Changelog

Version history and release notes for the epack CLI and specification.

v0.1.29 March 2025 (Latest)

Profile and overlay support, multiple collector artifacts, and new top-level commands.

Profiles & Overlays

  • Added profiles and overlays configuration sections in epack.yaml
  • Support for registry-sourced profiles with version locking
  • Profile/overlay digests tracked in manifest for reproducibility

Collector SDK

  • Breaking: Emit() now accepts []CollectedArtifact for multiple artifacts per collection
  • New CollectedArtifact struct with Schema and Path metadata
  • Collectors can emit multiple artifacts in a single call

New Commands

  • epack catalog search — unified search across collectors, tools, remotes, and utilities
  • epack catalog refresh — update local catalog cache
  • epack utility install/list/remove — manage global utilities

Remote Protocol

  • Added runs.sync and auth.whoami feature capabilities
  • Consistent sync behavior across collector, tool, and remote adapters

Bug Fixes

  • Fixed offline verification mode to properly use embedded timestamps
  • Fixed JSON output returning null instead of [] for empty arrays

v0.1.27 March 2025

Verification improvements and remote protocol enhancements.

Verification

  • Improved error messages for attestation verification failures
  • Added support for sigstore-js provenance bundles

Remote Protocol

  • Added sidecar push support for parallel attestation uploads
  • Improved push workflow reliability

v0.1.24 February 2025

Initial public release of the Evidence Pack specification and epack CLI.

Specification

  • Evidence Pack format specification v1.0
  • Manifest schema with SHA-256 digests for all artifacts
  • Sigstore attestation bundle format
  • Pack digest and manifest digest algorithms

CLI (epack-core)

  • build — create packs from artifacts
  • sign — keyless signing via Sigstore
  • verify — integrity and signature verification
  • inspect — view pack contents and metadata
  • diff — compare two packs
  • merge — combine multiple packs
  • list — list artifacts in a pack
  • extract — extract artifacts from a pack

CLI (Full)

  • new — scaffold a new epack project
  • init — initialize epack in existing directory
  • collect — run collectors and build pack
  • push / pull — remote registry operations
  • lock / sync / install / update — dependency management
  • collector / tool — plugin management

Go SDK

  • pack — core pack types and operations
  • pack/builder — fluent API for building packs
  • pack/verify — verification with policy options
  • sign — Sigstore signing integration

Stay Updated

Watch the repository for new releases and subscribe to release notifications.

Versioning Policy

epack follows Semantic Versioning:

  • Major versions (1.0, 2.0) may include breaking changes to the specification or CLI
  • Minor versions (0.2, 0.3) add new features in a backwards-compatible manner
  • Patch versions (0.1.1, 0.1.2) include backwards-compatible bug fixes

Specification vs CLI versions

The Evidence Pack specification version is independent of the CLI version. The specification is versioned in the manifest ("spec_version": "1.0") and changes less frequently than the CLI.

Backwards compatibility

The CLI will always be able to read packs created by older versions. New features that require pack format changes will use new specification versions, and the CLI will indicate when a pack requires a newer version.