bullion 0.10.3 → 0.11.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a737e0d1993b367c9166a9532835ff440c1b73ee2f32ed00911de3223088bbd
-  data.tar.gz: cfc77406aa3ecd9ed8baf0a2df139cd55088640bf3d4209479af14d7116ef49a
+  metadata.gz: 8821e563a9452dbd524f1bdfbd2f944ee4a3d0c071e57bab6d5f9b2c61e18555
+  data.tar.gz: d31913ae560676de68a57ea6aa308126a6d3c92c7a3da69d4d882e032ed56196
 SHA512:
-  metadata.gz: aa1baf722ec612144cbd7fa4d440c938590d3f9e5bb11d48cd1474c54b127994fbe7d47ca6508cd0f4d330d68093e818c5da146e942a8358edde2f218bb3cf85
-  data.tar.gz: 14b11cbeca6044a196416963ce44456ae8db92afa377c2d24b1cb3bf90f0cd97c4ccf2f53bff47142128de12d1744658925d85784507006a74f84f972ee13407
+  metadata.gz: 4bcabcb78421e92a48fbd5485631de98bee3bf0d4452ba5d9c08eb04d34ac171934b073e0a441b5dc95aeeb353765a5445188ca7011b98d3e2f376d130aaf2d4
+  data.tar.gz: 5541be539b018f62d1e466e51ada7985f5e37ee460eb98c4e344f79c443aa60fa3f8b2bf1d26d169a15c0b8efef38c7523c4023a416436e85654b585a5fcae6c

data/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.10.3"
+  ".": "0.11.1"
 }

data/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## [0.11.1](https://github.com/jgnagy/bullion/compare/bullion/v0.11.0...bullion/v0.11.1) (2025-08-24)
+
+
+### Features
+
+* add support for ECDSA CAs ([49b752e](https://github.com/jgnagy/bullion/commit/49b752ef6fde2b0543b59fb1c5977073f21b6731))
+
+
+### Bug Fixes
+
+* improve detection of SANS for cert-manager ([605f80d](https://github.com/jgnagy/bullion/commit/605f80d97135727ab9a962d6c3078b2b4a74b533))
+* loading required bigdecimal gem ([98d1668](https://github.com/jgnagy/bullion/commit/98d1668da600bba890dd0eb035af4a363fa79eef))
+
+## [0.11.0](https://github.com/jgnagy/bullion/compare/bullion/v0.10.3...bullion/v0.11.0) (2025-08-23)
+
+
+### ⚠ BREAKING CHANGES
+
+* **db:** switch to Trilogy, update db indexes
+
+### Features
+
+* **db:** switch to Trilogy, update db indexes ([42b90b5](https://github.com/jgnagy/bullion/commit/42b90b5977cd497b46654ecf17085715fa6db080))
+
 ## [0.10.3](https://github.com/jgnagy/bullion/compare/bullion/v0.10.2...bullion/v0.10.3) (2025-08-23)
 
 

