2.0.0

Security Changes & Fixes

• Graveyard now detects zip-slip attacks. This means that Graveyard will refuse to unarchive archives that try to access files out of their scope.
• Graveyard now only uses libraries that are developed by the Golang developers.

Breaking Changes

• Commands are now provided through the Go flag module. This means that commands will need to be prefixed with - or --, this allows users to string together commands and complete more than one action at once.
• Grave filenames now end in .buried instead of .tar.gz.buried, you will need to rename graves before use with this version, see the release discussion for details.

New Features

• Graveyard is now fully portable! This means that you can store graves on a USB drive and access them across Windows, Linux, and macOS. The grave.zip file currently only supports x64 architectures, but includes binaries for Windows, Linux, and macOS.
• Speaking of Windows and macOS... this is the first release to support those platforms!
• Graveyard also now provides builds for other architectures.

Changes for Developers

• Graveyard now provides a library for external applications to encrypt data within graves.
• The command line application now simply interacts with the library.

Other Changes

• Documentation has been moved into docs.
• Lot of dependencies have been removed.
• Migrate to os from ioutil.
• Graveyard is now a much smaller binary (7.38 MB to 3.22 MB.)

---

Full Changelog: 1.1.5...2.0.0

---

This release includes breaking changes. For a migration guide view the release discussion.

1.1.5

What's Changed

• Bump golang.org/x/crypto from 0.21.0 to 0.23.0 (in #16 and #18).
• Bump github.com/charmbracelet/bubbletea from 0.25.0 to 0.26.3 (in #20 and
  #21).
• Bump github.com/charmbracelet/bubbles from 0.17.1 to 0.18.0 (in #11).
• Bump github.com/urfave/cli from 2.27.1 to 2.27.2 (in #17).

Full Changelog: 1.1.4...1.1.5

1.1.4

What's Changed

• Bump github.com/charmbracelet/log from 0.3.1 to 0.4.0 by @dependabot in #15
• Bump golang.org/x/crypto from 0.18.0 to 0.21.0 by @dependabot in #14

Full Changelog: 1.1.3...1.1.4

1.1.3

What's Changed

• Files are now archived recursively (thanks to @celediel in #10).

Full Changelog: 1.1.2...1.1.3

1.1.2

What's Changed

Dependency upgrades:

• golang.org/x/crypto from 0.17.0 to 0.18.0
• github.com/urfave/cli/v2 from 2.25.7 to 2.27.1
• github.com/charmbracelet/bubbletea from 0.24.2 to 0.25.0
• github.com/charmbracelet/log from 0.2.3 to 0.3.1
• github.com/charmbracelet/bubbles from 0.16.1 to 0.17.1

Full Changelog: 1.1.1...1.1.2

1.1.1

What's Changed

• Bump golang.org/x/crypto from 0.12.0 to 0.17.0.
• Fixed decryption "invalid key size 0" error on installations with more than one grave.

Full Changelog: 1.1.0...1.1.1

1.1.0 - 💥 Security Improvements

💥 This is a breaking change: Your preexisting graves will not open after updating, consider copying a decrypted version before doing so and clearing the ~/.graveyard directory.

What happened?

As Lemmy user @[email protected] pointed out, the key should not have been stored as a SHA256.

Why was this bad?

In case a hacker had physical access to the device and could get the hashed keys they could figure out which passphrases are reused.

How has it been fixed?

Keys are now stored within $XDG_DATA_HOME/graveyard/keys or ~/.graveyard/keys as salted Argon2 hashes.

Initial Release

This is the first public release of Graveyard.

Full Changelog: https://github.com/BetaPictoris/graveyard/commits/1.0.0