Releases: trailofbits/rfc3161-client
Release list
v1.0.7
[1.0.7] - 2026-07-07
Fixed
- macOS wheels are now self-contained: OpenSSL is vendored and statically linked
like the Linux wheels. Previously the published macOS wheel baked in an absolute
path to Homebrew'sopenssl@3and failed to import on machines without that exact
install (#276)
v1.0.6
[1.0.6] - 2026-04-08
Fixed
- Fixed a bug where the verification incorrectly picked the leaf certificate. This
allowed an attacker who could modify a timestamp response to make a
legitimately-signed timestamp from TSA-A pass verification as if it came from
TSA-B.
v1.0.5
[1.0.5] - 2025-09-23
Changed
- Bump
pyca/cryptographydependency upper bound to version 47
v1.0.4
[1.0.4] - 2025-08-11
Changed
- Timestamps are now verified with the timestamp time as reference time like the RFC
says: this means that the certificate chain no longer needs to be valid at current
time, it is enough for it to have been valid at timestamp time
(#174)
v1.0.3
[1.0.3] - 2025-06-20
Fixed
-
Exposed
verify_messagein the actualVerifyinterface, not just the implementation
(#153) -
Fixed a bug where verification performed insufficient signature checks on
the timestamp response itself, rather than the response's certificate chain
v1.0.2
Changed
-
Added
HashAlgorithmto exports of the base package module (#143) -
Added
verify_messagemethod toVerifierclass (#144) -
Slight refactoring of the tests to ease how to test with multiple TSA (#145)
-
Changed return value of
VerifierBuilder.build()from_VerifiertoVerifier: This is technically
an API change but should have minimal user impact. (#147)
Fixed
- Fixed spelling of
hash_algorithmparameter inTimestampRequestBuilderclass (#131)
v1.0.1
What's changed?
Fixed
-
The Verifier now enforces that the EKU (Extended Key Usage) explicitly includes the id-kp-timeStamping OID (#120)
-
The Verifier now searches for the leaf certificate in the Timestamp Response instead of using the first one provided (#121)
New Contributors
- @pjrobertson made their first contribution in #121
Full Changelog: v1.0.0...v1.0.1
v1.0.0 - First release
What's Changed
- TimestampRequest now accepts setting the hash algorithm to SHA256 (in addition to SHA512) (#93)
Full Changelog: v0.1.2...v1.0.0