v0.2.0
Pre-release

Version-keyed body-signature domain. The body message signature is now domain-separated by protocol version. ink/0.1 messages, and any object with no explicit ink/0.2 protocol, keep the legacy tulpa/sign domain so every signature produced to date still verifies. ink/0.2 messages are signed and verified under the neutral ink/sign domain. The verifier selects exactly one domain from the signed protocol field and never tries an alternate, so a signature made under one version's domain cannot be replayed under another.
This change is receiver-first and backward compatible. Verifiers accept both versions, and MessageEnvelopeSchema now accepts ink/0.1 and ink/0.2 as a strict enum, rejecting any unknown version. Senders still emit ink/0.1 by default. The HTTP transport-auth signature is unchanged.
New vectors in test-vectors/body-signature.json pin the version-keyed domain, including the cross-version and tamper cases. The standalone Python interop client verifies them identically.
Per the pre-1.0 policy, this release publishes under the next dist-tag.
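
The domain selection described above, sketched as an added example that is not the project's own code. Only the domain strings and version names come from these notes; HMAC-SHA256 stands in for the real signature scheme, and the `protocol` and `signature` field names, the NUL-separated framing and the canonical JSON encoding are assumptions.

```python
import hashlib
import hmac
import json

# Domain strings and version names come from the release notes. The field
# names, framing and HMAC primitive are assumptions made for this sketch.
LEGACY_DOMAIN = b"tulpa/sign"
NEUTRAL_DOMAIN = b"ink/sign"
ENVELOPE_VERSIONS = ("ink/0.1", "ink/0.2")
KEY = b"constructed-demo-key"  # constructed sample key


def select_domain(obj):
    """Choose exactly one domain from the signed protocol field."""
    # Only an explicit ink/0.2 gets the neutral domain; all else stays legacy.
    return NEUTRAL_DOMAIN if obj.get("protocol") == "ink/0.2" else LEGACY_DOMAIN


def signing_input(obj):
    """Assumed framing: domain, NUL byte, canonical JSON without the signature."""
    body = {k: v for k, v in obj.items() if k != "signature"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return select_domain(obj) + b"\x00" + canonical.encode("utf-8")


def sign(key, obj):
    tag = hmac.new(key, signing_input(obj), hashlib.sha256).hexdigest()
    return {**obj, "signature": tag}


def verify_body(key, obj):
    """Verify under the single selected domain; no fallback to the other one."""
    expected = hmac.new(key, signing_input(obj), hashlib.sha256).hexdigest()
    presented = str(obj.get("signature", ""))
    return hmac.compare_digest(expected.encode(), presented.encode())


def accept_envelope(key, msg):
    """Strict version enum first, then the body signature."""
    return msg.get("protocol") in ENVELOPE_VERSIONS and verify_body(key, msg)


if __name__ == "__main__":
    v1 = sign(KEY, {"protocol": "ink/0.1", "body": "hello"})  # constructed
    v2 = sign(KEY, {"protocol": "ink/0.2", "body": "hello"})  # constructed
    print(accept_envelope(KEY, v1), accept_envelope(KEY, v2))
    print(accept_envelope(KEY, {**v1, "protocol": "ink/0.2"}))  # relabelled
    print(accept_envelope(KEY, {**v2, "body": "hullo"}))        # tampered
```

Because the verifier never retries under the other domain, a relabelled or tampered message fails outright instead of falling back to the legacy check.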