.172.0
• 44c48a7 Bump github.com/newrelic/go-agent/v3 from 3.30.0 to 3.31.0
• 188e4e3 Add version number to winget branch name (#1783)

Thanks!

Those were the changes on v0.26.1!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.

Step CA v0.26.0 (24-03-29)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.26.0_amd64.tar.gz
• 📦 step-ca_0.26.0_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.26.0_amd64.tar.gz
• 📦 step-ca_darwin_0.26.0_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.26.0_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.26.0_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.26.0_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.26.0_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 395a3ee Update go.step.sm/crypto (#1781)
• 4772d7c Merge pull request #1780 from smallstep/herman/update-changelog-20240328
• 854288a Update changelog for v0.26.0 release
• 4016b69 Merge pull request #1776 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api-1.12.2
• b5b723e Merge pull request #1775 from smallstep/dependabot/go_modules/google.golang.org/api-0.171.0
• 0a6e79a Merge pull request #1778 from smallstep/dependabot/github_actions/dependabot/fetch-metadata-2.0.0
• 9d86361 Bump github.com/hashicorp/vault/api from 1.12.1 to 1.12.2
• 7e05343 Merge pull request #1774 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.44.1
• 014b4ef Bump dependabot/fetch-metadata from 1.6.0 to 2.0.0
• 21734f7 Bump google.golang.org/api from 0.169.0 to 0.171.0
• 927cd97 Bump go.step.sm/crypto from 0.43.1 to 0.44.1

Thanks!

Those were the changes on v0.26.0!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.

Step CA v0.26.0-rc2 (24-03-20)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.26.0-rc2_amd64.tar.gz
• 📦 step-ca_0.26.0-rc2_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.26.0-rc2_amd64.tar.gz
• 📦 step-ca_darwin_0.26.0-rc2_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.26.0-rc2_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.26.0-rc2_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.26.0-rc2_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.26.0-rc2_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 2650944 Merge pull request #1773 from smallstep/herman/cosign-2.x
• 7888d86 Use --yes to acknowledge user prompts for cosign signing

Thanks!

Those were the changes on v0.26.0-rc2!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.

