@maraino maraino commented Jul 2, 2025

This commit allows setting custom audiences to generate X.509 and SSH-related tokens. This change is backward compatible with the current interface.

Fixes #2323

This commit allows setting custom audiences to generate X.509 and
SSH-related tokens. This change is backward compatible with the current
interface.

Fixes #2323
@maraino maraino requested a review from darkfronza July 2, 2025 01:39
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Jul 2, 2025

@darkfronza darkfronza left a comment

LGTM

@maraino maraino merged commit 244e610 into master Jul 3, 2025
15 checks passed
@maraino maraino deleted the mariano/fix-2323 branch July 3, 2025 18:00
tacerus commented Jul 3, 2025

Thank you for improving this!

@hslatman hslatman added this to the v0.28.4 milestone Jul 9, 2025
liujed pushed a commit to liujed/caddy-dns01proxy that referenced this pull request Jul 27, 2025
Bumps
[github.com/smallstep/certificates](https://github.com/smallstep/certificates)
from 0.28.3 to 0.28.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/smallstep/certificates/releases">github.com/smallstep/certificates's
releases</a>.</em></p>
<blockquote>
<h2>Step CA v0.28.4 (25-07-14)</h2>
<h2>Official Release Artifacts</h2>
<h4>Linux</h4>
<ul>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca_linux_0.28.4_amd64.tar.gz">step-ca_linux_0.28.4_amd64.tar.gz</a></li>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca_0.28.4-1_amd64.deb">step-ca_0.28.4-1_amd64.deb</a></li>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca-0.28.4-1.x86_64.rpm">step-ca-0.28.4-1.x86_64.rpm</a></li>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca_0.28.4-1_arm64.deb">step-ca_0.28.4-1_arm64.deb</a></li>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca-0.28.4-1.aarch64.rpm">step-ca-0.28.4-1.aarch64.rpm</a></li>
</ul>
<h4>OSX Darwin</h4>
<ul>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca_darwin_0.28.4_amd64.tar.gz">step-ca_darwin_0.28.4_amd64.tar.gz</a></li>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca_darwin_0.28.4_arm64.tar.gz">step-ca_darwin_0.28.4_arm64.tar.gz</a></li>
</ul>
<h4>Windows</h4>
<ul>
<li>📦 <a
href="https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.28.4/step-ca_windows_0.28.4_amd64.zip">step-ca_windows_0.28.4_amd64.zip</a></li>
</ul>
<p>For more builds across platforms and architectures, see the
<code>Assets</code> section below.
And for packaged versions (Docker, k8s, Homebrew), see our <a
href="https://smallstep.com/docs/step-ca/installation">installation
docs</a>.</p>
<p>Don't see the artifact you need? Open an issue <a
href="https://github.com/smallstep/certificates/issues/new/choose">here</a>.</p>
<h2>Signatures and Checksums</h2>
<p><code>step-ca</code> uses <a
href="https://github.com/sigstore/cosign">sigstore/cosign</a> for
signing and verifying release artifacts.</p>
<p>Below is an example using <code>cosign</code> to verify a release
artifact:</p>
<pre><code>cosign verify-blob \
  --certificate step-ca_darwin_0.28.4_amd64.tar.gz.pem \
  --signature step-ca_darwin_0.28.4_amd64.tar.gz.sig \
  --certificate-identity-regexp &quot;https://github\.com/smallstep/workflows/.*&quot; \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.28.4_amd64.tar.gz
</code></pre>
<p>The <code>checksums.txt</code> file (in the <code>Assets</code>
section below) contains a checksum for every artifact in the
release.</p>
<h2>Changelog</h2>
<ul>
<li>2c61c44176a89885ea69dd341dca16fb2875d868 Update changelog (<a
href="https://redirect.github.com/smallstep/certificates/issues/2332">#2332</a>)</li>
<li>c86cf07be9c5909a08e631ca0490662f734c3505 Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2331">#2331</a>
from smallstep/mariano/fix-tests</li>
<li>831d005df8f245ba2cc98028524488f6d0a7442c Fix gcp unit tests</li>
