# Agaric 0.1.30

## Security fixes
This release is the first to ship with the Tauri 2.11.2 origin-confusion patch:

- GHSA-7gmj-67g7-phm9 / CVE-2026-42184: Tauri 2.x had an `is_local_url()` flaw on Windows and Android where remote pages hosted on `http://<scheme>.<attacker>.example/` could be classified as Local and invoke `local: true` IPC commands. Fixed upstream in Tauri 2.11.1; this release rolls forward to 2.11.2 alongside the rest of the Tauri ecosystem. Agaric does not register custom URI scheme protocols and does not use `local: true` capabilities, so the exploit prerequisites were never present in the shipped app, but staying on a CVE'd upstream version was its own signal.
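To make the bug class concrete, here is an added illustrative model; it is not Tauri's code and not Agaric's. The shape of the naive check is an assumption about the defect (a classifier that keys on the first hostname label), the `http://<scheme>.localhost` convention is assumed, and `myscheme`, the attacker-style hosts and every sample URL are constructed. The strict variant beside it requires the whole host to equal `<scheme>.localhost`, which is the property a local-origin check needs.

```python
# Added illustrative model of the origin-confusion bug class from the advisory.
# It is not Tauri's code: the naive check is an ASSUMPTION about the defect's
# shape, and the ".localhost" convention and all sample URLs are constructed.
from urllib.parse import urlsplit

LOCAL_SUFFIX = "localhost"  # assumed: custom protocols served at http://<scheme>.localhost


def _scheme_and_host(url: str):
    parts = urlsplit(url)
    # urlsplit lowercases the hostname and strips any port for us
    return parts.scheme, (parts.hostname or "")


def is_local_url_naive(url: str, registered_schemes) -> bool:
    """Assumed-buggy check: 'local' if the first host label is a registered
    scheme, ignoring everything after it. http://myscheme.attacker.example/
    therefore passes."""
    scheme, host = _scheme_and_host(url)
    first_label = host.split(".", 1)[0]
    return scheme == "http" and first_label in registered_schemes


def is_local_url_strict(url: str, registered_schemes) -> bool:
    """Hardened check: the entire host must be exactly <scheme>.localhost,
    with <scheme> in the app's registered set. No prefix or suffix matching."""
    scheme, host = _scheme_and_host(url)
    if scheme != "http":
        return False
    labels = host.split(".")
    if len(labels) != 2 or labels[1] != LOCAL_SUFFIX:
        return False
    return labels[0] in registered_schemes


def classify(urls, registered_schemes):
    """Return {url: (naive_says_local, strict_says_local)} for a batch of origins."""
    return {
        u: (is_local_url_naive(u, registered_schemes), is_local_url_strict(u, registered_schemes))
        for u in urls
    }


if __name__ == "__main__":
    schemes = {"myscheme"}  # constructed: an app that registers one custom protocol
    samples = [  # constructed origins
        "http://myscheme.localhost/index.html",
        "http://myscheme.localhost:8080/",
        "http://myscheme.attacker.example/",
        "http://myscheme.localhost.attacker.example/",
        "https://myscheme.localhost/",
    ]
    for url, (naive, strict) in classify(samples, schemes).items():
        print(f"{url:48} naive={str(naive):5} strict={strict}")
    # Agaric registers no custom schemes: with an empty set neither check ever says local.
    print("empty set ->", classify(samples, set()))
```

The last line is the point the release notes make about Agaric: with no registered schemes there is nothing for either check to match, so the prerequisite was absent. The strict function only illustrates the property a correct check has; the actual remedy for an affected app is the Tauri 2.11.1+ upgrade.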
See the assets to download and install this version.
## Verifying this release

Every bundle, updater payload, SBOM, and APK in this release is signed with SLSA build provenance via GitHub's `actions/attest-build-provenance` action, which records each attestation in the Sigstore transparency log. Verify any downloaded asset with the GitHub CLI:

```sh
gh attestation verify <asset> --repo jfolcini/agaric
```

Examples (substitute the version in the filename):
```sh
# Linux .AppImage
gh attestation verify agaric_*_amd64.AppImage --repo jfolcini/agaric
# Windows .msi
gh attestation verify agaric_*_x64_en-US.msi --repo jfolcini/agaric
# macOS .dmg
gh attestation verify agaric_*_aarch64.dmg --repo jfolcini/agaric
# Android APK
gh attestation verify agaric-*-android-aarch64.apk --repo jfolcini/agaric
# SBOM (SPDX-JSON or CycloneDX-JSON)
gh attestation verify agaric-*.spdx.json --repo jfolcini/agaric
```

For air-gapped verification, use `slsa-verifier` against the Sigstore transparency log directly.
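For a directory of downloaded assets, the per-file command above can be wrapped so that a single failed verification fails the whole run and unrecognised files are called out rather than silently passed over. This is an added helper, not Agaric's or GitHub's code: the `gh` invocation is exactly the one from the release notes, the filename patterns are the ones listed above (a CycloneDX filename is not given here, so such a file is reported as skipped instead of guessed), and the `gh` call is injectable so the policy logic can be exercised without the CLI installed.

```python
# Added helper, not part of the Agaric project: verify every release asset in a
# directory with the `gh attestation verify` command from the release notes and
# fail closed if any verification fails. The gh call is injectable (runner=...)
# so the policy logic can run without the CLI installed.
import subprocess
from pathlib import Path
from typing import Callable, Dict, Iterable

REPO = "jfolcini/agaric"
# Filename patterns from the release notes. A CycloneDX SBOM filename is not
# listed there, so any other file is reported as "skipped" rather than guessed.
ASSET_GLOBS = ("*.AppImage", "*.msi", "*.dmg", "*.apk", "*.spdx.json")


def run_gh_verify(asset: Path, repo: str) -> int:
    """Real runner: exit status of `gh attestation verify <asset> --repo <repo>`."""
    return subprocess.run(
        ["gh", "attestation", "verify", str(asset), "--repo", repo],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    ).returncode


def collect_assets(directory) -> list:
    """All regular files in the download directory, sorted for stable reports."""
    return sorted(p for p in Path(directory).iterdir() if p.is_file())


def verify_assets(assets: Iterable, repo: str = REPO,
                  runner: Callable[[Path, str], int] = run_gh_verify) -> Dict[str, str]:
    """Map each asset name to 'verified', 'FAILED' or 'skipped' (no known pattern)."""
    results = {}
    for asset in map(Path, assets):
        if not any(asset.match(g) for g in ASSET_GLOBS):
            results[asset.name] = "skipped"
            continue
        results[asset.name] = "verified" if runner(asset, repo) == 0 else "FAILED"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """Fail closed: at least one asset verified and none failed."""
    statuses = [s for s in results.values() if s != "skipped"]
    return bool(statuses) and all(s == "verified" for s in statuses)


if __name__ == "__main__":
    import sys
    report = verify_assets(collect_assets(sys.argv[1] if len(sys.argv) > 1 else "."))
    for name, status in report.items():
        print(f"{status:8} {name}")
    sys.exit(0 if all_verified(report) else 1)
```

Run it as `python verify_release.py ~/Downloads/agaric-0.1.30` (path constructed); the exit status is non-zero when any recognised asset fails, and a directory with only skipped files also fails, so an empty or mis-named download set cannot pass by accident.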