A transparent and secure way to look up public keys.

Key Transparency

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. Although the log is publicly auditable, individual records are revealed only in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable.

Key Transparency empowers account owners to reliably see what public keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency can add verifiable and user-friendly auditing to any scenario that involves authenticating users with public keys, including Universal Second Factor Security Keys and end-to-end encryption.

Project Status

Key Transparency is a work-in-progress with the following milestones under development.

Key Transparency Client

Setup

  1. Install Go 1.13.
  2. GO111MODULE=on go get github.com/google/keytransparency/cmd/keytransparency-client

Client operations

View a Directory's Public Keys

The Key Transparency server publishes a separate set of public keys for each directory that it hosts. By hosting multiple directories, a single domain can host directories for multiple apps or customers. A standardized pattern for discovering domains and directories is a TODO in issue #389.

Within a directory the server uses the following public keys to sign its responses:

  1. log.public_key signs the top-most Merkle tree root, covering the ordered list of map roots.
  2. map.public_key signs each snapshot of the key-value database in the form of a sparse Merkle tree.
  3. vrf.der signs outputs of the Verifiable Random Function which obscures the key values in the key-value database.

A directory's public keys can be retrieved over HTTPS/JSON with curl or over gRPC with grpcurl. The sandbox server has been initialized with a domain named default.

$ curl -s https://sandbox.keytransparency.dev/v1/directories/default | json_pp
$ grpcurl -d '{"directory_id": "default"}' sandbox.keytransparency.dev:443 google.keytransparency.v1.KeyTransparency/GetDirectory
{
   "directory_id" : "default",
   "log" : {
      "hash_algorithm" : "SHA256",
      "hash_strategy" : "RFC6962_SHA256",
      "public_key" : {
         "der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXPi4Ut3cRY3OCXWvcSnE/sk6tbDEgBeZapfEy/BIKfsMbj3hPLG+WEjzh1IP2TDirc9GpQ+r9HVGR81KqRpbjw=="
      },
      "signature_algorithm" : "ECDSA",
      "tree_id" : "4565568921879890247",
      "tree_type" : "PREORDERED_LOG"
   },
   "map" : {
      "hash_algorithm" : "SHA256",
      "hash_strategy" : "CONIKS_SHA256",
      "public_key" : {
         "der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgX6ITeFrqLmclqH+3XVhbaEeJO37vy1dZYRFxpKScERdeeu3XRirJszc5KJgaZs0LdvJqOccfNc2gJfInLGIuA=="
      },
      "signature_algorithm" : "ECDSA",
      "tree_id" : "5601540825264769688",
      "tree_type" : "MAP"
   },
   "max_interval" : "60s",
   "min_interval" : "1s",
   "vrf" : {
      "der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuqCkY9rM/jq/8hAoQn2PClvlNvVeV0MSUqzc67q6W+MzY/YZKmPLY5t/n/VUEqeSgwU+/sXgER3trsL6nZu+A=="
   }
}
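
The three keys in this response are base64-encoded DER SubjectPublicKeyInfo structures. The following Go program is an added example, not code from the Key Transparency project: it parses a response of this shape, checks that each key is ECDSA P-256 as in the output above, and records a SHA-256 fingerprint per key so that a later fetch can be compared against it. The names InspectDirectory, ChangedKeys, KeyInfo and sampleDirectory are hypothetical, and the sample response is constructed with freshly generated keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Only the GetDirectory fields used here; encoding/json base64-decodes "der".
type derKey struct {
	DER []byte `json:"der"`
}
type tree struct {
	PublicKey          derKey `json:"public_key"`
	SignatureAlgorithm string `json:"signature_algorithm"`
}
type directory struct {
	DirectoryID string `json:"directory_id"`
	Log         tree   `json:"log"`
	Map         tree   `json:"map"`
	VRF         derKey `json:"vrf"`
}

// KeyInfo (hypothetical type) is what a client records for one directory key.
type KeyInfo struct {
	Role, Curve, Fingerprint string // Fingerprint: hex SHA-256 of the DER
}

// InspectDirectory parses a GetDirectory JSON response and fails closed if any
// of the three keys is missing, malformed, or not ECDSA P-256.
func InspectDirectory(raw []byte) ([]KeyInfo, error) {
	var d directory
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("parse directory: %w", err)
	}
	if d.Log.SignatureAlgorithm != "ECDSA" || d.Map.SignatureAlgorithm != "ECDSA" {
		return nil, fmt.Errorf("directory %q: unexpected signature algorithm", d.DirectoryID)
	}
	keys := []struct {
		role string
		der  []byte
	}{{"log", d.Log.PublicKey.DER}, {"map", d.Map.PublicKey.DER}, {"vrf", d.VRF.DER}}
	var out []KeyInfo
	for _, k := range keys {
		pub, err := x509.ParsePKIXPublicKey(k.der)
		if err != nil {
			return nil, fmt.Errorf("%s key: %w", k.role, err)
		}
		ec, ok := pub.(*ecdsa.PublicKey)
		if !ok || ec.Curve != elliptic.P256() {
			return nil, fmt.Errorf("%s key: want ECDSA P-256, got %T", k.role, pub)
		}
		sum := sha256.Sum256(k.der)
		out = append(out, KeyInfo{k.role, ec.Curve.Params().Name, hex.EncodeToString(sum[:])})
	}
	return out, nil
}

// ChangedKeys returns the roles whose fingerprint differs from the pinned one.
func ChangedKeys(pinned map[string]string, current []KeyInfo) []string {
	var changed []string
	for _, k := range current {
		if pinned[k.Role] != k.Fingerprint {
			changed = append(changed, k.Role)
		}
	}
	return changed
}

// sampleDirectory builds a CONSTRUCTED response in the shape shown above,
// using freshly generated P-256 keys (not the sandbox's keys).
func sampleDirectory() ([]byte, error) {
	d := directory{DirectoryID: "default"}
	d.Log.SignatureAlgorithm, d.Map.SignatureAlgorithm = "ECDSA", "ECDSA"
	for _, dst := range []*[]byte{&d.Log.PublicKey.DER, &d.Map.PublicKey.DER, &d.VRF.DER} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		if *dst, err = x509.MarshalPKIXPublicKey(&k.PublicKey); err != nil {
			return nil, err
		}
	}
	return json.Marshal(d)
}

func main() {
	raw, err := sampleDirectory()
	if err != nil {
		panic(err)
	}
	keys, err := InspectDirectory(raw)
	fmt.Println(keys, err)
}
```

Feeding it the saved output of the curl command above in place of the constructed sample gives fingerprints that can be stored and passed to ChangedKeys on the next fetch.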

Generate Update Signing Keys

Every update to a user record in Key Transparency must be signed by an authorized key.

Update signatures are saved in the Merkle tree data structure, producing a record of who made each change to a user's account, allowing products to distinguish between changes signed by a user key, the provider's key, or a reset-provider's key.

Each account has an updatable policy that lists the current set of authorized public keys that are allowed to make updates to the user's record.

To create an initial set of update signing keys, run the authorized-keys create-keyset command. Keys will be saved in a .keyset file in the current working directory.

$ PASSWORD=[[YOUR-KEYSET-PASSWORD]]
$ keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
$ keytransparency-client authorized-keys list-keyset --password=${PASSWORD}
My Authorized Keys:
primary_key_id:17445529 key_info:<type_url:"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey" status:ENABLED key_id:17445529 output_prefix_type:TINK >

Publish the public key

Any number of protocols may be used to prove to the server that a client owns a userID. The sandbox server supports a fake authentication string and OAuth.

Create or fetch the public key for your specific application.

 openssl genpkey -algorithm X25519 -out xkey.pem
 openssl pkey -in xkey.pem -pubout
 -----BEGIN PUBLIC KEY-----
 MCowBQYDK2VuAyEAtCAsIMDyVUUooA5yhgRefcEr7edVOmyNCUaN1LCYl3s=
 -----END PUBLIC KEY-----
keytransparency-client post [email protected] \
--kt-url sandbox.keytransparency.dev:443 \
--fake-auth-userid [email protected] \
--password=${PASSWORD} \
--verbose \
--logtostderr \
--data='MCowBQYDK2VuAyEAtCAsIMDyVUUooA5yhgRefcEr7edVOmyNCUaN1LCYl3s=' #Your public key in base64

Get and verify a public key

keytransparency-client get <email> --kt-url sandbox.keytransparency.dev:443 --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >

Verify key history

keytransparency-client history [email protected] --kt-url sandbox.keytransparency.dev:443
Revision |Timestamp                    |Profile
4        |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Checks

Running the server locally with Docker Compose

Prerequisites

  • GoLang
  • OpenSSL
  • Docker
    • Docker Engine 1.17.6+ docker version -f '{{.Server.APIVersion}}'
    • Docker Compose 1.11.0+ docker-compose --version

Deploy the KeyTransparency service

  1. Run the deployment script

    # Download the latest version of keytransparency
    git clone https://github.com/google/keytransparency.git
    cd keytransparency
    
    # Run the deployment script for local environment
    ./scripts/deploy_local.sh deploy
  2. Check Docker's running containers

    docker container ls

    You should see 8 new running containers:

    • gcr.io/key-transparency/keytransparency-monitor
    • gcr.io/key-transparency/keytransparency-sequencer
    • gcr.io/trillian-opensource-ci/map_server
    • gcr.io/trillian-opensource-ci/log_signer
    • gcr.io/trillian-opensource-ci/log_server
    • gcr.io/key-transparency/keytransparency-server
    • gcr.io/trillian-opensource-ci/db_server
    • prom/prometheus
  3. Watch it Run

Terminate the KeyTransparency service

The script will remove all the containers and their networks.

# Run the script to undeploy
./scripts/deploy_local.sh undeploy

Development and Testing

Key Transparency and its Trillian backend use a MySQL database, which must be set up in order for the Key Transparency tests to work.

docker-compose up -d db will launch the database in the background.

Directory structure

The directory structure of Key Transparency is as follows:

Support

Acknowledgements

Key Transparency would not have been possible without a whole host of collaborators including researchers, interns, and open source contributors.

Key Transparency was inspired by CONIKS and Certificate Transparency.

Related

Comments
  • .keytransparency.yaml out of date

    It references log-key: "../trillian/testdata/ct-http-server.pubkey.pem" while I think it should be: log-key: "../trillian/testdata/log-rpc-server.pubkey.pem"

  • Remove secrets from Docker Images

    Private keys should not be part of the docker images. This was an old hack that predated docker's secrets feature.

    TODO / Help wanted: add a kubernetes configmap that does the same thing.

  • Add support for proofs of absence

    We want to be able to prove to clients that their requested entry does not exist. With prefix trees, there are two cases for proofs of absence, one where the branch is not present in the tree, and one where the branch is present but contains the wrong leaf.

    I wasn't sure what the best way of structuring the protobufs was. I went with the way that seemed clearest, but we could also do with less protobuf nesting if we wanted. For instance, all three possible proof types share a bytes neighbors member, which could be moved into Proof. However, neighbors actually has a bit of a different meaning in each case, so I wanted to split it. Let me know if this could be made clearer.

  • Store trillian map,log trees in DB

    • Removed from directory table: MapId, LogId fields
    • Added to directory table: Map, Log fields with type BLOB
    • Removed fetch request to TrillianTree

    Fixes: https://github.com/google/keytransparency/issues/1152

  • failed to read: ../trillian/testdata/ct-http-server.pubkey.pem.

    "error connecting: Failed to open public key : failed to read: ../trillian/testdata/ct-http-server.pubkey.pem. open ../trillian/testdata/ct-http-server.pubkey.pem: no such file or directory"

    the above error happens when I execute the following command as suggested in the Using the Key Transparency Client section. ./keytransparency-client post [email protected] app1 -d 'dGVzdA==' --config=./.keytransparency.yaml

    also, from the instruction "3. Get an OAuth client ID and download the generated JSON file." I can't get how and where to use this generated JSON file, a more detailed instruction will be helpful?

  • Remove TreeNonce?

    IIRC, the purpose of the per-merkle-tree nonce was to allow the provider to change the tree structure between epochs, aiming to prevent direct differential measurements of the churn of the userbase. As our tree structure is public anyway, rerandomizing it does not make sense. And the MerkleTree interface (and impl) would be simpler without that parameter. Is there any reason that I am missing why we still need it?

  • Split Verification Function

    Verifying the legitimacy of a mutation can be broken into two parts:

    1. Verifying that it is well formed without knowing what the current map value is. This verification should be checked by the keyserver.

    2. Verifying that any references to the current value in the map are correct. Both the first check and this check should be run in the sequencer.

  • Concurrency test for MutationLog

    Ensure that the queue can support multiple writes at the same time.

    • New Concurrent conformance test
    • Adds concurrency to the MySql implementation by retrying when encountering db locked errors.

    Most interesting to me is that the concurrency test for high contention completes relatively quickly in under 2s.

  • Move to travis-ci.com

    Use the travis-ci GitHub Apps integration, remove the old services based integration

    https://blog.travis-ci.com/2018-05-02-open-source-projects-on-travis-ci-com-with-github-apps

    TravisCI.com uses a smaller permission set:

    • https://docs.travis-ci.com/user/github-oauth-scopes/
  • Added keyset-file flag to specify file path and name

    Fixes https://github.com/google/keytransparency/issues/1213 Fixes https://github.com/google/keytransparency/issues/1206

    Added keyset-file flag to specify keyset file path and name, for CREATE, LIST, POST and HAMMER commands. Added small description of the new flag to README

  • Fix mapper metadata following Trillian change; vendoring changes required for that to build

    (This PR combines PR #818 and PR #819 as one, since those don't individually actually build in Travis.)

    Trillian has withdrawn the MapperMetadata protocol message in favor of using google.protobuf.Any instead. Map personalities can store any protocol message they want in Signed Map Head metadata but must marshal/unmarshal to Any when doing so.

    This PR does the marshalling / unmarshalling in Key Transparency. See: google/trillian#838 google/trillian@80d7516


    While fixing the KeyTransparency uses of Metadata I encountered Go import conflicts due to protobuf/ptypes/any being imported in Trillian (via github.com/golang/protobuf/ptypes/any) and in Key Transparency's vendor tree (via vendor/github.com/golang/protobuf/ptypes/any).

    This led to Go compile errors like: core/internal/common.go:35: cannot use r.GetMetadata() (type *"github.com/golang/protobuf/ptypes/any".Any) as type *"github.com/google/keytransparency/vendor/github.com/golang/protobuf/ptypes/any".Any in argument to ptypes.UnmarshalAny

    In addition, at runtime, quite a few proto messages were being Init()d twice, causing runtime panics. Examples:

    panic: proto: duplicate extension registered: descriptor.MethodOptions 72295728 (via vendored google.golang.org/genproto)

    proto: duplicate proto type registered: grpc.gateway.runtime.StreamError (via vendored github.com/grpc-ecosystem/)

    panic: proto: duplicate enum registered: io.prometheus.client.MetricType (via vendored github.com/prometheus)

    I'm not at all sure this is the right way to address these conflicts. Also whether I've done it properly - I partially trimmed out github.com/grpc-ecosystem/ - and haven't updated vendor.json.

  • Bump github.com/go-kit/kit from 0.9.0 to 0.11.0

    Bumps github.com/go-kit/kit from 0.9.0 to 0.11.0.

    Release notes

    Sourced from github.com/go-kit/kit's releases.

    v0.11.0

    A new release with several improvements and enhancements. The first one in a long while! Huge thanks to @​sagikazarmark for putting in most of the gruntwork to make it happen! You're a superstar.

    The biggest thing: package log has been extracted to a separate repository and module, go-kit/log. This means that if you or your project was importing go-kit/kit just to get package log, you can significantly reduce your go.mod and dep graph by switching to the new module. Note that we have no current plans to alias the existing go-kit/kit/log to the new go-kit/log module and package, nor to deprecate the current package in favor of the new one. They are two distinct packages with no defined relationship to each other. This may change in the future.

    Major changes:

    Thanks to the 22 contributors who contributed to this release! 🏌️‍♂️

    Bug fixes

    • metrics/cloudwatch: log CloudWatch response error (#961) (thanks @​Trane9991)
    • log: defer mutex unlocks for panic safety in SyncLogger (#974)
    • util/conn: close old connection before reconnect (#982) (thanks @​chikaku)
    • log/term: fix build on GOOS=js GOARCH=wasm (#993) (thanks @​mvdan)
    • transport/http/jsonrpc: move the ClientAfter calls to before the decode (#1008) (thanks @​directionless)
    • sd/etcdv3: fix etcdv3 client won't return error when no endpoint is available (#1009) (thanks @​wayjam)
    • metrics/generic: fix uint64 alignment (#1007) (thanks @​ldez)
    • log: fix stdlibadapter when prefixed (#1036) (thanks @​soven)
    • log: capture newlines in log stdlib (#1041) (thanks @​SuperQ)

    Enhancements

    Documentation, examples, tests

    ... (truncated)

    Commits
    • a6c5d58 Merge pull request #1129 from sagikazarmark/improve-example-references
    • 4c47fd8 remove examples from gitignore
    • 908c5cf docs: fix example links
    • d19ee33 Merge pull request #1128 from robbert229/patch-1
    • ccf3d8d fix a broken link to the addsvc example
    • f80eb06 Merge pull request #1121 from sagikazarmark/remove-kitgen
    • 32681cc remove deprecated kitgen
    • 2ca6ab2 Merge pull request #1112 from sagikazarmark/opentelemetry
    • a119c95 Merge pull request #1122 from sagikazarmark/nats-test-panic
    • 2216160 Merge pull request #1124 from sagikazarmark/update-dependencies
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Automerge options (never/patch/minor, and dev/runtime dependencies)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
  • Bump github.com/spf13/viper from 1.7.0 to 1.8.1

    Bumps github.com/spf13/viper from 1.7.0 to 1.8.1.

    Release notes

    Sourced from github.com/spf13/viper's releases.

    v1.8.1

    This patch release fixes two minor issues:

    • Replace %s with %w when wrapping errors
    • Fix pflag.StringArray processing

    v1.8.0

    This is a maintenance release primarily containing fixes and improvements. The most prominent change is the etcd update to 3.5.0. Thanks to proper Go modules support, the dependency graph became much smaller.

    Changes

    Added

    • Allow BindEnv to register multiple environment variables
    • Support for accessing slices
    • Experimental WASM support: Viper compiles on WASM
    • INI load options

    Changed

    • Ensure BindPFlag detects a nil flag parameter

    Fixed

    • Merging a key into a nil target
    • Panics during saving INI files

    Security

    • Updated etcd to 3.5 which should make a lot of false positive vulnerability reports disappear

    In addition to the above changes, this release comes with tons of minor improvements, documentation changes and dependency updates. Find more details in the 1.8.0 milestone.

    Many thanks to everyone who contributed to this release!

    v1.7.1

    This release contains a bugfix for environment variable expansion. See #495 and #940 for details.

    Commits
    • bd03865 Add a proper processing for pflag.StringArray
    • 3fcad43 update %s to %w
    • faa8ba0 chore: update gotestsum
    • 65ee986 chore(lint): fix gofumpt
    • 04ef5fa chore: update golangci-lint
    • acd965b Add ini load options argument
    • 5f4d053 chore(deps): update dependencies
    • dd57ae6 chore(deps): update etcd
    • cdb5e59 Fix merging a key into a nil target
    • 36be6bf feat: make sure Viper compiles on WASM
    • Additional commits viewable in compare view

  • Bump github.com/prometheus/client_golang from 1.7.1 to 1.11.0

    Bumps github.com/prometheus/client_golang from 1.7.1 to 1.11.0.

    Release notes

    Sourced from github.com/prometheus/client_golang's releases.

    v1.11.0 / 2021-06-07

    • [CHANGE] Add new collectors package. #862
    • [CHANGE] prometheus.NewExpvarCollector is deprecated, use collectors.NewExpvarCollector instead. #862
    • [CHANGE] prometheus.NewGoCollector is deprecated, use collectors.NewGoCollector instead. #862
    • [CHANGE] prometheus.NewBuildInfoCollector is deprecated, use collectors.NewBuildInfoCollector instead. #862
    • [FEATURE] Add new collector for database/sql#DBStats. #866
    • [FEATURE] API client: Add exemplars API support. #861
    • [ENHANCEMENT] API client: Add newer fields to Rules API. #855
    • [ENHANCEMENT] API client: Add missing fields to Targets API. #856

    1.10.0 / 2021-03-18

    • [CHANGE] Minimum required Go version is now 1.13.
    • [CHANGE] API client: Add matchers to LabelNames and LabelValues. #828
    • [FEATURE] API client: Add buildinfo call. #841
    • [BUGFIX] Fix build on riscv64. #833

    1.9.0 / 2020-12-17

    • [FEATURE] NewPidFileFn helper to create process collectors for processes whose PID is read from a file. #804
    • [BUGFIX] promhttp: Prevent endless loop in InstrumentHandler... middlewares with invalid metric or label names. #823

    1.8.0 / 2020-10-15

    • [CHANGE] API client: Use time.Time rather than string for timestamps in RuntimeinfoResult. #777
    • [FEATURE] Export MetricVec to facilitate implementation of vectors of custom Metric types. #803
    • [FEATURE] API client: Support /status/tsdb endpoint. #773
    • [ENHANCEMENT] API client: Enable GET fallback on status code 501. #802
    • [ENHANCEMENT] Remove Metric references after reslicing to free up more memory. #784
    Commits

  • Bump github.com/google/go-cmp from 0.5.2 to 0.5.6

    Bumps github.com/google/go-cmp from 0.5.2 to 0.5.6.

    Release notes

    Sourced from github.com/google/go-cmp's releases.

    v0.5.6

    Reporter changes:

    • (#258) Print as text if mostly text
    • (#259) Cleanup edit groups after coalescing
    • (#260) Avoid diffing by lines if inefficient

    Minor documentation changes:

    • (#256) Fix typo in path.go

    v0.5.5

    Bug fixes:

    • (#253) Fix reporter verbosity bug

    Reporter changes:

    • (#254) De-virtualize interfaces for specialized diffing

    Dependency changes:

    • (#251) Use errors.Is with ≥go1.13 in compareErrors

    v0.5.4

    Bug fixes:

    • (#247) Fix non-determinism in diffing algorithm
    • (#248) Impose verbosity limit when formatting map keys

    v0.5.3

    Minor documentation changes:

    • (#236) Fix license headers
    • (#205) Add an example for IgnoreFields
    • (#237) Fix Diff documentation

    Commits

  • Bump github.com/google/tink/go from 1.4.0-rc2 to 1.6.0

    Bumps github.com/google/tink/go from 1.4.0-rc2 to 1.6.0.

    Release notes

    Sourced from github.com/google/tink/go's releases.

    Tink 1.6.0

    Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

    This is Tink 1.6.0.

    To get started using Tink, see the installation instructions.

    What's new

    The complete list of changes since 1.5.0 can be found here.

    New documentation website

    We've launched a new home for Tink documentation at https://developers.google.com/tink.

    The site brings together content currently spread across the HOW-TOs and other markdown files throughout the project repository.

    Initially, we've populated the site with instructions and code snippets for the Java and Python implementations. Moving forward, expect additional content covering other language implementations, additional critical path overviews, and more.

    Java

    Key templates API

    Introduced the KeyTemplates class. It has a get(name) method that facilitates getting any registered key template.

    A list of currently registered key templates can be obtained by calling Registry.keyTemplates()

    Custom key manager method removals

    The following methods have been removed. Except where noted, the methods had been annotated as being deprecated.

    • Registry
      • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle, final KeyManager<P> customManager, Class<P> primitiveClass)
        • not deprecated
      • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle, Class<P> primitiveClass)
        • not deprecated
      • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle, final KeyManager<P> customManager)
      • public static <P> PrimitiveSet<P> getPrimitives(KeysetHandle keysetHandle)
    • KeysetHandle
      • public <P> P getPrimitive(KeyManager<P> customKeyManager, Class<P> targetClassObject)
    • MacFactory
      • public static Mac getPrimitive(KeysetHandle keysetHandle, final KeyManager<Mac> keyManager)
    • HybridDecryptFactory
      • public static HybridDecrypt getPrimitive(KeysetHandle keysetHandle, final KeyManager<HybridDecrypt> keyManager)
    • AeadFactory
      • public static Aead getPrimitive(KeysetHandle keysetHandle, final KeyManager<Aead> keyManager)
    • PublicKeyVerifyFactory
      • public static PublicKeyVerify getPrimitive(KeysetHandle keysetHandle, final KeyManager<PublicKeyVerify> keyManager)
    • PublicKeySignFactory
      • public static PublicKeySign getPrimitive(KeysetHandle keysetHandle, final KeyManager<PublicKeySign> keyManager)

    ... (truncated)

    Commits
    • de84fd2 Resuming 1.6.0 release.
    • 8b1b361 Add type header to JWTs in C++.
    • ab8670a Merge pull request #501 from google:dependabot/npm_and_yarn/javascript/lodash...
    • 402f807 Remove some redundant JWT tests in Java.
    • ce621ba Workaround for pyenv issue causing Kokoro jobs to fail.
    • 7b2f80e Bump lodash from 4.17.20 to 4.17.21 in /javascript
    • 257809e Put Json-parsing into new class JsonUtil.
    • ebe49b0 Add function that converts JWK sets into Tink KeysetHandles.
    • 9f7ef81 Use Optional instead of null to indicate a missing value in JwtValidator.
    • b55e811 Fix a typo in deterministic_aead.go: s/plaintex/plaintext.
    • Additional commits viewable in compare view

  • Bump gocloud.dev from 0.20.0 to 0.23.0

    Bumps gocloud.dev from 0.20.0 to 0.23.0.

    Release notes

    Sourced from gocloud.dev's releases.

    v0.23.0

    blob:

    • azblob: Add support for CDN domains.
    • fileblob: Minor fixes and performance improvements; new option to skip writing sidecar/metadata files.
    • azblob: Fixed bug where Copy could fail with permission denied when using SAS tokens.

    pubsub:

    • Added a Message.LoggableID field for logging.
    • Added an As hook for AfterSend.
    • rabbitpubsub: Made the default URL opener reconnect if needed.

    docstore:

    • memdocstore: Fixed a bug in OrderBy when using Limit.

    secrets:

    • hashivault: Added support for VAULT_ADDR and VAULT_TOKEN as aliases for existing environment variables.
    • azurekeyvault: Added support for private clouds.

    server:

    • Logger is now passed the full Request (sans Body).

    v0.22.0

    • blob

      • azblob: Fixed a bug where a SAS token was not being used during Open.
    • pubsub

      • gcppubsub: Tell gRPC to allow messages up to 10MB.
      • azurepubsub: Fixed a bug when the number of messages returned is empty.
      • azurepubsub: Now using a new SendBatchDisposition function to simplify sending of acks/nacks.
      • awssnssqs: Fixed Message.As when used with multiple concurrent workers.
      • kafka: Fixed to use default partitioning when no KeyName is set.
    • runtimevar

      • Added a new driver for GCP Secret Manager.
    • mysql

      • Fixed parsing of URL hostnames in the form of protocol(addr).
    • docstore

      • all: Improved handling of byte arrays and non-pointer protocol buffers.
      • dynamodocstore: Added support for a consistent_read option to the URLOpener.

    v0.21.0

    • blob
      • all: added a ListPage function for listing blobs in pages.
      • all: added bucket.IsAccessible.

    ... (truncated)

    Commits
    • d0064f5 new release
    • 5b71424 all: prerelease v0.23.0
    • d284dbe pubsub: Add Message.LoggableID (#2998)
    • f004cb7 secrets/azurekeyvault: Add support for private clouds (Azure Stack) (#2997)
    • 5f19477 all: update dependencies (#2993)
    • bc7f4b3 secrets/hashivault: Add support for VAULT_ADDR and VAULT_TOKEN as aliases for...
    • 448a545 blob/azblob: Pass nil instead of an empty map for tags on Copy operation (#2989)
    • 7b4db4c pubsub/all: Add support for As hook AfterSend (#2987)
    • 7b8a196 server/requestlog: pass Request (without Body) into Logger via new field in E...
    • 6f954e2 internal/docs: update docs for GCP/gcloud's application default credentials (...
    • Additional commits viewable in compare view

Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Jan 9, 2023
Split and distribute your private keys securely amongst untrusted network

cocert An experimental tool for splitting and distributing your private keys safely* cocert, generates ECDSA - P521 key and uses a technique known as

Dec 5, 2022
Go implementation of a vanity attempt to generate Bitcoin private keys and subsequently checking whether the corresponding Bitcoin address has a non-zero balance.

vanity-BTC-miner Go implementation of a vanity attempt to generate Bitcoin private keys and subsequently checking whether the corresponding Bitcoin ad

Jun 3, 2022
Jan 7, 2023
🌰 encrypt/decrypt using ssh keys

ssh-vault 🌰 encrypt/decrypt using ssh private keys Documentation https://ssh-vault.com Usage $ ssh-vault -h Example: $ echo "secret" | ssh-vault -u

Dec 30, 2022
Generate a chia address from a public key

chia-address-generator This repo is a hack way to generate an address from publicKey. So it's not a good enough way to use it in prod, use it just for

Mar 9, 2022
Public key derivator for ECDSA (without knowledge of the private key)

A proof of concept of a public key derivation for ECDSA (without knowledge of the private key) It is a demonstration of how to implement a simple key

Nov 9, 2022
Xk6-crypto-x509 - A k6 extension to encrypt data with a PEM Public Key

xk6-crypto-x509 A k6 extension to encrypt data with a PEM Public Key This is a k

Jan 5, 2022
A public facing version of the Chicago data microservices repo.

chicago-data | full stack reporting solution Project Overview This repo houses microservices dedicated to ingesting and preparing open Chicago dataset

Jun 22, 2022
Kiteco-public - Primary Kite repo — private bits replaced with XXXXXXX

This is a public version of the main Kite repo The main Kite repo (originally kiteco/kiteco) was intended for private use. It has been lightly adapted

Dec 30, 2022
DERO: Secure, Anonymous Blockchain with Smart Contracts.  Subscribe to Dero announcements by sending mail to lists@dero.io with subject: subscribe announcements

Welcome to the Dero Project DERO News Forum Wiki Explorer Source Twitter Discord Github Stats WebWallet Medium Table of Contents ABOUT DERO PROJECT DE

Dec 7, 2022
fastrand implements a cryptographically secure pseudorandom number generator.

10x faster than crypto/rand. Uses securely allocated memory. The generator is seeded using the system's default entropy source, and thereafter produces random values via repeated hashing. As a result, fastrand can generate randomness much faster than crypto/rand, and generation cannot fail beyond a potential panic during init().

Nov 25, 2022
Secure software enclave for storage of sensitive information in memory.

MemGuard Software enclave for storage of sensitive information in memory. This package attempts to reduce the likelihood of sensitive data being expos

Dec 30, 2022
A simple, secure self-destructing message service, using HashiCorp Vault product as a backend

sup3rS3cretMes5age! A simple, secure self-destructing message service, using Has

Mar 5, 2022
OpenZeppelin Contracts is a library for secure smart contract development.

A library for secure smart contract development. Build on a solid foundation of community-vetted code. Implementations of standards like ERC20 and ERC

Jan 5, 2023
Monero: the secure, private, untraceable cryptocurrency

Monero Copyright (c) 2014-2021 The Monero Project. Portions Copyright (c) 2012-2013 The Cryptonote developers. Table of Contents Development resources

Jan 2, 2023
ChainMaker, a blockchain platform for building secure

ChainMaker, a blockchain platform for building secure, trustworthy value-exchange networks to power the new global digital economy. ChainMaker aim

Nov 15, 2022
A tiny secure-random password generator

go-psw A tiny golang tool for generating a crypto-random password in a terminal. Installation go install github.com/hedhyw/go-psw/cmd/psw@latest Usage

Jun 23, 2022
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP

sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. (demo)

Jan 9, 2023