feat: support standard PEM bundles #4

Merged
merged 2 commits into from
Feb 11, 2024
Merged

Conversation

RaitoBezarius
Collaborator

Feature

NixOS does not ship a cacert bundle that can be used with software stacks that do not support the OpenSSL-specific (non-standard) PEM format; this offers an escape hatch for such users.

shell.nix

The `shell.nix` was pinning various things like Python 3.9, specific versions of dependencies, had
a reference to Python 2, was using a removed package / moved package (pre-commit) and was overriding
`reuse` to inject a specific set of packages.

All of this is cleaned up and the shell is now using Python 3.12 if you are using a recent Nixpkgs, at the time
of writing.

In addition, `pytest` and `pre-commit` are still behaving as expected.

Signed-off-by: Ryan Lahfa <ryan@lahfa.xyz>
Comment on lines 38 to 43

    def __init__(self, fp: TextIO):
        self.fp = fp

    def output(self, cert: Optional[types.Certificate], trust: types.Trust) -> None:
        super().output(cert, trust)
Owner

This doesn't do anything different to the parent class; maybe just delete everything here apart from the docstring?

Collaborator Author

Oops, thank you for taking care of it.

@lukegb
Owner

lukegb commented Feb 11, 2024

One more thing :)

Also urgh, I should fix the cachix thing.

Some software stacks may not be able to enjoy OpenSSL-specific PEM formats.

To pay respect to the standard, we offer a compatible bundle output which strips all
additional trust rules of a given certificate, if there are any.

Tests show how this concretely has an impact on distrusted certificates, i.e. you don't see anything about them.

Signed-off-by: Ryan Lahfa <ryan@lahfa.xyz>
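The conversion this commit message and the PR description talk about, as an added example that is not the project's code and does not use its `types.Certificate`/`types.Trust` API: an OpenSSL `TRUSTED CERTIFICATE` block is the certificate's DER followed by OpenSSL's `CERT_AUX` structure (trust OIDs, `[0]` reject OIDs, alias, keyid). The script below splits the two, decodes the trust and reject lists, and writes plain `CERTIFICATE` blocks, leaving out any certificate whose `CERT_AUX` carries reject entries, because a standard PEM bundle has no way to express "distrusted". Assumptions: the certificate bodies are constructed placeholder DER SEQUENCEs rather than real X.509 certificates, and dropping every certificate that has a reject list is this example's policy, not necessarily the project's.

```python
# Added example, not the project's code. Sample certificates are placeholder DER.
import base64
import re
import textwrap
from dataclasses import dataclass, field

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, the sample purpose OID
TRUSTED_BLOCK = re.compile(
    r"-----BEGIN TRUSTED CERTIFICATE-----\n(.*?)\n-----END TRUSTED CERTIFICATE-----",
    re.S,
)

def parse_tlv(buf: bytes, pos: int = 0) -> tuple[int, int, int]:
    """Return (tag, header_length, content_length) of the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def decode_oid(content: bytes) -> str:
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def oid_list(body: bytes) -> list[str]:
    """Decode every OID inside the body of a SEQUENCE OF OBJECT IDENTIFIER."""
    out, pos = [], 0
    while pos < len(body):
        tag, hl, cl = parse_tlv(body, pos)
        if tag == 0x06:
            out.append(decode_oid(body[pos + hl:pos + hl + cl]))
        pos += hl + cl
    return out

@dataclass
class TrustedCert:
    cert_der: bytes                                   # bare X.509 Certificate DER
    trust: list[str] = field(default_factory=list)    # purposes explicitly trusted
    reject: list[str] = field(default_factory=list)   # purposes explicitly rejected

def parse_cert_aux(aux: bytes) -> tuple[list[str], list[str]]:
    """CERT_AUX ::= SEQUENCE { trust SEQUENCE OF OID OPTIONAL,
    reject [0] SEQUENCE OF OID OPTIONAL, alias, keyid, other [1] ... }"""
    _, hl, cl = parse_tlv(aux)
    pos, end, trust, reject = hl, hl + cl, [], []
    while pos < end:
        tag, hl, cl = parse_tlv(aux, pos)
        body = aux[pos + hl:pos + hl + cl]
        if tag == 0x30:                    # trust: plain SEQUENCE
            trust = oid_list(body)
        elif tag == 0xA0:                  # reject: [0] IMPLICIT SEQUENCE
            reject = oid_list(body)
        pos += hl + cl                     # alias/keyid/other carry no trust decision
    return trust, reject

def parse_trusted_bundle(pem: str) -> list[TrustedCert]:
    """Split each TRUSTED CERTIFICATE block into certificate DER + CERT_AUX."""
    certs = []
    for b64 in TRUSTED_BLOCK.findall(pem):
        der_bytes = base64.b64decode("".join(b64.split()))
        _, hl, cl = parse_tlv(der_bytes)   # outer SEQUENCE of the Certificate
        cert_der, aux = der_bytes[:hl + cl], der_bytes[hl + cl:]
        trust, reject = parse_cert_aux(aux) if aux else ([], [])
        certs.append(TrustedCert(cert_der, trust, reject))
    return certs

def pem_block(label: str, der_bytes: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der_bytes).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def to_standard_bundle(certs: list[TrustedCert]) -> str:
    """Plain CERTIFICATE blocks only; a certificate with reject entries is omitted
    because standard PEM cannot say "distrusted" (this example's policy)."""
    return "".join(pem_block("CERTIFICATE", c.cert_der) for c in certs if not c.reject)

# --- constructed sample input (placeholder DER, not real certificates) ---
def der(tag: int, content: bytes) -> bytes:
    assert len(content) < 0x80             # short-form lengths suffice here
    return bytes([tag, len(content)]) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, body)

FAKE_CERT_A = der(0x30, der(0x02, b"\x01"))      # stands in for a Certificate SEQUENCE
FAKE_CERT_B = der(0x30, der(0x02, b"\x02"))
AUX_TRUST_SERVER = der(0x30, der(0x30, encode_oid(SERVER_AUTH)))   # trusted for serverAuth
AUX_REJECT_SERVER = der(0x30, der(0xA0, encode_oid(SERVER_AUTH)))  # distrusted for serverAuth
SAMPLE_BUNDLE = (pem_block("TRUSTED CERTIFICATE", FAKE_CERT_A + AUX_TRUST_SERVER)
                 + pem_block("TRUSTED CERTIFICATE", FAKE_CERT_B + AUX_REJECT_SERVER))

if __name__ == "__main__":
    print(to_standard_bundle(parse_trusted_bundle(SAMPLE_BUNDLE)))
```

Running the script prints one `CERTIFICATE` block for the first sample and nothing for the second, which is the behaviour the commit message describes for distrusted certificates. A real bundle would go through the same path unchanged; only the placeholder certificate bodies would be replaced by genuine X.509 DER.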
@lukegb lukegb merged commit a36908c into lukegb:main Feb 11, 2024
1 check failed
@RaitoBezarius
Collaborator Author

Thank you @lukegb !
