-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improvements in DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.
#235
Improvements in DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.
#235
Conversation
DiskSigner
and DiskVerifier
and refactors for signing certificate chain.DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.
DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@maxlambrecht good work here, nice abstraction and good config explanations, just some minors to improve code's readability
DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.DiskSigner
and DiskVerifier
and refactors for the use of signing certificate chains.
…rtificate chain Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
baa222b
to
3d68af9
Compare
Signed-off-by: Max Lambrecht <[email protected]>
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, I really don't know why you are so reluctant in changing a name to meet the real implementation. Again, even if you plan to change in the future, the current implementation is using SHA256, so make it clear. The implementation itself will not change, just the name, the flexibility that you mention will not be affected by the name, nor any of the encapsulation and functionality.
My reluctance to change the name to reflect the current implementation is due to the following reasons:
I hope this helps in understanding my standpoint. |
Signed-off-by: Max Lambrecht <[email protected]>
Pull request check list
Description of change
This PR introduces several enhancements to the
DiskSigner
andDiskVerifier
. Key changes include the addition of support for intermediate CAs and the signing certificate chain. Two new configuration properties have been added to theDiskSigner
:trust_bundle_path
which is required when theca_cert_path
contains a non root CA, andsigning_cert_ttl
which allows to configure the TTL of the signing certificate to align it with the expiration time of the SPIRE bundle.Test coverage has been expanded to ensure these new features perform as expected.
The API has also been updated to accurately reflect that the signing certificate is now a certificate chain, ensuring consistency between the implementation and the APIs.
Corresponding updates have also been made to the DB schema names storing the signing certificate chain.
Finally, the related documentation has been updated.
Which issue this pull requests fixes