Release 2.5.0

`webauthn-server-core`:

Breaking changes to experimental features:

- Added Jackson annotation `@JsonProperty` to method
  `RegisteredCredential.isBackedUp()`, changing the property name from
  `backedUp` to `backupState`. `backedUp` is still accepted during
  deserialization but will no longer be emitted during serialization.

New features:

- Added method `.isUserVerified()` to `RegistrationResult` and `AssertionResult`
  as a shortcut for accessing the UV flag in authenticator data.
- Updated README and JavaDoc to use the "passkey" term and provide more guidance
  around passkey use cases.
- Added `Automatic-Module-Name` to jar manifest.

Fixes:

- `AuthenticatorAttestationResponse` now tolerates and ignores properties
  `"publicKey"` and `"publicKeyAlgorithm"` during JSON deserialization. These
  properties are emitted by the `PublicKeyCredential.toJSON()` method added in
  WebAuthn Level 3.
- Relaxed Guava dependency version constraint to include major version 32.
- `RelyingParty.finishAssertion` now behaves the same if
  `StartAssertionOptions.allowCredentials` is explicitly set to a present, empty
  list as when absent.

`webauthn-server-attestation`:

New features:

- Added option `verifyDownloadsOnly(boolean)` to `FidoMetadataDownloader`. When
  set to `true`, the BLOB signature will not be verified when loading a BLOB
  from cache or when explicitly given. Default setting is `false`, which
  preserves the previous behaviour.
- Added `Automatic-Module-Name` to jar manifest.

Fixes:

- Made Jackson setting `PROPAGATE_TRANSIENT_MARKER` unnecessary for JSON
  serialization with Jackson version 2.15.0-rc1 and later.

.github/workflows/build.yml

@@ -44,9 +44,6 @@ jobs:
     - name: Compile libraries and tests
       run: ./gradlew clean testClasses
 
-    - name: Build archives
-      run: ./gradlew assemble
-
     - name: Set up JDK ${{ matrix.java }}
       uses: actions/setup-java@v3
       with:
@@ -56,6 +53,19 @@ jobs:
     - name: Run tests against JDK17-compiled code
       run: ./gradlew test --exclude-task compileJava
 
+    - name: Archive HTML test report on failure
+      if: ${{ failure() }}
+      uses: actions/upload-artifact@v3
+      with:
+        name: test-reports-java17-java${{ matrix.java }}-${{ matrix.distribution }}-html
+        path: "*/build/reports/**"
+
+    - name: Build and test with JDK ${{ matrix.java }}
+      run: ./gradlew clean test
+
+    - name: Build archives
+      run: ./gradlew assemble
+
     - name: Archive HTML test report
       if: ${{ always() }}
       uses: actions/upload-artifact@v3
@@ -71,6 +81,7 @@ jobs:
         path: "*/build/test-results/**/*.xml"
 
     - name: Check binary reproducibility
+      if: ${{ matrix.java != 8 }}  # JDK 8 does not produce reproducible binaries
       run: |
         ./gradlew clean primaryPublishJar
         find . -name '*.jar' | xargs sha256sum | tee checksums.sha256sum

.github/workflows/release-verify-signatures.yml

@@ -39,7 +39,7 @@ jobs:
 
     strategy:
       matrix:
-        java: [17]
+        java: ["17.0.7"]
         distribution: [temurin, zulu, microsoft]
 
     steps:

NEWS

@@ -1,3 +1,50 @@
+== Version 2.5.0 ==
+
+`webauthn-server-core`:
+
+Breaking changes to experimental features:
+
+* Added Jackson annotation `@JsonProperty` to method
+  `RegisteredCredential.isBackedUp()`, changing the property name from
+  `backedUp` to `backupState`. `backedUp` is still accepted during
+  deserialization but will no longer be emitted during serialization.
+
+New features:
+
+* Added method `.isUserVerified()` to `RegistrationResult` and `AssertionResult`
+  as a shortcut for accessing the UV flag in authenticator data.
+* Updated README and JavaDoc to use the "passkey" term and provide more guidance
+  around passkey use cases.
+* Added `Automatic-Module-Name` to jar manifest.
+
+Fixes:
+
+* `AuthenticatorAttestationResponse` now tolerates and ignores properties
+  `"publicKey"` and `"publicKeyAlgorithm"` during JSON deserialization. These
+  properties are emitted by the `PublicKeyCredential.toJSON()` method added in
+  WebAuthn Level 3.
+* Relaxed Guava dependency version constraint to include major version 32.
+* `RelyingParty.finishAssertion` now behaves the same if
+  `StartAssertionOptions.allowCredentials` is explicitly set to a present, empty
+  list as when absent.
+
+
+`webauthn-server-attestation`:
+
+New features:
+
+* Added option `verifyDownloadsOnly(boolean)` to `FidoMetadataDownloader`. When
+  set to `true`, the BLOB signature will not be verified when loading a BLOB
+  from cache or when explicitly given. Default setting is `false`, which
+  preserves the previous behaviour.
+* Added `Automatic-Module-Name` to jar manifest.
+
+Fixes:
+
+* Made Jackson setting `PROPAGATE_TRANSIENT_MARKER` unnecessary for JSON
+  serialization with Jackson version 2.15.0-rc1 and later.
+
+
 == Version 2.4.1 ==
 
 Changes:

build.gradle

@@ -4,11 +4,14 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
+
+    if (project.findProperty('yubicoPublish') == 'true') {
+      classpath 'io.github.gradle-nexus:publish-plugin:1.3.0'
+    }
   }
 }
 plugins {
   id 'java-platform'
-  id 'io.github.gradle-nexus.publish-plugin' version '1.3.0'
 
   // The root project has no sources, but the dependency platform also needs to be published as an artifact
   // See https://docs.gradle.org/current/userguide/java_platform_plugin.html
@@ -21,10 +24,7 @@ import com.yubico.gradle.GitUtils
 rootProject.description = "Metadata root for the com.yubico:webauthn-server-* module family"
 
 project.ext.isCiBuild = System.env.CI == 'true'
-
-project.ext.publishEnabled = !isCiBuild &&
-  project.hasProperty('yubicoPublish') && project.yubicoPublish &&
-  project.hasProperty('ossrhUsername') && project.hasProperty('ossrhPassword')
+project.ext.publishEnabled = !isCiBuild && project.findProperty('yubicoPublish') == 'true'
 
 wrapper {
   gradleVersion = '8.1.1'
@@ -65,6 +65,8 @@ allprojects {
 }
 
 if (publishEnabled) {
+  apply plugin: 'io.github.gradle-nexus.publish-plugin'
+
   nexusPublishing {
     repositories {
       sonatype {

buildSrc/build.gradle.kts

@@ -10,8 +10,12 @@ repositories {
 }
 
 dependencies {
-  implementation("com.diffplug.spotless:spotless-plugin-gradle:6.13.0")
   implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.9.11")
   implementation("io.franzbecker:gradle-lombok:5.0.0")
-  implementation("io.github.cosmicsilence:gradle-scalafix:0.1.14")
+
+  // Spotless dropped Java 8 support in version 2.33.0
+  if (JavaVersion.current().isJava11Compatible) {
+    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.19.0")
+    implementation("io.github.cosmicsilence:gradle-scalafix:0.1.14")
+  }
 }

buildSrc/src/main/groovy/project-convention-code-formatting-internal.gradle

@@ -0,0 +1,33 @@
+project.apply(plugin: "com.diffplug.spotless")
+project.apply(plugin: "io.github.cosmicsilence.scalafix")
+
+spotless {
+    java {
+        googleJavaFormat()
+    }
+    scala {
+        scalafmt("2.6.3").configFile(project.rootProject.file("scalafmt.conf"))
+    }
+}
+
+scalafix {
+    configFile.set(project.rootProject.file("scalafix.conf"))
+
+    // Work around dependency resolution issues in April 2022
+    semanticdb.autoConfigure.set(true)
+    semanticdb.version.set("4.5.5")
+}
+
+project.dependencies.scalafix("com.github.liancheng:organize-imports_2.13:0.6.0")
+
+
+project.afterEvaluate {
+    // These need to be in afterEvaluate due to this plugin
+    // being conditionally applied for Java 11+ only
+    project.tasks.spotlessApply.configure { dependsOn(project.tasks.scalafix) }
+    project.tasks.spotlessCheck.configure { dependsOn(project.tasks.checkScalafix) }
+
+    // Scalafix adds tasks in afterEvaluate, so their configuration must be deferred
+    project.tasks.scalafix.finalizedBy(project.tasks.spotlessApply)
+    project.tasks.checkScalafix.finalizedBy(project.tasks.spotlessCheck)
+}

