Releases: ballerina-platform/ballerina-distribution
2201.9.2-rc1
Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.
Overview of Ballerina Swan Lake Update 9 (2201.9.2)
Swan Lake Update 9 (2201.9.2) is the second patch release of Ballerina 2201.9.0 (Swan Lake Update 9) and it includes a new set of bug fixes to the language server, runtime, library and developer tooling.
Update Ballerina
Run the command below to update your current Ballerina installation directly to 2201.9.2 by using the Ballerina Update Tool.
$ bal dist pull 2201.9.2
Install Ballerina
If you have not installed Ballerina, then, download the installers to install.
Language updates
Bug fixes
To view bug fixes, see the GitHub milestone for Swan Lake Update 9 (2201.9.2).
Runtime updates
Bug fixes
To view bug fixes, see the GitHub milestone for Swan Lake Update 9 (2201.9.2).
Ballerina library updates
Bug fixes
To view bug fixes, see the GitHub milestone for Swan Lake Update 9 (2201.9.2).
Developer tools updates
Improvements
Introduced the WSDL CLI-tool as an experimental feature which generates Ballerina types from a WSDL file. This tool can be accessed by pulling it from Ballerina Central and running it with an input WSDL file.
# To pull the tool from Ballerina Central
bal tool pull wsdl
# To use the tool to generate Ballerina types from a WSDL file:
bal wsdl -i <FILE_NAME> --operations <COMMA_SEPARATED_OPERATION_NAMES>
# -i <FILE_NAME>: Specifies the input WSDL file from which to generate Ballerina types.
# --operations <COMMA_SEPARATED_OPERATION_NAMES> (Optional):
# Lists specific operations to generate Ballerina types for.Bug fixes
To view bug fixes, see the GitHub milestone for Swan Lake Update 9 (2201.9.2) of the repositories below.
Ballerina packages updates
Improvements
Introduced an experimental build option to enable memory-efficient compilation of package dependencies. This can help prevent out-of-memory issues during the initial compilation with a clean central cache. Pass the flag to the bal command or specify the build option in the Ballerina.toml file to enable this experimental feature.
$ bal build --optimize-dependency-compilationSpecifying the build option in the Ballerina.toml file:
[build-options]
optimizeDependencyCompilation = true1.2.52
v1.2.52 [maven-release-plugin] copy for tag v1.2.52
2201.8.7
Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.
You can use one of the methods below to verify the above artifacts.
Verify using the Cosign CLI
Below is an example of using the Cosign CLI to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to verify the artifacts using the Cosign CLI.
-
Download the desired artifact from the table above.
-
Execute the command below to verify the artifacts.
$ cosign verify-blob ballerina-2201.8.7-swan-lake-macos-x64.pkg --certificate ballerina-2201.8.7-swan-lake-macos-x64.pkg.pem --signature ballerina-2201.8.7-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/2201.8.x --certificate-oidc-issuer=https://token.actions.githubusercontent.com
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
Verify using the Rekor API
The signatures applied on the Ballerina release artifacts are recorded in Rekor, which is a Sigstore Transparency Log. Below is an example of using the Rekor API to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature and the certificate chain.
-
Download the desired artifact from the table above.
-
Generate an SHA256 Hash for the artifact and store it in a variable.
$ SHASUM=$(shasum -a 256 ballerina-2201.8.7-swan-lake-macos-x64.pkg |awk '{print $1}') -
Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.
$ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}" -
Assign the UUID returned by the above API call to a variable as shown below.
Tip: Replace the
<UUID_VALUE>in the below exmaple with the UUID value you recieved$ UUID=<UUID_VALUE> -
Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.
$ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" -
Retrieve the signature and public certificate, which are required to verify the artifact.
-
Retrieve the signature:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .content' | base64 -d > ballerina-2201.8.7-swan-lake-macos-x64.pkg.sig -
Retrieve the certificate:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .publicKey .content' | base64 -d > ballerina-2201.8.7-swan-lake-macos-x64.pkg.crt
-
-
Extract the
public keyfrom thecertificatefile usingopenssl.$ openssl x509 -in ballerina-2201.8.7-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.8.7-swan-lake-macos-x64.pkg.pubkey.crt -
Verify the artifact using the public key.
$ openssl sha256 -verify ballerina-2201.8.7-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.8.7-swan-lake-macos-x64.pkg.sig ballerina-2201.8.7-swan-lake-macos-x64.pkg
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
2201.8.7-rc2
v2201.8.7-rc2 [Gradle Release Plugin] - creating tag: 'v2201.8.7-rc2'.
