v0.9.0

@github-actions github-actions released this 10 Jun 09:03
v0.9.0
9b17f09

Highlights

Secrets now record how they were encrypted. Until now the AEAD algorithm
was implicit — derived from the PHP host's CPU capabilities (AES-NI) at both
encrypt and decrypt time. Decrypting the same data on a different PHP host
(app-server migration, a dump restored elsewhere, a container base-image
change) or toggling the algorithm preference could silently make every secret
undecryptable. Each secret now carries an explicit per-row algorithm marker
(envelope version 2); decryption dispatches on the stored marker, never on
host capabilities. Existing rows keep decrypting byte-identically via the
legacy path and upgrade to version 2 on value rotation. New secrets default to
XChaCha20-Poly1305; AES-256-GCM can be pinned via the new
encryptionAlgorithm setting. Along the way this fixed a latent truncation
bug: the nonce columns were one size too small for base64-encoded XChaCha20
nonces.
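The per-row algorithm marker described above, as an added example in PHP that is not nr-vault's own code: the envelope layout, marker strings and function names are assumptions. It uses the PHP sodium extension's AEAD functions, whose AES-256-GCM variant is only available on AES-NI hosts, which is exactly the host dependency the legacy path inherited.

```php
<?php
declare(strict_types=1);
// Added example, not nr-vault's code: a secret envelope that records which AEAD
// sealed it, so decryption dispatches on the stored marker, not on host CPU features.

const ALG_XCHACHA20 = 'xchacha20poly1305';
const ALG_AES256GCM = 'aes256gcm';

// Legacy rule: pick the AEAD from host capabilities (AES-NI); another host may differ.
function hostDefaultAlgorithm(): string
{
    return sodium_crypto_aead_aes256gcm_is_available() ? ALG_AES256GCM : ALG_XCHACHA20;
}

function sealV2(string $plaintext, string $key, string $aad, string $alg = ALG_XCHACHA20): array
{
    if ($alg === ALG_AES256GCM) {
        if (!sodium_crypto_aead_aes256gcm_is_available()) {
            throw new RuntimeException('AES-256-GCM pinned but not available on this host');
        }
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES);              // 12 bytes
        $ct    = sodium_crypto_aead_aes256gcm_encrypt($plaintext, $aad, $nonce, $key);
    } elseif ($alg === ALG_XCHACHA20) {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES); // 24 bytes
        $ct    = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $aad, $nonce, $key);
    } else {
        throw new InvalidArgumentException("Unknown algorithm: $alg");
    }
    // Version 2 envelope: the marker travels with the row. The nonce column must
    // fit the larger encoding (24 bytes -> 32 base64 chars, not 12 -> 16).
    return ['v' => 2, 'alg' => $alg, 'nonce' => base64_encode($nonce), 'ct' => base64_encode($ct)];
}

// Rows without a marker (v1) take the legacy host-derived path so existing data
// keeps decrypting; v2 rows use the marker they carry, never the host.
function openEnvelope(array $env, string $key, string $aad): string
{
    $alg   = (($env['v'] ?? 1) >= 2) ? (string) $env['alg'] : hostDefaultAlgorithm();
    $nonce = base64_decode($env['nonce'], true);
    $ct    = base64_decode($env['ct'], true);
    $pt = match ($alg) {
        ALG_AES256GCM => sodium_crypto_aead_aes256gcm_decrypt($ct, $aad, $nonce, $key),
        ALG_XCHACHA20 => sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $aad, $nonce, $key),
        default       => throw new RuntimeException("Unknown algorithm marker: $alg"),
    };
    if ($pt === false) {
        throw new RuntimeException('Authentication failed: wrong key, AAD or tampered ciphertext');
    }
    return $pt;
}
```

With a 32-byte key (both AEADs use that size), `sealV2('db-password', $key, 'secrets:42')` yields a row that `openEnvelope()` decrypts identically on any host; re-sealing a v1 row through `sealV2()` is the value-rotation upgrade path the notes describe.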

Master-key rotation now re-keys the audit chain atomically. The
tamper-evident audit log is HMAC-keyed from the master key, so rotation used
to orphan the chain. vault:rotate-master-key now rewrites the chain under
the new key inside the same transaction as the DEK re-encryption — both
commit or both roll back — refusing to re-key a chain that doesn't verify
under the current key (tampering is never laundered), preserving per-row key
epochs, and walking the log in bounded-memory batches. Chain verification
itself now streams instead of materialising the whole table. A
consecutive-rotation functional test covers the full lifecycle end to end.

A batch of review findings in the periphery. Backend column migrations no
longer fail on {{uid}} placeholder identifiers; the OAuth token cache keys
on the full token identity (refresh-token source + audience/resource/tenant
params), eliminating cross-audience token confusion; OAuth error redaction
also catches JSON-body and quoted-prose credential echoes; OAuthConfig
fails fast on unknown grant types; the secure HTTP client rejects non-object
JSON bodies up front; and UUID v7 generation uses all of its variant-field
random bits.

Installation

composer require netresearch/nr-vault

Security

All release artifacts are signed with Sigstore keyless signing.

Verify signatures

cosign verify-blob \
  --bundle nr-vault-0.9.0.zip.sigstore.json \
  --certificate-identity-regexp "https://github.com/netresearch/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  nr-vault-0.9.0.zip

Verify checksums

sha256sum -c checksums.txt

Software Bill of Materials (SBOM)

SBOMs are provided in both SPDX and CycloneDX formats for supply chain transparency.