Merge branch 'new-keyshare-protocol' into new-keyshare-protocol-clien…

…tside

.github/actions/build/action.yml

@@ -17,19 +17,19 @@ runs:
   using: composite
   steps:
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
-        go-version: ^1.16
+        go-version: ^1.18
 
     - name: Determine artifact output filename
       id: artifact-name-generator
-      run: echo "artifact-name=irma-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.os == 'windows' && '.exe' || '' }}" >> $GITHUB_OUTPUT
+      run: echo "artifact-name=irma-${{ inputs.os }}-${{ inputs.arch }}${{ inputs.os == 'windows' && '.exe' || '' }}" >> $GITHUB_OUTPUT
       shell: bash
 
     - name: Build
       run: go build -v -a -ldflags '-extldflags "-static"' -o ${{ steps.artifact-name-generator.outputs.artifact-name }} ./irma
       shell: bash
       env:
-        GOOS: ${{ matrix.os }}
-        GOARCH: ${{ matrix.arch }}
+        GOOS: ${{ inputs.os }}
+        GOARCH: ${{ inputs.arch }}
         CGO_ENABLED: "0"

.github/workflows/delivery.yml

@@ -2,17 +2,26 @@ name: Delivery
 
 on:
   push:
-    tags: [ v* ]
+    branches: [ master ]
+  release:
+    # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
+    types: [ published ]
 
 permissions:
   contents: write
+  packages: write
+
+# Disable concurrency to prevent that images are tagged in the wrong order.
+concurrency:
+  group: delivery
 
 jobs:
 
-  ensure-release-present:
+  prepare:
     runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    outputs:
+      is-head-master: ${{ steps.is-head-master.outcome == 'success' }}
+      is-latest-release: ${{ steps.is-latest-release.outcome == 'success' }}
     steps:
       - uses: actions/checkout@v3
         with:
@@ -23,30 +32,76 @@ jobs:
         run: git branch --contains ${{ github.sha }} | grep -x "* master"
         shell: bash
 
+      - name: Check whether this event is the HEAD of master
+        continue-on-error: true
+        id: is-head-master
+        run: git rev-parse HEAD | grep -x ${{ github.sha }}
+        shell: bash
+
       - uses: actions/checkout@v3
 
       - name: Check whether version.go contains the new version number
+        if: github.event_name == 'release'
         run: cat version.go | grep ${GITHUB_REF_NAME:1}
         shell: bash
 
       - name: Check whether CHANGELOG.md contains the new version number
+        if: github.event_name == 'release'
         run: cat CHANGELOG.md | grep "\[${GITHUB_REF_NAME:1}\]"
         shell: bash
 
-      - name: Check whether release is present
-        id: release-present
-        run: gh release view ${{ github.ref_name }}
+      - name: Check whether the release is latest
         continue-on-error: true
+        id: is-latest-release
+        if: github.event_name == 'release'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release view --json tagName --jq .tagName | grep -x ${{ github.event.release.tag_name }}
+        shell: bash
+
+  build-docker-image:
+    runs-on: ubuntu-latest
+    needs: prepare
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build Docker image
+        run: docker build -t ghcr.io/${{ github.repository_owner }}/irma:${{ github.sha }} .
+
+      - name: Tag Docker image (edge)
+        if: needs.prepare.outputs.is-head-master == 'true'
+        run: docker tag ghcr.io/${{ github.repository_owner }}/irma:${{ github.sha }} ghcr.io/${{ github.repository_owner }}/irma:edge
+
+      - name: Tag Docker image (version)
+        if: github.event_name == 'release'
+        run: docker tag ghcr.io/${{ github.repository_owner }}/irma:${{ github.sha }} ghcr.io/${{ github.repository_owner }}/irma:${{ github.event.release.tag_name }}
+
+      - name: Tag Docker image (latest)
+        if: needs.prepare.outputs.is-latest-release == 'true'
+        run: docker tag ghcr.io/${{ github.repository_owner }}/irma:${{ github.sha }} ghcr.io/${{ github.repository_owner }}/irma:latest
 
-      - name: Make new release if necessary
-        if: steps.release-present.outcome == 'failure'
-        run: gh release create ${{ github.ref_name }} -t "${{ github.ref_name }}" -n "Check CHANGELOG.md in repository."
+      - name: Push Docker image (edge)
+        if: needs.prepare.outputs.is-head-master == 'true'
+        run: docker push ghcr.io/${{ github.repository_owner }}/irma:edge
+
+      - name: Push Docker image (version)
+        if: github.event_name == 'release'
+        run: docker push ghcr.io/${{ github.repository_owner }}/irma:${{ github.event.release.tag_name }}
+
+      - name: Tag Docker image (latest)
+        if: needs.prepare.outputs.is-latest-release == 'true'
+        run: docker push ghcr.io/${{ github.repository_owner }}/irma:latest
 
   build-release-artifact:
-    needs: ensure-release-present
+    needs: prepare
     runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
       matrix:
         os: [ linux, darwin, windows ]
@@ -67,4 +122,13 @@ jobs:
           arch: ${{ matrix.arch }}
 