<li>bc09e46c3c8263b1d10cd5afcf50da34a1c97b82 Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2133">#2133</a>
from ericnorris/feat-gcp-enable-organization-checking</li>
<li>0d9f0513cfd5506398f972dd8c40a5f3973be769 Merge branch 'master' into
feat-gcp-enable-organization-checking</li>
<li>197d0d3508d5f424865682a4df61a05850331487 Changelog updates (<a
href="https://redirect.github.com/smallstep/certificates/issues/2330">#2330</a>)</li>
<li>293222505539eed2e3dff9078070f1368dd55d99 Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2329">#2329</a>
from smallstep/dependabot/go_modules/google.golang.org/api-0.240.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/smallstep/certificates/blob/master/CHANGELOG.md">github.com/smallstep/certificates's
changelog</a>.</em></p>
<blockquote>
<h2>[0.28.4] - unreleased</h2>
<h3>Added</h3>
<ul>
<li>Add support for using key usage, extended key usage, and basic
constraints
<code>smallstep/crypto#767</code></li>
<li><code>smallstep/certificates#2326</code></li>
<li><code>smallstep/certificates#2290</code></li>
<li>Enable dynamic validation of project ownership within a GCP
organization
<code>smallstep/certificates#2133</code></li>
</ul>
<h3>Changed</h3>
<ul>
<li>Introduce poolhttp package for improved memory performance of
Authority
<code>smallstep/certificates#2325</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/smallstep/certificates/commit/2c61c44176a89885ea69dd341dca16fb2875d868"><code>2c61c44</code></a>
Update changelog (<a
href="https://redirect.github.com/smallstep/certificates/issues/2332">#2332</a>)</li>
<li><a
href="https://github.com/smallstep/certificates/commit/c86cf07be9c5909a08e631ca0490662f734c3505"><code>c86cf07</code></a>
Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2331">#2331</a>
from smallstep/mariano/fix-tests</li>
<li><a
href="https://github.com/smallstep/certificates/commit/831d005df8f245ba2cc98028524488f6d0a7442c"><code>831d005</code></a>
Fix gcp unit tests</li>
<li><a
href="https://github.com/smallstep/certificates/commit/bc09e46c3c8263b1d10cd5afcf50da34a1c97b82"><code>bc09e46</code></a>
Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2133">#2133</a>
from ericnorris/feat-gcp-enable-organization-checking</li>
<li><a
href="https://github.com/smallstep/certificates/commit/0d9f0513cfd5506398f972dd8c40a5f3973be769"><code>0d9f051</code></a>
Merge branch 'master' into feat-gcp-enable-organization-checking</li>
<li><a
href="https://github.com/smallstep/certificates/commit/197d0d3508d5f424865682a4df61a05850331487"><code>197d0d3</code></a>
Changelog updates (<a
href="https://redirect.github.com/smallstep/certificates/issues/2330">#2330</a>)</li>
<li><a
href="https://github.com/smallstep/certificates/commit/293222505539eed2e3dff9078070f1368dd55d99"><code>2932225</code></a>
Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2329">#2329</a>
from smallstep/dependabot/go_modules/google.golang.o...</li>
<li><a
href="https://github.com/smallstep/certificates/commit/312d1a2f9282bf447baa198eba9bb6530f724cb9"><code>312d1a2</code></a>
Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2325">#2325</a>
from smallstep/mariano/httpclient</li>
<li><a
href="https://github.com/smallstep/certificates/commit/b1dd5a6ebd2384468940d37b63fdb74dc59a2a82"><code>b1dd5a6</code></a>
Bump google.golang.org/api from 0.239.0 to 0.240.0</li>
<li><a
href="https://github.com/smallstep/certificates/commit/244e61098684e218bf93674d11a04247dd5385b8"><code>244e610</code></a>
Merge pull request <a
href="https://redirect.github.com/smallstep/certificates/issues/2326">#2326</a>
from smallstep/mariano/fix-2323</li>
<li>Additional commits viewable in <a
href="https://github.com/smallstep/certificates/compare/v0.28.3...v0.28.4">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Successfully merging this pull request may close these issues.

[Bug]: Hardcoded /sign endpoint in provisioner audience