Release v0.26.0-rc1

Merge pull request #1772 from smallstep/jdoss/Enable_tpmkms

Enable tpmkms

Step CA v0.25.3-rc7 (24-03-05)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.25.3-rc7_amd64.tar.gz
• 📦 step-ca_0.25.3-rc7_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.25.3-rc7_amd64.tar.gz
• 📦 step-ca_darwin_0.25.3-rc7_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.25.3-rc7_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.25.3-rc7_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.25.3-rc7_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.25.3-rc7_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 1583e53 Merge branch 'master' into wire-acme-extensions
• ec223c1 Merge pull request #1748 from smallstep/dependabot/go_modules/github.com/stretchr/testify-1.9.0
• b7e3e0b Merge pull request #1746 from smallstep/dependabot/go_modules/google.golang.org/api-0.167.0
• 022deaf Merge pull request #1749 from smallstep/dependabot/go_modules/github.com/prometheus/client_golang-1.19.0
• 5853c73 Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0
• cf0d6f8 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0
• 69c7ca9 Bump google.golang.org/api from 0.165.0 to 0.167.0
• 755ae0b Fix Wire mock CA interface implementation
• 364566b Merge branch 'master' into wire-acme-extensions
• 10aa48c Merge pull request #1743 from smallstep/herman/improve-request-id
• 2a47644 Fix linting issue
• d392c16 Improve functional coverage of request ID integration test
• 7fd524f Default to generating request IDs using UUIDv4 format in CA
• 0898c6d Use UUIDv4 as automatically generated client request identifier
• 0d5c692 Merge pull request #1744 from smallstep/carl/readme-updates
• cd3e91b Updated README
• b9d6bfc Cleanup CA client tests by removing smallstep/assert
• 532b9df Improve CA client request ID handling
• 06696e6 Move user ID handling to userid package
• 7e5f109 Decouple request ID middleware from logging middleware
• 535e2a9 Fix the e2e request ID test (again)
• b83b8aa Make random TCP address reservation more contained
• 2255857 Fix client shadowing and e2e request ID test case
• 5c2572c Add support for user provider X-Request-Id header value
• cf8a501 Add a basic e2e test for X-Request-Id reflection
• fb4cd6f fix: Webhook-related instruments
• a58f595 Add reflection of request ID in X-Request-Id response header
• c798735 Merge pull request #1542 from smallstep/herman/webhook-request-id
• c1c2e73 Add X-Request-Id to all requests made by our CA clients
• 4213a19 Use X-Request-Id as canonical request identifier (if available)
• 041b486 Remove usages of Sign without context
• c16a0b7 Remove smallstep/assert and pkg/errors from webhook tests
• 9689508 Add tests for webhook request IDs
• 2a8b80a Merge branch 'master' into herman/webhook-request-id
• 6ce502c Merge pull request #1741 from smallstep/dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.2
• 0d2aeff Merge pull request #1739 from smallstep/dependabot/go_modules/google.golang.org/grpc-1.62.0
• 5ee2e02 Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2
• e4bbe89 Bump google.golang.org/grpc from 1.61.0 to 1.62.0
• 98a976b Merge pull request #1740 from smallstep/dependabot/go_modules/github.com/fxamacker/cbor/v2-2.6.0
• a583b59 Merge pull request #1738 from smallstep/dependabot/go_modules/github.com/googleapis/gax-go/v2-2.12.2
• 0b196b0 Bump github.com/fxamacker/cbor/v2 from 2.5.0 to 2.6.0
• fa941dc Bump github.com/googleapis/gax-go/v2 from 2.12.0 to 2.12.2
• bb6aae0 Merge pull request #1736 from patsevanton/master
• c2dfe59 Сorrection of spelling errors
• 0d4f53f Merge branch 'master' into wire-acme-extensions
• e968275 Merge pull request #1729 from patsevanton/master
• 7e1b93b Update examples/README.md
• dc577e2 Merge pull request #1724 from smallstep/dependabot/go_modules/github.com/newrelic/go-agent/v3-3.30.0
• 3a2b426 Bump github.com/newrelic/go-agent/v3 from 3.29.1 to 3.30.0
• f7554a0 Merge pull request #1725 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api/auth/kubernetes-0.6.0
• 685e107 Merge pull request #1726 from smallstep/dependabot/go_modules/google.golang.org/api-0.165.0
• 0a074cb Spelling errors and punctuation have been corrected
• 8e1f538 Bump google.golang.org/api from 0.160.0 to 0.165.0
