Added

• k8s_configmap BundlePublisher plugin (#6105, #6139)
• UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
• Integration tests running on ARM64 platform (#6059)
• The OIDC Discovery Provider can now read the trust bundle from a file (#6025)

Changed

• The "Container id not found" log message in the k8s WorkloadAttestor has been lowered to Debug level (#6128)
• Improvements in lookup performance for entries (#6100, #6034)
• Agent no longer pulls the bundle from trust_bundle_url if it is not required (#6065)

Fixed

• The subject_types_supported value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
• SPIRE Server gRPC servers are now gracefully stopped (#6076)

Security

• Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
  This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
  Thanks to Edoardo Geraci for reporting this issue.

Security

• Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
  This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
  Thanks to Edoardo Geraci for reporting this issue.

Fixed

• Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates. (#6074)

Added

• Support for Unix sockets in trust bundle URLs (#5932)
• Documentation improvements and additions (#5989, #6012)

Changed

• sql_transaction_timeout replaced by event_timeout and value reduced to 15 minutes (#5966)
• Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
• Improved error messages when retrieving CGroups (#6030)

Fixed

• Corrected invalid user-agent value in OIDC Discovery Provider debug logs (#5981)

Added

• Support for any S3 compatible object storage such as MinIO in the aws_s3 BundlePublisher plugin (#5757)
• Support for Rego V1 in the authorization policy engine (#5769)
• Support for SAN-based selectors in the x509pop NodeAttestor plugin (#5775)

Changed

• Agents now use the SyncAuthorizedEntries API for periodically synchronization of authorized entries by default (#5906)
• Timestamps in logs are now formatted to include nanoseconds (#5798)
• Improved entry lookup performance in NewJWTSVID and BatchNewX509SVID server RPCs (#5819)
• Increased the maximum number of idle database connections to 100 (#5853)
• The maximum idle time per database connection is now set to 30 seconds (#5853)
• Small documentation improvements (#5873, #5876)
• The experimental events-based cache now supports reading events from read-only replicas when data staleness is tolerated, enhancing read performance (#5911)
• The use_legacy_downstream_x509_ca_ttl server setting is now set to false by default (#5917)

Deprecated

• use_sync_authorized_entries experimental agent setting (#5906)
• use_legacy_downstream_x509_ca_ttl server setting (#5917)

Removed

• The deprecated k8s_sat NodeAttestor plugin (#5703)

Fixed

• Issue where agents did not receive entry updates when new entries with the same entry ID were created while use_sync_authorized_entries was enabled (#5764)

Added

• gcp_secretmanager SVIDStore plugin now supports specifying the regions where secrets are created (#5718)
• Support for expanding environment variables in the OIDC Discovery Provider configuration (#5689)
• Support for optionally enabling trust_domain label for all metrics (#5673)
• The JWKS URI returned in the discovery document can now be configured in the OIDC Discovery Provider (#5690)
• A server path prefix can now be specified in the OIDC Discovery Provider (#5690)

Changed

• Small documentation improvements (#5809, #5720)

Fixed

• Regression in the hydration of the experimental event-based cache that caused a delay in availability (#5842)
• Do not log an error when the Envoy SDS v3 API connection has been closed cleanly (#5835)
• SVIDStore plugins to properly parse metadata in entry selectors containing ':' characters (#5750)
• Compatibility with deployments that use a server port other than 443 when the jwt_issuer configuration is set in the OIDC Discovery Provider (#5690)
• Domain verification is now properly done when setting the jwt_issuer configuration in the OIDC Discovery Provider (#5690)

Security

• Fixed to properly call the CompareObjectHandles function when it's available on Windows systems, as an extra security measure in the peertracker (#5749)

Added

• The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (#5593, #5625)
• The JWT-SVID cache in the agent is now configurable (#5633)
• The JWT issuer is now configurable in the OIDC Discovery Provider (#5657)

Changed

• CA journal now relies on the authority ID instead of the issued time when updating the status of keys (#5622)

Fixed

• Spelling and grammar fixes (#5571)
• Handling of IPv6 address consistently for the binding address of the server and health checks (#5623)
• Link to Telemetry documentation in the Contributing guide (#5650)
• Handling of registration entries with revision number 0 when the agent syncs entries with the server (#5680)

Known Issues

• Setting the new jwt_issuer configuration property in oidc-discovery-provider is not compatible with deployments that use a server port other than 443 (#5696)
• Domain verification is bypassed when setting the new jwt_issuer configuration property in oidc-discovery-provider (#5697)

Added

• Support for forced rotation and revocation (https://github.com/orgs/spiffe/projects/21)
• New EJBCA UpstreamAuthority plugin for SPIRE Server (#5378)
• Support for variables in templates contained in the config file (#5576)
• Support for the configuration validation RPC on all built-in plugins (#5303)
• Improved logging when built-in plugins panic (#5476)
• Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (#5408)
• Documentation additions and improvements (#5589, #5588, #5499, #5433, #5430, #5269)

Changed

• SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the x509_svid_cache_max_size configuration option. (#5383, #5531)
• Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (#5506)
• Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (#5454)

Removed

• Deprecated -ttl flag from the SPIRE Server entry create and entry update commands (#5483)
• Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (#5487)

Fixed

• Missing TrustDomain field passed to x509pop path template (#5577)
• Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (#5509)

Fixed

• Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk#66, spiffe/spire-plugin-sdk#39)