Skip to content

Releases: privkeyio/keep

v0.7.5

Choose a tag to compare

@github-actions github-actions released this 12 Jul 16:24
v0.7.5
62dc446

What's Changed

Full Changelog: v0.7.4...v0.7.5

v0.7.4

Choose a tag to compare

@github-actions github-actions released this 12 Jul 03:26
v0.7.4
2ad42c5

What's Changed

Full Changelog: v0.7.3...v0.7.4

v0.7.3

Choose a tag to compare

@github-actions github-actions released this 11 Jul 21:08
v0.7.3
f431540

What's Changed

  • attestation-provision: --expected-pcr pins a known-good reference PCR (measured-boot) by @kwsantiago in #736
  • Release v0.7.3: attestation-provision --expected-pcr by @kwsantiago in #737

Full Changelog: v0.7.2...v0.7.3

v0.7.2

Choose a tag to compare

@github-actions github-actions released this 11 Jul 03:28
v0.7.2
6b9e055

What's Changed

  • duress-provision: reject a duress credential equal to the vault password (anti-brick) by @kwsantiago in #734
  • Release v0.7.2: duress-provision anti-brick guard by @kwsantiago in #735

Full Changelog: v0.7.1...v0.7.2

v0.7.1

Choose a tag to compare

@github-actions github-actions released this 10 Jul 16:15
v0.7.1
0537554

What's Changed

  • Release v0.7.1: fix duress emit flag to --group-total by @kwsantiago in #733

Full Changelog: v0.7.0...v0.7.1

v0.7.0

Choose a tag to compare

@github-actions github-actions released this 10 Jul 15:36
v0.7.0
b7c3d58

What's Changed

  • Add Android cross-compile and UniFFI bindgen job to CI by @kwsantiago in #730
  • Metadata-private duress beacon (NIP-59 gift wrap) with robust delivery by @kwsantiago in #731
  • Release v0.7.0: metadata-private duress beacon by @kwsantiago in #732

Full Changelog: v0.6.1...v0.7.0

v0.6.1

Choose a tag to compare

@github-actions github-actions released this 10 Jul 12:37
v0.6.1
af52793

What's Changed

  • Retry duress beacon relay connection (fixes silent no-alert on slow hosts); v0.6.1 by @kwsantiago in #729

Full Changelog: v0.6.0...v0.6.1

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 10 Jul 06:16
v0.6.0
a34b64a

What's Changed

  • keep-web: fix Windows-only failure in the replication test by @kwsantiago in #701
  • keep-mobile: gate uniffi cli feature to the bindgen binary for reproducible builds by @kwsantiago in #702
  • keep-state: rollback/replay guard via monotonic created_at (keep-ol4n) by @kwsantiago in #703
  • keep-state: surface relay created_at rejection instead of silent replication loss (#704) by @kwsantiago in #706
  • keep-state: bound consumer created_at to prevent permanent mark-poisoning (#708) by @kwsantiago in #709
  • keep: zeroize the shared vault data key through the create chain (keep-1pmw/7n1i) by @kwsantiago in #710
  • keep-state: bound the publish queue + retry transient send failures (keep-dycy) by @kwsantiago in #711
  • cert-pin: robust SPKI extraction via x509-cert instead of a hand-rolled DER walk (keep-8fz) by @kwsantiago in #712
  • keep-core: re-encrypt config and health_status tables on data-key rotation by @kwsantiago in #713
  • keep-frost-net: gate OPRF/enroll oracles on fresh attestation, not a sticky Verified by @kwsantiago in #714
  • keep-frost-net: attestation-gate the ECDH oracle like OPRF/enroll by @kwsantiago in #715
  • attestation: fail closed on unverifiable enclave evidence and all-zero TPM policies by @kwsantiago in #717
  • cert-pin: add fail-closed tests for extract_spki_from_der by @kwsantiago in #718
  • nip46: sanitize the sign-approval content preview and share the bidi-safe field sanitizer by @kwsantiago in #719
  • tui: sanitize app/action/detail in the activity-log pane by @kwsantiago in #720
  • keep-web: honor KEEP_STATE_IDENTITY_FILE to keep the cluster nsec off the process env by @kwsantiago in #721
  • keep-frost-net: add the duress beacon event primitive (inc1a of coercion resistance) by @kwsantiago in #722
  • keep-cli: duress-provision command + beacon-key derivation (coercion inc1b) by @kwsantiago in #723
  • Wire duress detection and fail-closed beacon into frost network serve by @kwsantiago in #724
  • Freeze OPRF holder on a verified duress beacon by @kwsantiago in #725
  • Persist duress freeze across reboot; wire beacon pins into serve by @kwsantiago in #726
  • Add delayed, cancelable operator clear for the duress freeze by @kwsantiago in #727
  • Release 0.6.0: coercion beacon delivery fixes + version bump by @kwsantiago in #728

