Replace asherah-cobhan with asherah-ffi v0.6.44

.github/workflows/build.yml

@@ -14,7 +14,7 @@ jobs:
     name: specs ruby-${{ matrix.ruby }} ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ ubuntu-22.04, macos-15 ]
+        os: [ ubuntu-latest, macos-latest ]
         ruby: [ 2.7, 3.0, 3.1, 3.2 ]
       fail-fast: false
 
@@ -43,8 +43,8 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: ubuntu-22.04 , platform: x86_64-linux , ruby: 3.0 }
-          - { os: macos-15 , platform: x86_64-darwin , ruby: 3.0 }
+          - { os: ubuntu-latest , platform: x86_64-linux , ruby: 3.0 }
+          - { os: macos-latest , platform: x86_64-darwin , ruby: 3.0 }
       fail-fast: false
 
     steps:
@@ -77,7 +77,7 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: ubuntu-22.04 , platform: aarch64-linux , ruby: 3.0 }
+          - { os: ubuntu-latest , platform: aarch64-linux , ruby: 3.0 }
       fail-fast: false
 
     steps:
@@ -113,7 +113,7 @@ jobs:
             "
 
   cross_language_tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     name: cross-language-tests
     env:
       MYSQL_HOSTNAME: 127.0.0.1
@@ -162,3 +162,63 @@ jobs:
           ASHERAH_KMS_MODE: static
           CUCUMBER_PUBLISH_QUIET: true
         run: bin/cross-language-test.sh
+
+  cross_language_tests_macos:
+    runs-on: macos-latest
+    name: cross-language-tests-macos
+    env:
+      MYSQL_HOSTNAME: 127.0.0.1
+      MYSQL_DATABASE: testdb
+      MYSQL_USERNAME: root
+      MYSQL_PASSWORD: password
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2
+          bundler: default
+          bundler-cache: true
+
+      - name: Install and start MySQL
+        run: |
+          brew install mysql
+          brew services start mysql
+
+          # Wait for MySQL to be ready
+          for i in {1..30}; do
+            if mysqladmin ping -h127.0.0.1 --silent 2>/dev/null; then
+              echo "MySQL is up"
+              break
+            fi
+            echo "Waiting for MySQL... ($i/30)"
+            sleep 2
+          done
+
+          # Set root password and create database
+          mysql -u root -h 127.0.0.1 -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '${{ env.MYSQL_PASSWORD }}';"
+          mysql -u root -h 127.0.0.1 -p${{ env.MYSQL_PASSWORD }} -e "CREATE DATABASE IF NOT EXISTS ${{ env.MYSQL_DATABASE }};"
+
+      - name: Download binary for current platform
+        run: |
+          bundle exec rake download
+
+      - name: Set up Go
+        uses: actions/setup-go@v6.3.0
+        with:
+          go-version: 1.24
+
+      - name: Test Cross-Language
+        env:
+          TEST_DB_NAME: ${{ env.MYSQL_DATABASE }}
+          TEST_DB_PASSWORD: ${{ env.MYSQL_PASSWORD }}
+          TEST_DB_HOSTNAME: ${{ env.MYSQL_HOSTNAME }}
+          TEST_DB_USER: ${{ env.MYSQL_USERNAME }}
+          TEST_DB_PORT: 3306
+          ASHERAH_SERVICE_NAME: service
+          ASHERAH_PRODUCT_NAME: product
+          ASHERAH_KMS_MODE: static
+          CUCUMBER_PUBLISH_QUIET: true
+        run: bin/cross-language-test.sh

.github/workflows/publish.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   publish:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     env:
       GEM_HOST_API_KEY: ${{ secrets.GEM_HOST_API_KEY }}
     name: publish

CHANGELOG.md

@@ -1,5 +1,10 @@
 ## [Unreleased]
 
+## [0.9.0] - 2026-03-20
+
+- Replace asherah-cobhan with asherah-ffi v0.6.44
+- Remove null_data_check configuration option
+
 ## [0.8.2] - 2026-03-09
 
