From 9b29ca93b8074e27a397bfd46f13e8dc4d399931 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Sun, 5 Feb 2023 13:03:09 -0500 Subject: [PATCH] Prepare CHANGELOG for v0.15.0 --- CHANGELOG.md | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b6b9315..db6be41 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,76 @@ # Change Log +## v0.15.0 (2023-02-TBD) +- **Significant behavior change**: certspotter is now intended to run as + a daemon instead of a cron job. Specifically, certspotter no longer + terminates unless it receives SIGTERM or SIGINT or there is a serious error. + You should remove certspotter from your crontab and arrange to run it as a + daemon, passing either the `-email` option or `-script` option to configure + how you want to be notified about certificates. + + Reason for this change: although using cron made sense in the early days of + Certificate Transparency, certspotter now needs to run continuously to reliably + keep up with the high growth rate of contemporary CT logs, and to gracefully + handle the many transient errors that can arise when monitoring CT. + See for background. + +- `-script` is now officially supported and can be used to execute + a command when a certificate is discovered or there is an error. For details, + see the [certspotter-script(8) man page](man/certspotter-script.md). + + Note the following changes from the experimental, undocumented `-script` + option found in previous versions: + - The script is also executed when there is an error. Consult the `$EVENT` + variable to determine why the script was executed. + - The `$DNS_NAMES` and `$IP_ADDRESSES` variables have been removed because + the OS limits the size of environment variables and some certificates have + too many identifiers. To determine a certificate's identifiers, you can + read the JSON file specified by the `$JSON_FILENAME` variable, as explained + in the [certspotter-script(8) man page](man/certspotter-script.md). + - The `$CERT_TYPE` variable has been removed because it is almost always + a serious mistake (that can make you miss malicious certificates) to treat + certificates and precertificates differently. 
If you are currently + using this variable to skip precertificates, stop doing that because + precertificates imply the existence of a corresponding certificate that you + **might not** be separately notified about. For more details, see + . + - New variable `$WATCH_ITEM` contains the first watch list item which + matched the certificate. + +- New `-email` option can be used to send an email when a certificate is + discovered or there is an error. Your system must have a working `sendmail` + command. + +- (Behavior change) You must specify the `-stdout` option if you want discovered + certificates to be written to stdout. This only makes sense when running + certspotter from the terminal; when running as a daemon you probably want to + use `-email` or `-script` instead. + +- Once a day, certspotter will send you a notification (per `-email` or + `-script`) if any problems are preventing it from detecting all certificates. + As in previous versions of certspotter, errors are written to stderr when they + occur, but since most errors are transient, you can now ignore stderr and rely + on the daily health check to notify you about any persistent problems that + require your attention. + +- certspotter now saves `.json` and `.txt` files alongside the `.pem` files + containing parsed representations of the certificate. + +- `.pem` files no longer have `.cert` or `.precert` in the filename. + +- certspotter will save its state periodically, and before terminating due to + SIGTERM or SIGINT, meaning it can resume monitoring without having to + re-download entries it has already processed. + +- The experimental "BygoneSSL" feature has been removed due to limited utility. + +- The `-num_workers` option has been removed. + +- The `-all_time` option has been removed. You can remove the certspotter state + directory if you want to re-download all entries. + +- The minimum supported Go version is now 1.19. + ## v0.14.0 (2022-06-13) - Switch to Go module versioning conventions.
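Review bot: in the "Once a day, certspotter will send you a notification" item, "you can now ignore stderr and rely on the daily health check" is too strong, because the health check is delivered "per `-email` or `-script`", the same channel whose failure it may be reporting; if `sendmail` (which the `-email` item says must be working) or the script is broken, the notification never arrives and stderr is the only place the problem shows up. Suggest wording it as: rely on the daily health check for persistent monitoring problems, but keep stderr captured (for example by the service manager) so that failures of the notification mechanism itself remain visible. Two smaller points in the same hunk: "certspotter now saves `.json` and `.txt` files alongside the `.pem` files containing parsed representations of the certificate" reads as though the `.pem` files hold the parsed representations; reorder to "saves `.json` and `.txt` files, containing parsed representations of the certificate, alongside the `.pem` files." And "See for background." and "For more details, see ." have no visible link target, while the heading date is still `2023-02-TBD`; the references and the release date need filling in before this is tagged.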