data/Gemfile.lock

@@ -1,25 +1,25 @@
 PATH
   remote: .
   specs:
-    bullion (0.10.3)
+    bullion (0.11.1)
       benchmark (~> 0.4)
       dry-configurable (~> 1.1)
       httparty (~> 0.21)
       itsi (~> 0.2)
       json (~> 2.6)
       jwt (~> 2.7)
-      mysql2 (~> 0.5)
       openssl (~> 3.0)
       prometheus-client (~> 4.2)
       sinatra (~> 3.1)
       sinatra-activerecord (~> 2.0)
       sinatra-contrib (~> 3.1)
       sqlite3 (~> 2.7)
+      trilogy (~> 2.9)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.22)
+    acme-client (2.0.25)
       base64 (~> 0.2)
       faraday (>= 1.0, < 3.0.0)
       faraday-retry (>= 1.0, < 3.0.0)
@@ -61,7 +61,7 @@ GEM
       concurrent-ruby (~> 1.0)
       logger
       zeitwerk (~> 2.6)
-    faraday (2.13.2)
+    faraday (2.13.4)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
@@ -75,18 +75,18 @@ GEM
       multi_xml (>= 0.5.2)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    itsi (0.2.18)
-      itsi-scheduler (~> 0.2.18)
-      itsi-server (~> 0.2.18)
-    itsi-scheduler (0.2.18)
+    itsi (0.2.19)
+      itsi-scheduler (~> 0.2.19)
+      itsi-server (~> 0.2.19)
+    itsi-scheduler (0.2.19)
       rb_sys (~> 0.9.91)
-    itsi-server (0.2.18)
+    itsi-server (0.2.19)
       json (~> 2)
       prism (~> 1.4)
       rack (>= 1.6)
       rb_sys (~> 0.9.91)
     jaro_winkler (1.6.1)
-    json (2.12.2)
+    json (2.13.2)
     jwt (2.10.2)
       base64
     kramdown (2.5.1)
@@ -98,39 +98,38 @@ GEM
     logger (1.7.0)
     mini_mime (1.1.5)
     minitest (5.25.5)
-    multi_json (1.15.0)
+    multi_json (1.17.0)
     multi_xml (0.7.2)
       bigdecimal (~> 3.1)
-    mustermann (3.0.3)
+    mustermann (3.0.4)
       ruby2_keywords (~> 0.0.1)
-    mysql2 (0.5.6)
     net-http (0.6.0)
       uri
-    nokogiri (1.18.8-aarch64-linux-gnu)
+    nokogiri (1.18.9-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.8-aarch64-linux-musl)
+    nokogiri (1.18.9-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.8-arm-linux-gnu)
+    nokogiri (1.18.9-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.8-arm-linux-musl)
+    nokogiri (1.18.9-arm-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.8-arm64-darwin)
+    nokogiri (1.18.9-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-darwin)
+    nokogiri (1.18.9-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.9-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-musl)
+    nokogiri (1.18.9-x86_64-linux-musl)
       racc (~> 1.4)
     observer (0.1.2)
     openssl (3.3.0)
-    ostruct (0.6.2)
+    ostruct (0.6.3)
     parallel (1.27.0)
-    parser (3.3.8.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
     prism (1.4.0)
-    prometheus-client (4.2.4)
+    prometheus-client (4.2.5)
       base64
     racc (1.8.1)
     rack (2.2.17)
@@ -142,11 +141,11 @@ GEM
     rainbow (3.1.1)
     rake (13.3.0)
     rake-compiler-dock (1.9.1)
-    rb_sys (0.9.116)
+    rb_sys (0.9.117)
       rake-compiler-dock (= 1.9.1)
     rbs (3.9.4)
       logger
-    regexp_parser (2.10.0)
+    regexp_parser (2.11.2)
     reverse_markdown (3.0.0)
       nokogiri
     rexml (3.4.1)
@@ -162,8 +161,8 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.4)
-    rubocop (1.77.0)
+    rspec-support (3.13.5)
+    rubocop (1.80.0)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -171,10 +170,10 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.45.1, < 2.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.45.1)
+    rubocop-ast (1.46.0)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     rubocop-rake (0.7.1)
@@ -193,7 +192,7 @@ GEM
     simplecov-cobertura (2.1.0)
       rexml
       simplecov (~> 0.19)
-    simplecov-html (0.13.1)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
     sinatra (3.2.0)
       mustermann (~> 3.0)
@@ -229,20 +228,21 @@ GEM
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
       yard-solargraph (~> 0.1)
-    sqlite3 (2.7.1-aarch64-linux-gnu)
-    sqlite3 (2.7.1-aarch64-linux-musl)
-    sqlite3 (2.7.1-arm-linux-gnu)
-    sqlite3 (2.7.1-arm-linux-musl)
-    sqlite3 (2.7.1-arm64-darwin)
-    sqlite3 (2.7.1-x86_64-darwin)
-    sqlite3 (2.7.1-x86_64-linux-gnu)
-    sqlite3 (2.7.1-x86_64-linux-musl)
-    thor (1.3.2)
-    tilt (2.6.0)
+    sqlite3 (2.7.3-aarch64-linux-gnu)
+    sqlite3 (2.7.3-aarch64-linux-musl)
+    sqlite3 (2.7.3-arm-linux-gnu)
+    sqlite3 (2.7.3-arm-linux-musl)
+    sqlite3 (2.7.3-arm64-darwin)
+    sqlite3 (2.7.3-x86_64-darwin)
+    sqlite3 (2.7.3-x86_64-linux-gnu)
+    sqlite3 (2.7.3-x86_64-linux-musl)
+    thor (1.4.0)
+    tilt (2.6.1)
     timeout (0.4.3)
+    trilogy (2.9.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.4)
+    unicode-display_width (3.1.5)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
     uri (1.0.3)

