* Version 1.5.0 "Belt and Braces" (2026.05.24)

Six weeks after Lazarus, gnoMint 1.5.0 closes the running-a-CA-over-
years loop (warning → filter → renew → diff) and finishes pulling the
gnomint-cli interface to parity with the GUI. Every state-mutating
command in ca_commands[] now has shell-test coverage; the test suite
went from 5 suites to 14, all green.

- FEATURE: ECDSA and Ed25519 key support (#49). New ECDSA generator
  selects between NIST P-256, P-384 and P-521 from key_bitlength;
  new Ed25519 generator ignores key length (fixed by the curve).
  Both algorithms are available from the New-CA wizard, the New-CSR
  wizard, and gnomint-cli's addca/addcsr prompts.

- FEATURE: Algorithm-aware key-size selector. The bit-length input
  in the New-CA and New-CSR wizards swaps to match the chosen
  algorithm: spinbutton for RSA/DSA, P-256/P-384/P-521 dropdown for
  ECDSA, hidden entirely for Ed25519 (curve size is fixed). The CLI
  prompts do the same.

- FEATURE: Certificate renewal (#50). Right-click → "Renew with
  fresh key" reissues a certificate with the same subject and SAN,
  signed by the same CA, with a freshly-generated keypair. The old
  cert stays in the database — standard "issue new, deploy, revoke
  old" pattern. CLI verb: renewcert <cert-id>.

- FEATURE: Search / filter box (#53). A GtkSearchEntry above the
  tree view filters certificates and CSRs as you type, matching on
  subject or serial substring (case-insensitive). Ctrl+F focuses
  the entry. CAs are always shown so the tree path to each match
  stays visible. CLI verb: search <pattern>.

- FEATURE: Side-by-side certificate diff (#55). Right-click a cert →
  "Compare with PEM file…" opens a 3-column dialog (field, left,
  right) showing every X.509 property; differing rows are
  highlighted in amber. CLI verb: diff <cert-id-or-path>
  <cert-id-or-path> (either argument can be a DB id or a path to a
  PEM file).

- FEATURE: Startup expiry banner (#56). Opening a database surfaces
  a GtkInfoBar above the tree counting any certificates whose
  effective expiration is inside the warning window (default 30
  days, configurable via expire-warning-days). The banner's "Show
  them" action filters the tree to only the expiring rows; closing
  the banner restores the full view. gnomint-cli prints the same
  notice on stderr at startup.

- FEATURE: Editable SAN list when signing a CSR (#40). The sign-CSR
  dialog now embeds the full SAN manager widget, pre-populated from
  the CSR's request. A CA operator can add, remove, or override SAN
  entries before signing — restoring the authority a CA is supposed
  to have.

- FEATURE: GitHub Pages site under docs/. A new Jekyll site (landing
  page, features overview, install guide, task-oriented user manual,
  tutorial, release history) lives in the docs/ tree and is served
  from https://davefx.github.io/gnoMint/ once Pages is enabled in
  repo settings. The same content is browsable offline as Markdown.

- FEATURE: Full user manual (#57). docs/manual.md covers every
  workflow: quick start, concepts, bootstrapping a CA, issuing
  certificates, wizards, importing CSRs, renewing/revoking/CRLs,
  exporting, bulk operations, search/filter, comparing certificates,
  expiry warnings, importing OpenSSL CA layouts, the CLI, and a
  troubleshooting section.

- FEATURE: CLI parity pass. gnomint-cli gained renewcert, exportchain,
  revokemany, deletemany, search, diff, and the per-algorithm prompt
  flow. Every GUI menu entry now has a matching CLI verb. The CLI
  also prints the expiry-window notice on database open.

- FEATURE: Comprehensive CLI test coverage. Every state-mutating
  command in ca_commands[] is now tested by at least one shell or
  python-pty script. New test files: check_cli_info.sh,
  check_cli_lifecycle.sh, check_cli_keys.sh, check_cli_banner.sh,
  check_cli_import.sh, check_cli_importdir.sh, check_cli_dhgen.sh,
  check_cli_passphrase.py. The pty-driven script in particular
  exercises extractcertpkey, extractcsrpkey, and changepassword
  end-to-end — the commands that read passphrases via getpass().

