v0.1.1

Call for action to log operators

This release introduces a few changes that may require action from log operators.

• It fixes #553, where chains involving PreIssuer certs were not handled properly. Unfortunately, logs that stored such chain before this fix aren't specs compliant, and must be retired. Thanks @AGWA for flagging this.
• It fixes #644 where partial entry bundles were not garbage collected. Partial tiles were garbage collected as expected, and are not impacted. Rolling a new version of TesseraCT will ensure that newly created partial entry bundle are garbage collected. If you wish garbage collect previous partial entry bundles, the garbage collection state needs to be reset. For POSIX logs, delete the .state/gcState file. For GCP, AWS, and MySQL+S3, set fromSize to 0 in the GCCord table. Tessera will attempt to delete 100 partial entry bundle directories every garbage_collection_interval. By default, it is set to 10s, which means that it should be able to cope with 2.5k entries, roughly 10x the HTTPS certificate issuance rate. It was set to 1 minute by default in the previous release. With this new this new rate, it would take ~11 days to garbage collect a log with 2.5B entries. See cmd/tesseract/README.md#garbage-collection for further details.
• Submission of old chains can now be rate limited with rate_limit_old_not_before. The pushback_max_dedupe_in_flight flag has been renamed rate_limit_dedup in an effort to align flag names. See cmd/tesseract/README.md for further details. The old pushback_max_dedupe_in_flight flag will be removed in an upcoming release: we recommend migrating to the new rate_limit_dedup flag now.

Fixes

• Prevent unlikely posix directory sync issue. Thanks @AGWA for flagging this.
  • Update local copy of Tessera's POSIX file_ops (by @AlCutter in #542):
• Fix otel monitoring buckets.
  • Fix subsecond buckets (by @AlCutter in #580)
• Fix #606, where issuers were missing from GCP and AWS deployments.
  • Fix issuers bug (by @AlCutter in #607)
• Fix #553, where chains involving PreIssuer certs were not handled properly. Unfortunately, logs that stored such chain before this fix aren't specs compliant and must be retired. Thanks @AGWA for flagging this.
  • Fix PreIssuer detection (by @phbnf in #554)
• Fix #644 where partial entry bundles were not garbage collected. Rolling a new version of Tesseract will ensure that new partial entry bundle are garbage collected. To garbage collect previous partial entry bundles, the garbage collection state needs to be reset. For POSIX logs, delete the .state/gcState file. For GCP, AWS, and MySQL+S3, set fromSize to 0 in the GCCord table. Tessera will attempt to delete 100 partial entry bundle directories every garbage_collection_interval. By default, it is set to 10s, which means that it should be able to cope with 2.5k entries, roughly 10x the HTTPS certificate issuance rate. It was set to 1 minute by default in the previous release. At this rate, it would take ~11 days to garbage collect a log with 2.5B entries. See cmd/tesseract/README.md#garbage-collection for further details.
  • garbage collection docs and config (by @phbnf in #648)
  • Decrease default interval between garbage collection runs, and add documentation (by @phbnf in #649):
  • Bump to Tessera@v1.0.1 (by @phbnf in #650)

Features

• Witnessing: logs can now publish checkpoints co-signed by Witnesses in the Witness network.
  • PRs
  • Add witness policy support to TesseraCT/POSIX (by @AlCutter in #546)
  • Pass witness policy as []byte (by @AlCutter in #548)
  • Add support to TesseraCT/GCP for witnessing (by @AlCutter in #549)
  • Update witness docs (by @AlCutter in #601)
• Rate limiting: submission of old chains can now be rate limited with rate_limit_old_not_before. The pushback_max_dedupe_in_flight flag has been renamed rate_limit_dedup in an effort to align flag names. See cmd/tesseract/README.md for further details. The old pushback_max_dedupe_in_flight flag will be removed in an upcoming release. The old pushback_max_dedupe_in_flight flag will be removed in an upcoming release: we recommend migrating to the new rate_limit_dedup flag now.
  • Support rate limiting of old submissions (by @AlCutter in #570)
  • Parse chain separately (by @AlCutter in #571)
  • Wire up old submission rate limit (by @AlCutter in #572)
  • Add republish interval flags (by @AlCutter in #639)
  • add pushback reason (by @phbnf in #577)
  • Rename old submission flags and rate limiters (by @phbnf in #579)
  • move dedupInFlight to a proper rate limiter (by @phbnf in #573)
  • Add notBefore age histogram (by @AlCutter in #576)
• Containers are now built using KO and available in Container registry in this repo.
  • Add KO build workflow (by @AlCutter in #632)

Improvements

• Ensure that origins match with the submission path
  • More orgin bells and whistles (by @phbnf in #622)
  • check origins (by @phbnf in #623)
• Add read-header timeouts to HTTP servers (by @AlCutter in #560)
• Use "dedup" consistently across the repo (by @phbnf in #564)
• better chain error messages (by @phbnf in #567)

Notable Tessera changes impacting TesseraCT

• Check Tessera's release page for complete information. The most important changes are:
  • Fix a POSIX lock issue.
  • Better support for Witnessing, with witnessing policies and the witness network.
  • Fix garbage collection for CT, fixes #644. Thanks @pimvanpelt for flagging this.

