github charmbracelet/soft-serve v0.11.3

13 hours ago

This release patches a critical auth issue that allows any malicious actor to gain access as any user.
Please upgrade ASAP!

Credit goes to @juancabe; thank you so much for noticing and reporting this one 🙂

Changelog

New!

Fixed


Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.3/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.3/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! Your artifacts are now verified!
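`sha256sum --ignore-missing` skips every listed file that is not present locally, so it does not confirm that the one artifact you are about to install is actually listed. The script below is an added example, not part of the release notes or the project's tooling: it runs the same cosign check first, then requires that the named artifact appears exactly once in checksums.txt and matches. The function names and exit codes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the soft-serve project): fail-closed release check.
# Usage: ./verify.sh checksums.txt <downloaded-artifact>

# Signature check, using the identity and issuer given in the release notes.
# Expects the bundle next to the checksums file as <file>.sigstore.json.
verify_signature() {
  cosign verify-blob \
    --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
    --bundle "$1.sigstore.json" \
    "$1"
}

# check_artifact CHECKSUMS FILE
# Returns 0 only if FILE's basename is listed exactly once in CHECKSUMS and
# its SHA-256 matches. Returns 1 on mismatch, 2 if an input file is missing,
# 3 if the artifact is unlisted or listed more than once.
# Assumes artifact names contain no whitespace.
check_artifact() {
  sums=$1
  file=$2
  [ -f "$sums" ] && [ -f "$file" ] || return 2
  name=$(basename -- "$file")
  # Lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode marker).
  expected=$(awk -v n="$name" '
    ($2 == n || $2 == "*" n) { h = $1; c++ }
    END { if (c == 1) print h }' "$sums")
  [ -n "$expected" ] || return 3
  actual=$(sha256sum -- "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || return 1
  return 0
}

# The checksum is trusted only after the signature over checksums.txt verifies.
verify_release() {
  verify_signature "$1" && check_artifact "$1" "$2"
}

if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2" && echo "OK: $2"
fi
```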


Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.
