
v0.4.1rc1 — security pre-release

Pre-release

ascender1729 released this 16 Jun 07:55 (commit ba15d30)

Pre-release: install it with pip install --pre attestix. A plain pip install attestix still resolves to the 0.4.0 stable release.

Security hardening from a multi-persona audit (2026-06-16):

  • A1 — VC key-binding (High): verification now decodes the Ed25519 public key from the trust anchor (issuer.id, or the server DID) and rejects a credential whose proof.verificationMethod does not resolve to that key. This closes an issuer key-substitution masquerade, where a credential names a trusted issuer but carries a proof made with some other key. Aligns with the controller-authorization requirement of W3C VC Data Integrity.
  • A2 — fail-closed auth (High): the REST API refuses non-public requests (503) when ATTESTIX_API_KEY is unset, unless ATTESTIX_ALLOW_NO_AUTH is explicitly set.
  • A6 — CVE floors (High): requirements.txt pins cryptography>=46.0.7 / PyJWT>=2.12.0.
  • B9 — import fix: bundle import reads the cloud vc_jsonld credential key.
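The A1 rule, as an added illustration that is not Attestix code: the verification key is derived from the trust anchor (issuer.id, here a did:key Ed25519 DID, which in the wild always begins with did:key:z6Mk), and proof.verificationMethod is accepted only if it resolves to exactly that key. The base58btc codec, the sample credential shape and the VICTIM/ATTACKER key bytes are constructed for the example (the byte patterns are not real curve points, so only the binding check runs on them); the final signature check uses pyca/cryptography, which this release pins, and is kept separate from the binding check.

```python
"""Issuer key-binding check (the A1 rule) for a did:key Ed25519 credential proof.

Added illustration, not Attestix code. Assumptions: the trust anchor is the
issuer's did:key DID, and proof.verificationMethod is a did:key with a '#<key>'
fragment. Sample keys are constructed byte patterns, so only the binding check
runs on them; signature verification is the separate last step."""

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB_MULTICODEC = b"\xed\x01"  # unsigned-varint(0xed) = ed25519-pub


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + _B58.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def did_key_from_ed25519(raw_pub: bytes) -> str:
    """Encode 32 raw public-key bytes as a did:key (multibase base58btc)."""
    if len(raw_pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB_MULTICODEC + raw_pub)


def ed25519_from_did_key(did: str) -> bytes:
    """Decode a did:key DID back to its 32 raw Ed25519 public-key bytes."""
    if not did.startswith("did:key:z"):
        raise ValueError("not a base58btc did:key")
    decoded = b58decode(did[len("did:key:z"):])
    if len(decoded) != 34 or decoded[:2] != ED25519_PUB_MULTICODEC:
        raise ValueError("did:key does not carry an Ed25519 public key")
    return decoded[2:]


def bound_issuer_key(vc: dict) -> bytes:
    """Derive the verification key from the trust anchor (issuer.id) and reject a
    proof.verificationMethod that does not resolve to exactly that key. A verifier
    that trusted whatever key verificationMethod pointed at would accept a
    credential that names a trusted issuer but is signed by the attacker."""
    issuer = vc["issuer"]
    issuer_id = issuer["id"] if isinstance(issuer, dict) else issuer
    anchor_key = ed25519_from_did_key(issuer_id)
    vm = vc["proof"]["verificationMethod"]
    vm_did, _, fragment = vm.partition("#")
    if vm_did != issuer_id:
        raise ValueError(f"verificationMethod {vm_did} is not the issuer {issuer_id}")
    # For did:key the fragment repeats the multibase key; it must decode to the anchor.
    if fragment and ed25519_from_did_key("did:key:" + fragment) != anchor_key:
        raise ValueError("verificationMethod fragment names a different key")
    return anchor_key


def check_binding(vc: dict) -> str:
    """'ok' when the proof is bound to the issuer key, otherwise 'rejected: <why>'."""
    try:
        bound_issuer_key(vc)
        return "ok"
    except ValueError as err:
        return f"rejected: {err}"


def verify_with_bound_key(vc: dict, signed_bytes: bytes, signature: bytes) -> bool:
    """Last step: check the Ed25519 signature with the bound key only. pyca/cryptography
    is imported lazily so the binding check above runs without it. Producing
    signed_bytes (the cryptosuite's canonicalization and hashing) is out of scope."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

    key = Ed25519PublicKey.from_public_bytes(bound_issuer_key(vc))
    try:
        key.verify(signature, signed_bytes)
        return True
    except InvalidSignature:
        return False


# Constructed sample data: byte patterns standing in for the victim's and the
# attacker's public keys (not valid curve points; used for the binding check only).
VICTIM_KEY = bytes(range(32))
ATTACKER_KEY = bytes(range(32, 64))
VICTIM_DID = did_key_from_ed25519(VICTIM_KEY)
ATTACKER_DID = did_key_from_ed25519(ATTACKER_KEY)


def sample_vc(verification_method: str) -> dict:
    """Minimal constructed VC naming VICTIM_DID as issuer; proofValue omitted on purpose."""
    return {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "type": ["VerifiableCredential"],
        "issuer": {"id": VICTIM_DID},
        "credentialSubject": {"id": "did:example:holder"},
        "proof": {
            "type": "DataIntegrityProof",
            "cryptosuite": "eddsa-jcs-2022",
            "verificationMethod": verification_method,
        },
    }


if __name__ == "__main__":
    print(check_binding(sample_vc(f"{VICTIM_DID}#{VICTIM_DID[8:]}")))
    print(check_binding(sample_vc(f"{ATTACKER_DID}#{ATTACKER_DID[8:]}")))
```

The masquerade case is the second call: issuer.id still says VICTIM_DID, but verificationMethod points at the attacker's did:key, so a verifier that fetched the key from verificationMethod would check the attacker's signature against the attacker's key and accept. Deriving the key from the anchor makes verificationMethod a consistency check rather than a source of trust.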
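The A2 decision table, as an added illustration that is not Attestix code: a request gate that returns 503 on non-public routes when ATTESTIX_API_KEY is unset unless ATTESTIX_ALLOW_NO_AUTH is set, shown beside the generic fail-open pattern it replaces. The route names, the request shape (the extracted key is passed in as a string) and the rule that any non-empty ATTESTIX_ALLOW_NO_AUTH value counts as "explicitly set" are assumptions.

```python
"""Fail-closed API-key gate, as described for A2. Added illustration, not
Attestix code: the route names, request shape and the rule that any non-empty
ATTESTIX_ALLOW_NO_AUTH value counts as "explicitly set" are assumptions."""
import hmac
from typing import Mapping, Optional, Tuple

PUBLIC_PATHS = {"/health", "/version"}  # assumed unauthenticated routes


def authorize(path: str, presented_key: Optional[str],
              env: Mapping[str, str]) -> Tuple[int, str]:
    """Decide one request. Returns (HTTP status, reason); 200 means let it through.
    env is passed in (normally os.environ) so the decision table is testable."""
    if path in PUBLIC_PATHS:
        return 200, "public route"
    configured = env.get("ATTESTIX_API_KEY", "")
    if not configured:
        # Fail closed: an operator who forgot the key gets a loud 503 on every
        # non-public request instead of a silently open API.
        if env.get("ATTESTIX_ALLOW_NO_AUTH", ""):
            return 200, "auth disabled by ATTESTIX_ALLOW_NO_AUTH"
        return 503, "ATTESTIX_API_KEY is unset; set it, or set ATTESTIX_ALLOW_NO_AUTH"
    if presented_key is None:
        return 401, "missing API key"
    # Constant-time comparison so the key cannot be recovered byte by byte from timing.
    if not hmac.compare_digest(presented_key.encode(), configured.encode()):
        return 403, "invalid API key"
    return 200, "authenticated"


def fail_open_authorize(path: str, presented_key: Optional[str],
                        env: Mapping[str, str]) -> Tuple[int, str]:
    """The weak pattern for contrast (generic, not a copy of any Attestix release):
    'no key configured' is treated as 'no auth required', so one missing
    environment variable in a deployment opens every route."""
    configured = env.get("ATTESTIX_API_KEY", "")
    if path in PUBLIC_PATHS or not configured:
        return 200, "no key configured, request allowed"
    if presented_key is not None and hmac.compare_digest(
            presented_key.encode(), configured.encode()):
        return 200, "authenticated"
    return 401, "invalid or missing API key"


if __name__ == "__main__":
    for env in ({}, {"ATTESTIX_ALLOW_NO_AUTH": "1"}, {"ATTESTIX_API_KEY": "s3cret"}):
        print(env, "fail-closed:", authorize("/v1/attest", None, env),
              "fail-open:", fail_open_authorize("/v1/attest", None, env))
```

The empty environment is the case that matters: the fail-open gate answers 200 and the fail-closed gate answers 503, and only an explicit ATTESTIX_ALLOW_NO_AUTH turns that 503 back into a 200. Treating an empty string the same as an unset variable is a deliberate choice here, since an accidentally blank value is the same misconfiguration.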

Known issue: cloud→OSS audit-chain re-verification can fail because the tenant recorded in the chain and the tenant of the storage backend can disagree; tracked for a later 0.4.1 pre-release.

Full notes in CHANGELOG.md.