- BUGFIX: ECDSA prompt no longer aborts. addca and addcsr pre-set
  key_bitlength to 2048 before the algorithm prompt, then the ECDSA
  branch called dialog_ask_for_number(min=256, max=521, default=2048)
  and tripped an assertion. The default is now clamped to a valid
  curve size before the prompt fires.

- BUGFIX: gnomint-cli importfile no longer segfaults. The shared
  import path called dialog_refresh_list() on success;
  dialog_refresh_list() dereferenced a NULL function pointer because
  the CLI never registers a refresh callback (the GUI does).
  Added a null check.

- BUGFIX: Copyright bumped from 2006-2016 to 2006-2026 and dead
  sourceforge URLs replaced with GitHub repo links throughout. The
  legacy gnomint.sourceforge.net site is gone; its content has been
  archived into docs/.

- POLISH: GTK 3 screenshots throughout the docs site, captured live
  from the build (main window with a sample CA hierarchy, all four
  key-algorithm wizard states, the new-CA / new-CSR / export / import
  / preferences dialogs).

This release is database-compatible with 1.4.0 — no migration step
needed.


* Version 1.4.0 "Lazarus" (2026.05.19)

After a decade-long hiatus since 1.3.0, gnoMint returns. This
release accumulates ten years of patches from the Debian downstream
community, modernizes the build for current toolchains, and adds a
test suite to keep regressions out of the next release.

- FEATURE: Subject Alternative Name (SAN) support throughout the
  workflow: a SAN editor when creating a CA or CSR, SAN display in
  certificate and CSR property dialogs, and proper parsing of SANs
  from existing certificates.

- FEATURE: Year 2038 (Y2K38) safe handling of certificate dates. The
  build now forces 64-bit time_t even on 32-bit systems, so
  certificates with validity periods decades past 2038 work
  correctly.

- FEATURE: XDG Base Directory Specification compliance. The default
  database lives under $XDG_DATA_HOME/gnomint/ instead of
  ~/.gnomint/. Existing databases at the old location are migrated
  automatically on first run.

- FEATURE: AppData file for software-center integration, and
  improved gnomint.desktop entry (Exec=gnomint %f so .gnomint files
  open from file managers).

- FEATURE: New test suite runnable via "make check". Includes a
  static .ui consistency checker (catches GtkBuilder layout files
  that fail to load, GtkGrid cell collisions, and orphan signal
  handlers) plus a runtime workflow regression test that exercises
  GUI callbacks under a headless Wayland compositor.

- FEATURE: Devcontainer configuration for VS Code Dev Containers
  with all build dependencies pre-installed, plus a GitHub Actions
  workflow for build verification.

- FIX: Crash when exporting a certificate's private key on 64-bit
  systems, caused by passing a gint pointer to gtk_tree_model_get
  for a G_TYPE_UINT64 column.

- FIX: Segmentation fault when right-clicking a CA certificate in
  the tree view.

- FIX: Latent layout collision in the certificate properties dialog
  where the "Validity" header overlapped the issuer's OU row.

- FIX: CSR field inheritance now correctly respects CA policy using
  an integer check rather than a string comparison.

- FIX: Memory leak in ca_file_insert_cert_in_db.

- FIX: Various uninitialized-variable warnings cleaned up.

- FIX: User-facing spelling errors corrected ("Emmited" -> "Emitted",
  "appropiate" -> "appropriate", and others).

- FIX: Build system now respects external CFLAGS instead of
  hardcoding -Wall, and configure.ac no longer references a
  non-existent m4/Makefile that caused autoreconf failures.

- FIX: All GtkBuilder .ui files ported to the GTK 3 widget set
  (GtkVBox/HBox/Table/Alignment/HButtonBox -> GtkBox/Grid/ButtonBox).
  Forward-port from the Debian community gtk3-port.patch.

- I18N: New Italian translation. POT template regenerated (456 ->
  617 msgids); all 12 existing translation files updated.


* Version 1.3.0 "Sha Sha dance" (2016.03.15)

- FEATURE: New certificates are now signed with SHA512 by default,
  upgraded from SHA1.

- FEATURE: SHA256 support, including SHA256 fingerprint display in
  the certificate properties dialog.