data/README.md

@@ -36,7 +36,7 @@ Whether run locally or via Docker, the following environment variables configure
 | `CA_CERT_PATH` | `$CA_DIR/tls.crt` | Public cert for Bullion. If Bullion is an intermediate CA, you'll want to include the root CA's public cert in this file as well the signed cert for Bullion. |
 | `CA_DOMAINS` | `example.com` | A comma-delimited list of domains for which Bullion will sign certificate requests. Subdomains are automatically allowed. Certificates containing other domains will be rejected. |
 | `CERT_VALIDITY_DURATION` | `7776000` | How long should issued certs be valid (in seconds)? Default is 90 days. |
-| `DATABASE_URL` | _None_ | **(Required)** A shorthand for telling Bullion how to connect to a database. Acceptable URLs will either begin with `sqlite3:` or [`mysql2://`](https://github.com/brianmario/mysql2#using-active-records-database_url). |
+| `DATABASE_URL` | _None_ | **(Required)** A shorthand for telling Bullion how to connect to a database. Acceptable URLs will either begin with `sqlite3:` or [`trilogy://`](https://github.com/trilogy-libraries/trilogy/tree/main/contrib/ruby). |
 | `DNS01_NAMESERVERS` | _None_ | A comma-delimited list of nameservers to use for resolving [DNS-01](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) challenges. Usually you'll want this to be set to your _internal_ nameservers so internal names resolve correctly. When not set, it'll use the host's DNS. |
 | `LOG_LEVEL` | `warn` | Log level for Bullion. Supported levels (starting with the noisiest) are debug, info, warn, error, and fatal. |
 | `BULLION_PORT` | `9292` | TCP port Bullion will listen on. |

data/Rakefile

@@ -62,6 +62,8 @@ end
 
 require "openssl"
 require "sqlite3"
+require "bigdecimal"
+require "trilogy"
 require "sinatra/activerecord/rake"
 
 namespace :db do

data/bullion.gemspec

@@ -32,13 +32,13 @@ Gem::Specification.new do |spec|
   spec.add_dependency "itsi",                 "~> 0.2"
   spec.add_dependency "json",                 "~> 2.6"
   spec.add_dependency "jwt",                  "~> 2.7"
-  spec.add_dependency "mysql2",               "~> 0.5"
   spec.add_dependency "openssl",              "~> 3.0"
   spec.add_dependency "prometheus-client",    "~> 4.2"
   spec.add_dependency "sinatra",              "~> 3.1"
   spec.add_dependency "sinatra-activerecord", "~> 2.0"
   spec.add_dependency "sinatra-contrib",      "~> 3.1"
   spec.add_dependency "sqlite3",              "~> 2.7"
+  spec.add_dependency "trilogy",              "~> 2.9"
 
   spec.add_development_dependency "acme-client",         "~> 2.0"
   spec.add_development_dependency "bundler",             "~> 2.4"

data/db/migrate/20210104000000_create_accounts.rb

@@ -5,7 +5,7 @@ class CreateAccounts < ActiveRecord::Migration[6.1]
   def change
     create_table :accounts do |t|
       t.boolean :tos_agreed, null: false, default: true, index: true
-      t.text :public_key, null: false, index: { unique: true }
+      t.text :public_key, null: false
       t.text :contacts, null: false
 
       t.timestamps

data/db/migrate/20250823073342_add_public_key_hash_to_accounts.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "bullion/models/account"
+
+# Adds a public_key_hash column to the accounts table, ensuring uniqueness
+class AddPublicKeyHashToAccounts < ActiveRecord::Migration[8.0]
+  def change
+    add_column :accounts, :public_key_hash, :string, null: false, limit: 44
+    add_index :accounts, :public_key_hash, unique: true
+
+    reversible do |dir|
+      dir.up do
+        say_with_time "Generating public_key_hash for existing accounts" do
+          require "digest"
+
+          Bullion::Models::Account.reset_column_information
+          Bullion::Models::Account.find_each do |account|
+            digest = Digest::SHA256.base64digest(account.public_key.to_json)
+            account.update_column(:public_key_hash, digest)
+          end
+        end
+      end
+    end
+  end
+end

