What's Changed

Fixes to mac CI for publishing binaries:

• chore: rotate Apple signing identity to bdd@pomerium.com by @backport-actions-token[bot] in #667

Full Changelog: v0.32.1...v0.32.2

⚠️ Mac binaries were not published for 0.32.1, for mac users seeking the latest release of pomerium/cli, use 0.32.2 .

What's Changed

• chore: bump pomerium to v0.32.5 / go 1.25.9 by @alexandreLamarre in #666

New Contributors

• @alexandreLamarre made their first contribution in #666

Full Changelog: v0.32.0...v0.32.1

Test pre-release for Apple certificate rotation verification (OPE-244)

This release tests the new Developer ID Application cert (247F4DF4...) and
Developer ID Installer cert (4CCCBFF1...) under bdd@pomerium.com.

Do not use in production. This will be deleted after verification.

What's Changed

• tcp: add fallback tunneler for tcp by @calebdoxsey in #566
• upgrade go and golangci-lint by @calebdoxsey in #595

Full Changelog: v0.31.0...v0.32.0

What's Changed

• switch from pomerium.io to pomerium.com by @kenjenkins in #543
• update Core dependency by @kenjenkins in #544
• ci: do not include deb/rpm packages in docker image by @kenjenkins in #547
• build(deps): bump the go group with 7 updates by @dependabot[bot] in #548
• build(deps): bump docker/metadata-action from 5.7.0 to 5.8.0 in the github-actions group by @dependabot[bot] in #549
• build(deps): bump the docker group with 2 updates by @dependabot[bot] in #550
• build(deps): bump the github-actions group with 4 updates by @dependabot[bot] in #553
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 by @dependabot[bot] in #551
• build(deps): bump the go group with 9 updates by @dependabot[bot] in #554
• build(deps): bump the docker group with 3 updates by @dependabot[bot] in #552
• add ci job to upgrade core by @calebdoxsey in #556
• ci: update core to latest commit in main by @apparitor in #557
• ci: update core to latest commit in main by @apparitor in #558
• build(deps): bump the docker group with 3 updates by @dependabot[bot] in #559
• build(deps): bump the github-actions group with 5 updates by @dependabot[bot] in #561
• build(deps): bump the go group with 8 updates by @dependabot[bot] in #560
• ci: update core to latest commit in main by @apparitor in #562
• ci: update core to latest commit in main by @apparitor in #563
• ci: update core to latest commit in main by @apparitor in #564
• set core to v0.31.0 by @wasaga in #569

Full Changelog: v0.30.0...v0.31.0

Dependencies

• downgrade pomerium/pomerium to avoid cgo dependency by @kenjenkins in #542

Full Changelog: v0.30.0...v0.30.1

Security

• restrict file permissions for cached k8s credentials by @kenjenkins in #539

Changes

• sign and notarize macOS builds by @gaurdro
• docs: fixed install link by @nickytonline in #508

Dependencies

• build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 by @dependabot in #502
• build(deps): bump the github-actions group with 6 updates by @dependabot in #512
• upgrade go to v1.24 by @calebdoxsey in #510
• build(deps): bump the go group across 1 directory with 6 updates by @dependabot in #515
• build(deps): bump the github-actions group with 2 updates by @dependabot in #522
• build(deps): bump the docker group with 3 updates by @dependabot in #521
• build(deps): bump the go group with 7 updates by @dependabot in #520
• build(deps): bump github.com/open-policy-agent/opa from 1.2.0 to 1.4.0 by @dependabot in #523
• build(deps): bump the go group with 7 updates by @dependabot in #528
• build(deps): bump the docker group with 3 updates by @dependabot in #526
• build(deps): bump the github-actions group across 1 directory with 2 updates by @dependabot in #529
• build(deps): bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 by @dependabot in #534
• build(deps): bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 by @dependabot in #533
• build(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.1 in the github-actions group by @dependabot in #537
• build(deps): bump the docker group with 3 updates by @dependabot in #536
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot in #535
• build(deps): bump the go group with 6 updates by @dependabot in #538

