Releases: ghostunnel/ghostunnel

Version 1.8.0

19 Jun 15:27
v1.8.0
a351b7c

New Features

  • Add support for systemd watchdog timer (@csstaub in #427). Ghostunnel can now be watched by systemd using the WatchdogSec option. If Ghostunnel fails to respond, systemd will automatically relaunch it. See docs/WATCHDOG.md for an example service file.
  • Implement Landlock support to limit process privileges on Linux (@csstaub in #431). If started with the --use-landlock flag, Ghostunnel will use Landlock on Linux to limit its access to files and sockets. This is an experimental feature; please give it a try and let us know if you run into any issues.

Bug Fixes

  • Avoid use of deprecated SecTrustGetCertificateAtIndex (@csstaub in #426)
  • Fix nil ptr deref on Windows/Linux when keychain flags are used (@csstaub in #448)
  • Close files properly and remove refs to deprecated io/ioutil (@testwill in #453 and #454)
  • Fix RSA-PSS for Windows platform keys (@csstaub in #459 and #469)

Other Changes

Full Changelog: v1.7.3...v1.8.0

Version 1.8.0-rc.2

16 May 04:30
v1.8.0-rc.2
7adc877
Pre-release

Bug Fixes

Full Changelog: v1.8.0-rc.1...v1.8.0-rc.2

Version 1.8.0-rc.1

07 May 03:56
v1.8.0-rc.1
5f57a81
Pre-release

New Features

  • Add support for systemd watchdog timer (@csstaub in #427). Ghostunnel can now be watched by systemd using the WatchdogSec option. If Ghostunnel fails to respond, systemd will automatically relaunch it. See docs/WATCHDOG.md for an example service file.
  • Implement Landlock support to limit process privileges on Linux (@csstaub in #431). If started with the --use-landlock flag, Ghostunnel will use Landlock on Linux to limit its access to files and sockets. This is an experimental feature; please give it a try and let us know if you run into any issues.

Bug Fixes

  • Avoid use of deprecated SecTrustGetCertificateAtIndex (@csstaub in #426)
  • Fix nil ptr deref on Windows/Linux when keychain flags are used (@csstaub in #448)

Other Changes

Full Changelog: v1.7.3...v1.8.0-rc.1

Version 1.7.3

11 Feb 04:43
v1.7.3
04b717c

Changes

  • Fix bug in flag handling for disabling auth in server mode when using SPIFFE workload API (#418)
  • Bump dependency versions and minor fixes (#411, #409, #414, #413)

Version 1.7.2

11 Dec 17:26
v1.7.2
7f938dd

Changes

  • Updated Go toolchain and bumped all dependencies to latest versions (#411)
  • Avoid setting GetCertificate for SPIFFE in client mode if auth is disabled (#407)

Plus some miscellaneous fixes & build changes (#405, #399, #401, #397, #395)

Full Changelog: v1.7.1...v1.7.2

Version 1.7.1

18 Nov 03:09
v1.7.1

Changes

  • Reload OPA policies during reload (#381)
  • Bump Go version in Docker container to 1.19 (#383)
  • Provide darwin-arm64/universal release binaries (#388)

Version 1.7.0

04 Nov 20:37
v1.7.0
0bf2a07

Changes

  • Update to Go 1.19 for release builds & bump dependencies
  • Fix a memory leak in HTTP status checking (#379, thanks @phamann)
  • Add support for OPA to allow auth based on Rego policies (#374, thanks @spacedub)
  • Update to latest go-spiffe for better Windows support (#371, thanks @MarcosDY)

Version 1.7.0-rc.1

27 Oct 22:22
v1.7.0-rc.1
0bf2a07
Pre-release

Changes

  • Update to Go 1.19 for release builds & bump dependencies
  • Fix a memory leak in HTTP status checking (#379, thanks @phamann)
  • Add support for OPA to allow auth based on Rego policies (#374, thanks @spacedub)
  • Update to latest go-spiffe for better Windows support (#371, thanks @MarcosDY)

Version 1.6.1

16 Jun 01:38
v1.6.1

Changes

  • Add support for HTTP status endpoints for targets (#365, thanks to @mccurdyc)
  • Support for filtering keychain identities by serial and/or issuer (#352)
  • Add initial ACME support in server mode (#348, thanks to @ryankoski)
  • Better connect proxy resolution handling (#357, #360)

Version 1.6.0

31 Jul 20:42
v1.6.0
5a237d1

Changes

  • Add support for TLS 1.3 and fix a bug that prevented the use of RSA-PSS when keychain identities were used on macOS/Windows.
  • Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
  • Changed the default log output to stdout (previously stderr) to avoid issues with Windows thinking the process crashed.

Other

Migrated the release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately, this means that linux/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.