data/db/schema.rb

@@ -10,22 +10,23 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2021_01_06_060335) do
+ActiveRecord::Schema[8.0].define(version: 2025_08_23_073342) do
   create_table "accounts", force: :cascade do |t|
     t.boolean "tos_agreed", default: true, null: false
     t.text "public_key", null: false
     t.text "contacts", null: false
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.index ["public_key"], name: "index_accounts_on_public_key", unique: true
+    t.string "public_key_hash", limit: 44, null: false
+    t.index ["public_key_hash"], name: "index_accounts_on_public_key_hash", unique: true
     t.index ["tos_agreed"], name: "index_accounts_on_tos_agreed"
   end
 
   create_table "authorizations", force: :cascade do |t|
     t.string "status", default: "pending", null: false
-    t.datetime "expires", precision: nil, null: false
+    t.datetime "expires", null: false
     t.text "identifier", null: false
-    t.integer "order_id"
+    t.bigint "order_id"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.index ["expires"], name: "index_authorizations_on_expires"
@@ -52,10 +53,10 @@ ActiveRecord::Schema[8.0].define(version: 2021_01_06_060335) do
   create_table "challenges", force: :cascade do |t|
     t.string "acme_type", null: false
     t.string "status", default: "pending", null: false
-    t.datetime "expires", precision: nil, null: false
+    t.datetime "expires", null: false
     t.string "token", null: false
-    t.datetime "validated", precision: nil
-    t.integer "authorization_id"
+    t.datetime "validated"
+    t.bigint "authorization_id"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.index ["acme_type"], name: "index_challenges_on_acme_type"
@@ -73,12 +74,12 @@ ActiveRecord::Schema[8.0].define(version: 2021_01_06_060335) do
 
   create_table "orders", force: :cascade do |t|
     t.string "status", default: "pending", null: false
-    t.datetime "expires", precision: nil, null: false
+    t.datetime "expires", null: false
     t.text "identifiers", null: false
-    t.datetime "not_before", precision: nil, null: false
-    t.datetime "not_after", precision: nil, null: false
-    t.integer "certificate_id"
-    t.integer "account_id"
+    t.datetime "not_before", null: false
+    t.datetime "not_after", null: false
+    t.bigint "certificate_id"
+    t.bigint "account_id"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.index ["account_id"], name: "index_orders_on_account_id"

data/lib/bullion/helpers/acme.rb

@@ -119,13 +119,13 @@ module Bullion
         csr_attrs = extract_csr_attrs(csr)
         csr_sans = extract_csr_sans(csr_attrs)
         csr_domains = extract_csr_domains(csr_sans)
-        csr_cn = cn_from_csr(csr)
+        csr_cn = cn_from_csr(csr) || csr_domains.first
 
         # Make sure the CSR has a valid public key
         raise Bullion::Acme::Errors::BadCsr unless csr.verify(csr.public_key)
 
         return false unless order.ready_status?
-        raise Bullion::Acme::Errors::BadCsr unless csr_domains.include?(csr_cn)
+        raise Bullion::Acme::Errors::BadCsr if csr_cn && !csr_domains.include?(csr_cn)
         raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order.domains.sort
 
         true

data/lib/bullion/helpers/ssl.rb

@@ -127,9 +127,7 @@ module Bullion
         )
 
         # Alternate Names
-        cn = cn_from_csr(csr)
-        existing_sans = filter_sans(csr_sans(csr))
-        valid_alts = (["DNS:#{cn}"] + [*existing_sans]).uniq
+        valid_alts = build_valid_alt_names(csr)
 
         new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))
 
@@ -137,21 +135,6 @@ module Bullion
         [new_cert, valid_alts]
       end
 
-      def csr_sans(csr)
-        raw_attributes = csr.attributes
-        return [] unless raw_attributes
-
-        seq = extract_csr_attrs(csr)
-        return [] unless seq
-
-        values = extract_san_values(seq)
-        return [] unless values
-
-        values = OpenSSL::ASN1.decode(values).value
-
-        values.select { |v| v.tag == 2 }.map { |v| "DNS:#{v.value}" }
-      end
-
       def extract_csr_attrs(csr)
         csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
       end
@@ -161,8 +144,9 @@ module Bullion
       end
 
       def extract_csr_domains(csr_sans)
-        csr_decoded_sans = OpenSSL::ASN1.decode(csr_sans.first.value[1].value)
-        csr_decoded_sans.select { |v| v.tag == 2 }.map(&:value)
+        subject_alt_names = csr_sans.first.value.find { |v| v.tag == 4 }
+        csr_decoded_sans = OpenSSL::ASN1.decode(subject_alt_names.value)
+        csr_decoded_sans.value.select { |v| v.tag == 2 }.map(&:value)
       end
 
       def extract_san_values(sequence)
@@ -184,13 +168,33 @@ module Bullion
       end
 
       def cn_from_csr(csr)
-        if csr.subject.to_s
-          cns = csr.subject.to_s.split("/").grep(/^CN=/)
+        return unless csr.subject.to_s
 