 - Upgrade to use asherah-cobhan v0.5.3

README.md

@@ -1,6 +1,6 @@
 # Asherah
 
-Asherah is a Ruby FFI wrapper around Go version of [Asherah](https://github.com/godaddy/asherah) application-layer encryption SDK. Asherah provides advanced encryption features and defense in depth against compromise. It uses a technique known as "envelope encryption" and supports cloud-agnostic data storage and key management.
+Asherah is a Ruby FFI wrapper around the Rust version of [Asherah](https://github.com/godaddy/asherah-ffi) application-layer encryption SDK. Asherah provides advanced encryption features and defense in depth against compromise. It uses a technique known as "envelope encryption" and supports cloud-agnostic data storage and key management.
 
 Check out the following documentation to get more familiar with the concepts and configuration options:
 
@@ -45,7 +45,7 @@ Asherah.configure do |config|
 end
 ```
 
-See [config.rb](lib/asherah/config.rb) for all evailable configuration options.
+See [config.rb](lib/asherah/config.rb) for all available configuration options.
 
 Encrypt some data for a `partition_id`
 
@@ -71,7 +71,7 @@ For tests requiring secrets (AWS KMS, database credentials), copy `.env.secrets.
 
 ### Cross-Language Tests
 
-Cross-language tests verify that data encrypted with the Go implementation can be decrypted with the Ruby implementation and vice versa.
+Cross-language tests verify that data encrypted with the Rust implementation can be decrypted with the Ruby implementation and vice versa.
 
 **Prerequisites:**
 - MySQL running locally

bin/cross-language-test.sh

@@ -10,7 +10,7 @@ ASHERAH_GO_TEST_DIR=$(pwd)/tmp/asherah/tests/cross-language/go
 export TEST_DB_NAME=${TEST_DB_NAME:-testdb}
 export TEST_DB_USER=${TEST_DB_USER:-root}
 export TEST_DB_PASSWORD=${TEST_DB_PASSWORD:-}
-export TEST_DB_HOSTNAME=${TEST_DB_HOSTNAME:-localhost}
+export TEST_DB_HOSTNAME=${TEST_DB_HOSTNAME:-127.0.0.1}
 export TEST_DB_PORT=${TEST_DB_PORT:-3306}
 
 # Set Asherah environment variables

ext/asherah/checksums.yml

@@ -1,5 +1,5 @@
-version:                v0.5.3
-libasherah-arm64.so:    9315240c2eb0aafb342ddbd399ada545faf51cbc651c8f69c3d2dd64eb31c63c
-libasherah-x64.so:      a873fafb85b0ee310c78d1cbf8cd5db1684bea7d4db9c6b53dcd8e68e546fcf2
-libasherah-arm64.dylib: 76b4652b02e745992ff1c064722628432fa5e04f49ef2cfed2299215ea71290a
-libasherah-x64.dylib:   0e78b9318a35bbb4bbe12aeed09ee2b850de43ba3660460c5d3b220b010c04f0
+version:                v0.6.44
+libasherah-arm64.so:    a43189b122d29bcb1731a9dc1b386faba0d8445aa46f2182ab286d2174ed8407
+libasherah-x64.so:      4945a44e2302b8ff5c27b52bafca67e8a6dfff4dc1f76e61ce2092ee979a9df5
+libasherah-arm64.dylib: d57267516cbb47fbc4a2f5e453053b8a3db64ed05c5a1153d71043bf17e46833
+libasherah-x64.dylib:   57c7c64817fb9f318eead8e371e20f17c76dce76e08f8bea2ff5a08aa368c4d8

ext/asherah/native_file.rb

@@ -47,7 +47,7 @@ def download_content(file_name)
 
       begin
         tries += 1
-        url = "https://github.com/godaddy/asherah-cobhan/releases/download/#{VERSION}/#{file_name}"
+        url = "https://github.com/godaddy/asherah-ffi/releases/download/#{VERSION}/#{file_name}"
         puts "Downloading #{url}"
         URI.parse(url).open.read
