Unverified commit e0c332de, author: openharmony_ci, committer: Gitee

!20410 Translation completed

Merge pull request !20410 from Annie_wang/PR19153
...@@ -15,5 +15,7 @@ ...@@ -15,5 +15,7 @@
| Bundle management subsystem | Mechanism changed | [The HAP is no longer decompressed during HAP installation.](changelogs-bundlemanager.md)| | Bundle management subsystem | Mechanism changed | [The HAP is no longer decompressed during HAP installation.](changelogs-bundlemanager.md)|
| Globalization | API added | [The getStringSync and getStringByNameSync APIs are added.](changelogs-global.md)| | Globalization | API added | [The getStringSync and getStringByNameSync APIs are added.](changelogs-global.md)|
| Globalization | Behavior changed | [The meaning of the return value for the API used to obtain the rawfile descriptor is changed.](changelogs-global.md)| | Globalization | Behavior changed | [The meaning of the return value for the API used to obtain the rawfile descriptor is changed.](changelogs-global.md)|
| Security-HUKS | Behavior changed | [HuksKeyStorageType must be passed in for key derivation or key agreement.](changelogs-huks.md) |
| Security-HUKS | Permission changed | [Permission is required for Using attestKeyItem.](changelogs-huks.md) |
| Web | Input parameter added | [The input parameter type Resource is added for the setResponseData API.](changelogs-web.md) | | Web | Input parameter added | [The input parameter type Resource is added for the setResponseData API.](changelogs-web.md) |
| Resource scheduler subsystem | Behavior changed | [The reminder agent allows you to customize buttons for system applications. Clicking a custom button will redirect you to the specified application page.](changelogs-resourceschedule.md)| | Resource scheduler subsystem | Behavior changed | [The reminder agent allows you to customize buttons for system applications. Clicking a custom button will redirect you to the specified application page.](changelogs-resourceschedule.md)|
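Review bot: In the added Security-HUKS row for attestKeyItem, the link text "Permission is required for Using attestKeyItem." capitalises "Using" mid-sentence, unlike the other rows in this table, which are written in sentence case; suggest "Permission is required for using attestKeyItem."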
# HUKS Changelog
OpenHarmony 4.0.6.1 has the following changes.
## cl.huks.1 Change of the Permission for Using attestKeyItem
The **attestKeyItem** interface attests a key using a public key encapsulated based on the device certificate chain. Any arbitrary export of the device certificate increases the risks on user privacy. Therefore, certain permissions are required for using this interface.
**Change Impact**
Applications without the **ohos.permission.ACCESS_IDS** permission or the system_basic or system_core permission cannot call **attestKeyItem()**.
**Key API/Component Changes**
- Involved APIs:
attestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult\>): void;
attestKeyItem(keyAlias: string, options: HuksOptions): Promise\<HuksReturnResult\>;
- Before change:
The AccessToken permission is verified only for the applications that pass in a tag related to **ATTESTATION_ID**.
- After change:
**attestKeyItem()** can be called only by a system application with the system_basic or system_core permission or an application with the **ohos.permission.ACCESS_IDS** permission.
**Adaptation Guide**
Applications with the system_basic or system_core permission can call **attestKeyItem()**. If an application with the normal permission needs to call **attestKeyItem()**, it must have the **ohos.permission.ACCESS_IDS** permission. For details about how to apply for the permission, see [ACL](../../../application-dev/security/accesstoken-overview.md#acl).
## cl.huks.2 Resolved the Issues in Storage or Export of Derived or Agreed Keys
Before the change, the HUKS supports storage and export of derived keys and agreed keys, which poses security risks.
After the change, the application needs to pass in **HuksKeyStorageType** for key derivation or key agreement. Only storage or export is allowed at a time. If this parameter is not passed in, both storage and export are supported by default, which poses security risks and is not recommended.
**Change Impact**
Behaviors of released JavaScript APIs have been changed.
**Key API/Component Changes**
Released JavaScript APIs remain unchanged, but the parameter set passed to the APIs are changed.
**Adaptation Guide**
For more information, see [HUKS Development](../../../application-dev/security/huks-guidelines.md) and [HUKS](../../../application-dev/reference/apis/js-apis-huks.md).
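Review bot: The cl.huks.2 Adaptation Guide only links to the general HUKS pages and never shows how to pass HuksKeyStorageType, although the section states that omitting it leaves both storage and export enabled, "which poses security risks and is not recommended". Suggest stating in the guide which value selects storage only and which selects export only, or linking to the exact section that does, so that callers can move off the insecure default. In the same section, "the parameter set passed to the APIs are changed" should read "is changed", and the two attestKeyItem signatures under cl.huks.1 would be clearer in a code block than as escaped inline text.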