• e6491ca Merge pull request #1727 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.43.1
• 507f4d0 Bump go.step.sm/crypto from 0.43.0 to 0.43.1
• 2ffc908 Bump github.com/hashicorp/vault/api/auth/kubernetes from 0.5.0 to 0.6.0
• 0a97e1b Merge branch 'master' into wire-acme-extensions
• bb296c9 Merge pull request #1708 from smallstep/herman/csr-expires-header
• bd99db0 Merge pull request #1685 from venkyg-sec/allow_custom_tls_config
• 503e504 Merge branch 'master' into allow_custom_tls_config
• beea482 Fix linter errors in ca/ca.go
• 073fcb7 Merge pull request #1684 from venkyg-sec/allow_external_x509_ca_service_intf
• ac773ff Merge branch 'master' into allow_external_x509_ca_service_intf
• 9fcdd3f Fix format warnings on ca/ca.go
• 3dbb4aa Change CRL unavailable case to HTTP 404
• 5d865b2 Merge pull request #1715 from rvichery/aws-ca-west-1-iid-certificate
• ee44ac1 fixup! Add AWS ca-west-1 identity document certificate
• aaf5a1c Merge branch 'master' into wire-acme-extensions
• 490d065 Merge pull request #1713 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api/auth/approle-0.6.0
• 283d46d Add AWS ca-west-1 identity document certificate
• a3bed40 Bump github.com/hashicorp/vault/api/auth/approle from 0.5.0 to 0.6.0
• d174e78 Merge pull request #1712 from smallstep/dependabot/go_modules/golang.org/x/net-0.21.0
• 5f91441 Merge pull request #1711 from smallstep/dependabot/go_modules/cloud.google.com/go/longrunning-0.5.5
• a32dade Bump golang.org/x/net from 0.20.0 to 0.21.0
• b9db4e3 Bump cloud.google.com/go/longrunning from 0.5.4 to 0.5.5
• c76dad8 Improve tests for CRL HTTP handler
• 69f5f8d Use stretchr/testify instead of smallstep/assert for tests
• d1deb7f Add Expires header to CRL response
• 95fdbc1 Merge pull request #1691 from smallstep/herman/wire-acme-improvements
• 194341e Address review comments
• 745017c Add test for OIDC auto discovery configuration
• 138c101 Add validation for Wire UserID + DeviceID identifiers
• 5d7e533 Add validation of name in DPoP token
• 2e78301 Simplify the DPoP target provider functionality
• c6a6622 Improve test coverage for Wire authorizations
• ef657d7 Fix OIDC target
• e153be3 Replace smallstep/assert with stretchr/testify for ACME provisioner
• 37a9f36 Merge branch 'wire-acme-extensions' into herman/wire-acme-improvements
• 92b6191 Merge branch 'master' into wire-acme-extensions
• 6724692 Merge pull request #1706 from smallstep/dependabot/go_modules/github.com/prometheus/client_golang-1.18.0
• 6d29e8a Merge pull request #1704 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.43.0
• 05ccf84 Merge pull request #1705 from smallstep/dependabot/go_modules/cloud.google.com/go/security-1.15.5
• 78522c7 Bump github.com/prometheus/client_golang from 1.15.1 to 1.18.0
• 053d05b Bump cloud.google.com/go/security from 1.15.4 to 1.15.5
• 5209393 Bump go.step.sm/crypto from 0.42.1 to 0.43.0
• e6d9208 Merge branch 'wire-acme-extensions' into herman/wire-acme-improvements
• ace27c0 Merge branch 'master' into wire-acme-extensions
• c579239 Add basic support for OIDC provider instantiation through discovery
• cd21f8d Refactor OIDC verifier instantation to happen only once
• 19feae5 Add test for ACME initialization with Wire challenges
• 59ea731 Merge pull request #1693 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api-1.11.0
• 78d889a Bump github.com/hashicorp/vault/api from 1.10.0 to 1.11.0
• 2fcb33b Merge pull request #1695 from smallstep/dependabot/go_modules/github.com/newrelic/go-agent/v3-3.29.1
• fe926e9 Merge pull request #1694 from smallstep/dependabot/go_modules/github.com/google/uuid-1.6.0
• 8123d6a Merge pull request #1692 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.42.1
• d9cf8aa Bump github.com/newrelic/go-agent/v3 from 3.29.0 to 3.29.1
• eeaabbc Bump github.com/google/uuid from 1.5.0 to 1.6.0
• 1122090 Bump go.step.sm/crypto from 0.42.0 to 0.42.1
• 14e8d47 Skip Wire option validation and initialization if not enabled
• 8a9b1b3 Move Wire option validation to provisioner initialization
• 79943d2 Merge branch 'wire-acme-extensions' into herman/wire-acme-improvements
• a0e4cba Merge branch 'master' into wire-acme-extensions
• dd1ff9c Implementation of the Prometheus endpoint (#1669)
• 4d4719a Change URLs used in DPoP template test
• 356e707 Allow usage o...

