Cerebrate v1.36

@iglocska iglocska released this 09 Jun 15:43 · 15 commits to main since this release · tag v1.36 · commit 6d0160d

This release introduces an outbound email subsystem with full PGP support, an automated PGP key-expiry reminder sweep, and expanded Keycloak integration
for organisation-level fields — alongside a number of fixes and hardening changes.

New Features

Email subsystem with GPG signing & encryption

A new lightweight outbound-email subsystem (CerebrateMailer) centralises from/reply-to handling, transport disabling, and stable threading headers. It
ships with:

  • GPG sign + encrypt pipeline (GpgMailer) implementing multipart/signed and multipart/encrypted envelopes per RFC 3156, with optional subject
    obscuring and an only_encrypted mode that refuses to send in the clear when no recipient key is available.
  • send_email CLI command for manual and GPG-encrypted sends.
  • New Cerebrate.email.* settings under Application → Network → Email.

Automated PGP key-expiry reminders

  • Cron-driven expiry sweep (./bin/cake check_expiring_keys) walks individual-owned encryption keys, determines the soonest encryption-capable subkey
    expiry, and dispatches reminders when a configured threshold is newly crossed. Default cadence is 30/7/1 days (configurable via --thresholds or
    Cerebrate.reminders.default_thresholds). Supports --dry-run and --encrypt.
  • Per-recipient digests: when several of an individual's keys cross a threshold in the same run, they are collapsed into a single digest email
    (expired-first, soonest-next) rather than one mail per key.
  • Idempotency is gated per key so the same threshold never fires twice; the reminder state resets automatically when key material changes.
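The threshold-crossing, per-owner digest and per-key idempotency logic described above, as an added illustration written for these notes (not Cerebrate's own code, and in Python rather than the project's PHP). Key ids, fingerprints, owners and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Key:
    owner: str             # the individual who owns the key
    key_id: str            # stable id: reminder state is gated per key
    fingerprint: str       # changes when key material changes, which resets the state
    subkey_expiries: list  # expiry dates of encryption-capable subkeys (None = never)

def sweep(keys, state, today, thresholds=(30, 7, 1)):
    """One sweep: returns {owner: [(key, days_left), ...]} digests of keys whose
    tightest threshold is newly crossed, and records those firings in `state`."""
    digests = {}
    for key in keys:
        dated = [d for d in key.subkey_expiries if d is not None]
        if not dated:
            continue                            # no expiring encryption subkey
        days_left = (min(dated) - today).days   # soonest encryption-capable expiry
        crossed = [t for t in thresholds if days_left <= t]
        if not crossed:
            continue
        tightest = min(crossed)                 # an expired key sits below every threshold
        entry = state.get(key.key_id)
        if entry is None or entry["fingerprint"] != key.fingerprint:
            entry = {"fingerprint": key.fingerprint, "fired": set()}  # new or rekeyed: reset
            state[key.key_id] = entry
        if tightest in entry["fired"]:
            continue                            # idempotent: this threshold already fired
        entry["fired"].add(tightest)
        digests.setdefault(key.owner, []).append((key, days_left))
    for items in digests.values():
        items.sort(key=lambda kd: kd[1])        # negative days_left (expired) first, then soonest
    return digests

def demo():
    """Constructed sample: two sweeps on one day, a rekey, then a later sweep."""
    k1 = Key("alice", "k1", "FP-A1", [date(2025, 7, 9), date(2025, 8, 1)])  # 30 days out
    k2 = Key("alice", "k2", "FP-A2", [date(2025, 6, 1)])                     # expired 8 days ago
    k3 = Key("bob", "k3", "FP-B1", [None])                                   # never expires
    k4 = Key("carol", "k4", "FP-C1", [date(2025, 7, 20)])                    # 41 days out
    state, today = {}, date(2025, 6, 9)
    ids = lambda d: {o: [(k.key_id, n) for k, n in v] for o, v in d.items()}
    first = ids(sweep([k1, k2, k3, k4], state, today))
    repeat = ids(sweep([k1, k2, k3, k4], state, today))               # same day: nothing new
    rekeyed = Key("alice", "k1", "FP-A1-NEW", [date(2025, 7, 9)])     # same id, new material
    after_rekey = ids(sweep([rekeyed], state, today))
    later = ids(sweep([rekeyed], state, date(2025, 7, 3)))            # 6 days left: 7-day tier
    return first, repeat, after_rekey, later
```

Alice's two keys land in one digest with the expired key listed first; the second sweep on the same day sends nothing, a rekey resets the state, and a later sweep fires only the next threshold.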

Keycloak: organisation-level field mapping

  • Cerebrate organisation meta-fields can now be exposed to Keycloak as claims via keycloak.org_meta_mapping, with optional renaming (e.g.
    foo=bar,baz=xyz,abc).
  • Organisation attributes are namespaced under an org_ prefix to prevent collisions with user attributes.

Improvements

  • GPG key diagnostics: clearer feedback for edge cases where the underlying GnuPG fails to read subkeys.
  • ENISA CSIRT inventory: added the cra_designated_csirt meta-field.
  • New administrator guides for the email/PGP subsystem and the key-reminder sweep.

Bug Fixes

  • User view: the associated encryption keys panel now scopes to owner_model=individual, fixing a case where keys belonging to an organisation
    sharing the same numeric id leaked into a user's view.
  • Mailer: auto-set ownertrust on freshly-imported recipient keys, preventing the first encrypted send to a new recipient from hanging indefinitely on
    GnuPG's trust prompt.
  • User settings ACL: edit/permission checks now resolve the user object related to the setting (rather than the setting id) when verifying access.
  • MetaFields: declared previously-dynamic properties to silence PHP 8.2+ deprecation notices on every request/command touching a MetaFields-enabled
    table.

Internal

  • Reworked GitHub Actions CI workflow; CLI commands and file permissions migrated to run under www-data.