Skip to content

Releases: european-epc-competence-center/key-service

Release v2.5.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 12:48

Added

  • POST /sign/raw endpoint: signs arbitrary raw bytes (base64-encoded) with any stored key

Release v2.4.3

Choose a tag to compare

@github-actions github-actions released this 22 Jun 14:57

Changed

  • Signing error API messages: concise human-readable text in SigningException responses; full structured error details remain in server logs via logSigningError

Release v2.4.2

Choose a tag to compare

@github-actions github-actions released this 22 Jun 13:56

Fixed

  • Data Integrity signing (signCredential, signPresentation): surface jsonld/@digitalbazaar error details in SigningException messages instead of undefined - [object Object]
  • JWT signing (signCredential, signPresentation, signProofOfPossession): wrap failures in SigningException via formatSigningError so jose ERR_J* errors expose message, code, claim, and reason instead of opaque objects

Added

  • PostgreSQL TLS/mTLS client configuration via DB_SSL_MODE, DB_SSL_CA, DB_SSL_CERT, and DB_SSL_KEY environment variables (opt-in: DB_SSL=false by default — existing plain-TCP installs unchanged)
  • Helm database.ssl feature flags: database.ssl.enabled, database.ssl.mode, and database.ssl.mtls.enabled wire DB_SSL* env vars and optional cert volume mounts (all default off)
  • Internal HTTPS server TLS/mTLS via TLS_ENABLED, TLS_CERT, TLS_KEY, TLS_CA, and TLS_MTLS (opt-in; default plain HTTP for existing installs)
  • scripts/generate-postgres-tls-certs.sh and npm run docker:certs for local PKI generation
  • Docker Compose PostgreSQL mTLS: TLS-enabled postgres service, client cert mounts for key-service, pg_hba.conf with clientcert=verify-full
  • Unit tests for the database SSL config builder

Security

  • Removed committed docker/signing-key from the repository; local Docker Compose setups generate a random key via npm run docker:signing-key (gitignored)
  • Removed hardcoded development fallback signing key from SecretService; service now fails startup when the signing key file is missing or shorter than 32 characters
  • When DB_SSL=true, replaced insecure rejectUnauthorized: false default with validated TLS modes (verify-full default); production rejects DB_SSL_REJECT_UNAUTHORIZED=false and DB_SSL_MODE=require (remediates audit finding R7-001). TLS/mTLS remain opt-in — DB_SSL=false preserves legacy plain-TCP behavior
  • Internal HTTPS mTLS enforces client certificates on API routes via application middleware; Kubernetes health probes remain on /health* without client certs

Changed

  • README Docker Compose docs: signing key section for local dev vs production secret mounting; fixed outdated docker-compose commands
  • npm run dev and npm run start generate docker/signing-key locally and set SIGNING_KEY_PATH automatically
  • E2E Jest config (jest-e2e.json) aligned with unit-test ESM preset so integration tests can load @digitalbazaar/* modules

Release v2.4.1

Choose a tag to compare

@github-actions github-actions released this 17 Jun 20:51
0b08e3d

Security

  • Upgraded npm dependencies and added overrides for transitive vulnerabilities: form-data (>=4.0.6, CRLF injection), multer (>=2.2.0, DoS), undici (>=6.24.0, HTTP smuggling/decompression), js-yaml (>=4.2.0, DoS)
  • Bumped direct dependencies to latest compatible versions (NestJS 11.1.27, Jest 30.4.2, supertest 7.2.2, and others)

Removed

  • Unused sqlite3 dependency (application uses PostgreSQL only via TypeORM)

Release v2.4.0

Choose a tag to compare

@github-actions github-actions released this 21 May 11:19

Added

  • SignRequestDto.validUntil: optional ISO 8601 date-time defining proof expiry, with @Matches validation
    • JWT VP / PoP: converted to exp claim and replaces validUntil in the JWT payload
    • Data Integrity VP / PoP: overwrites presentation.validUntil before signing

Release v2.3.6

Choose a tag to compare

@github-actions github-actions released this 19 May 05:55
  • upgrade container depdendencies

Release v2.3.5

Choose a tag to compare

@github-actions github-actions released this 13 May 15:58
  • move image to debian 13

Release v2.3.4

Choose a tag to compare

@github-actions github-actions released this 13 May 15:12

Security

  • Docker production runner: gcr.io/distroless/nodejs24-debian12:nonroot again (minimal image); OpenSSL tracks the distroless base — rebuild with docker build --pull to pick up newer digests when Google refreshes Debian layers
  • Helm securityContext: runAsUser / runAsGroup 65532 to match distroless nonroot
  • Move tsx to devDependencies so production node_modules no longer ships esbuild (Go binary / stdlib CVE noise such as CVE-2026-27143, CVE-2025-68121); runtime remains node dist/...npm start / npm run dev still use tsx where dev deps are installed

Release v2.3.3

Choose a tag to compare

@github-actions github-actions released this 29 Apr 08:09
  • fix package-lock sync

Release v2.3.1

Choose a tag to compare

@github-actions github-actions released this 02 Apr 09:31

Changed

  • SignRequestDto.verifiable is optional at the DTO layer; POST /sign/vc and POST /sign/vp still require a non-array object (enforced in AppService). POST /sign/pop/jwt can omit it; POST /sign/pop/data-integrity ignores it and always builds a minimal VP shell, then calls signPresentation (OpenID4VCI Appendix F.2 di_vp)
  • Breaking: POST /sign/pop/data-integrity requires non-empty domain (Credential Issuer Identifier for proof domain, OpenID4VCI F.2 di_vp); POST /sign/vp/data-integrity unchanged (domain still optional there)
  • Breaking: POST /sign/pop/data-integrity no longer uses request verifiable — use POST /sign/vp/data-integrity for a custom VP