….SDK into docs-thirdpartypayment merging with origin
…ico/Yubico.NET.SDK into docs-thirdpartypayment
docs: third-party payment extension
docs: updated 1.15.0 release notes
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
…ecurity-remediation [StepSecurity] Apply security best practices
Bumps nginx from `052b75a` to `66d420c`.

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: alpine
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 3 updates: [actions/setup-dotnet](https://github.com/actions/setup-dotnet), [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [github/codeql-action](https://github.com/github/codeql-action).

Updates `actions/setup-dotnet` from 5.0.1 to 5.1.0
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@2016bd2...baa11fb)

Updates `anthropics/claude-code-action` from 1.0.27 to 1.0.29
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@7145c3e...1b8ee3b)

Updates `github/codeql-action` from 4.31.9 to 4.31.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5d4e8d1...cdefb33)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.31.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps Microsoft.Bcl.AsyncInterfaces from 10.0.1 to 10.0.2
Bumps Microsoft.Bcl.Cryptography from 10.0.1 to 10.0.2
Bumps Microsoft.CodeAnalysis.NetAnalyzers from 10.0.101 to 10.0.102
Bumps Microsoft.Extensions.Configuration.Json from 10.0.1 to 10.0.2
Bumps Microsoft.Extensions.Logging.Abstractions from 10.0.1 to 10.0.2
Bumps Microsoft.Extensions.Options.ConfigurationExtensions from 10.0.1 to 10.0.2
Bumps System.Configuration.ConfigurationManager from 10.0.1 to 10.0.2
Bumps System.Formats.Asn1 from 10.0.1 to 10.0.2
Bumps System.Formats.Cbor from 10.0.1 to 10.0.2
Bumps Xunit.SkippableFact from 1.5.23 to 1.5.61

---
updated-dependencies:
- dependency-name: Microsoft.Bcl.AsyncInterfaces
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Bcl.Cryptography
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: System.Formats.Asn1
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.CodeAnalysis.NetAnalyzers
  dependency-version: 10.0.102
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.CodeAnalysis.NetAnalyzers
  dependency-version: 10.0.102
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Extensions.Configuration.Json
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Extensions.Options.ConfigurationExtensions
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: System.Configuration.ConfigurationManager
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: System.Formats.Asn1
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: System.Formats.Cbor
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Xunit.SkippableFact
  dependency-version: 1.5.61
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
...
Signed-off-by: dependabot[bot] <support@github.com>
- Fixed DigestData to use hash digest size instead of key size for RSA keys
- Reuses MessageDigestOperations.ComputeMessageDigest for hashing
- For RSA: returns raw digest (PadRsa handles signature padding)
- For ECC: pads digest to key size with leading zeros if needed
- Added unit tests for digest computation logic
- Updated devcontainer to include .NET 8.0 and 10.0
…actions-f3c9c47414 chore(deps): bump the github-actions group with 3 updates
…all_packages-febfb66e60 Bump the all_packages group with 10 updates
chore(deps): bump nginx from `052b75a` to `66d420c`
fix(piv): Fix YubiKeySignatureGenerator.DigestData regression in Sample App
Bumps nginx from `66d420c` to `2622096`.

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: alpine
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps Microsoft.Extensions.Logging.Console from 10.0.0 to 10.0.2

---
updated-dependencies:
- dependency-name: Microsoft.Extensions.Logging.Console
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Extensions.Logging.Console
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
- dependency-name: Microsoft.Extensions.Logging.Console
  dependency-version: 10.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all_packages
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.14.0` | `2.14.1` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.1` | `6.0.2` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `3.1.0` | `3.2.0` |
| [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.29` | `1.0.37` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.31.10` | `4.32.0` |

Updates `step-security/harden-runner` from 2.14.0 to 2.14.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@20cf305...e3f713f)

Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@8e8c483...de0fac2)

Updates `actions/attest-build-provenance` from 3.1.0 to 3.2.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@00014ed...96278af)

Updates `anthropics/claude-code-action` from 1.0.29 to 1.0.37
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@1b8ee3b...2817c54)

Updates `github/codeql-action` from 4.31.10 to 4.32.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@cdefb33...b20883b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/attest-build-provenance
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <support@github.com>
chore(deps): bump nginx from `66d420c` to `2622096`
…all_packages-74699dc37d Bump the all_packages group with 1 update
…actions-e40d636236 chore(deps): bump the github-actions group with 5 updates
Pull request overview
This release (v1.15.1) focuses on security, maintainability, and documentation improvements. Key updates include enhanced CI/CD security through GitHub Actions hardening, dependency updates, bug fixes, and improved documentation.
Changes:
- Enhanced security posture by adding runner hardening and updating action versions across all workflows
- Updated multiple project dependencies to latest versions (Microsoft.Bcl.Cryptography, Xunit.SkippableFact, etc.)
- Fixed regression in PIV sample app's signature generation logic
Reviewed changes
Copilot reviewed 38 out of 38 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/users-manual/toc.yml | Added new documentation section for third-party payment extension |
| docs/users-manual/getting-started/whats-new.md | Updated release notes for v1.15.1 and corrected v1.15.0 release date |
| docs/users-manual/application-piv/cert-size.md | Restructured PIV certificate size documentation for improved clarity |
| docs/users-manual/application-fido2/thirdpartypayment.md | Added comprehensive documentation for thirdPartyPayment extension |
| build/Versions.props | Bumped version to 1.15.1 |
| Multiple test project files | Updated NuGet package versions across test projects |
| Yubico.YubiKey/tests/unit/.../YubiKeySignatureGeneratorTests.cs | Added unit tests verifying the PIV signature generation fix |
| Yubico.YubiKey/tests/unit/.../ConnectionManagerTests.cs | Removed file (likely moved or refactored) |
| Yubico.YubiKey/src/.../SmartCardConnection.cs | Extracted method calls to variables for clarity |
| Yubico.YubiKey/src/.../Fido2Session.LargeBlobs.cs | Moved variable declaration to reduce scope |
| Yubico.YubiKey/src/.../AuthenticatorOperationParameters.cs | Updated Guard method calls and removed duplicate extension method |
| Yubico.YubiKey/src/.../ConnectionManager.cs | Removed file (likely moved or refactored) |
| Yubico.YubiKey/src/Yubico.YubiKey.csproj | Updated multiple NuGet package references |
| Yubico.YubiKey/examples/.../YubiKeySignatureGenerator.cs | Fixed digest computation bug in signature generation |
| Yubico.Core/tests/Yubico.Core.UnitTests.csproj | Updated Xunit.SkippableFact package version |
| Yubico.Core/src/.../DesktopSmartCardConnection.cs | Extracted method call result to variable |
| Yubico.Core/src/Yubico.Core.csproj | Updated multiple Microsoft Extensions package references |
| SECURITY.md | Added security vulnerability disclosure policy |
| Dockerfile | Pinned nginx base image with SHA256 hash |
| .github/workflows/*.yml | Added harden-runner step and updated action versions across all workflows |
| .github/dependabot.yml | Changed GitHub Actions schedule to weekly and added Docker ecosystem |
| .devcontainer/devcontainer.json | Added support for .NET 8.0 and 10.0 versions |
Yubico.YubiKey/src/Yubico/YubiKey/Fido2/AuthenticatorOperationParameters.cs
Yubico.YubiKey/examples/PivSampleCode/CertificateOperations/YubiKeySignatureGenerator.cs
Test Results: Windows: 2 files, 2 suites, 19s ⏱️. Results for commit f7bfcb4.
Test Results: Ubuntu: 2 files, 2 suites, 48s ⏱️. Results for commit f7bfcb4.
Test Results: MacOS: 4 files, 4 suites, 29s ⏱️. Results for commit f7bfcb4.
dainnilsson approved these changes Jan 28, 2026
This pull request focuses on improving the security, maintainability, and clarity of the project's CI/CD workflows and development environment. The main updates include enhancing GitHub Actions security with runner hardening, upgrading and pinning action versions, refining permissions for least privilege, and adding support for Docker updates in Dependabot.
Bug Fixes:
Documentation:
Dependencies:
CI/CD Workflow Security and Maintenance:
- `step-security/harden-runner` action to all major jobs in GitHub Actions workflows to audit and restrict outbound network calls, increasing build security.
- `actions/checkout`, `actions/upload-artifact`, `actions/setup-dotnet`, `actions/attest-build-provenance`, `docker/setup-qemu-action`, `actions/download-artifact`) to specific, newer versions for improved reliability and traceability.

Permissions and Least Privilege:
- `pull-requests: write`, `attestations: write`, or `packages: write` are required).

Dependabot and Development Environment:
- `.devcontainer/devcontainer.json` to support multiple .NET versions (8.0, 9.0, 10.0) for local development, improving flexibility for contributors.

These changes collectively improve the security posture of CI/CD pipelines, keep dependencies up to date, and make the development environment more robust and contributor-friendly.
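A reviewer-side check for the practices listed in this pull request (a harden-runner step, pinned action versions, explicit permissions, a digest-pinned base image), added here as an example and not code from the pull request or the Yubico.NET.SDK repository. The function names, the sample workflows and the placeholder commit SHAs are constructed, and the check assumes "pinned" means a full 40-character commit SHA.

```python
import re

# Constructed samples; the 40-hex commit SHAs are placeholders, not real commits.
WORKFLOW_HARDENED = """\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2
        with:
          egress-policy: audit
      - uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef # v6
"""
WORKFLOW_WEAK = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-dotnet@main
"""

USES = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
FROM = re.compile(r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.M | re.I)

def audit_workflow(text):
    """Return findings for one workflow file (file-level, not per job)."""
    refs = USES.findall(text)
    # Local (./) and docker:// references are out of scope for this check.
    findings = [f"unpinned action: {r}" for r in refs
                if not r.startswith(("./", "docker://")) and not FULL_SHA.search(r)]
    if not any(r.startswith("step-security/harden-runner@") for r in refs):
        findings.append("no harden-runner step")
    if not re.search(r"^[ \t]*permissions:", text, re.M):
        findings.append("no explicit permissions block")
    return findings

def audit_dockerfile(text):
    """Flag FROM images without an @sha256 digest; earlier stage names are allowed."""
    findings, stages = [], {"scratch"}
    for image, alias in FROM.findall(text):
        if image.lower() not in stages and "@sha256:" not in image:
            findings.append(f"base image not pinned by digest: {image}")
        if alias:
            stages.add(alias.lower())
    return findings
```

Run `audit_workflow` over each file under `.github/workflows/` and `audit_dockerfile` over the Dockerfile; an empty list means no findings.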