Full Changelog: v0.29.1...v0.30.0

What's Changed

• upgrade core to remove log message by @calebdoxsey in #513

Full Changelog: v0.29.0...v0.29.1

Changes

• Modify the --client-cert-issuer and --client-cert-subject options to allow matching on any value of multi-valued name attributes. (@kenjenkins in #449)
• Update the golangci-lint tool to version 1.60.1 in the CLI/CI configuration. (@calebdoxsey in #453)
• Remove reliance on expiration timestamps in cached credentials by verifying JWT validity through access attempts to /api, assuming invalidity if access fails. (@calebdoxsey in #460)
• Rename the tcptunnel component to tunnel to align with upcoming modifications. (@calebdoxsey in #467)
• Implement HTTP/3 tunneling by detecting the h3 Alt-Svc header in HTTP/2 proxy responses and selecting the appropriate tunneler based on the protocol used. (@calebdoxsey in #474)
• Standardize logging by replacing all instances of stdlog with zerolog and refining log messages. (@calebdoxsey in #475)
• Implement UDP support over HTTP/1 using the CONNECT-UDP method, enabling UDP tunneling with session management and packet framing via the capsule protocol. (@calebdoxsey in #476)
• Implement UDP support over HTTP/3 by utilizing QUIC datagrams and applying back pressure to block rather than drop packets. (@calebdoxsey in #477)
• Implement UDP protocol support in the API utilized by the desktop client. (@calebdoxsey in #481 (ENG-1801))
• Prevent the clearing of JWT credentials when a tunnel receives a 403 Forbidden response, thereby avoiding an infinite authentication loop. (@calebdoxsey in #485 (ENG-1834))
• Refactor the JWT cache to improve compatibility with non-tcp/udp tunnel code. (@calebdoxsey in #486)
• Introduce a new pomerium-cli routes list <URL> subcommand to list routes, requiring a JWT for endpoint querying, with output to stdout and integration into the CLI API. (@calebdoxsey in #487 (ENG-1878))
• Introduce an "autostart" field to the CLI to enable automatic connections when launching the desktop app. (@wrmedford in #494)
• Upgrade the pomerium/pomerium dependency to the latest main branch to incorporate the update of golang.org/x/oauth2 to version 0.27.0. (@kenjenkins in #498 (ENG-2053))

