Yubico
diff --git a/‎.github/actions/pit-results-comment/action.yml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/pit-results-comment/action.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/pit-results-comment/stats-to-comment.sh
Lines changed: 8 additions & 1 deletion b/‎.github/actions/pit-results-comment/stats-to-comment.sh
Lines changed: 8 additions & 1 deletion
diff --git a/‎NEWS
Lines changed: 43 additions & 0 deletions b/‎NEWS
Lines changed: 43 additions & 0 deletions
diff --git a/‎README
Lines changed: 42 additions & 42 deletions b/‎README
Lines changed: 42 additions & 42 deletions
diff --git a/‎build.gradle
Lines changed: 3 additions & 1 deletion b/‎build.gradle
Lines changed: 3 additions & 1 deletion
diff --git a/‎doc/Migrating_from_v1.adoc
Lines changed: 27 additions & 5 deletions b/‎doc/Migrating_from_v1.adoc
Lines changed: 27 additions & 5 deletions
diff --git a/‎doc/releasing.md
Lines changed: 2 additions & 2 deletions b/‎doc/releasing.md
Lines changed: 2 additions & 2 deletions
@@ -49,7 +49,7 @@ runs:
           cp "${NEW_STATS_FILE}" "${PREV_STATS_FILE}"
         fi
 
-        ./.github/actions/pit-results-comment/stats-to-comment.sh "${PREV_STATS_FILE}" "${NEW_STATS_FILE}" "${{ inputs.prev-commit }}" > "${RESULTS_COMMENT_FILE}"
+        ./.github/actions/pit-results-comment/stats-to-comment.sh "${PREV_STATS_FILE}" "${NEW_STATS_FILE}" "${{ inputs.prev-commit }}" "${{ github.sha }}" > "${RESULTS_COMMENT_FILE}"
 
         curl -X POST \
            -H "Authorization: Bearer ${{ inputs.token }}" \
 
@@ -63,10 +63,17 @@ EOF
     "${1}" "${2}" --raw-output
 
   if [[ -n "${3}" ]]; then
-    cat << EOF
+    if [[ -n "${4}" ]]; then
+      cat << EOF
+
+Previous run: ${3} - [Diff](/${GITHUB_REPOSITORY}/compare/${3}...${4})
+EOF
+    else
+      cat << EOF
 
 Previous run: ${3}
 EOF
+    fi
 
     cat << EOF
 
 
@@ -1,3 +1,46 @@
+== Version 2.4.0 ==
+
+`webauthn-server-core`:
+
+New features:
+
+* Added support for RS384 and RS512 signature algorithms.
+ ** Thanks to GitHub user JohnnyJayJay for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/235
+* Added `userHandle` field to `AssertionRequest` as part of the second bug fix
+  below. `userHandle` is mutually exclusive with `username`. This was originally
+  released in pre-release `1.12.3-RC3`, but was accidentally left out of the
+  `1.12.3` release.
+
+Fixes:
+
+* During `RelyingParty.finishRegistration()` if an `attestationTrustSource` is
+  configured, if the `aaguid` in the authenticator data is zero, the call to
+  `AttestationTrustSource.findTrustRoots` will fall back to reading the AAGUID
+  from the attestation certificate if possible.
+* Fixed bug in `RelyingParty.finishAssertion` where if
+  `StartAssertionOptions.userHandle` was set, it did not propagate to
+  `RelyingParty.finishAssertion` and caused an error saying username and user
+  handle are both absent unless a user handle was returned by the authenticator.
+  This was originally released in pre-release `1.12.3-RC3`, but was accidentally
+  left out of the `1.12.3` release.
+* Fixed regression in
+  `PublicKeyCredentialCreationOptions.toCredentialsCreateJson()`, which has not
+  been emitting a `requireResidentKey` member since version `2.0.0`. This meant
+  the JSON output was not backwards compatible with browsers that only support
+  the Level 1 version of the WebAuthn spec.
+
+
+`webauthn-server-attestation`:
+
+Fixes:
+
+* `findEntries` and `findTrustRoots` methods in `FidoMetadataService` now
+  attempt to read AAGUID from the attestation certificate if the `aaguid`
+  argument is absent or zero.
+* Method `FidoMetadataService.Filters.allOf` now has `@SafeVarargs` annotation.
+
+
 == Version 2.3.0 ==
 
 New features:
 
@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.12.1'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.13.0'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'
   }
 }
@@ -144,6 +144,8 @@ subprojects { project ->
   }
 
   tasks.withType(JavaCompile) {
+    options.compilerArgs += '-Xlint:unchecked'
+    options.deprecation = true
     options.encoding = 'UTF-8'
   }
   tasks.withType(ScalaCompile) {
 
@@ -26,10 +26,12 @@ Here is a high-level outline of what needs to be updated:
 - Update `getUserVerification()` and `getResidentKey()` calls
   to expect `Optional` values.
 