- FIX: Bug #2931708 — invalid DSA key lengths can no longer be
  entered when creating a CA or CSR.

- FIX: "make dist" works correctly again.

- FIX: Compilation on Ubuntu 15.04 and other modern toolchains.

- BUILD: -Werror removed; deprecated GnuTLS functions cleaned up;
  autotools and .gitignore tidied.

- I18N: Spanish translation completed.


* Version 1.2.1 "All you need is a giant pacifier" (2010.08.11)

- FIX: Crash when revoking a CA certificate if revoked certificates
  were hidden in the tree view.

- FIX: Use-after-free in ca-cli-callbacks.c (RedHat Bugzilla #584069).

- FEATURE: Distinct warning message when revoking a CA certificate
  versus a leaf certificate.

- I18N: New Occitan (oc) translation; all translations updated.


* Version 1.2.0 (2010.08.10)

- FEATURE: Microsoft Windows support, by Jaroslav Imrich.

- FEATURE: CRL distribution points can be configured per-CA and
  embedded in issued certificates.

- FIX: Bug #3006946 — CA policies could no longer be established.

- FIX: Export-from-menu action.

- I18N: New Slovak translation, by Jaroslav Imrich.


* Version 1.1.0 (2009.11.08)

- FEATURE: Hierarchical tree built using node routes instead of
  subject-name matching, so CAs with identical common names work
  correctly.

- FIX: Bug #2890061 — gnomint-cli showpolicy failed with "invalid
  ca-id".

- BUILD: libgcrypt is now explicitly checked in configure
  (Debian bug #554669).

- I18N: Translations updated; gettext comments preserved.


* Version 1.0.0 (2009.06.05)

- FEATURE: When creating a certificate whose expiration date is past
  the CA's, gnoMint clamps the expiration to the CA's and shows an
  informational message.

- FEATURE: New dialog_info helper for informational messages.

- BUILD: Compiles cleanly with GnuTLS 2.8.0.

- FIX: gnomint-cli's crlgen subcommand was missing from the CLI
  dispatch table.

- I18N: New Russian and Finnish translations.


* Version 0.9.9 (2009.04.18)

- FEATURE: Functional toolbar with proper action sensitivity
  (Extract private key correctly disables when there's no selection,
  etc.).

- FEATURE: New password-ciphering scheme with a unique initialisation
  vector and counter per encrypted key, replacing the previous
  scheme that reused both.

- FIX: Encrypted private key exports produced incorrect output.

- FIX: Attempting to export a CSR as PKCS#12 is no longer possible
  (PKCS#12 is certificate-only).

- FIX: Extracting a CSR's private key was returning the certificate's
  key instead.

- FIX: While importing a CA certificate, the grand-children's
  parent-route is correctly updated alongside the children's.

- FIX: uint160_write is now platform-independent.

- FIX: When the database is password-unprotected, the password entry
  is reset and the old password property is deleted.

- FIX: PKCS#12 export works against password-less databases.

- BUILD: libgnomeui dependency removed.

- I18N: Translations updated.


* Version 0.9.1 (2008.12.18)

- FIX: Missing include that prevented compilation on OpenSUSE.


* Version 0.9.0 (2008.12.16)

- FEATURE: New gnomint-cli command-line interface using readline,
  with commands addca, addcsr, delete, crlgen, dhgen,
  changepassword, and informational commands.


* Version 0.6.0 (2008.12.01)

- FEATURE: OpenSSL CA import — full CA hierarchies with certificates,
  private keys, and last-serial state can be imported from an
  on-disk OpenSSL CA directory.

- FEATURE: PKCS#12 import and export.

- FEATURE: PKCS#8 import.

- FEATURE: PKCS#7 import (untested at release time — no PKCS#7 file
  found in the wild yet).

- FEATURE: --enable-debug configure option for building with -g -O0.

- FIX: Buffer overrun in uint160_read_escaped.

- FIX: Architecture-dependent value saved in the database (now
  serialised portably).

- FIX: Serial-number display from imported certificates.

- I18N: New German and Italian translations.


* Version 0.5.4 (2008.10.02)

- FEATURE: Certificate import: single files and entire OpenSSL CA
  directories, including hierarchies.

- FEATURE: CSR import, including the corresponding private key.

