microsoft/CCF ccf-7.0.5

7.0.5

Repository: microsoft/CCF

Tag: ccf-7.0.5

Published: 2026-06-15T18:44:01Z

Prerelease: no

Release notes:

Changed

• The default and minimal sample constitutions reject set_jwt_issuer proposals whose issuer is not an https:// URL with no query or fragment. Previously, any string was accepted when auto_refresh was false (#7924).
• The default and minimal sample constitutions reject set_ca_cert_bundle proposals containing non-CA certificates or intermediate CA certificates; every certificate in the bundle must be a self-signed (root) CA (#7924).
• The default and minimal sample constitutions validate every JWK in set_jwt_issuer and set_jwt_public_signing_keys proposals: n/e/x/y must be base64url-encoded, kty must match the supplied key material, kid must be unique within a key set, use (if present) must be "sig", and alg (if present) must match the key type and curve per RFC 7518 section 3.4 (RS256 for RSA; ES256/ES384/ES512 bound to P-256/P-384/P-521). RSA keys must be at least 2048 bits, and EC coordinates must use the full zero-padded length for their curve (RFC 7518 section 6.2.1.2). P-521 is now an accepted EC curve (#7924).
• The default and minimal sample constitutions validate that set_member's encryption_pub_key, when present, is a well-formed RSA public key (#7924).

Security

• Host-created files (ledger chunks, snapshots, PID file, and node certificate/key files) are now created with restrictive permissions (0600) instead of relying on the process umask. Existing deployments will not see existing files affected; only newly created files will have these restricted permissions (#7916).

Dependencies

• Updated didx509cpp to 0.99.0 (#7943).