The primary signing key was rotated!

The device that contained the signing key has been destroyed, so we have promoted our backup key to the primary one and generated a new backup keypair.

What's Changed

• Fix CI
• Prune old files

Full Changelog: https://github.com/paragonie/certainty/compare/v2.8.2...v2.8.3

• No code changes, just includes the latest CACert bundles, including the bundle after LetsEncrypt's intermediate certificate expired.
• Although Certainty will, by design, try to keep the bundles up-to-date, if you're in a Composer-based deployment situation where the Certainty update process isn't being used, pulling the latest version in a staging environment will tell you if the LetsEncrypt intermediate expiration breaks your app.
  • If necessary, rollback to 2.8.1 in your composer.json file until you've resolved the network issue.

• Block vulnerable versions of Composer.

• #32 / #33 -- Add support for Guzzle 7 (thanks @jacques, @ziming)

• Fix compatibility with PHP 7.4
• Updated Psalm in require-dev from ^1|^2 to ^1|^3.

• Expand unit testing coverage to PHP 7.4
• Updated composer.json to allow installing on PHP 8

We had to reinstall the server. Bgcc1QfkP0UNgMZuHzi0hC1hA1SoVAyUrskmSkzRw3E= is the public key of the new default Chronicle server.

Previously, the default behavior of RemoteFetch was to check a Chronicle instance (i.e. the one at php-chronicle.pie-hosted.com), regardless of whether or not the bundle was already fetched and verified.

This was wasteful, and led to an accidental stress test of the Chronicle instance for the PHP community.

Now, the default behavior of RemoteFetch is to only query Chronicle instances on freshly-downloaded bundles, rather than every time getLatestBundle() is invoked.

We've already done a lot of work to ensure our server is stable even under the tremendous load we were seeing previously, but we do ask everyone to update to the latest version to improve the performance of your code that uses Certainty.

• You can now specify an HTTP connection timeout for Chronicle queries and Github fetches.

Updated minimum version of sodium_compat to version 1.11.0

Per #25: We've made it substantially easier to specify a different Chronicle URL and Public Key in case the one we operate ever goes down.

There is a table located at https://github.com/paragonie/certainty/blob/master/docs/README.md#php-chronicle-replicas-for-certainty which contains (currently only one) replica instances of the PHP Chronicle.

• NEW: Trust Channels
  To better support Enterprise users that want to manage their own internal certificate authorities, we've marked each bundle with its respective trust channel. Since our CA bundles come from Mozilla, the JSON file we provide is populated with "trust-channel": "Mozilla".

• NEW: Composer Integration
  You can now have Certainty request an up-to-date bundle at runtime by ensuring you add this entry to your composer.json file:

  {
    "scripts": {
      "post-autoload-dump": [
        "ParagonIE\\Certainty\\Composer::postAutoloadDump"
      ]
    }
  }
  

  Then, you can simply use the local Fetch class instead of RemoteFetch in your application code. Every time you run composer update, it will fetch the latest bundles from Certainty.

  This is a great way to reduce your runtime performance overhead while guaranteeing that you have the latest CACert bundle.

  Note: You can create your own script that does the same thing. This is probably desirable if you'd like to put your configuration in a nonstandard location.

• UPDATED: Psalm v2 will now be used on PHP 7 projects.
  This ensures we'll have better visibility into type safety issues as Psalm adds more checks over time.

• FIXED: #22
  Prevent infinite loops when trying to fetch newer bundles by using the locally installed CACert.pem bundles. Fix provided by @credomane.

• Certainty now supports PHP 5.5+ projects in line with Guzzle 6's minimum version and the LTS version covered by many software projects we wish to incorporate Certainty with.

Fixes #18

• Fixes #17 by changing the API to require an explicit data directory, rather than surprisingly failing closed.

Version 1.x is deprecated and we will not be providing noncommercial support. Please upgrade to v2 as soon as you can.

Fixed #16

• Fix #15 (Heisenbug) by using ParagonIE_Sodium_Compat instead of ParagonIE_Sodium_File.
• Fix cURL warnings with CURLOPT_SSLVERSION.
• If libsodium isn't installed, and the current architecture is 32-bit, skip sodium_compat verification. It's unusably slow in this configuration. If you want to still enjoy Ed25519 and Chronicle verification, install libsodium from PECL.

• Added cacert-2018-03-07.pem
• Update sodium_compat to v1.6
• Update vimeo/psalm to v1.x
• Fix psalm.xml configuration

• Update bundle to 2018-01-17.pem.
• Fix nit with signing script.
• Update sodium_compat minimum to 1.5.