January 17th, 2025

TSM Release 62.2.6 LTS

by Torben Lauritzen

Changelog

Docker image updated
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20250106192035-c31d5b91ecc3

Versions

Client API: 51.6
Client Communication: 27.0
Database: 7.8.0
Node Communication: 31.1
Node Configuration: 18.2

November 18th, 2024

TSM Release 68.0.0

by Torben Lauritzen

Changelog

Client API:
- Node.js SDKv2: Removed duplicate sign method, added TypeScript type definitions
Database:
- use encryptor for pkcs11 table
  
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241108191957-fa514ef75a0f

Versions

Client API: 58.0 (!)
Client Communication: 29.1
Database: 7.12.0
Node Communication: 32.1
Node Configuration: 21.2

November 18th, 2024

TSM Release 62.2.5 LTS

by Torben Lauritzen

Changelog

Docker image updated
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241108191957-fa514ef75a0f

Versions

Client API: 51.6
Client Communication: 27.0
Database: 7.8.0
Node Communication: 31.1
Node Configuration: 18.2

November 5th, 2024

TSM Release 67.0.0

by Michael Bæksvang Østergaard

Changelog

Client API:
	- New PKCS11 implementation with improved security
Client Communication:
	- Added PKCS11 endpoints
Database:
	- Add table for PKCS11 protocol
Node Communication:
	- Added PKCS11 protocol
Node Configuration:
	- Added PKCS11 protocol configuration
Patch changes (no effect on compatibility):
	- Fixed errors in the OCSP configuration
  
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c

Versions

Client API: 57.0 (!)
Client Communication: 29.1
Database: 7.11.0
Node Communication: 32.1
Node Configuration: 21.2

October 30th, 2024

TSM Release 66.0.0

by Torben Lauritzen

Changelog

	Client API:  
	- mTLS authentication with limited access based on certificate fields, specified in the configuration file.  
	- SDKv2 (Go, Node.js, Java, C): Added WithRootCAFile, WithPublicKeyPinning, WithOCSPValidation to the configuration builder  
	- SDKv2 (Go, Node.js, Java, C): Removed public key pinning from the mTLS authenticator, and added support for OCSP stapling of the client certificate  
	Node Configuration:  
	- Added OCSP configuration to the SDK server and the TLS authenticator  
	Patch changes (no effect on compatibility):  
	- Passing a negative UID or GID value to the tsm-node will now disable privilege dropping  
	- Updated required Go version to 1.22.0 (no need to specify a higher version than we need), but always build with the latest version
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c

Versions

Client API: 56.0 (!)  
Client Communication: 29.0  
Database: 7.10.0  
Node Communication: 32.0  
Node Configuration: 21.1

Upgrade Instructions

OCSP Configuration (Node Configuration: 21.1)

OCSP validation has been added

Filtering on certificate fields for mTLS authentication has been added.

Client API changes (Client API 55.0)

WithPublicKeyPinning is now an option on the client configuration, whereas it was part of the mTLS configuration before.
This means that public key pinning is now also possible for API key and OIDC authentication.

When using mTLS you can now choose to OCSP staple the client certificate. If this is not used, just pass nil as the
ocspStapling value when configuring mTLS authentication.

Finally, all the builder steps in the configuration can no longer return an error. The error will instead be reported
when instantiating the client.

October 30th, 2024

TSM Release 62.2.4 LTS

by Torben Lauritzen

Changelog

Patch changes (no effect on compatibility):
- Update Docker packages
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c

Versions

Client API: 51.6  
Client Communication: 27.0  
Database: 7.8.0  
Node Communication: 31.1  
Node Configuration: 18.2

October 10th, 2024

TSM Release 65.1.0

by Torben Lauritzen

Changelog

Client API:
- Node.js SDKv2: Added support for RSA, AES and HMAC
Patch changes (no effect on compatibility):
- Upgrade to Go 1.23.2 (https://go.dev/doc/devel/release#go1.23.minor)
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241004191011-08a83c5af9f8

Versions

Client API: 54.1
Client Communication: 29.0
Database: 7.10.0
Node Communication: 32.0
Node Configuration: 21.0

October 10th, 2024

TSM Release 62.2.3 LTS

by Torben Lauritzen

Changelog

Patch changes (no effect on compatibility):
- Upgrade to Go 1.23.2 (https://go.dev/doc/devel/release#go1.23.minor)
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241004191011-08a83c5af9f8

Versions

Client API: 51.6
Client Communication: 27.0
Database: 7.8.0
Node Communication: 31.1
Node Configuration: 18.2

September 9th, 2024

TSM Release 65.0.0

by Torben Lauritzen

Changelog

Node Configuration:
- All MPC protocol methods can be toggled on and off, and are DISABLED by default. You must explicitly enable the ones you need.
Patch changes (no effect on compatibility):
- Fixed error with DNS lookup when using iOS SDKs
- SDKv2 method for signing with a recovered schnorr private key

Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240905004112-7c4916698cc9

Versions

Client API: 54.0
Client Communication: 29.0
Database: 7.10.0
Node Communication: 32.0
Node Configuration: 21.0 (!)

Upgrade Instructions

MPC Protocol Features (Node Configuration: 21.0)

MPC protocol features such as GenerateKey, Sign, PublicKey, etc. can now be enabled or disabled per MPC protocol, and by default all methods are DISABLED. This means that without changes to the configuration file, the node will not be able to use the given MPC protocol, and it will fail to start.

Each MPC protocol (here we use DKLS19 as an example) now have a configuration section called DKLS19.Features that can look like this:

[DKLS19.Features]  
  GenerateKey = true  
  GeneratePresignatures = true  
  Sign = true  
  SignWithPresignature = true  
  GenerateRecoveryData = false  
  PublicKey = true  
  ChainCode = true  
  Reshare = false  
  CopyKey = false  
  BackupKeyShare = false  
  RestoreKeyShare = false  
  ExportKeyShares = false  
  ImportKeyShares = false  
  BIP32GenerateSeed = false  
  BIP32DeriveFromSeed = false  
  BIP32DeriveFromKey = false  
  BIP32ConvertKey = false  
  BIP32ExportSeed = false  
  BIP32ImportSeed = false  
  BIP32Info = false

Each MPC protocol can have a different feature set. Check the example configuration for a complete list of features for each protocol. The feature names correspond to methods in the SDK. If a feature is not listed, it defaults to false.

Also, some configuration options have been removed from the MPC protocols, as they are now controlled through the protocol features instead. This includes options such as EnableResharing, EnableShareBackup, EnableExport,
EnableERSExport and EnableBIP32ExportSeed.

If all features for an MPC protocol are disabled, the MPC node will refuse to start. In this case you should just
disable the protocol completely in the configuration.

Do not just enable all features without considering the impact of doing so. Especially features that allow export of
key shares in some way should be used with caution. In the example above the potentially dangerous features are
GenerateRecoveryData, BackupKeyShare, ExportKeyShares and BIP32ExportSeed.

September 9th, 2024

TSM Release 62.2.2 LTS

by Torben Lauritzen

Changelog

Patch changes (no effect on compatibility):
- Fixed error with DNS lookup when using iOS SDKs
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240905004112-7c4916698cc9

Versions

Client API: 51.6	
Client Communication: 27.0
Database: 7.8.0
Node Communication: 31.1
Node Configuration: 18.2