2201.8.7-rc1
v2201.8.7-rc1 [Gradle Release Plugin] - creating tag: 'v2201.8.7-rc1'.
2201.9.1
Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.
You can use one of the methods below to verify the above artifacts.
Verify using the Cosign CLI
Below is an example of using the Cosign CLI to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to verify the artifacts using the Cosign CLI.
-
Download the desired artifact from the table above.
-
Execute the command below to verify the artifacts.
$ cosign verify-blob ballerina-2201.9.1-swan-lake-macos-x64.pkg --certificate ballerina-2201.9.1-swan-lake-macos-x64.pkg.pem --signature ballerina-2201.9.1-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/2201.9.1-stage --certificate-oidc-issuer=https://token.actions.githubusercontent.com
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
Verify using the Rekor API
The signatures applied on the Ballerina release artifacts are recorded in Rekor, which is a Sigstore Transparency Log. Below is an example of using the Rekor API to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature and the certificate chain.
-
Download the desired artifact from the table above.
-
Generate an SHA256 Hash for the artifact and store it in a variable.
$ SHASUM=$(shasum -a 256 ballerina-2201.9.1-swan-lake-macos-x64.pkg |awk '{print $1}') -
Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.
$ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}" -
Assign the UUID returned by the above API call to a variable as shown below.
Tip: Replace the
<UUID_VALUE>in the below exmaple with the UUID value you recieved$ UUID=<UUID_VALUE> -
Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.
$ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" -
Retrieve the signature and public certificate, which are required to verify the artifact.
-
Retrieve the signature:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .content' | base64 -d > ballerina-2201.9.1-swan-lake-macos-x64.pkg.sig -
Retrieve the certificate:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .publicKey .content' | base64 -d > ballerina-2201.9.1-swan-lake-macos-x64.pkg.crt
-
-
Extract the
public keyfrom thecertificatefile usingopenssl.$ openssl x509 -in ballerina-2201.9.1-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.9.1-swan-lake-macos-x64.pkg.pubkey.crt -
Verify the artifact using the public key.
$ openssl sha256 -verify ballerina-2201.9.1-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.9.1-swan-lake-macos-x64.pkg.sig ballerina-2201.9.1-swan-lake-macos-x64.pkg
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
1.2.51
v1.2.51 [maven-release-plugin] copy for tag v1.2.51
2201.9.0
Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.
You can use one of the methods below to verify the above artifacts.
Verify using the Cosign CLI
Below is an example of using the Cosign CLI to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to verify the artifacts using the Cosign CLI.
-
Download the desired artifact from the table above.
-
Execute the command below to verify the artifacts.
$ cosign verify-blob ballerina-2201.9.0-swan-lake-macos-x64.pkg --certificate ballerina-2201.9.0-swan-lake-macos-x64.pkg.pem --signature ballerina-2201.9.0-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/2201.9.x --certificate-oidc-issuer=https://token.actions.githubusercontent.com
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
Verify using the Rekor API
The signatures applied on the Ballerina release artifacts are recorded in Rekor, which is a Sigstore Transparency Log. Below is an example of using the Rekor API to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature and the certificate chain.
-
Download the desired artifact from the table above.
-
Generate an SHA256 Hash for the artifact and store it in a variable.
$ SHASUM=$(shasum -a 256 ballerina-2201.9.0-swan-lake-macos-x64.pkg |awk '{print $1}') -
Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.
$ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}" -
Assign the UUID returned by the above API call to a variable as shown below.
Tip: Replace the
<UUID_VALUE>in the below exmaple with the UUID value you recieved$ UUID=<UUID_VALUE> -
Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.
$ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" -
Retrieve the signature and public certificate, which are required to verify the artifact.
-
Retrieve the signature:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .content' | base64 -d > ballerina-2201.9.0-swan-lake-macos-x64.pkg.sig -
Retrieve the certificate:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .publicKey .content' | base64 -d > ballerina-2201.9.0-swan-lake-macos-x64.pkg.crt
-
-
Extract the
public keyfrom thecertificatefile usingopenssl.$ openssl x509 -in ballerina-2201.9.0-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.9.0-swan-lake-macos-x64.pkg.pubkey.crt -
Verify the artifact using the public key.
$ openssl sha256 -verify ballerina-2201.9.0-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.9.0-swan-lake-macos-x64.pkg.sig ballerina-2201.9.0-swan-lake-macos-x64.pkg
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
2201.9.0-rc3
v2201.9.0-rc3 [Gradle Release Plugin] - creating tag: 'v2201.9.0-rc3'.
2201.9.0-rc2
v2201.9.0-rc2 [Gradle Release Plugin] - creating tag: 'v2201.9.0-rc2'.