Release 2.7.0

New features:

- Added overloaded setter `RelyingPartyBuilder.origins(Optional<Set<String>>)`.
- Added support for the CTAP2 `credProtect` extension.
- Added support for the `prf` extension.
- (Experimental) Added option `FinishRegistrationOptions.isConditionalCreate` to
  allow UP=0 in registration response for registration ceremonies with
  `mediation: "conditional"`.
  - NOTE: Experimental features may receive breaking changes without a major
    version increase.

Fixes:

- Excluded CVE-2025-27820 vulnerable versions of Apache httpclient5 from
  dependency resolution. Note that this might only affect consumers using Gradle
  module metadata.

Author: emlun

.github/workflows/build.yml

@@ -84,9 +84,16 @@ jobs:
       if: ${{ matrix.java != 8 }}  # JDK 8 does not produce reproducible binaries
       run: |
         ./gradlew clean primaryPublishJar
-        find . -name '*.jar' | xargs sha256sum | tee checksums.sha256sum
-        ./gradlew clean primaryPublishJar && sha256sum -c checksums.sha256sum
-        ./gradlew clean primaryPublishJar && sha256sum -c checksums.sha256sum
+        find . -name '*.jar' | grep -v buildSrc | grep -v gradle-wrapper | xargs sha256sum | tee java-webauthn-server-artifacts.sha256sum
+        ./gradlew clean primaryPublishJar && sha256sum -c java-webauthn-server-artifacts.sha256sum
+        ./gradlew clean primaryPublishJar && sha256sum -c java-webauthn-server-artifacts.sha256sum
+
+    - name: Archive artifact checksums
+      if: ${{ matrix.java != 8 }}  # JDK 8 does not produce reproducible binaries
+      uses: actions/upload-artifact@v4
+      with:
+        name: artifact-checksums-java${{ matrix.java }}-${{ matrix.distribution }}
+        path: java-webauthn-server-artifacts.sha256sum
 
   publish-test-results:
     name: Publish test results

NEWS

@@ -1,3 +1,23 @@
+== Version 2.7.0 ==
+
+New features:
+
+* Added overloaded setter `RelyingPartyBuilder.origins(Optional<Set<String>>)`.
+* Added support for the CTAP2 `credProtect` extension.
+* Added support for the `prf` extension.
+* (Experimental) Added option `FinishRegistrationOptions.isConditionalCreate` to
+  allow UP=0 in registration response for registration ceremonies with
+  `mediation: "conditional"`.
+ ** NOTE: Experimental features may receive breaking changes without a major
+    version increase.
+
+Fixes:
+
+* Excluded CVE-2025-27820 vulnerable versions of Apache httpclient5 from
+  dependency resolution. Note that this might only affect consumers using Gradle
+  module metadata.
+
+
 == Version 2.6.0 ==
 
 `webauthn-server-core`:

README

@@ -41,12 +41,16 @@ dependencies {
 }
 
 allprojects {
-  ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
-  ext.dirtyMarker = "-DIRTY"
-
-  apply plugin: 'com.cinnober.gradle.semver-git'
   apply plugin: 'idea'
 
+  if (System.env.VERSION) {
+    it.version = System.env.VERSION
+  } else {
+    ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
+    ext.dirtyMarker = "-DIRTY"
+    apply plugin: 'com.cinnober.gradle.semver-git'
+  }
+
   idea.module {
     downloadJavadoc = true
     downloadSources = true

build.gradle

@@ -15,14 +15,15 @@ Release candidate versions
     Gradle build script. Conversely, remove or downgrade to `implementation` any
     dependencies no longer exposed in the public API.
 
+    Add `@since` tags to the JavaDoc for new features.
+
  3. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 4. Update the Java version in the [`release-verify-signatures`
-    workflow](https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42).
+ 4. Update the Java version in the [`release-verify-signatures` workflow][workflow-release-src].
 
     See the `openjdk version` line of output from `java -version`:
 
@@ -44,39 +45,55 @@ Release candidate versions
     Check that this version is available in GitHub Actions. Commit this change,
     if any.
 