Dependencies

• Update golang.org/x/net package. (@dependabot[bot] in #432)
• Update golang, distroless/base-debian12, and distroless/static packages. (@dependabot[bot] in #434)
• Update actions/checkout, docker/setup-buildx-action, and golangci/golangci-lint-action. (@dependabot[bot] in #435)
• Update github.com/pomerium/pomerium, golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, google.golang.org/grpc, and `google.golang.org/protobuf (@dependabot[bot] in #436)
• Update golang and distroless/base-debian12. (@dependabot[bot] in #437)
• Update actions/checkout package. (@dependabot[bot] in #439)
• Update github.com/getsentry/sentry-go. (@dependabot[bot] in #441)
• Update golang in the docker group. (@dependabot[bot] in #442)
• Update actions/checkout, docker/build-push-action, azure/docker-login, and goreleaser/goreleaser-action. (@dependabot[bot] in #443)
• Update google.golang.org/grpc. (@dependabot[bot] in #444)
• Update golang.org/x/crypto, golang.org/x/sys, google.golang.org/grpc, google.golang.org/grpc/cmd/protoc-gen-go-grpc, and google.golang.org/protobuf. (@dependabot[bot] in #445)
• Update golang, distroless/base-debian12, and distroless/static packages. (@dependabot[bot] in #446)
• Update docker/setup-buildx-action. (@dependabot[bot] in #447)
• Update golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, and google.golang.org/grpc. (@dependabot[bot] in #450)
• Update golang in the docker group. (@dependabot[bot] in #451)
• Update docker/build-push-action and actions/setup-python. (@dependabot[bot] in #452)
• Update golang, distroless/base-debian12, and distroless/static. (@dependabot[bot] in #454)
• Update actions/checkout and docker/build-push-action. (@dependabot[bot] in #455)
• Update github.com/getsentry/sentry-go. (@dependabot[bot] in #456)
• Update actions/checkout, docker/setup-buildx-action, actions/setup-go, golangci/golangci-lint-action, actions/cache, and actions/setup-python. (@dependabot[bot] in #461)
• Update golang, distroless/base-debian12, and distroless/static. (@dependabot[bot] in #462)
• Update github.com/getsentry/sentry-go. (@dependabot[bot] in #463)
• Update github.com/pomerium/pomerium, github.com/stretchr/testify, golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, google.golang.org/grpc, and ` (@dependabot[bot] in #468)
• Update docker/metadata-action, docker/build-push-action, and goreleaser/goreleaser-action. (@dependabot[bot] in #469)
• Update golang, distroless/base-debian12, and distroless/static. (@dependabot[bot] in #470)
• Update golang.org/x/crypto package. (@dependabot[bot] in #478)
• Update docker/setup-buildx-action, actions/setup-go, and actions/cache. (@dependabot[bot] in #482)
• Update github.com/elazarl/goproxy. (@dependabot[bot] in #483)
• Update golang in the docker group. (@dependabot[bot] in #484)
• Update github.com/elazarl/goproxy package. (@dependabot[bot] in #489)
• Update golang, distroless/base-debian12, and distroless/static packages. (@dependabot[bot] in #490)
• Update docker/build-push-action, actions/setup-go, golangci/golangci-lint-action, docker/setup-qemu-action, and actions/setup-python. (@dependabot[bot] in #491)
• Update github.com/go-jose/go-jose/v4 package. (@dependabot[bot] in #492)
• Update github.com/go-jose/go-jose/v3 package. (@dependabot[bot] in #493)
• Update golang in the docker group. (@dependabot[bot] in #495)
• Update github.com/elazarl/goproxy (@dependabot[bot] in #496)
• Update docker/setup-buildx-action, docker/metadata-action, docker/build-push-action, golangci/golangci-lint-action, docker/setup-qemu-action, goreleaser/goreleaser-action, ([@dependabot[bot]](https://github.com/depen...

v0.23.0 adds the ability to use client certificates stored in the Windows certificate store or Keychain (on macOS).
See https://www.pomerium.com/docs/capabilities/tcp#client-certificates for more information.

What's Changed

• vendor internal/signer from enterprise-certificate-proxy by @kenjenkins in #334
• integrate with system cert store by @kenjenkins in #314
• api: integrate with system trust store by @kenjenkins in #337
• update version command by @kenjenkins in #343
• ncrypt: open cert store in readonly mode by @kenjenkins in #344
• api: discard unknown config proto fields by @kenjenkins in #353
• cli/go: upgrade go by @calebdoxsey in #356
• update Go base docker image by @kenjenkins in #371
• expand client cert search capabilities by @kenjenkins in #380
• cli/cmd: add commands for viewing the cache location and clearing it by @calebdoxsey in #384
• api: expand client cert search capabilities by @kenjenkins in #395
• ci: upgrade Go to 1.22 by @wasaga in #406

