This release includes a bug fix to our SSRF protection rules: previously they checked the target host without first resolving it via DNS, so the resolved address was never inspected. It also adds SSRF security checks to LFS, so make sure you upgrade your instance to get the latest security updates.
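To make the DNS point concrete, here is an added Go example (written for this page, not soft-serve's own code) that contrasts a naive SSRF check, which only inspects the literal host string, with one that resolves the hostname first and rejects any address that lands in loopback, private or link-local space. The resolver is injected as a function, and the records in constructedResolver are made-up sample data so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS lookup so the check can be exercised without network access.
type Resolver func(host string) ([]net.IP, error)

// isDisallowedIP reports whether ip points somewhere an outbound request
// should never go: loopback, RFC 1918 / ULA, link-local (incl. 169.254.x.x), or unspecified.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsUnspecified()
}

// parseHTTPURL accepts only http(s) URLs with a non-empty host.
func parseHTTPURL(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, errors.New("empty host")
	}
	return u, nil
}

// NaiveCheckURL is the flawed variant: it rejects literal internal IPs but never
// resolves hostnames, so a name that resolves to 127.0.0.1 passes.
func NaiveCheckURL(rawURL string) error {
	u, err := parseHTTPURL(rawURL)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isDisallowedIP(ip) {
		return fmt.Errorf("literal address %s is disallowed", ip)
	}
	return nil
}

// CheckURL resolves the host (unless it is already a literal IP) and rejects
// the URL if any resolved address is internal.
func CheckURL(rawURL string, resolve Resolver) error {
	u, err := parseHTTPURL(rawURL)
	if err != nil {
		return err
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil {
			return fmt.Errorf("resolve %q: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("resolve %q: no addresses", host)
		}
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

// constructedResolver is a stand-in for DNS with made-up records (not real hosts).
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string][]string{
		"webhook.example.com":   {"203.0.113.10"},    // public (TEST-NET-3)
		"internal.example.test": {"127.0.0.1"},       // resolves to loopback
		"metadata.example.test": {"169.254.169.254"}, // link-local metadata-style address
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{"https://webhook.example.com/hook", "https://internal.example.test/hook"} {
		fmt.Printf("%-36s naive=%v resolved=%v\n", raw, NaiveCheckURL(raw), CheckURL(raw, constructedResolver))
	}
}
```

The resolved addresses should also be the ones the client actually connects to (for example by dialing the checked IP rather than re-resolving the name), otherwise a record that changes between the check and the request undoes the protection.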
Changelog
Fixed
- 19bc627: fix(ssh): add argument validation to webhook deliveries commands (@aymanbagabas)
- 3ef6600: fix(ssrf): handle DNS resolution in SSRF protection (@aymanbagabas)
Other stuff
Verifying the artifacts
First, download the checksums.txt and checksums.txt.sigstore.json files, for example with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.4/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.4/checksums.txt.sigstore.json'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--bundle 'checksums.txt.sigstore.json' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.