-          return cns.first.split("=").last if cns && !cns.empty?
-        end
+        cns = csr.subject.to_s.split("/").grep(/^CN=/)
+
+        cns.first.split("=").last if cns && !cns.empty?
+      end
+
+      def cn_or_first_san_from_csr(csr)
+        cn = cn_from_csr(csr)
+        return cn if cn
+
+        csr_attrs = extract_csr_attrs(csr)
+        csr_sans = extract_csr_sans(csr_attrs)
+        extract_csr_domains(csr_sans).first
+      end
+
+      def domains_from_csr(csr)
+        csr_attrs = extract_csr_attrs(csr)
+        csr_sans = extract_csr_sans(csr_attrs)
+        extract_csr_domains(csr_sans)
+      end
 
-        csr_sans(csr).first.split(":").last
+      def build_valid_alt_names(csr)
+        cn = cn_or_first_san_from_csr(csr)
+        csr_domains = domains_from_csr(csr)
+        existing_sans = filter_sans(csr_domains).map { |d| "DNS:#{d}" }
+        (["DNS:#{cn}"] + [*existing_sans]).uniq
       end
 
       # Signs an ACME CSR
@@ -206,7 +210,7 @@ module Bullion
         csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)
 
         # Force a subject if the cert doesn't have one
-        cert.subject = simple_subject(cn_from_csr(csr)) unless cert.subject
+        cert.subject = simple_subject(cn_or_first_san_from_csr(csr)) unless cert.subject
 
         csr_cert.subject = simple_subject(cert.subject.to_s)
 

data/lib/bullion/models/account.rb

@@ -7,10 +7,17 @@ module Bullion
       serialize :contacts, coder: JSON
       serialize :public_key, coder: JSON
 
-      validates_uniqueness_of :public_key
+      validates_uniqueness_of :public_key_hash
 
       has_many :orders
 
+      before_save :generate_public_key_hash
+
+      def generate_public_key_hash
+        digest = Digest::SHA256.base64digest(public_key.to_json)
+        self.public_key_hash = digest
+      end
+
       def kid
         id
       end

data/lib/bullion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bullion
-  VERSION = "0.10.3"
+  VERSION = "0.11.1"
 end

data/lib/bullion.rb

@@ -7,6 +7,7 @@ require "securerandom"
 require "time"
 require "logger"
 require "openssl"
+require "bigdecimal"
 
 # External requirements
 require "benchmark"
@@ -14,7 +15,7 @@ require "dry-configurable"
 require "sinatra/base"
 require "sinatra/contrib"
 require "sinatra/custom_logger"
-require "mysql2"
+require "trilogy"
 require "sinatra/activerecord"
 require "jwt"
 require "prometheus/client"
@@ -68,7 +69,11 @@ module Bullion
   MetricsRegistry = Prometheus::Client.registry
 
   def self.ca_key
-    @ca_key ||= OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
+    @ca_key ||= begin
+      OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
+    rescue OpenSSL::PKey::RSAError
+      OpenSSL::PKey::EC.new(File.read(config.ca.key_path), config.ca.secret)
+    end
   end
 
   def self.ca_cert_file

data/scripts/docker-entrypoint.sh

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 # Starts the server
-rake db:migrate
 itsi

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bullion
 version: !ruby/object:Gem::Version
-  version: 0.10.3
+  version: 0.11.1
 platform: ruby
 authors:
 - Jonathan Gnagy
@@ -93,20 +93,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: mysql2
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.5'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -191,6 +177,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: trilogy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
 - !ruby/object:Gem::Dependency
   name: acme-client
   requirement: !ruby/object:Gem::Requirement
@@ -406,6 +406,7 @@ files:
 - db/migrate/20210106052306_create_authorizations.rb
 - db/migrate/20210106055421_create_challenges.rb
 - db/migrate/20210106060335_create_nonces.rb
+- db/migrate/20250823073342_add_public_key_hash_to_accounts.rb
 - db/schema.rb
 - lib/bullion.rb
 - lib/bullion/acme/error.rb