WolfStack v24.40.0

@github-actions github-actions released this 12 Jun 12:45
· 20 commits to master since this release

v24.40.0: built-in local CA + one-click publish — internal-domain TLS

Completes the local-domain trilogy (after wildcard DNS): trusted certs and
one-click reverse-proxy publish for domains that can't use public ACME
(*.ai.home, *.lab.lan …). The Traefik+local-CA replacement, built in.

Local CA (src/local_ca.rs):

  • Generate one root CA (4096-bit, CA:TRUE, SKI), install it once per device,
    then issue CA-signed leaf certs (SAN domain + *.domain, server_auth,
    AKI-chained, 825d). Proven two ways: X509StoreContext verify AND the
    openssl verify CLI both pass on the issued leaf.
  • Keys written atomically at 0600 (no umask race), CA dir 0700 before the
    key lands, CSPRNG serials, a mutex so concurrent init can't desync
    cert/key. The CA private key never leaves the host / is never returned.
  • Endpoints: GET local-ca (status), POST init, GET download (public cert
    only), POST issue. Certificates-page UI: generate / download (+ trust
    install steps) / issue.

One-click publish (POST /api/local-publish + UI):

  • Given a domain + backend, issues the cert AND writes a managed
    reverse-proxy vhost (HTTPS, websocket-ready, HTTP->HTTPS redirect) via the
    existing nginx configurator, then enable+reload so it's actually live.
  • Strict backend allowlist (no nginx proxy_pass injection); path-traversal
    guards on operator-supplied cert/key paths.

Verified: 1190 tests pass (4 new crypto tests incl. openssl-CLI cross-check),
0 warnings, clippy-clean, independent review (all findings fixed). Additive /
no existing behaviour changed. Browser-UI + live proxy-reload untested.
Verifying this release

Each binary is signed via cosign keyless OIDC (no key distribution — signing identity is the GitHub Actions workflow itself, anchored to the Sigstore Fulcio CA and the Rekor transparency log) and ships with a SLSA build provenance attestation.

Verify the cosign signature:

cosign verify-blob \
  --bundle wolfstack-x86_64.cosign.bundle \
  --certificate-identity-regexp 'https://github.com/wolfsoftwaresystemsltd/WolfStack/\.github/workflows/release\.yml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  wolfstack-x86_64

Verify the build provenance:

gh attestation verify wolfstack-x86_64 --repo wolfsoftwaresystemsltd/WolfStack

Verify the SHA-256 checksum:

sha256sum -c SHA256SUMS

Artifacts

  • wolfstack-x86_64 / wolfstack-aarch64 — static musl binaries (Linux x86_64 and ARM64 / Raspberry Pi 4+).
  • wolfstack-<arch>.cosign.bundle — cosign signature bundle (cert + signature + Rekor entry).
  • SHA256SUMS — checksums for both binaries.

For per-version history see CHANGELOG.md.