       - name: Upload artifact
-        run: gh release upload ${{ github.ref_name }} ${{ steps.build.outputs.artifact-name }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: irma-${{ matrix.os }}-${{ matrix.arch }}
+          path: ${{ steps.build.outputs.artifact-name }}
+
+      - name: Upload artifact to release
+        if: github.event_name == 'release'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload ${{ github.event.release.tag_name }} ${{ steps.build.outputs.artifact-name }}

.github/workflows/status-checks-dockerfile.yml

@@ -2,39 +2,24 @@
 name: Status checks (Dockerfile)
 
 on:
-  push:
-    branches: [ master ]
-    paths:
-      - Dockerfile
+  # Delivery pipeline already runs this on push to master.
   pull_request:
     paths:
       - Dockerfile
-  schedule:
-    # Run every monday on 9:00 in the morning (UTC).
-    - cron: "0 9 * * 1"
-  # Make it possible to trigger the checks manually.
-  workflow_dispatch:
+
+# Building the Dockerfile includes downloading the IRMA schemes.
+# Therefore, we only run one check at the time, and we put a limit on the event types triggering this job.
+concurrency:
+  group: dockerfile
 
 jobs:
-  # Building the Dockerfile includes downloading the IRMA schemes.
-  # Therefore, we only run one check at the time, and we put a limit on the event types triggering this job.
-  docker-build-all:
+  docker-build:
     runs-on: ubuntu-latest
-    strategy:
-      max-parallel: 1
-      matrix:
-        # busybox is not working yet.
-        image:
-          - "debian:stable"
-          - "alpine:latest"
-          - "ubuntu:latest"
-          - "centos:latest"
-          - "amazonlinux:latest"
     steps:
       - uses: actions/checkout@v3
 
       - name: Build Dockerfile
-        run: docker build -t privacybydesign/irma:edge --build-arg BASE_IMAGE=${{ matrix.image }} .
+        run: docker build -t ghcr.io/${{ github.repository_owner }}/irma:${{ github.sha }} .
 
       - name: Test Docker image
-        run: docker run privacybydesign/irma:edge version
+        run: docker run ghcr.io/${{ github.repository_owner }}/irma:${{ github.sha }} version

.github/workflows/status-checks.yml

@@ -52,9 +52,9 @@ jobs:
     - uses: actions/checkout@v3
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
-        go-version: ^1.16
+        go-version: ^1.18
 
     - name: Run gofmt
       # gofmt does not return non-zero exit codes on failure, so we have to check that there are no issues using grep.
@@ -75,6 +75,12 @@ jobs:
     - name: Run misspell
       run: misspell -error .
 
+    - name: Install staticcheck
+      run: go install honnef.co/go/tools/cmd/[email protected]
+
+    - name: Run staticcheck
+      run: staticcheck -checks "all,-ST1000,-ST1003,-SA1019,-SA1029" ./...
+
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 10

CHANGELOG.md

@@ -5,33 +5,61 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Added
+- E-mail address revalidation, addressing issues where user's e-mail addresses can be (temporary) invalid
+- Keyshare server /api/v2/prove/... endpoints for the new keyshare protocol
+
+## [0.13.2] - 2023-08-22
+### Changed
+- Remove mail header 'Content-Transfer-Encoding: binary'
+  The header gets converted to 'Content-Transfer-Encoding: quoted-printable' causing 'arc=fail (body hash mismatch)' with gmail
+
+## [0.13.1] - 2023-08-16
+### Fixed
+- Invalid amount of arguments in query scan when e-mail revalidation is disabled
 
+## [0.13.0] - 2023-08-10
 ### Added
 - E-mail address revalidation, addressing issues where user's e-mail addresses can be (temporary) invalid
+- Publish the Docker image of the `irma` CLI tool on ghcr.io/privacybydesign/irma
+- Support for revocation db type `sqlserver` (Microsoft SQL Server)
 
 ### Changed
 - Use separate application user in Dockerfile for entrypoint
 - Rename RevocationStorage's UpdateLatest function to LatestUpdates. This name better fits its behaviour. The functionality stays the same.
 - Validate revocation witness before revocation update is applied
 - RevocationStorage's EnableRevocation function does not return an error anymore if it has been enabled already
+- Use a Docker image created from scratch as base for the Dockerfile
 - Custom WrapErrorPrefix function that respects the error's type
+- Log info message of irma.SessionError errors
 
