|
| 1 | +# Release Notes — v1.5.2 |
| 2 | + |
| 3 | +**Release date:** June 16, 2026 |
| 4 | + |
| 5 | +v1.5.2 replaces URL-configured CT log discovery with a code-owned, signature-verified catalog registry, and adds the runtime controls to operate it safely. |
| 6 | + |
| 7 | +## Trusted CT source discovery |
| 8 | + |
| 9 | +CT log sources now come from a compile-time registry instead of operator-supplied URLs: |
| 10 | + |
| 11 | +* **google_v3_usable** — verified against a pinned RSA-SHA256 trust anchor; authoritative by default. |
| 12 | +* **google_v3_all** — same pinned key; non-authoritative until opted in via `ct_log.catalog_authority_overrides`. |
| 13 | +* **apple** — TLS-authenticated via issuer-CA SPKI pinning (Apple publishes no detached signature); permanently non-authoritative. |
| 14 | + |
| 15 | +Trust model: a source that does not verify can never auto-spawn watchers. An authority override can only *grant* authority to a source that currently verifies — it can never promote an unverified source such as Apple. A signature failure forces the source non-authoritative for that cycle while still exposing the raw bytes for audit (`certstream_ct_catalog_source_verified=0`). |
| 16 | + |
| 17 | +## Operational controls |
| 18 | + |
| 19 | +* Per-operator outbound rate limits: `ct_log.default_operator_rate_limit_ms` + `ct_log.operator_rate_limits`. |
| 20 | +* Per-log overrides: `batch_size` and `poll_interval_ms` on `custom_logs` / `static_logs`. |
| 21 | +* `expected_log_id` guards configured static-CT overrides against the discovered catalog identity (transport, fetch URL, and an explicitly declared checkpoint origin). The server refuses to start if a configured override contradicts the signed catalog, or if multiple resolved watchers would share a CT log ID. |
| 22 | + |
| 23 | +## Breaking change |
| 24 | + |
| 25 | +The `ct_logs_url` and `additional_log_lists` config keys — and the `CERTSTREAM_CT_LOGS_URL` / `CERTSTREAM_ADDITIONAL_LOG_LISTS` env vars — are removed. CT sources are now the code-owned registry. Apple-only or otherwise non-authoritative logs are ingested by declaring them under `static_logs` / `custom_logs`. Existing configs that still set the removed keys are ignored, not rejected. |
| 26 | + |
| 27 | +## New dependencies |
| 28 | + |
| 29 | +`rsa` (catalog signature verification), `rustls` + `rustls-native-certs` (pinned Apple TLS client); `reqwest` gains the `rustls` feature. |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +# Release Notes — v1.5.1 |
| 34 | + |
| 35 | +**Release date:** June 15, 2026 |
| 36 | + |
| 37 | +A small, focused patch release. Two operational improvements, no breaking changes, fully backward-compatible with v1.5.0 configs and Prometheus queries. |
| 38 | + |
| 39 | +## Configurable static-CT tail overlap |
| 40 | + |
| 41 | +Fresh static-CT watchers previously started at a fixed `tree_size - 256`. The overlap is now tunable: |
| 42 | + |
| 43 | +* `ct_log.start_overlap_leaves` (default `256` — existing behavior preserved) |
| 44 | +* env override `CERTSTREAM_CT_LOG_START_OVERLAP_LEAVES` |
| 45 | +* validated with an upper bound of 100,000 leaves |
| 46 | + |
| 47 | +## CT source observability & retry attribution |
| 48 | + |
| 49 | +* new `certstream_ct_runtime_log_info` gauge (`source_id`, `log_id`, `log`, `operator`, `log_type`) |
| 50 | +* existing per-log metrics gain a stable `source_id` label (`ctlog:<log_id>`, or `url:<...>` for id-less sources) alongside the existing human-readable `log` label — old selectors keep working |
| 51 | +* new `certstream_ct_log_rate_limited_total` (labeled by `log_type`) and `certstream_ct_log_empty_responses_total` counters |
| 52 | +* RFC6962 watchers now honor the `Retry-After` header on 429s (clamped to 250 ms–10 min), matching the static-CT path |
| 53 | + |
| 54 | +--- |
| 55 | + |
1 | 56 | # Release Notes — v1.5.0 |
2 | 57 |
|
3 | 58 | **Release date:** May 19, 2026 |
|
0 commit comments