v2.88.3: signed-tarball release gate and version-aware verification errors
Highlights
This release hardens binary distribution and makes signature-verification failures self-explanatory.
Release integrity gate for platform packages
A published @fallow-cli/<platform> package could ship without its fallow.sig signature siblings: npm silently drops a files whitelist entry that has no matching file on disk, and the release packing step only checked that a tarball was produced, not that its contents satisfied the declared contract. The GitHub Action installer then hard-failed every install resolving to such a package with sig-missing.
A release-time gate now inspects every packed tarball against its own package.json files, and independently requires every binary in a CLI platform package to have a .sig sibling, so a future regression that drops signatures from both the files list and disk cannot pass silently.
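As an added illustration (not fallow's own release tooling), here is a small Node script implementing both checks over a tarball's entry list; the bin/ layout for executables and the sample listings are assumptions:

```javascript
// Added example, not fallow's own release code. Gates a packed npm tarball by
// checking its entry list (as `tar -tzf <tarball>` prints it; constructed inline
// here) against the package.json "files" whitelist, then requiring a .sig sibling
// for every binary regardless of what "files" says.
const TARBALL_PREFIX = 'package/'; // npm prefixes every tarball entry with this

// Assumption: platform packages keep their executables under bin/.
function isBinary(relPath) {
  return relPath.startsWith('bin/') && !relPath.endsWith('.sig');
}

// Minimal glob matching for "files" entries: "*" stays within one path segment,
// "**" spans segments, and a directory entry matches everything beneath it.
function matches(pattern, relPath) {
  const body = pattern.split('**').map(seg =>
    seg.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('[^/]*')
  ).join('.*');
  return new RegExp('^' + body + '(/.*)?$').test(relPath);
}

// Returns the list of gate failures; an empty list means the tarball passes.
function checkTarball(entries, filesField) {
  const problems = [];
  const present = new Set(entries
    .filter(e => e.startsWith(TARBALL_PREFIX))
    .map(e => e.slice(TARBALL_PREFIX.length)));

  // Check 1: every "files" entry must match something in the tarball. npm silently
  // drops a whitelist entry with no file on disk, so a listed-but-missing .sig shows up here.
  for (const wanted of filesField) {
    const rel = wanted.replace(/^\.\//, '').replace(/\/$/, '');
    if (![...present].some(p => matches(rel, p))) {
      problems.push(`files entry "${wanted}" not present in tarball`);
    }
  }

  // Check 2, independent of "files": every binary needs a detached signature
  // sibling, so dropping the .sig from both the list and disk still fails.
  for (const rel of present) {
    if (isBinary(rel) && !present.has(rel + '.sig')) {
      problems.push(`binary "${rel}" has no "${rel}.sig" sibling`);
    }
  }
  return problems;
}

// Constructed sample listings: the second tarball never packed the signature.
const FILES_FIELD = ['bin/fallow', 'bin/fallow.sig'];
const GOOD_TARBALL = ['package/package.json', 'package/bin/fallow', 'package/bin/fallow.sig'];
const BAD_TARBALL = ['package/package.json', 'package/bin/fallow'];
```

Wire it in after npm pack by feeding the tar -tzf output and the package's files array to checkTarball and failing the release on a non-empty result.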
Version-aware verification errors
Signed platform binaries ship from fallow 2.77.0 onward. When the verifier (the GitHub Action installer or the npm wrapper) runs against an older resolved CLI, the missing-signature error now distinguishes the two causes:
- Resolved version below 2.77.0 (predates signed binaries): bump the fallow dependency in your project's package.json to >=2.77.0 (npm install fallow@latest).
- Resolved version 2.77.0 or newer with an absent signature: treated as a possible tampering or incomplete-install signal; reinstall.
The bypass escape hatch is no longer surfaced inline (it stays documented in SECURITY.md), so a possible-tampering case never nudges you to bypass. Verification still fails closed in both cases.
The Action installer also names which version knob to turn on failure (the Action ref selects the Action code, not the CLI version, which comes from your project pin or the version: input), and fallow --version now reports the resolved version's signing status (signed / unsigned (predates 2.77.0)), useful for confirming whether a pinned version is signable when running with FALLOW_SKIP_BINARY_VERIFY. SECURITY.md documents the 2.77.0 signing epoch.
Bug fixes
- fallow -v through the npm package now prints the verified: integrity line like --version and -V.
- The VS Code extension self-heals when the resolved fallow CLI on PATH predates the extension, switching to the managed download (when auto-download is enabled) so version-gated settings stop becoming silent no-ops. It never downgrades.
Thanks @hc-12 for reporting the sig-missing packaging issue.
Full Changelog: v2.88.2...v2.88.3