       rescue Net::OpenTimeout, Net::ReadTimeout => e

features/support/env.rb

@@ -10,7 +10,7 @@
 DB_USER           = ENV.fetch('TEST_DB_USER')
 DB_PASS           = ENV.fetch('TEST_DB_PASSWORD')
 DB_PORT           = ENV.fetch('TEST_DB_PORT')
-DB_HOST           = ENV.fetch('TEST_DB_HOSTNAME', 'localhost')
+DB_HOST           = ENV.fetch('TEST_DB_HOSTNAME', '127.0.0.1')
 CONNECTION_STRING = "#{DB_USER}:#{DB_PASS}@tcp(#{DB_HOST}:#{DB_PORT})/#{DB_NAME}?tls=skip-verify"
 TMP_DIR           = '/tmp/'
 FILE_NAME         = 'ruby_encrypted'
@@ -21,10 +21,11 @@
     config.service_name = SERVICE_NAME
     config.product_id = PRODUCT_ID
     config.metastore = METASTORE
+    config.sql_metastore_db_type = 'mysql'
     config.connection_string = CONNECTION_STRING
     config.kms = KMS
     config.enable_session_caching = true
-    config.verbose = false
+    config.verbose = true
   end
 end
 

lib/asherah/config.rb

@@ -22,7 +22,6 @@ module Asherah
   # @attr [Integer] check_interval, The amount of time in seconds before cached keys are considered stale
   # @attr [Boolean] enable_session_caching, Enable shared session caching
   # @attr [Boolean] disable_zero_copy, Disable zero-copy FFI input buffers to prevent use-after-free from caller runtime
-  # @attr [Boolean] null_data_check, Log an error if input data is all null before or after encryption
   # @attr [Boolean] verbose, Enable verbose logging output
   class Config
     MAPPING = {
@@ -43,7 +42,6 @@ class Config
       session_cache_duration: :SessionCacheDuration,
       enable_session_caching: :EnableSessionCaching,
       disable_zero_copy: :DisableZeroCopy,
-      null_data_check: :NullDataCheck,
       expire_after: :ExpireAfter,
       check_interval: :CheckInterval,
       verbose: :Verbose

lib/asherah/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Asherah
-  VERSION = '0.8.2'
+  VERSION = '0.9.0'
 end

spec/asherah_spec.rb

@@ -91,24 +91,4 @@ def capture_stderr
     # ENV set by CGO is visible in Ruby
     expect(ENV.fetch('VAR1')).to eq('VALUE1')
   end
-
-  it 'encrypts null bytes with null_data_check enabled' do
-    Asherah.shutdown
-    Asherah.configure do |config|
-      base_config.call(config)
-      config.null_data_check = true
-    end
-
-    null_data = "\x00" * 100
-    json = nil
-    stderr_output = capture_stderr { json = Asherah.encrypt(partition_id, null_data) }
-
-    expect(json).to include('Data')
-    expect(json).to include('Key')
-    expect(stderr_output).to include(
-      'asherah-cobhan: EncryptToJson: input data buffer is all null before encryption (len=100)'
-    )
-    decrypted = Asherah.decrypt(partition_id, json)
-    expect(decrypted).to eq(null_data)
-  end
 end

spec/config_spec.rb

@@ -206,7 +206,6 @@
       config.session_cache_duration = 3600
       config.enable_session_caching = true
       config.disable_zero_copy = true
-      config.null_data_check = true
       config.expire_after = 7200
       config.check_interval = 1800
       config.verbose = true
@@ -231,7 +230,6 @@
         'SessionCacheDuration' => 3600,
         'EnableSessionCaching' => true,
         'DisableZeroCopy' => true,
-        'NullDataCheck' => true,
         'ExpireAfter' => 7200,
         'CheckInterval' => 1800,
         'Verbose' => true