Releases: privkeyio/keep
Releases · privkeyio/keep
Release list
v0.7.5
What's Changed
- keep-cli: keep the alt-screen-exit escape off command stdout by @kwsantiago in #740
- Bump version to 0.7.5 by @kwsantiago in #741
Full Changelog: v0.7.4...v0.7.5
v0.7.4
What's Changed
- keep-frost-net: in-attempt holder failover for OPRF unlock by @kwsantiago in #738
- Bump version to 0.7.4 by @kwsantiago in #739
Full Changelog: v0.7.3...v0.7.4
v0.7.3
What's Changed
- attestation-provision: --expected-pcr pins a known-good reference PCR (measured-boot) by @kwsantiago in #736
- Release v0.7.3: attestation-provision --expected-pcr by @kwsantiago in #737
Full Changelog: v0.7.2...v0.7.3
v0.7.2
What's Changed
- duress-provision: reject a duress credential equal to the vault password (anti-brick) by @kwsantiago in #734
- Release v0.7.2: duress-provision anti-brick guard by @kwsantiago in #735
Full Changelog: v0.7.1...v0.7.2
v0.7.1
What's Changed
- Release v0.7.1: fix duress emit flag to --group-total by @kwsantiago in #733
Full Changelog: v0.7.0...v0.7.1
v0.7.0
What's Changed
- Add Android cross-compile and UniFFI bindgen job to CI by @kwsantiago in #730
- Metadata-private duress beacon (NIP-59 gift wrap) with robust delivery by @kwsantiago in #731
- Release v0.7.0: metadata-private duress beacon by @kwsantiago in #732
Full Changelog: v0.6.1...v0.7.0
v0.6.1
What's Changed
- Retry duress beacon relay connection (fixes silent no-alert on slow hosts); v0.6.1 by @kwsantiago in #729
Full Changelog: v0.6.0...v0.6.1
v0.6.0
What's Changed
- keep-web: fix Windows-only failure in the replication test by @kwsantiago in #701
- keep-mobile: gate uniffi cli feature to the bindgen binary for reproducible builds by @kwsantiago in #702
- keep-state: rollback/replay guard via monotonic created_at (keep-ol4n) by @kwsantiago in #703
- keep-state: surface relay created_at rejection instead of silent replication loss (#704) by @kwsantiago in #706
- keep-state: bound consumer created_at to prevent permanent mark-poisoning (#708) by @kwsantiago in #709
- keep: zeroize the shared vault data key through the create chain (keep-1pmw/7n1i) by @kwsantiago in #710
- keep-state: bound the publish queue + retry transient send failures (keep-dycy) by @kwsantiago in #711
- cert-pin: robust SPKI extraction via x509-cert instead of a hand-rolled DER walk (keep-8fz) by @kwsantiago in #712
- keep-core: re-encrypt config and health_status tables on data-key rotation by @kwsantiago in #713
- keep-frost-net: gate OPRF/enroll oracles on fresh attestation, not a sticky Verified by @kwsantiago in #714
- keep-frost-net: attestation-gate the ECDH oracle like OPRF/enroll by @kwsantiago in #715
- attestation: fail closed on unverifiable enclave evidence and all-zero TPM policies by @kwsantiago in #717
- cert-pin: add fail-closed tests for extract_spki_from_der by @kwsantiago in #718
- nip46: sanitize the sign-approval content preview and share the bidi-safe field sanitizer by @kwsantiago in #719
- tui: sanitize app/action/detail in the activity-log pane by @kwsantiago in #720
- keep-web: honor KEEP_STATE_IDENTITY_FILE to keep the cluster nsec off the process env by @kwsantiago in #721
- keep-frost-net: add the duress beacon event primitive (inc1a of coercion resistance) by @kwsantiago in #722
- keep-cli: duress-provision command + beacon-key derivation (coercion inc1b) by @kwsantiago in #723
- Wire duress detection and fail-closed beacon into frost network serve by @kwsantiago in #724
- Freeze OPRF holder on a verified duress beacon by @kwsantiago in #725
- Persist duress freeze across reboot; wire beacon pins into serve by @kwsantiago in #726
- Add delayed, cancelable operator clear for the duress freeze by @kwsantiago in #727
- Release 0.6.0: coercion beacon delivery fixes + version bump by @kwsantiago in #728
Full Changelog: v0.5.0...v0.6.0
v0.5.0
Highlights
- Threshold-OPRF vault unlock with TPM attestation: a FROST group can gate a secret unlock behind a threshold-OPRF over secp256k1, with each participant's
frost network serveenforcing a TPM2 remote-attestation policy (opt-in;oprf-provision/oprf-unlockCLI,--tpm-tcti) (#618–#643). - HD FROST wallets (BIP-32 / BIP-86): FROST groups derive child keys by composing a BIP-32 tweak with FROST signing and emit BIP-86 HD taproot descriptors, with the derivation path carried through the sign wire protocol (closes #487) (#668–#672).