- 5. Tag the head commit with an `X.Y.Z-RCN` tag:
+ 5. Push the branch to GitHub.
+
+    If the pre-release makes significant changes to the project README, such
+    that the README does not accurately reflect the latest non-pre-release
+    version, push the changes on a separate release branch:
 
     ```
-    $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
+    $ git checkout -b release-1.4.0
+    $ git push origin release-1.4.0
     ```
 
-    No tag body needed.
+    If the README still accurately reflects the latest non-pre-release version,
+    you can simply push to main instead:
 
- 6. Publish to Sonatype Nexus:
+    ```
+    $ git push origin main
+    ```
+
+ 6. Wait for the ["build" workflow][workflow-build] to finish.
+    Download the `artifact-checksums-java17-temurin` artifact,
+    unpack it and verify that the artifact checksums match artifacts built locally:
 
     ```
-    $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
+    $ unzip artifact-checksums-java17-temurin.zip
+    $ VERSION=0.1.0-SNAPSHOT ./gradlew primaryPublishJar
+    $ sha256sum -c java-webauthn-server-artifacts.sha256sum
     ```
 
- 7. Push to GitHub.
+ 7. Tag the head commit with an `X.Y.Z-RCN` tag:
 
-    If the pre-release makes significant changes to the project README, such
-    that the README does not accurately reflect the latest non-pre-release
-    version, push the changes on a separate release branch:
+    ```
+    $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
+    ```
+
+    No tag body needed.
+
+ 8. Publish to Sonatype Nexus:
 
     ```
-    $ git checkout -b release-1.4.0
-    $ git push origin release-1.4.0 1.4.0-RC1
+    $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-    If the README still accurately reflects the latest non-pre-release version,
-    you can simply push to main instead:
+ 9. Push the tag to GitHub:
 
     ```
-    $ git push origin main 1.4.0-RC1
+    $ git push origin 1.4.0-RC1
     ```
 
- 8. Make GitHub release.
+10. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Check the pre-release checkbox.
@@ -86,9 +103,7 @@ Release candidate versions
     - Note the JDK version shown by `java -version` in step 3.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
- 9. Check that the ["Reproducible binary"
-    workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
-    runs and succeeds.
+11. Check that the ["Reproducible binary" workflow][workflow-release] runs and succeeds.
 
 
 Release versions
@@ -105,6 +120,8 @@ Release versions
     Gradle build script. Conversely, remove or downgrade to `implementation` any
     dependencies no longer exposed in the public API.
 
+    Add `@since` tags to the JavaDoc for new features.
+
  3. Make a no-fast-forward merge from the last (non release candidate) release
     to the commit to be released:
 
@@ -133,8 +150,7 @@ Release versions
 
  6. Update the version in JavaDoc links in the READMEs.
 
- 7. Update the Java version in the [`release-verify-signatures`
-    workflow](https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42).
+ 7. Update the Java version in the [`release-verify-signatures` workflow][workflow-release-src].
 
     See the `openjdk version` line of output from `java -version`:
 
@@ -168,27 +184,43 @@ Release versions
     $ ./gradlew clean check
     ```
 
-10. Tag the merge commit with an `X.Y.Z` tag:
+10. Push the branch to GitHub:
+
+    ```
+    $ git push origin main
+    ```
+
+11. Wait for the ["build" workflow][workflow-build] to finish.
+    Download the `artifact-checksums-java17-temurin` artifact,
+    unpack it and verify that the artifact checksums match artifacts built locally:
+
+    ```
+    $ unzip artifact-checksums-java17-temurin.zip
+    $ VERSION=0.1.0-SNAPSHOT ./gradlew primaryPublishJar
+    $ sha256sum -c java-webauthn-server-artifacts.sha256sum
+    ```
+
+12. Tag the merge commit with an `X.Y.Z` tag:
 
     ```
     $ git tag -a -s 1.4.0 -m "Release 1.4.0"
     ```
 
     No tag body needed since that's included in the commit.
 
-11. Publish to Sonatype Nexus:
+12. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-12. Push to GitHub:
+13. Push the tag to GitHub:
 
     ```
-    $ git push origin main 1.4.0
+    $ git push origin 1.4.0
     ```
 
-13. Make GitHub release.
+14. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
@@ -197,6 +229,9 @@ Release versions
     - Note the JDK version shown by `java -version` in step 6.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
-14. Check that the ["Reproducible binary"
-    workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
-    runs and succeeds.
+15. Check that the ["Reproducible binary" workflow][workflow-release] runs and succeeds.
+
+
+[workflow-build]: https://github.com/Yubico/java-webauthn-server/actions/workflows/build.yml
+[workflow-release]: https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml
+[workflow-release-src]: https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42

doc/releasing.md

@@ -16,7 +16,10 @@ dependencyResolutionManagement {
         create("constraintLibs") {
             library("cbor", "com.upokecenter:cbor:[4.5.1,5)")
             library("guava", "com.google.guava:guava:[24.1.1,33)")
-            library("httpclient5", "org.apache.httpcomponents.client5:httpclient5:[5.0.0,6)")
+            library("httpclient5", "org.apache.httpcomponents.client5", "httpclient5").version {
+              strictly("[5.0.0,6)")
+              reject("[5.4-alpha1,5.4.3)")
+            }
             library("slf4j", "org.slf4j:slf4j-api:[1.7.25,3)")
 
             val jacksonVer = version("jackson", "[2.13.2.1,3)")