Other (documentation, other tools, staging deployments, etc.)

fsck

• Add fsck TUI (by @AlCutter in #562)
• Add --bundle_compressed flag to allow Sunlight logs to be fsck'd (by @pimvanpelt in #539)

fetch_roots

• CLI to fetch roots from CCADB (by @phbnf in #592)
• format b64 (by @phbnf in #593)

TesseraCT

• add base name in aws codelab (by @phbnf in #531)
• Update engine_version to 8.0 in AWS storage rds terraform (by @rogerng in #532)
• Change deployment link (by @phbnf in #535)
• migrate to new user (by @phbnf in #561)
• more resources for arche2025h2 (by @phbnf in #569)
• point at IPng's deployment and Cheese (by @phbnf in #583)
• fix rare race condition (by @phbnf in #584)
• make path of ci log configurable for cloudbuild (by @phbnf in #586)
• configure all conformance paths with variable (by @phbnf in #588)
• static-ct-ci ci test (by @phbnf in #587)
• Migrate to cloud-init (by @AlCutter in #591)
• Up version (by @phbnf in #594)
• Add witnessing policy for staging logs (by @AlCutter in #595)
• delete static-ct project config (by @phbnf in #596)
• Update lockfiles (by @AlCutter in #597)
• Add support for additional ed25519 signers to terraform (by @AlCutter in #598)
• Update staging witness policy(by @AlCutter in #599)
• static-ct-CI (by @phbnf in #600)
• Add remora witness to staging policy (by @AlCutter in #608)
• Raise cloudbuild timeouts to 15m (by @AlCutter in #610)
• Add smartit witness (by @AlCutter in #614)
• Add rgdd-1 witness to arche (by @AlCutter in #615)
• Add support for witness timeout (by @AlCutter in #616)
• Remove unprovisioned witnesses (by @AlCutter in #617)
• conditionally enable health checks (by @phbnf in #633)
• make git tags configurable (by @phbnf in #634)
• Optionally pass roots via cloud-init (by @phbnf in #636)
• Migrate preloader to cloud-init (by @AlCutter in #640)
• Disable linter for x509 fork (by @mhutchinson in #643)
• Add Mulvad's test witness
• Add Geomys dev

Robots

• Bump tessera to 63623c62b7c95f06d736a594d2051c5fcea62bd1 (by @AlCutter in #541)
• Bump tessera to 8baaa7b46f0c78104b40c61bf7f546ad24720050 (by @AlCutter in #547)
• Bump to Tessera@v1.0.0 (by @AlCutter in #568)
• Bump tessera to ac0ba0aa82a0e52002cece997f149fceba7a3e7c (by @AlCutter in #609)
• Bump tessera to a623a6aedfc0fb66a56091558a5c4be395f188e0 & mod tidy (by @AlCutter in #620)
• Bump tessera to ff15e941ea8c6c9332812edfdded1c2a4115fd67 & mod tidy (by @AlCutter in #621)
• Bump the all-deps group with 2 updates (by @dependabot[bot] in #533)
• Bump the all-deps group with 2 updates (by @dependabot[bot] in #534)
• Bump the all-deps group with 9 updates (by @dependabot[bot] in #536)
• Bump github/codeql-action from 3.29.9 to 3.29.11 in the all-deps group (by @dependabot[bot] in #537)
• Bump the all-deps group across 2 directories with 2 updates (by @dependabot[bot] in #544)
• Bump the all-deps group with 14 updates (by @dependabot[bot] in #545)
• Bump the all-deps group with 3 updates (by @dependabot[bot] in #551)
• Bump golang.org/x/sync from 0.16.0 to 0.17.0 in the all-deps group (by @dependabot[bot] in #550)
• Bump golang in /internal/hammer in the all-deps group across 1 directory (by @dependabot[bot] in #552)
• Bump the all-deps group with 11 updates (by @dependabot[bot] in #559)
• Bump github/codeql-action from 3.30.1 to 3.30.3 in the all-deps group (by @dependabot[bot] in #558)
• Bump github.com/charmbracelet/bubbletea in the all-deps group (by @dependabot[bot] in #566)
• Bump github/codeql-action from 3.30.3 to 3.30.5 in the all-deps group (by @dependabot[bot] in #574)
• Bump the all-deps group with 9 updates (by @dependabot[bot] in #575)
• Bump the all-deps group with 2 updates (by @dependabot[bot] in #589)
• Bump the all-deps group with 2 updates (by @dependabot[bot] in #590)
• Bump the all-deps group with 8 updates (by @dependabot[bot] in #603)
• Bump the all-deps group across 2 directories with 2 updates (by @dependabot[bot] in #604)
• Bump the all-deps group w...

TesseraCT Alpha v0.1.0

This is the initial alpha release of TesseraCT!

Take a look at the main README for information about how to get started using it, and let us know in the slack channel how you get on: https://transparency.dev/slack/.