- Software distributed key generation: users without hardware can run DKG entirely in software (
frost network dkg), with participants authenticated against the signed group roster to close a relay-index hijack, plus bounded decoy-flood handling on both software and hardware paths (#673, closes #674, closes #676). - Signing hardening: PSBT prevout amounts are validated against a chain view before signing (closes #502); structured-payload verification defeats cross-domain label spoofs (closes #529); NIP-98 approval prompts surface the URL/method being authorized (#665, #667, #677).
- Cryptographic robustness: RNG health-check failures return a recoverable error instead of panicking in key/secret/vault-header generation; the post-refresh group-key check was corrected; TLS certificate pinning supports multiple pins per host for safe rotation; AEAD/deps advanced (RustCrypto 0.11, quinn-proto RUSTSEC-2026-0037) (#686, #688, #694, #696, #645, #641).
- Multi-node availability: keep-state replication over a Nostr relay, with a shared cluster vault data key, enables high-availability multi-node operation (#698, #700).
- Test coverage: extensive new mutation-killing and integration coverage across the DKG, PSBT, ECDH, and signing coordination paths (#681–#693).
Install
- CLI / Desktop: download the asset for your platform from the Assets section below.
- StartOS: bundled via keep-startos.
- Build from source: see the README.
Verify
sha256sum -c SHA256SUMSFull changelog
v0.4.9
Highlights
This release lands the NIP-55 / NIP-46 signer policy surface in the audited Rust core (mobile platforms previously duplicated this in Kotlin), plus NIP-55 interop features and the NIP-44 v3 cipher.
- Signer policy moved into Rust (RMP): permission decision + sensitive-kind duration clamp + expiry (#594), keyed-HMAC tamper-evident audit chain + verification (#595), caller trust-on-first-use decision + challenge-nonce store (#596), persistent
SigningRateLimiterover a storage callback with monotonic/wall-clock survival (#598), front-door rate limiter + request-count velocity policy (#599), and the NIP-46 bunker rate limiter — global + per-client + exponential backoff (#600). - NIP-55 interop: Amber-compatible batch / multi-event results wire format (#601),
get_public_keypermissions-array parsing into declared grants (#602), and NIP-42 (kind 22242) relay-host extraction + relay-auth whitelist gate (#603). - NIP-44 v3: kind/scope-aware (context-bound) encrypt/decrypt cipher in keep-core, verified byte-for-byte against the
nostr-land/nip44v3draft test vectors (#605). - NIP-46 grants: persist bunker remember-grants with the engine as the single source of truth (#593); drop the silent NIP-98 grant in favor of prompt-on-first-use with a remember-duration (#592).
- Security fixes: enclave fail-closed PCR matching —
ExpectedPcrsrequired by construction (#590), FROST refuses a partialrefresh_sharesto prevent silent share orphaning (#589), and password rotation verifies the old password when unlocked + audits every failure path (#588).
Install
- CLI / Desktop: download the asset for your platform from the Assets section below.
- StartOS: bundled via keep-startos.
- Build from source: see the README.
Verify
sha256sum -c SHA256SUMS