Step CA v0.25.3-rc6 (24-02-27)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.25.3-rc6_amd64.tar.gz
• 📦 step-ca_0.25.3-rc6_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.25.3-rc6_amd64.tar.gz
• 📦 step-ca_darwin_0.25.3-rc6_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.25.3-rc6_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.25.3-rc6_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.25.3-rc6_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.25.3-rc6_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• fb4cd6f fix: Webhook-related instruments
• c798735 Merge pull request #1542 from smallstep/herman/webhook-request-id
• 041b486 Remove usages of Sign without context
• c16a0b7 Remove smallstep/assert and pkg/errors from webhook tests
• 9689508 Add tests for webhook request IDs
• 2a8b80a Merge branch 'master' into herman/webhook-request-id
• 6ce502c Merge pull request #1741 from smallstep/dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.2
• 0d2aeff Merge pull request #1739 from smallstep/dependabot/go_modules/google.golang.org/grpc-1.62.0
• 5ee2e02 Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2
• e4bbe89 Bump google.golang.org/grpc from 1.61.0 to 1.62.0
• 98a976b Merge pull request #1740 from smallstep/dependabot/go_modules/github.com/fxamacker/cbor/v2-2.6.0
• a583b59 Merge pull request #1738 from smallstep/dependabot/go_modules/github.com/googleapis/gax-go/v2-2.12.2
• 0b196b0 Bump github.com/fxamacker/cbor/v2 from 2.5.0 to 2.6.0
• fa941dc Bump github.com/googleapis/gax-go/v2 from 2.12.0 to 2.12.2
• bb6aae0 Merge pull request #1736 from patsevanton/master
• c2dfe59 Сorrection of spelling errors
• e968275 Merge pull request #1729 from patsevanton/master
• 7e1b93b Update examples/README.md
• dc577e2 Merge pull request #1724 from smallstep/dependabot/go_modules/github.com/newrelic/go-agent/v3-3.30.0
• 3a2b426 Bump github.com/newrelic/go-agent/v3 from 3.29.1 to 3.30.0
• f7554a0 Merge pull request #1725 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api/auth/kubernetes-0.6.0
• 685e107 Merge pull request #1726 from smallstep/dependabot/go_modules/google.golang.org/api-0.165.0
• 0a074cb Spelling errors and punctuation have been corrected
• 8e1f538 Bump google.golang.org/api from 0.160.0 to 0.165.0
• e6491ca Merge pull request #1727 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.43.1
• 507f4d0 Bump go.step.sm/crypto from 0.43.0 to 0.43.1
• 2ffc908 Bump github.com/hashicorp/vault/api/auth/kubernetes from 0.5.0 to 0.6.0
• bb296c9 Merge pull request #1708 from smallstep/herman/csr-expires-header
• bd99db0 Merge pull request #1685 from venkyg-sec/allow_custom_tls_config
• 503e504 Merge branch 'master' into allow_custom_tls_config
• beea482 Fix linter errors in ca/ca.go
• 073fcb7 Merge pull request #1684 from venkyg-sec/allow_external_x509_ca_service_intf
• ac773ff Merge branch 'master' into allow_external_x509_ca_service_intf
• 9fcdd3f Fix format warnings on ca/ca.go
• 3dbb4aa Change CRL unavailable case to HTTP 404
• 5d865b2 Merge pull request #1715 from rvichery/aws-ca-west-1-iid-certificate
• ee44ac1 fixup! Add AWS ca-west-1 identity document certificate
• 490d065 Merge pull request #1713 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api/auth/approle-0.6.0
• 283d46d Add AWS ca-west-1 identity document certificate
• a3bed40 Bump github.com/hashicorp/vault/api/auth/approle from 0.5.0 to 0.6.0
• d174e78 Merge pull request #1712 from smallstep/dependabot/go_modules/golang.org/x/net-0.21.0
• 5f91441 Merge pull request #1711 from smallstep/dependabot/go_modules/cloud.google.com/go/longrunning-0.5.5
• a32dade Bump golang.org/x/net from 0.20.0 to 0.21.0
• b9db4e3 Bump cloud.google.com/go/longrunning from 0.5.4 to 0.5.5
• c76dad8 Improve tests for CRL HTTP handler
• 69f5f8d Use stretchr/testify instead of smallstep/assert for tests
• d1deb7f Add Expires header to CRL response
• 6724692 Merge pull request #1706 from smallstep/dependabot/go_modules/github.com/prometheus/client_golang-1.18.0
• 6d29e8a Merge pull request #1704 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.43.0
• 05ccf84 Merge pull request #1705 from smallstep/dependabot/go_modules/cloud.google.com/go/security-1.15.5
• 78522c7 Bump github.com/prometheus/client_golang from 1.15.1 to 1.18.0
• 053d05b Bump cloud.google.com/go/security from 1.15.4 to 1.15.5
• 5209393 Bump go.step.sm/crypto from 0.42.1 to 0.43.0
• 59ea731 Merge pull request #1693 from smallstep/dependabot/go_modules/github.com/hashicorp/vault/api-1.11.0
• 78d889a Bump github.com/hashicorp/vault/api from 1.10.0 to 1.11.0
• 2fcb33b Merge pull request #1695 from smallstep/dependabot/go_modules/github.com/newrelic/go-agent/v3-3.29.1
• fe926e9 Merge pull request #1694 from smallstep/dependabot/go_modules/github.com/google/uuid-1.6.0
• 8123d6a Merge pull request #1692 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.42.1
• d9cf8aa Bump github.com/newrelic/go-agent/v3 from 3.29.0 to 3.29.1
• eeaabbc Bump github.com/google/uuid from 1.5.0 to 1.6.0
• 1122090 Bump go.step.sm/crypto from 0.42.0 to 0.42.1
• 356e707 Allow usage of externally supplied TLS config
• fbc1e89 Allow x509 Service CA implementation to be injected through ca and authority options
• 4ef093d Fix broken tests relying on Sign in mocks
• 9e3807e Use SignWithContext in the critical paths
• 4e06bdb Add SignWithContext method to authority and mocks
• b2301ea Remove the webhook Do method
• f3229d3 Propagate (original) request ID to webhook requests

