Skip to content

pqfile v3.1.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 21 May 14:56
· 140 commits to main since this release
v3.1.0
c06be9a

Full Changelog: v3.0.1...v3.1.0

New features
ML-KEM-512 support
A third key size is now available alongside the existing ML-KEM-768 (default) and ML-KEM-1024 variants. Use --level 512 with keygen to generate a 512-bit key pair. All commands (encrypt, decrypt, inspect) handle 512-bit keys transparently. Passphrase-protected 512-bit keys are also supported.

Configurable chunk size (--chunk-size)
encrypt accepts a new --chunk-size BYTES flag (range 1–268,435,456) to control the streaming chunk size. Files encrypted with a non-default chunk size are written in the new v5 format, which embeds the chunk size in the header so decryption is automatic. The default (65,536 bytes) continues to produce v3 files, keeping full backward compatibility.

Performance
Zero-allocation streaming hot path
The encrypt and decrypt streaming paths now use in-place AEAD (encrypt_in_place_detached / decrypt_in_place_detached) instead of allocating a new Vec per chunk. For large files the heap pressure is essentially eliminated on the critical path.

Security & supply chain
OSS-Fuzz integration
pqfile is now integrated with Google OSS-Fuzz for continuous fuzzing. Three fuzz targets run nightly in CI - fuzz_header_read, fuzz_decrypt_bytes, and fuzz_pem_parsing — and crash artifacts are uploaded automatically on failure.

Nightly CI fuzz workflow
A new .github/workflows/fuzz.yml runs all fuzz targets for 120 seconds each on every nightly schedule, independent of OSS-Fuzz, so regressions surface within 24 hours.

CI & developer experience
Benchmark regression detection
Every push and pull request now runs cargo bench against the crypto benchmark suite and stores results on the gh-pages branch via benchmark-action/github-action-benchmark. PRs that regress any benchmark by more than 10% will be flagged with a comment and a failed check.

All GitHub Actions pinned to exact commit SHAs
Every uses: entry in all workflows is now pinned to a specific commit digest rather than a mutable tag, closing a class of supply-chain attack vectors.

Breaking changes
encrypt_stream gains a chunk_size: usize parameter as the third argument. Callers that previously passed (ek_pem, original_size, reader, writer) must now pass (ek_pem, original_size, pqfile::format::CHUNK_SIZE, reader, writer) to preserve the default behaviour.
Checksums
SHA-256 checksums for all release artifacts are in checksums.txt, signed with cosign keyless signing and verifiable against the Sigstore transparency log via checksums.txt.bundle.

Assets 17
Loading