Added
- Support for the NU6.3 "Ironwood" shielded pool and v6 transaction format,
activating on Testnet at height 4,134,000. The consensus parameters (v6 version
group ID, consensus branch ID, and Testnet activation height) match
zcash_protocol. No Mainnet activation height is set yet. - The
z_gettreestate,z_getsubtreesbyindex, and verbosegetblockRPCs expose the
Ironwood note commitment tree and its subtree roots from NU6.3 activation
(#10888). - Zebra now tags the coinbase input of every block it mines with a
🦓. The
mining.extra_coinbase_dataoption is now limited to 86 bytes (was 94); Zebra
refuses to start if it is exceeded. - Pre-built
zebradbinaries are attached to each GitHub release for Linux on
x86_64andaarch64, so operators can run a node without Docker or a source
build, also installable withcargo binstall zebrad. Each.tar.gzcarries a
SHA-256 checksum, a Sigstore build-provenance attestation, and a Cosign signature
over the checksum manifest (#10799) - Added a Regtest configuration option,
should_allow_unshielded_coinbase_spends,
to forbid spending coinbase outputs into transparent outputs (the inverse of
zcashd's-regtestshieldcoinbase). It defaults to allowing such spends, preserving
existing Regtest behavior (#10698) - When the indexer RPC is enabled, a co-located read-state consumer can follow the
node more efficiently: the non-finalized block subscription resumes from the
consumer's known chain tips instead of re-streaming the whole non-finalized state,
and a newGetBlockindexer method lets the consumer fetch blocks it is missing
while its finalized state catches up. - New
zebra-stateread requestReadRequest::FindForkPoint(with response
ReadResponse::ForkPoint) that returns the most recent block in a caller-supplied
locator that is on the best chain — the fork point — for clients tracking chain
reorganizations through a read-only state service. - Added a
[notify] block_notify_commandoption that runs a command on each best-chain-tip
change, with%sreplaced by the new block hash — Zebra's equivalent ofzcashd's
-blocknotify.
Changed
- The state database format is bumped to 28.0.0 for the NU6.3 "Ironwood" shielded
pool. This is a major-version bump that is restorable in place from the previous
major format version (no resync): an in-place migration backfills the genesis
Ironwood note commitment tree and anchor, four new (initially empty)ironwood_*
column families are created, and the chain value pool record is widened to include
the Ironwood pool. ThegetblockchaininfoandgetblockvaluePoolsnow include
the (zero, until NU6.3 activates)ironwoodpool. - Opening a Zebra state read-only (for example, as a secondary instance over a
running node's database) now fails with a clear error instead of panicking when
the cache directory is missing or unreadable, when no database exists at the
configured path, or when an ephemeral database is also configured (a read-only
secondary must not delete the primary's files). The read-write open path is
unchanged. - Upgraded the librustzcash crate cohort to the NU6.3 pre-release wave (
orchard
0.15.0-pre.1,zcash_address0.13.0-pre.0,zcash_history0.5.0-pre.0,zcash_keys
0.15.0-pre.0,zcash_primitives0.29.0-pre.0,zcash_proofs0.29.0-pre.0,
zcash_protocol0.10.0-pre.0,zcash_transparent0.9.0-pre.0) for v6 transaction
and Ironwood support (#10762). - Bumped
anyhowto 1.0.103, clearing RUSTSEC-2026-0190
(#10849).
Fixed
getblocktemplatenow caches the built coinbase transaction per block, so repeated short-poll
requests within the same block no longer rebuild it. This prevents CPU saturation and multi-second
template latency when mining to a shielded (Sapling or Orchard) address
(#10847)- Released
zebradbinaries report their source commit inzebrad version
(#10798) - Handle
invalidateblockandreconsiderblockedge cases (chain-root and
same-height sibling-tip invalidation, repeated reconsideration) without panicking
(#10586) - A timeout waiting for a transparent input UTXO during transaction verification is
now treated as a missing input instead of an internal error, preventing a sync
stall near the chain tip (#10810) - The co-located read-state syncer (used by indexers like Zaino) no longer drops and
re-creates its non-finalized block subscription every second while its view of the
finalized state lags the node's
(#10818)
Security
- Use constant-time comparison for RPC cookie authentication (#10567)
- Zebra's release Docker images are now reproducible: an independent rebuild of a
publishedzebradfrom the same commit produces the same binary. The Rust
toolchain and the Rust and Debian base images are pinned by exact version and
digest, and build paths and file timestamps are normalized, so two independent
builds of the same commit produce the same binary. Release images are also built
without the shared build cache, so a published image cannot inherit a layer from
a lower-trust build
(#10798) - Release Docker images are signed and carry build provenance and a signed SBOM.
Each production release gets a Cosign keyless signature, a signed SLSA provenance
attestation, and a signed SBOM, so anyone can confirm an image came from Zebra's CI
withcosign verifyorgh attestation verify
(#10798) - Route directly pushed transactions (
txmessages) through the same per-peer
mempool admission accounting as advertised transaction IDs, so a single inbound
peer cannot bypass the per-peer download cap by pushing full transactions
instead of advertising them
(GHSA-m9xx-8rcj-vmgp).
This is the direct-push counterpart of the advertisement-path fix in
GHSA-4fc2-h7jh-287c. Thanks to @SuplabsYi for reporting the issue. - Fixed a panic in the
getblockRPC at verbosity 2 for blocks not in the best
chain: their transactions' confirmations are negative and were cast to an
unsigned type
(GHSA-x6v8-c2xp-928m).
Contributors
Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@andres-pcg, @conradoplg, @dannywillems, @emersonian, @gustavovalverde, @nuttycom, @syszery, @upbqdn and @zmanian.