New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add --re-sign flag to cert command #2391
Conversation
👍 Thanks! |
@bronzdoc The failures look like a bundler (?) issue. Maybe restart the job? |
@djberg96 nope not a bundler issue, is just i'm asserting a linux path and in windows is not the same 😁 already fixed that locally, just finishing up some things, it will be ready today :) |
b58a4af
to
4895554
Compare
6c605a6
to
b558711
Compare
@bronzdoc Looks green, thanks! @segiddins Ok to merge? |
@@ -89,6 +93,11 @@ def initialize | |||
'Days before the certificate expires') do |days, options| | |||
options[:expiration_length_days] = days.to_i | |||
end | |||
|
|||
add_option('-R', '--re-sign', | |||
'Re-sign the certificate from -C with the key from -K') do |resign, options| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to make it clear to the user that -C
and -K
are options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Re-sign the certificate specified by the --certificate option with the key specified by the --private-key option"
How does that sound?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the description of the --sign
flag, i just wanted to make it familiar with what users already have.
add_option('-s', '--sign CERT',
'Signs CERT with the key from -K',
'and the certificate from -C') do |cert_file, options|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, so let's use the same message, just changing "Signs" to "Re-signs". I guess '--re-sign' should be changed to '--re-sign CERT' then, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The command will be used like:
gem cert --certificate ~/cert.pem --private-key ~/private_key.pem --re-sign
So the --re-sign
flag does not take any CERT
argument
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, nevermind that comment then. 😄
@@ -290,6 +303,13 @@ def sign_certificates # :nodoc: | |||
end | |||
end | |||
|
|||
def re_sign_cert(cert, private_key) | |||
Gem::Security::Signer.re_sign_cert(cert, private_key) do |cert_path, expired_cert_path| | |||
alert("Your cert #{cert_path} has been re-signed") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would use certificate
instead of cert
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there possible confusion with a method name? Otherwise I'm ok with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there's no confusion with a method name, but maybe certificate
is more clear, thanks
23b4a6f
to
847aaf3
Compare
@@ -15,6 +15,8 @@ def initialize | |||
:add => [], :remove => [], :list => [], :build => [], :sign => [] | |||
|
|||
OptionParser.accept OpenSSL::X509::Certificate do |certificate| | |||
@certificate_file = certificate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OptionParser::accept is used to verify an argument is valid and to convert it to the correct type, not to set values for the input. If we end up needing to validate and convert arguments with these types and pull this code out it will cause breakage for this command.
Instead OptionParser#on (which add_option calls in RubyGems) must be used to record options given to a command, -C
/--certificate
below for this option.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
… to preserve the file this acceptor can return both the certificate and the certificate location.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is something the acceptor can do or is something that needs to be implemented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line 17 can become … do |certificate_file|
Line 19 (21 new) can become:
certificate = OpenSSL::X509::Certificate.new File.read certificate_file
[certificate, certificate_file] # return both converted certificate and location of certificate
And line 70–71 (74–75 new) can become:
… do |(cert, file), options|
options[:issuer_cert] = cert
options[:issuer_cert_file] = cert_file
So the acceptor still only validates, but returns both the loaded Certificate and certificate path and opt.on '-C'
stores both in options
@@ -26,6 +28,8 @@ def initialize | |||
end | |||
|
|||
OptionParser.accept OpenSSL::PKey::RSA do |key_file| | |||
@key_file = key_file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto on OptionParser.accept, -K
/--private-key
is used to record arguments
@@ -114,6 +123,10 @@ def execute | |||
build email | |||
end | |||
|
|||
if options[:resign] | |||
re_sign_cert(@certificate_file, @key_file) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should use values from options
after removing the instance variables
@@ -290,6 +303,13 @@ def sign_certificates # :nodoc: | |||
end | |||
end | |||
|
|||
def re_sign_cert(cert, private_key) | |||
Gem::Security::Signer.re_sign_cert(cert, private_key) do |cert_path, expired_cert_path| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this needs the certificate location to store the expired certificate when we generate a new one that should be passed in as well, then have Gem::Security::Signer::re_sign_cert accept three arguments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
e476898
to
6a4adbc
Compare
@drbrain changes are done, build failing is not related to this PR... something weird with rubocop not being installed is happening in specific builds... |
I tried restarting a couple of the builds to no avail. Not sure what's happening, but I thought I saw some curl failures in there. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My name is Eric Hodel and I approve this pull request
6a4adbc
to
54ede15
Compare
@bundlerbot r+ |
📌 Commit 54ede15 has been approved by |
…nzdoc Add --re-sign flag to cert command # Description: Follow up of: #1720 (i'll squash the commits when i'm done) I will abide by the [code of conduct](https://github.com/rubygems/rubygems/blob/master/CODE_OF_CONDUCT.md).
☀️ Test successful - status-travis |
Woohoo, thanks! |
This commits includes tiny bugfix and new features listed here: * Add --re-sign flag to cert command by bronzdoc: rubygems/rubygems#2391 * Download gems with threads. by indirect: rubygems/rubygems#1898 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64769 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Description:
Follow up of: #1720
(i'll squash the commits when i'm done)
I will abide by the code of conduct.