Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate that a supplied vendor cert is not in PEM format #646

Merged
merged 1 commit into from
Mar 19, 2024
Merged

Validate that a supplied vendor cert is not in PEM format #646

merged 1 commit into from
Mar 19, 2024

Conversation

steve-mcintyre
Copy link
Collaborator

If we see "BEGIN CERTIFICATE", it's a PEM certificate and won't work. Fail the build early and say so.

Fixes #645

@vathpela
Copy link
Contributor

vathpela commented Mar 19, 2024
edited
Loading

Probably should just check for "BEGIN"? There's other PEM stuff people might be dumb enough to shove in there. I don't know why someone would shove e.g. a GPG pubkey in there, but I have faith in humanity's abilities.

Validate that a supplied vendor cert is not in PEM format
d6621a4 
If we see "BEGIN", it's likely a PEM certificate and won't work. Fail
the build early and say so.

Fixes rhboot#645

Signed-off-by: Steve McIntyre <[email protected]>
@steve-mcintyre
Copy link
Collaborator Author

Probably should just check for "BEGIN"? There's other PEM stuff people might be dumb enough to shove in there. I don't know why someone would shove e.g. a GPG pubkey in there, but I have faith in humanity's abilities.

Done!

@jsetje
Copy link
Collaborator

jsetje commented Mar 19, 2024

I guess we can't count on siglist tools to be installed? Otherwise we could test the siglist with them explicitly.

@steve-mcintyre
Copy link
Collaborator Author

I guess we can't count on siglist tools to be installed? Otherwise we could test the siglist with them explicitly.

Yeah, deliberately trying to stay simple here, hence not even using file to check the contents.

@jsetje
Copy link
Collaborator

jsetje commented Mar 19, 2024

I'm happy with not creating additional build dependencies, since I really don't want to have to fix them for 7. :)

The complete version would probably be to use openssl to validate vendor cert and the siglist tools to validate vendor db

@steve-mcintyre
Copy link
Collaborator Author

I'm happy with not creating additional build dependencies, since I really don't want to have to fix them for 7. :)

The complete version would probably be to use openssl to validate vendor cert and the siglist tools to validate vendor db

Sure, we can revisit this to add more features. I'd just like to get something in to catch the obvious failures now. :-)

@steve-mcintyre steve-mcintyre merged commit 126a07e into rhboot:main Mar 19, 2024
21 checks passed
@aronowski aronowski mentioned this pull request Nov 18, 2024
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsetje jsetje jsetje approved these changes

@vathpela vathpela Awaiting requested review from vathpela

@julian-klode julian-klode Awaiting requested review from julian-klode

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fail the build if VENDOR_CERT_FILE is PEM-encoded
3 participants
@steve-mcintyre @vathpela @jsetje