Added
- Support for customization of SVID and CA attributes through CredentialComposer plugins (3819, 3832, 3862, 3869)
- Experimental support to validate container images signatures through sigstore selectors (3159)
- Published scratch images now support ARM64 architecture (3607)
- Published scratch images are now signed using Sigstore (3707)
- `spire-server mint` and `spire-server token generate` CLI commands now support the `-output` flag (3800)
- `spire-agent api` CLI command now supports the `-output` flag (3818)
- Release images now include a non-root user and default folders (3811)
- Agent accepts bootstrap bundles in SPIFFE format (3753)
- Database index for registration entry hint column (3828)
Changed
- Plugins are configured and executed in the order they are defined (3797)
- Documentation improvements (3826, 3842, 3870)
Fixed
- Server crash when authorization layer was unable to talk to the datastore (3829)
- Timestamps in logs are now consistently in local time (3734)
Removed
- Non-scratch images are no longer published (3785)
- `k8s-workload-registar` is no longer released and maintained (3853)
- Unused database column `x509_svid_ttl` from `registered_entries` table (3808)
- The deprecated `enabled` flag from InMem telemetry config (3796)
- The deprecated `default_svid_ttl` configurable (3795)
- The deprecated `omit_x509svid_uid` configurable (3794)