docs: fix stale content in EXAMPLES.md #37
Correct expired certificate behavior description — certs are always ingested, filtering is output-only. Clarify PKCS#12 default password is changeit with user override via -p flag. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Temporarily enable show_full_output to diagnose why the review action completes successfully but doesn't post comments on PRs. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Pull request overview
Updates EXAMPLES.md to correct and clarify documented CLI behavior around expired certificate handling and PKCS#12/JKS password defaults so users get accurate guidance when running common certkit workflows.
Changes:
- Clarifies PKCS#12 export password behavior and how to override it.
- Rewrites the “expired certificates” section to explain ingestion vs output filtering and usage of `--allow-expired`.
| ``` | ||
|
|
||
| The output `.p12` uses password `changeit` (the Java convention). Same works for JKS: | ||
| The output `.p12` uses password `changeit` by default (the Java convention). Override with `-p "your-password"`. Same works for JKS: |
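Review bot: the added sentence documents `-p "your-password"` as the override without noting that a password passed as a command-line argument ends up in shell history and is visible in the process list while the command runs. The same line presents `changeit` as the default without saying that a well-known default password gives the private key inside the `.p12` no real protection. Suggest adding one sentence on each point and, if certkit has a way to supply the password other than on the command line, showing that in the example instead.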
This sentence says the generated .p12 uses password changeit by default and can be overridden with -p, but the current certkit bundle implementation derives the export password from internal.ProcessPasswords(), which prepends default passwords (including "password") and then picks the first non-empty value. As a result, the default (and even the override) may not match what's documented here—please reconcile the example text with the actual CLI behavior (or adjust the CLI if the intended default really is changeit).
| The output `.p12` uses password `changeit` by default (the Java convention). Override with `-p "your-password"`. Same works for JKS: | |
| The output `.p12` is password-protected. For predictable results, always set an explicit password with `-p "your-password"`. The same flag works for JKS: |
| certkit always reads and parses expired certificates -- they're never silently dropped. However, expired certificates are excluded from output by default (scan summaries, bundle exports). Use `--allow-expired` to include them: | ||
|
|
||
| ```sh | ||
| certkit inspect expired-cert.pem --allow-expired | ||
| certkit verify expired-cert.pem --allow-expired | ||
| certkit bundle expired-cert.pem --allow-expired --force | ||
| certkit scan /path/to/certs/ --allow-expired | ||
| certkit bundle expired-cert.pem --allow-expired --force |
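Review bot: the `certkit bundle expired-cert.pem --allow-expired --force` example passes two flags, but the paragraph above it only explains `--allow-expired`. Say what `--force` bypasses and why bundling an expired certificate needs it, so readers do not copy it as a general-purpose override.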
This paragraph claims expired certs are excluded from scan summaries and that certkit scan ... --allow-expired includes them, but scan ingests all certs and MemStore.ScanSummary() counts everything without expiry filtering. Also, the scan export path doesn’t currently use --allow-expired to bypass expiry during bundling (it’s controlled by verification/--force). Please update this section and the example command so it reflects what scan actually does.
| certkit bundle expired-cert.pem --allow-expired --force | ||
| ``` | ||
|
|
||
| Commands that target a specific file (`inspect`, `verify`) always show the certificate regardless of expiry. |
The statement that inspect and verify “always show the certificate regardless of expiry” doesn’t match the current CLI behavior: inspect filters expired certificate results unless --allow-expired is set, and verify returns a validation error for expired certs unless --allow-expired is set. Please revise this line to match the actual command behavior.
| Commands that target a specific file (`inspect`, `verify`) always show the certificate regardless of expiry. | |
| Commands that target a specific file (`inspect`, `verify`) still read expired certificates, but `inspect` filters expired certificates from its results unless you pass `--allow-expired`, and `verify` reports a validation error for expired certificates unless you pass `--allow-expired`. |
Description
Fix two inaccuracies in EXAMPLES.md:
- `inspect` and `verify` always show the cert regardless of expiry. Updated to match the actual behavior documented in CLAUDE.md and README.
- `changeit` is the default password with user override via `-p`, not just a hardcoded value.
Test Plan
- `--help` output
🤖 Generated with Claude Code