-This migration guide is written for version `2.0.0` of the
+Although the next section references version `2.4.0-RC2` for reasons detailed there,
+this migration guide is written for version `2.0.0` of the
 `webauthn-server-core` module. Later `2.x` versions may introduce new features
-but should remain compatible without further changes; consult the release notes
-for a full list of new features.
+but should remain compatible without further changes; please consult the
+link:https://developers.yubico.com/java-webauthn-server/Release_Notes.html[release notes]
+for an up to date list of new features.
 
 
 == Replace dependency on `webauthn-server-core-minimal`
@@ -46,7 +48,7 @@ Maven example:
 -  <artifactId>webauthn-server-core-minimal</artifactId>
 -  <version>1.12.2</version>
 +  <artifactId>webauthn-server-core</artifactId>
-+  <version>2.0.0</version>
++  <version>2.4.0-RC2</version>
    <scope>compile</scope>
  </dependency>
 ----------
@@ -56,10 +58,30 @@ Gradle:
 [source,diff]
 ----------
 -compile 'com.yubico:webauthn-server-core-minimal:1.12.2'
-+compile 'com.yubico:webauthn-server-core:2.0.0'
++compile 'com.yubico:webauthn-server-core:2.4.0-RC2'
 ----------
 
 
+[WARNING]
+.*Backwards-incompatible regression in versions 2.0.0 to 2.4.0-RC1*
+==========
+Versions in the inclusive range `2.0.0` to `2.4.0-RC1` have
+a backwards-incompatible regression in
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.html#toCredentialsCreateJson()[`PublicKeyCredentialCreationOptions.toCredentialsCreateJson()`]:
+When the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.3.0/com/yubico/webauthn/StartRegistrationOptions.StartRegistrationOptionsBuilder.html#authenticatorSelection(com.yubico.webauthn.data.AuthenticatorSelectionCriteria)[`authenticatorSelection`].link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.3.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#residentKey(com.yubico.webauthn.data.ResidentKeyRequirement)[`residentKey`]
+parameter is set, a corresponding
+link:https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey[`requireResidentKey`]
+member is not emitted in the JSON output.
+This is not backwards compatible with browsers that only support the
+link:https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#authenticatorSelection[Level 1 version of the WebAuthn spec].
+The regression is fixed in version `2.4.0-RC2` and greater.
+We therefore urge users to upgrade from versions `1.x` directly to `2.4.0-RC2` or greater to maintain backwards compatibility.
+Please consult the link:https://developers.yubico.com/java-webauthn-server/Release_Notes.html[release notes]
+for an up to date list of additional changes and new features added since version `2.0.0`.
+==========
+
+
 == Add JCA provider for EdDSA
 
 The library no longer depends explicitly on BouncyCastle for cryptography back-ends.
 
@@ -54,7 +54,7 @@ Release candidate versions
     - Note which JDK version was used to build the artifacts.
 
  7. Check that the ["Reproducible binary"
-    workflow](/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
+    workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
 
 
@@ -133,5 +133,5 @@ Release versions
     - Note which JDK version was used to build the artifacts.
 
 12. Check that the ["Reproducible binary"
-    workflow](/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
+    workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ buildscript {`
`4`	`4`	`}`
`5`	`5`	`dependencies {`
`6`	`6`	`classpath 'com.cinnober.gradle:semver-git:2.5.0'`
`7`		`- classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.12.1'`
	`7`	`+ classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.13.0'`
`8`	`8`	`classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'`
`9`	`9`	`}`
`10`	`10`	`}`
`@@ -144,6 +144,8 @@ subprojects { project ->`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`tasks.withType(JavaCompile) {`
	`147`	`+ options.compilerArgs += '-Xlint:unchecked'`
	`148`	`+ options.deprecation = true`
`147`	`149`	`options.encoding = 'UTF-8'`
`148`	`150`	`}`
`149`	`151`	`tasks.withType(ScalaCompile) {`