Releases: european-epc-competence-center/key-service
Release v2.5.0
Added
- `POST /sign/raw` endpoint: signs arbitrary raw bytes (base64-encoded) with any stored key
Release v2.4.3
Changed
- Signing error API messages: concise human-readable text in `SigningException` responses; full structured error details remain in server logs via `logSigningError`
Release v2.4.2
Fixed
- Data Integrity signing (`signCredential`, `signPresentation`): surface jsonld/`@digitalbazaar` error details in `SigningException` messages instead of `undefined - [object Object]`
- JWT signing (`signCredential`, `signPresentation`, `signProofOfPossession`): wrap failures in `SigningException` via `formatSigningError` so jose `ERR_J*` errors expose `message`, `code`, `claim`, and `reason` instead of opaque objects
Added
- PostgreSQL TLS/mTLS client configuration via `DB_SSL_MODE`, `DB_SSL_CA`, `DB_SSL_CERT`, and `DB_SSL_KEY` environment variables (opt-in: `DB_SSL=false` by default; existing plain-TCP installs unchanged)
- Helm `database.ssl` feature flags: `database.ssl.enabled`, `database.ssl.mode`, and `database.ssl.mtls.enabled` wire `DB_SSL*` env vars and optional cert volume mounts (all default off)
- Internal HTTPS server TLS/mTLS via `TLS_ENABLED`, `TLS_CERT`, `TLS_KEY`, `TLS_CA`, and `TLS_MTLS` (opt-in; default plain HTTP for existing installs)
- `scripts/generate-postgres-tls-certs.sh` and `npm run docker:certs` for local PKI generation
- Docker Compose PostgreSQL mTLS: TLS-enabled postgres service, client cert mounts for key-service, `pg_hba.conf` with `clientcert=verify-full`
- Unit tests for the database SSL config builder
Security
- Removed committed `docker/signing-key` from the repository; local Docker Compose setups generate a random key via `npm run docker:signing-key` (gitignored)
- Removed hardcoded development fallback signing key from `SecretService`; the service now fails startup when the signing key file is missing or shorter than 32 characters
- When `DB_SSL=true`, replaced the insecure `rejectUnauthorized: false` default with validated TLS modes (`verify-full` default); production rejects `DB_SSL_REJECT_UNAUTHORIZED=false` and `DB_SSL_MODE=require` (remediates audit finding R7-001). TLS/mTLS remain opt-in; `DB_SSL=false` preserves legacy plain-TCP behavior
- Internal HTTPS mTLS enforces client certificates on API routes via application middleware; Kubernetes health probes remain on `/health*` without client certs
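To make the v2.4.2 `DB_SSL*` rules concrete, here is an added illustration of a database SSL config builder that applies them: `DB_SSL` unset or `false` keeps plain TCP, `verify-full` is the default mode, and in production both `DB_SSL_REJECT_UNAUTHORIZED=false` and `DB_SSL_MODE=require` are refused at startup rather than silently weakening validation. This is example code, not the key-service project's own builder: the function name `buildDbSslConfig`, the result shape (modelled on the `ssl` option of node-postgres) and the assumption that `DB_SSL_CA`/`DB_SSL_CERT`/`DB_SSL_KEY` carry PEM contents are all assumptions made here.

```typescript
// Added example (not the project's own code): build TLS options for the PostgreSQL
// client from DB_SSL* environment variables, enforcing the v2.4.2 rules.
// Assumptions: result is shaped like node-postgres' `ssl` option; DB_SSL_CA,
// DB_SSL_CERT and DB_SSL_KEY hold PEM text.

type SslMode = "verify-full" | "verify-ca" | "require";

interface DbSslOptions {
  rejectUnauthorized: boolean;
  ca?: string;
  cert?: string; // client certificate, only needed for mTLS
  key?: string; // client private key, only needed for mTLS
  // Set only for verify-ca: chain validation stays on, hostname matching is skipped.
  checkServerIdentity?: (host: string, cert: unknown) => Error | undefined;
}

const VALID_MODES: ReadonlySet<string> = new Set<SslMode>(["verify-full", "verify-ca", "require"]);

/**
 * Returns `false` (plain TCP) unless DB_SSL is exactly "true"; otherwise returns
 * validated TLS options or throws so the service fails startup instead of
 * running with a weakened configuration.
 */
export function buildDbSslConfig(
  env: Record<string, string | undefined>,
  nodeEnv: string = env.NODE_ENV ?? "development",
): DbSslOptions | false {
  if (env.DB_SSL !== "true") return false; // opt-in: legacy installs are unchanged

  const mode = env.DB_SSL_MODE ?? "verify-full"; // secure default when mode is omitted
  if (!VALID_MODES.has(mode)) {
    throw new Error(
      `DB_SSL_MODE must be one of ${Array.from(VALID_MODES).join(", ")}, got "${mode}"`,
    );
  }
  const production = nodeEnv === "production";

  // Disabling certificate validation is a local-development escape hatch only.
  if (production && env.DB_SSL_REJECT_UNAUTHORIZED === "false") {
    throw new Error("DB_SSL_REJECT_UNAUTHORIZED=false is not allowed in production");
  }
  // "require" encrypts the connection but does not authenticate the server,
  // so it is refused in production as well.
  if (production && mode === "require") {
    throw new Error("DB_SSL_MODE=require is not allowed in production; use verify-full");
  }

  const opts: DbSslOptions = {
    // verify-full and verify-ca validate the chain; require does not.
    rejectUnauthorized: mode !== "require" && env.DB_SSL_REJECT_UNAUTHORIZED !== "false",
    ca: env.DB_SSL_CA,
    cert: env.DB_SSL_CERT,
    key: env.DB_SSL_KEY,
  };
  if (mode === "verify-ca") {
    // Accept any hostname as long as the certificate chains to DB_SSL_CA.
    opts.checkServerIdentity = () => undefined;
  }
  return opts;
}
```

The builder is pure, so it can be unit-tested with constructed environment maps; the interesting cases are the production refusals and the fact that a bare `DB_SSL=true` lands on `verify-full` with `rejectUnauthorized: true` rather than on the pre-2.4.2 `rejectUnauthorized: false` default.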
Changed
- README Docker Compose docs: signing key section for local dev vs production secret mounting; fixed outdated `docker-compose` commands
- `npm run dev` and `npm run start` generate `docker/signing-key` locally and set `SIGNING_KEY_PATH` automatically
- E2E Jest config (`jest-e2e.json`) aligned with unit-test ESM preset so integration tests can load `@digitalbazaar/*` modules
Release v2.4.1
Security
- Upgraded npm dependencies and added `overrides` for transitive vulnerabilities: `form-data` (>=4.0.6, CRLF injection), `multer` (>=2.2.0, DoS), `undici` (>=6.24.0, HTTP smuggling/decompression), `js-yaml` (>=4.2.0, DoS)
- Bumped direct dependencies to latest compatible versions (NestJS 11.1.27, Jest 30.4.2, supertest 7.2.2, and others)
Removed
- Unused `sqlite3` dependency (application uses PostgreSQL only via TypeORM)
Release v2.4.0
Added
- `SignRequestDto.validUntil`: optional ISO 8601 date-time defining proof expiry, with `@Matches` validation
- JWT VP / PoP: converted to `exp` claim and replaces `validUntil` in the JWT payload
- Data Integrity VP / PoP: overwrites `presentation.validUntil` before signing
Release v2.3.6
- Upgrade container dependencies
Release v2.3.5
Release v2.3.4
Security
- Docker production runner: `gcr.io/distroless/nodejs24-debian12:nonroot` again (minimal image); OpenSSL tracks the distroless base, so rebuild with `docker build --pull` to pick up newer digests when Google refreshes Debian layers
- Helm `securityContext`: `runAsUser`/`runAsGroup` 65532 to match distroless `nonroot`
- Move `tsx` to devDependencies so production `node_modules` no longer ships `esbuild` (Go binary / stdlib CVE noise such as CVE-2026-27143, CVE-2025-68121); runtime remains `node dist/...`; `npm start`/`npm run dev` still use `tsx` where dev deps are installed
Release v2.3.3
Release v2.3.1
Changed
- `SignRequestDto.verifiable` is optional at the DTO layer; `POST /sign/vc` and `POST /sign/vp` still require a non-array object (enforced in `AppService`). `POST /sign/pop/jwt` can omit it; `POST /sign/pop/data-integrity` ignores it and always builds a minimal VP shell, then calls `signPresentation` (OpenID4VCI Appendix F.2 `di_vp`)
- Breaking: `POST /sign/pop/data-integrity` requires non-empty `domain` (Credential Issuer Identifier for proof `domain`, OpenID4VCI F.2 `di_vp`); `POST /sign/vp/data-integrity` unchanged (`domain` still optional there)
- Breaking: `POST /sign/pop/data-integrity` no longer uses request `verifiable`; use `POST /sign/vp/data-integrity` for a custom VP