Dependency updates

• build(deps): bump distroless/static from a01d47d to 7198a35 by @dependabot in #272
• build(deps): bump distroless/base from 357bc96 to ba4cde5 by @dependabot in #271
• build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 by @dependabot in #277
• build(deps): bump github.com/pomerium/pomerium from 0.22.0 to 0.22.1 by @dependabot in #275
• build(deps): bump golang from 1.20.3-buster to 1.20.4-buster by @dependabot in #274
• build(deps): bump github.com/getsentry/sentry-go from 0.20.0 to 0.21.0 by @dependabot in #273
• build(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 by @dependabot in #276
• build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 by @dependabot in #278
• build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @dependabot in #280
• build(deps): bump actions/setup-python from 4.6.0 to 4.6.1 by @dependabot in #282
• build(deps): bump golang from 4cf6dc4 to 6be6011 by @dependabot in #283
• build(deps): bump github.com/pomerium/pomerium from 0.22.1 to 0.22.2 by @dependabot in #281
• build(deps): bump docker/login-action from 2.1.0 to 2.2.0 by @dependabot in #289
• build(deps): bump docker/setup-buildx-action from 2.5.0 to 2.6.0 by @dependabot in #288
• build(deps): bump docker/metadata-action from 4.4.0 to 4.5.0 by @dependabot in #287
• build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 by @dependabot in #286
• build(deps): bump github.com/golangci/golangci-lint from 1.52.2 to 1.53.2 by @dependabot in #285
• build(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @dependabot in #284
• build(deps): bump golang from 1.20.4-buster to 1.20.5-buster by @dependabot in #291
• build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #290
• build(deps): bump golang from b0f97bf to eb3f9ac by @dependabot in #293
• build(deps): bump docker/build-push-action from 4.0.0 to 4.1.1 by @dependabot in #294
• build(deps): bump docker/setup-buildx-action from 2.6.0 to 2.7.0 by @dependabot in #295
• build(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 by @dependabot in #296
• build(deps): bump docker/setup-qemu-action from 2.1.0 to 2.2.0 by @dependabot in #297
• build(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 by @dependabot in #298
• build(deps): bump github.com/getsentry/sentry-go from 0.21.0 to 0.22.0 by @dependabot in #299
• build(deps): bump github.com/golangci/golangci-lint from 1.53.2 to 1.53.3 by @dependabot in #301
• build(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 by @dependabot in #300
• build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 by @dependabot in #304
• build(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 by @dependabot in #302
• build(deps): bump google.golang.org/grpc from 1.56.0 to 1.56.1 by @dependabot in #303
• build(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.0 by @dependabot in #305
• build(deps): bump actions/setup-python from 4.6.1 to 4.7.0 by @dependabot in #306
• build(deps): bump docker/setup-buildx-action from 2.9.0 to 2.9.1 by @dependabot in #307
• build(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 by @dependabot in #312
• build(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 by @dependabot in #310
• build(deps): bump github.com/getsentry/sentry-go from 0.22.0 to 0.23.0 by @dependabot in #309
• build(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 by @dependabot in #311
• build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #320
• build(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in #319
• build(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in #318
• build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #317
• build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in #316
• build(deps): bump github.com/golangci/golangci-lint from 1.53.3 to 1.54.2 by @dependabot in #324
• build(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in #323
• build(deps): bump distroless/static from 7198a35 to e7e79fb by @dependabot in #321
• build(deps): bump github.com/pomerium/pomerium from 0.22.2 to 0.23.0 by @dependabot in #322
• update github.com/elazarl/goproxy by @kenjenkins in #326
• build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 by @dependabot in #329
• build(deps): bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #330
• build(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #328
• build(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 by @dependabot in #331
• build(deps): bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #333
• build(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in #339
• build(deps): bump docker/setup-buildx-action from 2.10.0 to 3.0.0 by @dependabot in #342
• build(deps): bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in #341
• build(deps): bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #340
• build(deps): bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in #338
• build(deps): bump distroless/base from ba4cde5 to 80c68f0 by @dependabot in #352
• build(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #351
• build(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 by @dependabot in #350
• build(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.2 by @dependabot in #349
• build(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 by @dependabot in #348
• build(deps): bump github.com/rs/zerolog from 1.30.0 to 1.31.0 by @dependabot in #347
• build(deps): bump golang.org/x/crypto from 0.12.0 to 0.13.0 by @dependabot in #346
• build(deps): bump github.com/getsentry/sentry-go from 0.23.0 to 0.24.1 by @dependabot in #345
• build(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 by @dependabot in #354
• build(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot in https...