Skip to content

Commit 87d3488

Browse files
jaschadubjaschadub
committed
Add v1.3.0 changelog entry for SkillSigner release
1 parent 4ede01a commit 87d3488

1 file changed

Lines changed: 20 additions & 0 deletions

File tree

CHANGELOG.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,26 @@ All notable changes to the SchemaPin project will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

8+
## [1.3.0] - 2026-02-14
9+
10+
### Added
11+
12+
#### SkillSigner — File-Based Skill Folder Signing & Verification (All Languages)
13+
14+
- **`skill` module (Rust, Python, JavaScript, Go)**: Deterministic directory canonicalization and cryptographic signing for AgentSkills (SKILL.md) folders.
15+
- **`canonicalize_skill()`**: Recursively walks skill directory in sorted order, hashes each file as `SHA256(relative_path + content)`, produces deterministic root hash and file manifest. Skips `.schemapin.sig` and symlinks.
16+
- **`parse_skill_name()`**: Extracts skill name from SKILL.md YAML frontmatter `name:` field, falls back to directory basename.
17+
- **`sign_skill()`**: Signs a skill folder with an ECDSA P-256 private key. Writes `.schemapin.sig` JSON containing root hash, per-file manifest, signature, domain, signer KID, and timestamp.
18+
- **`verify_skill_offline()`**: 7-step offline verification: load signature, validate discovery, extract key, check revocation, TOFU pin, canonicalize and compare, verify ECDSA signature.
19+
- **`verify_skill_with_resolver()`**: Resolves discovery and revocation documents via `SchemaResolver` trait, then delegates to offline verification.
20+
- **`load_signature()`**: Loads and parses `.schemapin.sig` JSON from a skill directory.
21+
- **`detect_tampered_files()`**: Compares current file manifest against signed manifest, reports modified, added, and removed files.
22+
- **`SkillSignature` struct**: Serializable signature document with `schemapin_version`, `skill_name`, `skill_hash`, `signature`, `signed_at`, `domain`, `signer_kid`, and `file_manifest`.
23+
24+
### Security
25+
26+
- Bumped `cryptography` dependency from 44.0.1/45.0.5 to 46.0.5 in Python and server packages.
27+
828
## [1.2.0] - 2026-02-11
929

1030
### Added

0 commit comments

Comments
 (0)