buildSrc/src/main/groovy/project-convention-publish.gradle

@@ -49,8 +49,10 @@ project.afterEvaluate {
         }
     }
 
-    signing {
-        useGpgCmd()
-        sign(publishing.publications.jars)
+    if (project.findProperty("yubicoPublish") == "true") {
+        signing {
+            useGpgCmd()
+            sign(publishing.publications.jars)
+        }
     }
 }

buildSrc/src/main/kotlin/project-convention-code-formatting.gradle.kts

@@ -1,32 +1,4 @@
-plugins {
-    id("com.diffplug.spotless")
-    id("io.github.cosmicsilence.scalafix")
-}
-
-spotless {
-    java {
-        googleJavaFormat()
-    }
-    scala {
-        scalafmt("2.6.3").configFile(project.rootProject.file("scalafmt.conf"))
-    }
-}
-
-scalafix {
-    configFile.set(project.rootProject.file("scalafix.conf"))
-
-    // Work around dependency resolution issues in April 2022
-    semanticdb.autoConfigure.set(true)
-    semanticdb.version.set("4.5.5")
-}
-
-project.dependencies.scalafix("com.github.liancheng:organize-imports_2.13:0.6.0")
-
-project.tasks.spotlessApply.configure { dependsOn(project.tasks["scalafix"]) }
-project.tasks.spotlessCheck.configure { dependsOn(project.tasks["checkScalafix"]) }
-
-// Scalafix adds tasks in afterEvaluate, so their configuration must be deferred
-project.afterEvaluate {
-    project.tasks["scalafix"].finalizedBy(project.tasks.spotlessApply)
-    project.tasks["checkScalafix"].finalizedBy(project.tasks.spotlessCheck)
+// Spotless dropped Java 8 support in version 2.33.0
+if (JavaVersion.current().isJava11Compatible) {
+    apply(plugin = "project-convention-code-formatting-internal")
 }

buildSrc/src/main/kotlin/project-convention-java.gradle.kts

@@ -2,22 +2,15 @@ plugins {
     java
 }
 
-java {
-    toolchain {
-        // Java 8 binaries are not reproducible
-        languageVersion.set(JavaLanguageVersion.of(11))
-    }
-}
-
 tasks.withType(JavaCompile::class) {
     options.compilerArgs.add("-Xlint:deprecation")
     options.compilerArgs.add("-Xlint:unchecked")
     options.encoding = "UTF-8"
-    options.release.set(8)
-}
 
-tasks.withType(Test::class) {
-    javaLauncher.set(javaToolchains.launcherFor {
-        languageVersion.set(JavaLanguageVersion.of(8))
-    })
+    if (JavaVersion.current().isJava9Compatible) {
+        options.release.set(8)
+    } else {
+        targetCompatibility = "1.8"
+        sourceCompatibility = "1.8"
+    }
 }

buildSrc/src/main/kotlin/project-convention-scala.gradle.kts

@@ -8,7 +8,4 @@ tasks.withType(ScalaCompile::class) {
     // See: https://github.com/gradle/gradle/pull/23198
     // See: https://github.com/gradle/gradle/pull/23751
     scalaCompileOptions.additionalParameters = mutableListOf("-Wunused")
-    javaLauncher.set(javaToolchains.launcherFor {
-        languageVersion.set(JavaLanguageVersion.of(8))
-    })
 }

doc/development.md

@@ -2,6 +2,20 @@ Developer docs
 ===
 
 
+Setup for publishing
+---
+
+To enable publishing to Maven Central via Sonatype Nexus, set
+`yubicoPublish=true` in `$HOME/.gradle/gradle.properties` and add your Sonatype
+username and password. Example:
+
+```properties
+yubicoPublish=true
+ossrhUsername=8pnmjKQP
+ossrhPassword=bmjuyWSIik8P3Nq/ZM2G0Xs0sHEKBg+4q4zTZ8JDDRCr
+```
+
+
 Code formatting
 ---