v0.4.1rc1 — security pre-release
Pre-release
Pre-release (use pip install --pre attestix). pip install attestix still resolves 0.4.0 stable.
Security hardening from a multi-persona audit (2026-06-16):
- A1 — VC key-binding (High): verification now decodes the Ed25519 key from the trust anchor (issuer.id / server DID) and rejects a mismatched proof.verificationMethod, closing an issuer key-substitution masquerade. Aligns with W3C VC Data Integrity controller authorization.
- A2 — fail-closed auth (High): the REST API refuses non-public requests (503) when ATTESTIX_API_KEY is unset, unless ATTESTIX_ALLOW_NO_AUTH is explicitly set.
- A6 — CVE floors (High): requirements.txt pins cryptography>=46.0.7 / PyJWT>=2.12.0.
- B9 — import fix: bundle import reads the cloud vc_jsonld credential key.
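The A1 key-binding step, as an added stdlib-only illustration that is not attestix's own code: the verifier derives the Ed25519 key from the trust anchor (issuer.id as a did:key) and rejects a proof whose verificationMethod names a different DID or key fragment. Function names, the did:key encoding helpers, and the sample credentials are constructed for this example; signature checking itself is out of scope here.

```python
import hashlib

# Bitcoin-style base58 alphabet used by the did:key multibase "z" prefix.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_MULTICODEC = b"\xed\x01"  # multicodec prefix for ed25519-pub

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def did_key_from_pubkey(pub: bytes) -> str:
    return "did:key:z" + b58encode(ED25519_MULTICODEC + pub)

def pubkey_from_did_key(did: str) -> bytes:
    """Decode the raw 32-byte Ed25519 public key out of a did:key DID."""
    if not did.startswith("did:key:z"):
        raise ValueError("unsupported DID method or multibase prefix")
    raw = b58decode(did[len("did:key:z"):])
    if raw[:2] != ED25519_MULTICODEC or len(raw) != 34:
        raise ValueError("not an Ed25519 did:key")
    return raw[2:]

def select_verification_key(vc: dict) -> bytes:
    """Return the key a signature must be checked against, or raise.
    Hardened form: the key is taken from the trust anchor (issuer.id),
    and proof.verificationMethod must be bound to that same issuer."""
    issuer = vc["issuer"]
    issuer_did = issuer["id"] if isinstance(issuer, dict) else issuer
    anchor_key = pubkey_from_did_key(issuer_did)
    vm_did, _, fragment = vc["proof"]["verificationMethod"].partition("#")
    if vm_did != issuer_did:
        raise ValueError("proof.verificationMethod DID does not match issuer")
    # For did:key the fragment, when present, is the multibase key id itself.
    if fragment and fragment != issuer_did[len("did:key:"):]:
        raise ValueError("proof.verificationMethod fragment names another key")
    return anchor_key

# Constructed sample keys (not real signing keys) to exercise the check.
ISSUER_PUB = hashlib.sha256(b"constructed issuer key").digest()
OTHER_PUB = hashlib.sha256(b"constructed unrelated key").digest()
ISSUER_DID = did_key_from_pubkey(ISSUER_PUB)
OTHER_DID = did_key_from_pubkey(OTHER_PUB)
```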
Known issue: cloud→OSS audit-chain re-verification can fail (chain tenant vs storage tenant); tracked for a later 0.4.1 pre-release.
Full notes in CHANGELOG.md.