Skip to content

pqfile v4.1.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 05 Jun 23:34

Full Changelog: v4.0.0...v4.1.0

Full line-by-line audit across all 11 areas from the audit prompt. Findings:

  • 1 High - signdecrypt streamed plaintext to writer before ML-DSA signature verification
  • 5 Medium - v6 compressed decrypt buffered all ciphertext in memory; archive file_size unbounded; Windows device names not rejected in archive paths; PqfReader left decrypted plaintext in non-zeroizing buffer; signdecrypt API misuse risk
  • 5 Low - Lagrange denominator zero not trapped; SSH seed returned as non-Zeroizing; find_session_key timing; legacy Argon2 timing; zero key_commitment sentinel for v2 files
  • 8 Informational - hybrid HKDF salt, SSH HKDF salt, 8-byte streaming nonce entropy, v2 no key commitment, ml-dsa audit status, add_recipient binding, signcrypt recipient binding, parallel decrypt zeroize

Fixes Applied

File | Change -- | -- shamir.rs | Lagrange denominator zero guard before gf_div keygen.rs | extract_ssh_ed25519_seed returns Zeroizing<[u8;32]> archive.rs | file_size capped at MAX_ORIGINAL_SIZE; Windows device names rejected signcrypt.rs | Added signdecrypt_bytes that buffers and only returns plaintext after verification decrypt.rs | v6 streams through zstd::stream::write::Decoder instead of buffering; parallel decrypt plaintext wrapped in Zeroizing reader.rs | current_ct[..ct_len] zeroed after copy to plaintext buffer

387 tests pass.

GitHub Workflows

Structural changes:

  • release.yml - dropped redundant test job (CI already tested the commit); build and wasm now depend directly on check-versions, saving ~12 min per release
  • publish.yml - changed trigger from workflow_run to release: published; publish now fires once when you manually publish the GitHub draft, not automatically after every Release run; added idempotency check so re-runs skip already-published crates
  • ci.yml - bench job gets its own concurrency group (cancel-in-progress: false) so a code push cannot corrupt gh-pages benchmark history mid-write
  • fuzz.yml - replaced cargo install cargo-fuzz (source compile) with taiki-e/install-action (cached binary)
  • mutants.yml - removed GTK/XCB system deps not needed for core-library mutation testing

Action version bumps (3 actions updated, 8 already current):

  • actions/checkout v6 -> v6.0.3
  • dtolnay/rust-toolchain updated to latest v1 SHA
  • taiki-e/install-action updated to v2.81.3

Other Fixes

  • .gitleaks.toml - added tests/compat/ to path allowlist so test-fixture private keys no longer fail secret scanning
  • supply-chain/config.toml - added 36 exemptions for new crate versions (proptest, notify, qrcode, rand 0.9/0.10, mio, nix 0.31, etc.)
  • scripts/bump-version.ps1 - fixed $root = $PSScriptRoot bug (was resolving to scripts/ subdirectory instead of repo root)
Assets 16
Loading