Signatory v1.4.0 Released
Signatory v1.4.0 is out. This is the first stable release since v1.3.1 and focuses on observability, security hardening, and operational resilience.
Observability overhaul
Signatory now ships with comprehensive Prometheus metrics for signing operations, watermark checks, and consensus rounds. New metrics include sign_handler_request_duration_milliseconds, sign_handler_requests_total, watermark_check_duration_milliseconds, and consensus_round_total. The consensus round is also now visible in log output for blocks, attestations, and preattestations. A Grafana dashboard panel for round distribution is included. We also fixed several metric correctness issues where counters weren’t incrementing properly.
Full metrics documentation with example PromQL queries is now available at signatory.io.
Security hardening
- Docker images now run as non-root (UID 10000) on an Ubuntu 24.04 base
- JWT authentication uses constant-time comparison, with mutex protection for credential maps
- Inlined AES Key Wrap from the archived Google Tink module, removing the dependency
- Nitro Enclave Docker deployments now use a scoped seccomp profile instead of --privileged
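To make the JWT hardening bullet concrete, here is an added Go example (written for this post, not Signatory's own code) of a credential store that uses crypto/subtle for constant-time secret comparison and a sync.RWMutex around the credential map. The CredentialStore type, its methods and naiveEqual are this example's assumptions; secrets are hashed before comparison so both inputs have fixed length.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sync"
)

// CredentialStore keeps SHA-256 digests of each user's secret. The RWMutex
// protects the map against concurrent request handlers and credential reloads.
type CredentialStore struct {
	mu    sync.RWMutex
	creds map[string][32]byte
}

func NewCredentialStore() *CredentialStore {
	return &CredentialStore{creds: make(map[string][32]byte)}
}

// Set stores the digest of secret for user under the write lock.
func (s *CredentialStore) Set(user, secret string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.creds[user] = sha256.Sum256([]byte(secret))
}

// Verify checks user/secret without leaking timing information about the
// secret. Hashing gives fixed-length inputs, so ConstantTimeCompare runs in
// time independent of how many bytes matched. The comparison is performed
// even for an unknown user, and the result is combined with ConstantTimeSelect
// rather than a short-circuit && so the unknown-user path takes the same time.
func (s *CredentialStore) Verify(user, secret string) bool {
	s.mu.RLock()
	stored, ok := s.creds[user] // zero digest if the user does not exist
	s.mu.RUnlock()

	candidate := sha256.Sum256([]byte(secret))
	cmp := subtle.ConstantTimeCompare(stored[:], candidate[:])
	known := 0
	if ok {
		known = 1
	}
	return subtle.ConstantTimeSelect(known, cmp, 0) == 1
}

// naiveEqual is the pattern the hardening replaces: it returns at the first
// differing byte, so its running time depends on the length of the matching
// prefix. Functionally identical, but not safe for comparing secrets.
func naiveEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	store := NewCredentialStore()
	store.Set("alice", "correct-horse") // constructed sample credential
	fmt.Println("alice/correct-horse:", store.Verify("alice", "correct-horse"))
	fmt.Println("alice/wrong:        ", store.Verify("alice", "wrong"))
	fmt.Println("bob/correct-horse:  ", store.Verify("bob", "correct-horse"))
}
```

Hashing first also means the stored map never holds plaintext secrets, which keeps a leaked heap dump or debug log from exposing them directly.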
Operational improvements
- Configurable timeout and retry with exponential backoff for Google Cloud KMS signing
- Graceful skip of inaccessible/disabled keys during AWS and GCP KMS vault iteration
- New signatory-cli list-keys command
- Fixed ballot sub-kind validation (ballot:yay/nay/pass) in policy configuration
- Fixed block round validation via gotez v2.4.3
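The first two bullets above (timeout plus exponential backoff for KMS signing, and skipping inaccessible keys during vault iteration) are illustrated by this added Go example. It is not Signatory's code: RetryConfig, SignWithRetry, ListUsableKeys and the flakySigner stand-in for a KMS backend are this example's own assumptions, and the backoff formula is plain base*2^attempt capped at a maximum.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// RetryConfig holds the knobs a per-attempt timeout plus bounded exponential
// backoff needs. Field names are assumptions for this example.
type RetryConfig struct {
	Attempts  int
	Timeout   time.Duration // deadline applied to each individual attempt
	BaseDelay time.Duration
	MaxDelay  time.Duration
}

// ErrPermanent marks failures that retrying cannot fix (missing key, access denied).
var ErrPermanent = errors.New("permanent signing error")

// BackoffDelay returns BaseDelay*2^attempt, capped at MaxDelay (attempt is 0-based).
func BackoffDelay(cfg RetryConfig, attempt int) time.Duration {
	d := cfg.BaseDelay
	for i := 0; i < attempt; i++ {
		d *= 2
		if d >= cfg.MaxDelay {
			return cfg.MaxDelay
		}
	}
	return d
}

// SignWithRetry runs sign with a fresh per-attempt context and backs off between
// transient failures. It returns the signature, the number of attempts made, and
// the final error. Permanent errors and caller cancellation return immediately.
func SignWithRetry(ctx context.Context, cfg RetryConfig, msg []byte,
	sign func(context.Context, []byte) ([]byte, error)) ([]byte, int, error) {
	var lastErr error
	for attempt := 0; attempt < cfg.Attempts; attempt++ {
		actx, cancel := context.WithTimeout(ctx, cfg.Timeout)
		sig, err := sign(actx, msg)
		cancel()
		if err == nil {
			return sig, attempt + 1, nil
		}
		lastErr = err
		if errors.Is(err, ErrPermanent) {
			return nil, attempt + 1, err
		}
		if attempt == cfg.Attempts-1 {
			break
		}
		select {
		case <-ctx.Done():
			return nil, attempt + 1, ctx.Err()
		case <-time.After(BackoffDelay(cfg, attempt)):
		}
	}
	return nil, cfg.Attempts, fmt.Errorf("signing failed after %d attempts: %w", cfg.Attempts, lastErr)
}

// ListUsableKeys is the graceful-skip pattern for vault iteration: a key whose
// probe fails (disabled, no permission) is recorded and skipped instead of
// aborting the whole listing, so one bad key cannot hide the others.
func ListUsableKeys(ids []string, probe func(string) error) (usable, skipped []string) {
	for _, id := range ids {
		if err := probe(id); err != nil {
			skipped = append(skipped, id) // a real vault would log this at warn level
			continue
		}
		usable = append(usable, id)
	}
	return usable, skipped
}

// flakySigner simulates a backend that fails transiently `failures` times
// before succeeding (constructed for this example).
func flakySigner(failures int) func(context.Context, []byte) ([]byte, error) {
	calls := 0
	return func(ctx context.Context, msg []byte) ([]byte, error) {
		calls++
		if calls <= failures {
			return nil, errors.New("transient: backend unavailable")
		}
		return append([]byte("sig:"), msg...), nil
	}
}

func main() {
	cfg := RetryConfig{Attempts: 4, Timeout: 2 * time.Second, BaseDelay: 50 * time.Millisecond, MaxDelay: time.Second}
	sig, n, err := SignWithRetry(context.Background(), cfg, []byte("block-payload"), flakySigner(2))
	fmt.Printf("signature=%q attempts=%d err=%v\n", sig, n, err)

	probe := func(id string) error {
		if id == "key-disabled" { // constructed: one key the backend refuses to serve
			return errors.New("key is disabled")
		}
		return nil
	}
	usable, skipped := ListUsableKeys([]string{"key-a", "key-disabled", "key-b"}, probe)
	fmt.Println("usable:", usable, "skipped:", skipped)
}
```

Keeping the per-attempt timeout separate from the caller's context is what makes the total signing latency bounded: Attempts*(Timeout+MaxDelay) is the worst case, which is what a baker's block-proposal deadline needs to be sized against.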
Portable standalone binaries
Release binaries are now built with zig cc targeting glibc 2.17+, making them portable across virtually all Linux distributions. Unlike static builds, these support dlopen, so PKCS11/CloudHSM works in standalone mode without Docker.
Migration notes
If you volume-mount directories, ensure they’re accessible by UID/GID 10000. Nitro Enclave users should switch from --privileged to the scoped seccomp profile. No breaking API or configuration changes.
Full release notes: Release v1.4.0 · ecadlabs/signatory · GitHub
Docker:
docker pull ecadlabs/signatory:v1.4.0