Prepare CHANGELOG for v0.15.0
parent
d4cf32f9b3
commit
9b29ca93b8
71
CHANGELOG.md
@ -1,5 +1,76 @@
# Change Log
## v0.15.0 (2023-02-TBD)
- **Significant behavior change**: certspotter is now intended to run as
a daemon instead of a cron job. Specifically, certspotter no longer
terminates unless it receives SIGTERM or SIGINT or there is a serious error.
You should remove certspotter from your crontab and arrange to run it as a
daemon, passing either the `-email` option or `-script` option to configure
how you want to be notified about certificates.
Reason for this change: although using cron made sense in the early days of
Certificate Transparency, certspotter now needs to run continuously to reliably
keep up with the high growth rate of contemporary CT logs, and to gracefully
handle the many transient errors that can arise when monitoring CT.
See <https://github.com/SSLMate/certspotter/issues/63> for background.
- `-script` is now officially supported and can be used to execute
a command when a certificate is discovered or there is an error. For details,
see the [certspotter-script(8) man page](man/certspotter-script.md).
Note the following changes from the experimental, undocumented `-script`
option found in previous versions:
- The script is also executed when there is an error. Consult the `$EVENT`
variable to determine why the script was executed.
- The `$DNS_NAMES` and `$IP_ADDRESSES` variables have been removed because
the OS limits the size of environment variables and some certificates have
too many identifiers. To determine a certificate's identifiers, you can
read the JSON file specified by the `$JSON_FILENAME` variable, as explained
in the [certspotter-script(8) man page](man/certspotter-script.md).
- The `$CERT_TYPE` variable has been removed because it is almost always
a serious mistake (that can make you miss malicious certificates) to treat
certificates and precertificates differently. If you are currently
using this variable to skip precertificates, stop doing that because
precertificates imply the existence of a corresponding certificate that you
**might not** be separately notified about. For more details, see
<https://github.com/SSLMate/certspotter/commit/cd2bb429fc2f4060a33ec8eb8b71a3eb12e9ba93>.
- New variable `$WATCH_ITEM` contains the first watch list item which
matched the certificate.
- New `-email` option can be used to send an email when a certificate is
discovered or there is an error. Your system must have a working `sendmail`
command.
- (Behavior change) You must specify the `-stdout` option if you want discovered
certificates to be written to stdout. This only makes sense when running
certspotter from the terminal; when running as a daemon you probably want to
use `-email` or `-script` instead.
- Once a day, certspotter will send you a notification (per `-email` or
`-script`) if any problems are preventing it from detecting all certificates.
As in previous versions of certspotter, errors are written to stderr when they
occur, but since most errors are transient, you can now ignore stderr and rely
on the daily health check to notify you about any persistent problems that
require your attention.
- certspotter now saves `.json` and `.txt` files alongside the `.pem` files
containing parsed representations of the certificate.
- `.pem` files no longer have `.cert` or `.precert` in the filename.
- certspotter will save its state periodically, and before terminating due to
SIGTERM or SIGINT, meaning it can resume monitoring without having to
re-download entries it has already processed.
- The experimental "BygoneSSL" feature has been removed due to limited utility.
- The `-num_workers` option has been removed.
- The `-all_time` option has been removed. You can remove the certspotter state
directory if you want to re-download all entries.
- The minimum supported Go version is now 1.19.
## v0.14.0 (2022-06-13)
- Switch to Go module versioning conventions.
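Review bot: the v0.15.0 heading still carries the placeholder date `2023-02-TBD`; since this commit only prepares the changelog, make sure the tagging commit replaces it with the real release date so the published CHANGELOG does not read "TBD". The two behavior-change entries are also labelled inconsistently (`**Significant behavior change**` for the daemon switch versus `(Behavior change)` for `-stdout`); pick one style so readers scanning for breaking changes catch both. The `$CERT_TYPE` entry is the most security-relevant item here and is well explained: it states plainly that filtering out precertificates can cause a monitor to miss a certificate it is never separately notified about, which is exactly the point operators migrating old `-script` hooks need.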