- FEATURE: CRL import.

- FEATURE: Full hierarchical view of CAs and their issued
  certificates and CSRs.

- FEATURE: Subject fields inherited from the parent CA when
  creating a CSR; the CA used to generate a CSR is remembered as
  the default when signing it later.

- FEATURE: 20-byte (160-bit) certificate serial numbers, with a new
  uint160 type for portable handling.

- FEATURE: Database password protection covering all private keys
  in the database.

- FEATURE: Dependencies between certificate uses (key usage) and
  certificate purposes (extended key usage).

- FEATURE: RFC 5280-compliant Authority Key Identifier and Subject
  Key Identifier extensions, including reuse of an existing AKI
  when the signing CA has one.

- FEATURE: gconf-backed preferences (window size, view options,
  optional export of new certificates to gnome-keyring-manager).

- FEATURE: Recent-files menu.

- FEATURE: Pop-up context menus for certificates and CSRs.

- FEATURE: Diffie-Hellman parameter generation.

- FIX: Several segmentation faults (during CRL generation; when
  CSR/CA fields are NULL; when sorting more than 10 certificates).

- FIX: Race condition assigning serial numbers when multiple CAs
  share a database.

- FIX: Bug #2100270 — CRLs can now be generated for every CA in
  a hierarchy.

- FIX: DSA-keyed CSR generation.

- FIX: i18n setup for languages other than Spanish (patch from
  Staněk Luboš).

- FIX: Permissions on newly-created database files (now 0600).

- I18N: New French translation (Ahmed Baizid); new Czech
  translation (Staněk Luboš); new Swedish translation.


* Version 0.3.2 (2007.11.03)

- FIX: Fixed database upgrading from version 3 (gnoMint 0.1.5 or
  lower).

* Version 0.3.1 (2007.11.01)

- FEATURE: PKCS#12 structures can now be exported, so certificates
  created in gnoMint can be easily imported into other programs such
  as web browsers or mail clients.

- FEATURE: gnoMint is able to revoke certificates and generate the
  corresponding Certificate Revocation Lists (CRLs).

- FEATURE: The gnoMint license has changed to GNU GPLv3.

- FIX: Fixed many compilation errors on the x86-64 architecture.

- FIX: Fixed the internal serial number in created certificates.


* Version 0.1.5 (2007.05.15)

- FEATURE: gnoMint can import the public part of Certificate Signing
  Requests made by other applications, as long as they are in PEM or
  DER format. This way, gnoMint is now able to make certificates for
  remote people or systems that can create their CSRs with other
  instances of gnoMint or other software.

- FEATURE: gnoMint DB format version 3. This version of database
  format ensures that there won't be two or more CSRs in the database
  with the same Distinguished Name (DN).

- FIX: Now the private key of CSRs can be exported without errors.

- FIX: A newly created CA has a default policy, so it is able to
  create useful certificates without changing its default properties.

- FIX: Some UI bugs are corrected: some label alignments now look OK,
  and the progress bar again moves while creating certificates or
  CSRs.

* Version 0.1.4 (2007.05.14)

- FEATURE: Policies can be defined for each Certification Authority
  in the database, so that all new certificates signed by the CA have
  common properties (uses, purposes and validity time).

- FEATURE: SQLite3 is now required, for proper UTF-8 support. Because
  of this change, all pre-0.1.4 databases must be converted to a new
  format. A conversion script is included in the package.


* Version 0.1.3 (2006.11.10)

- FEATURE: Unencrypted private keys can be exported (useful for
  unattended SSL/TLS servers).

- FEATURE: A minimum length (8 characters) is required for the
  private-key export passphrase (so OpenSSL can import these keys).

- FIX: Private-key export now checks that the passphrase and its
  confirmation are the same.

- FIX: The focus is grabbed correctly when asking for passphrase, so
  no mouse action is needed.

* Version 0.1.2 (2006.10.15)

- FIX: version 0.1.1 couldn't save the certification authority
  database if the new file and /tmp were in different partitions.

* Version 0.1.1 (2006.09.17)

- FIX: version 0.1.0 couldn't be compiled on 64-bit architectures
  due to a type-conversion error.

* Version 0.1.0 (2006.09.15)

- Initial version