 As part of e-mail address revalidation:
 - `VerifyMXRecord` incorporates a check to see if there is an active network connection
-- MyIrma server: `/user` returns an additional field `revalidate_in_progress` in the JSON response body, indicating whether the e-mail address is being revalidated or not 
+- MyIrma server: `/user` returns an additional field `revalidate_in_progress` in the JSON response body, indicating whether the e-mail address is being revalidated or not
 - MyIrma server: `/user/delete` and `/email/remove` return a 500 status code and `REVALIDATE_EMAIL` error type if one or more e-mail addresses of the user are invalid
 
 **Note:** Enabling e-mail address revalidation requires a change in the database schema. In order to do this please add the `revalidate_on` column of type `bigint` to the `irma.emails` table. See the [schema](https://github.com/privacybydesign/irmago/tree/master/server/keyshare/schema.sql#L50) file. Otherwise e-mail address revalidation is disabled and there will not be a breaking change.
 
 ### Fixed
 - Race conditions in database logic of revocation storage
-- `irma scheme verify` not detecting missing files in index 
+- `irma scheme verify` not detecting missing files in index
 - Scheme verification/signing does not reject credentials with invalid revocation settings
 - Write transactions within memory implementation of revocation storage may lead to unintended changes
 
 ### Removed
 - Superfluous openssl package in Dockerfile
 
+### Security
+- Let IRMA servers by default reject IRMA/Yivi apps that don't support pairing codes (IRMA protocol version <= 2.7)
+
+**Note:** This is an important security update for issuers to make sure that pairing codes cannot be circumvented.
+IRMA apps that don't support pairing codes should not be in circulation anymore, so this change won't affect users.
+Yivi apps have always supported pairing codes.
+
+### Internal
+- Linter switch from golint to staticcheck
+- Use Postgres 15 for unit and component tests
+
 ## [0.12.6] - 2023-05-31
 ### Fixed
 - Legacy endpoints of keyshare server return 403 status codes when database is down
@@ -378,6 +406,9 @@ This release contains several large new features. In particular, the shoulder su
 - Combined issuance-disclosure requests with two schemes one of which has a keyshare server now work as expected
 - Various other bugfixes
 
+[0.13.2]: https://github.com/privacybydesign/irmago/compare/v0.13.1...v0.13.2
+[0.13.1]: https://github.com/privacybydesign/irmago/compare/v0.13.0...v0.13.1
+[0.13.0]: https://github.com/privacybydesign/irmago/compare/v0.12.6...v0.13.0
 [0.12.6]: https://github.com/privacybydesign/irmago/compare/v0.12.5...v0.12.6
 [0.12.5]: https://github.com/privacybydesign/irmago/compare/v0.12.4...v0.12.5
 [0.12.4]: https://github.com/privacybydesign/irmago/compare/v0.12.3...v0.12.4

Dockerfile

@@ -1,7 +1,4 @@
-# Use variable base image, such that we can also build for other base images, like alpine.
-ARG BASE_IMAGE=debian:stable-slim
-
-FROM golang:1 as build
+FROM golang:1-alpine as build
 
 # Set build environment
 ENV CGO_ENABLED=0
@@ -11,23 +8,27 @@ COPY . /irmago
 WORKDIR /irmago
 RUN go build -a -ldflags '-extldflags "-static"' -o "/bin/irma" ./irma
 
-FROM $BASE_IMAGE
+# Create application user
+RUN adduser -D -u 1000 -g irma irma
 
-# The amazonlinux image does not include adduser, so we have to install this first.
-RUN if grep -q -E 'Amazon Linux' /etc/os-release; then yum install -y shadow-utils; fi
+# Start building the final image
+FROM scratch
 
-# Add application user
-RUN adduser --disabled-password --gecos '' irma || adduser irma
+# Copy binary from build stage
+COPY --from=build /bin/irma /bin/irma
 
-# The debian image does not include ca-certificates, so we have to install this first.
-RUN if which apt-get &> /dev/null; then apt-get update && apt-get install -y ca-certificates; fi
+# Add TLS root certificates
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
-COPY --from=build /bin/irma /usr/local/bin/irma
+# Ensure the application user and group is set
+COPY --from=build /etc/passwd /etc/passwd
+COPY --from=build /etc/group /etc/group
+COPY --from=build --chown=irma:irma /home/irma/ /home/irma/
 
 # Switch to application user
 USER irma
 
-# Include schemes in the Docker image to speed up the start-up time.
-RUN irma scheme download
+# Include schemes in the Docker image to speed up the start-up time
+RUN ["/bin/irma", "scheme", "download"]
 
-ENTRYPOINT ["irma"]
+ENTRYPOINT ["/bin/irma"]