Thanks!

Those were the changes on v0.25.3-rc6!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.

Step CA v0.25.3-rc5 (24-01-26)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.25.3-rc5_amd64.tar.gz
• 📦 step-ca_0.25.3-rc5_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.25.3-rc5_amd64.tar.gz
• 📦 step-ca_darwin_0.25.3-rc5_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.25.3-rc5_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.25.3-rc5_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.25.3-rc5_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.25.3-rc5_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• dd1ff9c Implementation of the Prometheus endpoint (#1669)
• 27ea4de Merge pull request #1687 from smallstep/dependabot/go_modules/google.golang.org/api-0.157.0
• b0833d7 Merge pull request #1686 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.42.0
• bcaf8a5 Bump google.golang.org/api from 0.156.0 to 0.157.0
• 18d3b7f Bump go.step.sm/crypto from 0.41.0 to 0.42.0

Thanks!

Those were the changes on v0.25.3-rc5!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.

Step CA v0.25.3-rc4 (24-01-25)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.25.3-rc4_amd64.tar.gz
• 📦 step-ca_0.25.3-rc4_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.25.3-rc4_amd64.tar.gz
• 📦 step-ca_darwin_0.25.3-rc4_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.25.3-rc4_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.25.3-rc4_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.25.3-rc4_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.25.3-rc4_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 675e418 Merge branch 'master' into wire-acme-extensions
• 502334f Merge pull request #1689 from smallstep/beltram/wire-acme-extensions
• a38132a Fix policy check for Wire user and device identifiers
• 93ba165 Fix tests to work with Wire UserID and DeviceID
• 9eed61a use switch statement
• b8eb559 Update acme/order.go
• 27ea4de Merge pull request #1687 from smallstep/dependabot/go_modules/google.golang.org/api-0.157.0
• b0833d7 Merge pull request #1686 from smallstep/dependabot/go_modules/go.step.sm/crypto-0.42.0
• bcaf8a5 Bump google.golang.org/api from 0.156.0 to 0.157.0
• 18d3b7f Bump go.step.sm/crypto from 0.41.0 to 0.42.0
• a3de984 fix: use 2 separate identifiers for Wire
• 7e6356e Merge pull request #1670 from smallstep/herman/remove-rusty-cli

Thanks!

Those were the changes on v0.25.3-rc4!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.

Step CA v0.25.3-rc3 (24-01-17)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.25.3-rc3_amd64.tar.gz
• 📦 step-ca_0.25.3-rc3_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.25.3-rc3_amd64.tar.gz
• 📦 step-ca_darwin_0.25.3-rc3_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.25.3-rc3_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.25.3-rc3_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.25.3-rc3_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.25.3-rc3_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 9cc3295 empty commit

Thanks!

Those were the changes on v0.25.3-rc3!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.

Step CA v0.25.2 (23-11-29)

Official Release Artifacts

Linux

• 📦 step-ca_linux_0.25.2_amd64.tar.gz
• 📦 step-ca_0.25.2_amd64.deb

OSX Darwin

• 📦 step-ca_darwin_0.25.2_amd64.tar.gz
• 📦 step-ca_darwin_0.25.2_arm64.tar.gz

Windows

• 📦 step-ca_windows_0.25.2_amd64.zip

For more builds across platforms and architectures, see the Assets section below.
And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.25.2_amd64.tar.gz.sig.pem \
  --signature step-ca_darwin_0.25.2_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.25.2_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

• 7bfe11c Bump go.step.sm/crypto (#1635)
• d34f0f6 Fix linter warnings (#1634)

Thanks!

Those were the changes on v0.25.2!

Come join us on Discord to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.