Releases: spiffe/spire

v1.14.0

11 Dec 22:27
d18ee04

Added

  • New azure_imds node attestor plugin for attesting nodes running in Microsoft Azure using the Azure Instance Metadata Service (IMDS) (#6312)
  • The AWS KMS key manager plugin now supports key tagging (#6410)
  • The JWT-SVID profile on spire server can now be disabled using the disable_jwt_svids config (#6272)
  • spire-server validate now supports validating plugin configuration (#6355)
  • Support for ec-p384 curve in the workload_x509_svid_key_type configuration option in spire-agent (#6389)
  • The docker workload attestor now supports the docker:image_config_digest selector (#6391)
  • GCP CAs now specify a certificate_id in CreateCertificateRequest for Enterprise tier compatibility (#6392)
  • Dummy implementations for the WIT-SVID profile (#6399)
  • GCP cloudsql-proxy can now be used with postgres (#6463)
  • The KeyManager directory is now validated to exist and be writeable on agent startup (#6397)

Changed

  • QueryContext is now used for querying the database version and CTE support (#6461)
  • The k8s and docker workload attestors now ignore cgroup mountinfo with root == / (#6462)
  • spire-server now stops fetching all events if a context cancelled error is returned while processing a list of events (#6472)

Removed

  • Removed the deprecated 'retry_rebootstrap' agent config (#6431)
  • Removed unused database model, V3AttestedNode (#6381)

Fixed

  • Added k8s_configmap BundlePublisher to documentation (#6437)
  • Added tpm_devid to supported Agent plugins documentation (#6449)

v1.13.3

23 Oct 13:05
191c76b

Added

  • X.509 CA metric with absolute expiration time in addition to TTL-based metric (#6303)
  • spire-agent configuration to source join tokens from files to support integration with third-party credential providers (#6330)
  • Capability to filter on caller path in spire-server Rego authorization policies (#6320)

Changed

  • spire-server will use the SHA-256 algorithm for X.509-SVID Subject Key Identifiers when the GODEBUG environment variable contains fips140=only (#6294)
  • Attested node entries are now purged at a fixed interval with jitter (#6315)
  • oidc-discovery-provider now fails to initialize when started with unrecognized arguments (#6297)

Fixed

v1.13.2

08 Oct 12:52
b888739

Security

v1.12.6

08 Oct 13:06
b00ff78

Security

v1.13.1

18 Sep 18:36
e5ff106

Added

  • aws_iid NodeAttestor can now verify that nodes belong to specified EKS clusters (#5969)
  • The server now supports configuring how long to cache attested node information, reducing node fetch dependency for RPCs (#6176)
  • aws_s3, gcp_cloudstorage, and k8s_configmap BundlePublisher plugins now support setting a refresh hint for the published bundle (#6276)

Changed

  • The "Subscribing to cache changes" log message from the DelegatedIdentity agent API is now logged at Debug level (#6255)
  • Integration tests now exercise currently supported Postgres versions (#6275)
  • Minor documentation improvements (#6280, #6293, #6296)

Fixed

  • spire-server entry delete CLI command now properly displays results when no failures are involved (#6176)

Security

  • Fixed agent name length validation in the http_challenge NodeAttestor plugin, to prevent issues with web servers that cannot handle very large URLs (#6324)

v1.12.5

18 Aug 18:03
81916a4

Security

  • Upgrade Go to 1.24.6 for GO-2025-3849 (#6250)

v1.13.0

15 Aug 18:40
c256da6

Added

  • Server configurable for periodically purging expired agents (#6152)
  • The experimental events-based cache now implements a full cache reload (#6151)
  • Support for automatic agent rebootstrap when the server CA goes invalid (#5892)

Changed

  • Default values for rebootstrapMode and rebootstrapDelay in SPIRE Agent (#6227)
  • "No identities issued" error log now includes the attested selectors (#6179)
  • Server configuration validation to verify agent_ttl compatibility with current ca_ttl (#6178)
  • Small documentation improvements (#6169)

Deprecated

  • retry_bootstrap experimental agent setting (#5906)

Fixed

  • Health checks and metrics initialization when retry_bootstrap is enabled (#6164)

Removed

  • The deprecated use_legacy_downstream_x509_ca_ttl server configurable (#5703)
  • The deprecated use_rego_v1 server configurable (#6219)

v1.12.4

01 Jul 21:39
2433513

Added

  • k8s_configmap BundlePublisher plugin (#6105, #6139)
  • UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
  • Integration tests running on ARM64 platform (#6059)
  • The OIDC Discovery Provider can now read the trust bundle from a file (#6025)

Changed

  • The "Container id not found" log message in the k8s WorkloadAttestor has been lowered to Debug level (#6128)
  • Improvements in lookup performance for entries (#6100, #6034)
  • Agent no longer pulls the bundle from trust_bundle_url if it is not required (#6065)

Fixed

  • The subject_types_supported value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
  • SPIRE Server gRPC servers are now gracefully stopped (#6076)

v1.12.3

17 Jun 21:39

Security

  • Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
    This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
    Thanks to Edoardo Geraci for reporting this issue.

v1.11.3

17 Jun 20:49

Security

  • Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
    This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
    Thanks to Edoardo Geraci for reporting this issue.
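
The exp check described in the v1.12.3 and v1.11.3 security notes above, as an added Go illustration that is not SPIRE's own code: `validateJWTSVID`, `jwtClaims` and `encodeToken` are assumed names, the token is constructed inline, and signature verification against the trust bundle is assumed to have already happened before the claims are inspected.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Exp is a pointer so that an absent claim is distinguishable from exp == 0.
type jwtClaims struct {
	Exp *int64 `json:"exp"`
}

// validateJWTSVID applies the check the fix restores: a JWT-SVID without an exp
// claim is rejected outright, and one with exp is rejected once it has passed.
// No signature check is done here; bundle verification is assumed to precede it.
func validateJWTSVID(token string, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c jwtClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	if c.Exp == nil {
		return nil, fmt.Errorf("jwt-svid is missing the required exp claim")
	}
	if !now.Before(time.Unix(*c.Exp, 0)) {
		return nil, fmt.Errorf("jwt-svid expired at %s", time.Unix(*c.Exp, 0).UTC())
	}
	return &c, nil
}

// encodeToken builds an unsigned token from constructed claims; the signature segment is a placeholder.
func encodeToken(claims map[string]any) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder"
}

func main() {
	fmt.Println(validateJWTSVID(encodeToken(map[string]any{"sub": "spiffe://example.org/workload"}), time.Now()))
}
```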