- Support for using a custom backoff strategy in the Workload API client (#302)
- Support for a default JWT-SVID picker (#301)
- Empty bundles are now supported, in alignment with the SPIFFE specification (#288)
- Upgraded to go-jose v4 which has a stronger security posture than v3. Go-spiffe was not impacted by the security weaknesses of v3 due to stringing algorithm checking that is now handled by go-jose v4 (#276)
- Makefile invocation for Apple Silicon-based Macs (#275)
- Support Ed25519 keys for Workload SVIDs (#248)
- Panic if the Workload API returned a malformed JWT-SVID (#233)
- Race that causes WaitForUpdate to return immediately after watcher is initialized even if there is no update (#260)
- Name convenience method to the spiffeid.TrustDomain type (#228)
- PeerIDFromConnectionState method for extracting the peer ID from TLS connection state (#225)
- The
tlsconfigto enforce a minimum TLS version of TLS1.2 (#226)
- Panic when failing to parse raw SVID response returned from the Workload API (#223)
- Support for the SVID hints obtained from the Workload API (#220)
- JoinPathSegments properly disallows dot segments (#221)
- ValidatePathSegment function for validating an individual path segment (#221)
- Minimum supported go version to 1.17 (#209)
- Support for dialing named pipes using an npipe URL scheme (#198)
- The workloadapi.WatchX509Bundles method which watches X.509 bundles from the Workload API (#192)
- The workloadapi.WithNamedPipeName option to support connecting to the Workload API via named pipes (#190)
- The workloadapi.FetchJWTSVIDs method which fetches multiple JWT-SVIDs from the Workload API, instead of just the first (#187)
- The x509bundle.ParseRaw method for creating a bundle from raw ASN.1 encoded certificates (#192)
- The spiffeid.ID String() method no longer causes an allocation (#185)