Full Changelog: v0.5.0...v0.6.0

v0.5.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 02:44
v0.5.0
8d7d3a4

Highlights

  • Threshold-OPRF vault unlock with TPM attestation: a FROST group can gate a secret unlock behind a threshold-OPRF over secp256k1, with each participant's frost network serve enforcing a TPM2 remote-attestation policy (opt-in; oprf-provision / oprf-unlock CLI, --tpm-tcti) (#618#643).
  • HD FROST wallets (BIP-32 / BIP-86): FROST groups derive child keys by composing a BIP-32 tweak with FROST signing and emit BIP-86 HD taproot descriptors, with the derivation path carried through the sign wire protocol (closes #487) (#668#672).
  • Software distributed key generation: users without hardware can run DKG entirely in software (frost network dkg), with participants authenticated against the signed group roster to close a relay-index hijack, plus bounded decoy-flood handling on both software and hardware paths (#673, closes #674, closes #676).
  • Signing hardening: PSBT prevout amounts are validated against a chain view before signing (closes #502); structured-payload verification defeats cross-domain label spoofs (closes #529); NIP-98 approval prompts surface the URL/method being authorized (#665, #667, #677).
  • Cryptographic robustness: RNG health-check failures return a recoverable error instead of panicking in key/secret/vault-header generation; the post-refresh group-key check was corrected; TLS certificate pinning supports multiple pins per host for safe rotation; AEAD/deps advanced (RustCrypto 0.11, quinn-proto RUSTSEC-2026-0037) (#686, #688, #694, #696, #645, #641).
  • Multi-node availability: keep-state replication over a Nostr relay, with a shared cluster vault data key, enables high-availability multi-node operation (#698, #700).
  • Test coverage: extensive new mutation-killing and integration coverage across the DKG, PSBT, ECDH, and signing coordination paths (#681#693).

Install

  • CLI / Desktop: download the asset for your platform from the Assets section below.
  • StartOS: bundled via keep-startos.
  • Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.9...v0.5.0

v0.4.9

Choose a tag to compare

@github-actions github-actions released this 13 Jun 21:25
v0.4.9
31ad043

Highlights

This release lands the NIP-55 / NIP-46 signer policy surface in the audited Rust core (mobile platforms previously duplicated this in Kotlin), plus NIP-55 interop features and the NIP-44 v3 cipher.

  • Signer policy moved into Rust (RMP): permission decision + sensitive-kind duration clamp + expiry (#594), keyed-HMAC tamper-evident audit chain + verification (#595), caller trust-on-first-use decision + challenge-nonce store (#596), persistent SigningRateLimiter over a storage callback with monotonic/wall-clock survival (#598), front-door rate limiter + request-count velocity policy (#599), and the NIP-46 bunker rate limiter — global + per-client + exponential backoff (#600).
  • NIP-55 interop: Amber-compatible batch / multi-event results wire format (#601), get_public_key permissions-array parsing into declared grants (#602), and NIP-42 (kind 22242) relay-host extraction + relay-auth whitelist gate (#603).
  • NIP-44 v3: kind/scope-aware (context-bound) encrypt/decrypt cipher in keep-core, verified byte-for-byte against the nostr-land/nip44v3 draft test vectors (#605).
  • NIP-46 grants: persist bunker remember-grants with the engine as the single source of truth (#593); drop the silent NIP-98 grant in favor of prompt-on-first-use with a remember-duration (#592).
  • Security fixes: enclave fail-closed PCR matching — ExpectedPcrs required by construction (#590), FROST refuses a partial refresh_shares to prevent silent share orphaning (#589), and password rotation verifies the old password when unlocked + audits every failure path (#588).

Install

  • CLI / Desktop: download the asset for your platform from the Assets section below.
  • StartOS: bundled via keep-startos.
  • Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.8...v0.4.9