From 7751bfb1796b4a8d56ac1ad975c97da0071f0db5 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 15 Nov 2024 17:25:29 +0000
Subject: NEWS: systemd-keyutil, --certificate-source, --certificate-provider

---
 NEWS | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index 9e9f729895..cf609e6e00 100644
--- a/NEWS
+++ b/NEWS
@@ -399,6 +399,15 @@ CHANGES WITH 257 in spe:
           be extended, and a --measure-base= switch to support measurement
           of multi-profile UKIs.
 
+        * ukify gained a --certificate-provider switch to use an OpenSSL
+          provider to load the certificate used to sign artifacts, instead of
+          having to provide the path to a file on disk.
+
+        * bootctl, systemd-keyutil, systemd-measure, systemd-repart, and
+          systemd-sbsign gained a new --certificate-source switch that allows
+          loading the X.509 certificate from an OpenSSL provider instead of a
+          file system path.
+
         * systemd-boot's menu will now react to volume up/down rocker presses
           the same way as to arrow up/down presses: they move the menu item up
           or down. This is useful on device form factors that have only a
@@ -437,6 +446,9 @@ CHANGES WITH 257 in spe:
           and providers, with pin caching support for PKCS11. ukify supports it
           as an alternative to sbsigntool and pesign.
 
+        * A new systemd-keyutil tool has been added, that can be used to perform
+          various operations on private keys and X.509 certificates.
+
         The journal:
 
         * journalctl can now list invocations of a unit with the
-- 
cgit v1.2.3