v1.3.0

• The crypto.pickle_path and crypto.pickle_key options have been
  removed. In their place, the required crypto.request_secret_path
  option must be set to the path of a file containing a Base64-encoded
  X25519 private key.

  The private key file can be generated using openssl:

  openssl genpkey -algorithm X25519 -outform DER \
  | openssl asn1parse -inform DER -strparse 14 -out /dev/stdout -noout \
  | openssl enc -base64 -A > ./path/to/request_secret
  

  Or if you have an existing private key PEM file that you'd like to
  use, it can be converted to a base64-encoded version of its raw bytes
  using the following:

  openssl pkey -in x25519-private.pem -outform DER \
  | openssl asn1parse -inform DER -strparse 14 -out /dev/stdout -noout \
  | openssl enc -base64 -A > ./path/to/request_secret
  

  Otherwise if you are operating in a managed deployment environment
  (i.e. Kubernetes) it is recommend to use its tooling for generating
  the file instead.

  Note that existing deployments generating an entirely new key is
  acceptable and will not break clients. Clients will fetch the public
  key from MCS on every request; thus rotating said will not affect
  clients.

  If you use an array of MCS instances that are load balanced, ensure
  each are using the same key so that a client does not fetch the public
  component of one key from one MCS instance, and try to encrypt to
  another instance. (#82)

• Drop support for Python 3.8 and 3.9 as they are now end-of-life.

  Note that this MCS version does not yet support Python 3.14. Please
  use Python interpreter with version 3.10-3.13 if running MCS directly.
  The official docker file uses Python 3.11. (#81)

• A new option, download.headers_to_forward, allows specifying headers
  that will be copied and forwarded from the client request to the
  upstream media server when fetching encrypted media. See the sample
  config file for more details. (#80)

• Update link to PkEncryption in docs/api.md to point to an
  up-to-date branch. (#75)

• Many dependencies were updated to recent versions.

Docker

The image may be downloaded from DockerHub using:

docker pull vectorim/matrix-content-scanner:v1.3.0

PyPI

Install this release from PyPI using:

pip install matrix-content-scanner

v1.2.1

Fixes the docker build.
No changes from v1.2.0.

v1.2.0

The Matrix Content Scanner is now released by Element under an AGPLv3.0 licence.

Improvements

• Add support for authenticated media (#69, #70, #73)
• Add support for MIME block list instead of allow list (#67)

License

• Change repository license to AGPL (#66)

Misc

• Switch to ruff as linter/formatter (#67)

v1.1.0

Improvements

• Remove libolm as a dependency (#65)
• Switch to poetry for dependency management (#65)
• Implement Enhanced Error Handling for Disallowed MIME Types (#58)

v1.0.8

Improvements

• Remove check of matching claimed and detected MIME type. (#60)

v1.0.7

Improvements

• Add the ICAP client in the Docker image. (#62)

v1.0.6

Improvements

• Sign built docker images. (#59)

Bugfixes

• Return JSON error responses for unknown routes/methods. (#55)

v1.0.5

Bugfixes

• Allow the server to concurrently invoke multiple instances of the scanning script. This significantly improves performance. (#54)

v1.0.4

Improvements

• Update download config schema (#47)
• Distinguish between nonexistent and unreachable media. (#49)

Documentation

• Clarify documentation of the scan endpoint. (#44)

Miscellaneous

• Fix typechecking. (#53)
• Pin CI to Python 3.11. (#51)
• Link to repository in package metadata. (#45)

v1.0.3

• Include CORS headers in responses
• Handle OPTIONS requests