ReleaseMicrosoftMicrosoftpublished Apr 21, 2026seen 1d

microsoft/CCF ccf-7.0.0

microsoft/CCF

Open original ↗

Captured source

source ↗
GH
GitHub/github.com/microsoft/CCF
microsoft/CCF ccf-7.0.0
Source ↗
published Apr 21, 2026seen 1dcaptured 11hhttp 200method plain

7.0.0

Repository: microsoft/CCF

Tag: ccf-7.0.0

Published: 2026-04-21T15:39:05Z

Prerelease: no

Release notes: > Release highlights: CCF 7.0.0 is a major release with significant architectural and API changes: > > - `cchost` has been removed. Each CCF application is now built as its own standalone binary. The add_ccf_app CMake function builds an executable; callers provide a main function and invoke ccf::run() (see samples/apps/main.cpp). The js_generic sample is now installed at /ccf/bin/js_generic. The separate "run" package is no longer published — only the -devel package is available. > - Unified platform build. There is no longer a separate SNP or Virtual build. A single build auto-detects the platform at runtime, so the COMPILE_TARGET CMake option and per-platform release artifacts are gone. > - Classic governance API removed. The legacy /gov endpoints (without an api-version query parameter), deprecated since 5.0.0, have been removed. All /gov endpoints now require passing an api-version query parameter. The most recent value is 2024-07-01. > - COSE-only ledger signatures. Networks can start in COSE-only signing mode or transition from dual signing, and a new /receipt/cose endpoint returns COSE Sign1 receipts with Merkle proofs (see https://datatracker.ietf.org/doc/draft-ietf-cose-merkle-tree-proofs/18/ and https://datatracker.ietf.org/doc/draft-ietf-scitt-receipts-ccf-profile/01/ for a full specification). > - Commit-aware endpoints. Endpoints can now defer their HTTP response until the transaction reaches a terminal consensus state (committed or invalidated), with optional inline receipt construction at commit time. > - Improved snapshot management. Backup nodes can auto-fetch snapshots from the primary, snapshots can be scheduled by wall-clock interval, and new file-cleanup options automatically prune old ledger chunks and snapshots.

Developer API

C++

##### Added

  • Added support for endpoints that defer their HTTP response until the submitted transaction reaches a terminal consensus state (committed or invalidated). A set_consensus_committed_function() call on the RpcContext registers a callback invoked once the transaction is globally committed or invalidated. The callback receives a CommittedTxInfo& struct (containing rpc_ctx, tx_id, status, write_set_digest, commit_evidence, claims_digest). See the logging sample app (/log/private/optional_commit and /log/blocking/private) for example usage (#7562, #7785).
  • Added support for inline transaction receipt construction at commit time. Endpoint authors can use build_receipt_for_committed_tx() to construct a full TxReceiptImpl from the CommittedTxInfo passed to their consensus committed callback. See the logging sample app (/log/blocking/private/receipt) for example usage (#7785).
  • Added COSEVerifier::verify_decomposed() method that accepts pre-parsed COSE_Sign1 components, bypassing envelope parsing.
  • Added ccf::describe_cose_receipt_v1(receipt) to obtain COSE receipts with Merkle proof (#7700).
  • Added make_cose_verifier_from_pem_cert() and make_cose_verifier_from_der_cert(). The existing make_cose_verifier_cert() is renamed to make_cose_verifier_any_cert() (#7768).
  • NetworkIdentitySubsystemInterface now exposes get_trusted_keys(), returning all trusted network identity keys as a TrustedKeys map (#7690).
  • Added ccf::IdentityHistoryNotFetched exception type to distinguish identity-history-fetching errors from other logic errors in the network identity subsystem (#7708).

##### Changed

  • cchost is removed, and each application now provides its own executable. CCF nodes no longer contain a separate cchost executable and enclave library (.so) file. Each former enclave library is now its own executable. The js_generic sample app is now an executable installed at /ccf/bin/js_generic. The add_ccf_app function in CMake now builds an executable rather than a library — the caller should provide a main function and call ccf::run() from include/ccf/run.h to start the node (see samples/apps/main.cpp for a minimal example).
  • Crypto interface refactored for RSA and EC keys (#7425):
  • ccf::crypto::PublicKey becomes ccf::crypto::ECPublicKey.
  • ccf::crypto::KeyPair becomes ccf::crypto::ECKeyPair.
  • Error-prone inheritance between RSA and EC key classes has been removed.
  • RSA keys no longer re-use CSR functionality from the EC key interface.
  • set_consensus_committed_function() has moved from an endpoint-registration-time decorator to a runtime call on ctx.rpc_ctx->set_consensus_committed_function(). The callback signature now receives a CommittedTxInfo& struct instead of individual arguments. This allows the same endpoint to conditionally block until committed based on per-request state. ccf::endpoints::default_respond_on_commit_func has been removed from the public API; a sample implementation is provided in the logging and basic sample apps (#7785).
  • In the C++ API, get_txid() on ccf::kv::ReadOnlyStore has been renamed to current_txid() (#7477).
  • ccf::crypto::HashProvider::Hash() has been renamed to ccf::crypto::HashProvider::hash() (#7660).
  • ccf::historical::verify_self_issued_receipt now verifies COSE CCF receipts against the current service identity, including receipts signed by past service identities if they were back-endorsed (#7494, #7546).
  • Application code (in both C++ and JS) can now access the current time directly, with no concept of enclave time vs untrusted host time.
  • Application logging no longer traverses the ringbuffer and is now immediately sent to stdout. The format of CCF's stdout logging has changed: alignment padding for enclave timestamps has been removed (#7491).

##### Removed

  • ccf::historical::adapter_v3 has been removed; use ccf::historical::read_only_adapter_v4 and ccf::historical::read_write_adapter_v4 instead (#7553).
  • Removed CHECK0() from ccf::crypto::OpenSSL in the public header openssl_wrappers.h (#7817).
  • Removed aes_gcm_encrypt(), aes_gcm_decrypt(), and default_iv from ccf::crypto (#7811).
  • Removed get_responder() from the public ccf::RpcContext API and made http_responder.h a private header (#7818).
  • Removed ccf::crypto::openssl_sha256_init() and ccf::crypto::openssl_sha256_shutdown() (#7251).
  • Removed the ccf/pal/hardware_info.h header (#7117).
  • Removed the…

Excerpt shown — open the source for the full document.