DataONEorg / ca

DataONE Certificate Authority

Cross-Signing Changes & Repo Cleanup #2

Closed artntek closed 9 months ago

artntek commented 9 months ago

see #1

1. Directory Renaming

Prior to this PR, the current directory naming conventions were:

CA                  PRODUCTION                  TEST
------------------------------------------------------------------
ROOT:               "DataONERootCA"             "DataONETestCA"
INTERMEDIATE:       "DataONEProdCA"             "DataONETestIntCA"

This PR includes the following changes:

# move the old sha-1 stuff out of the way, but keep it for now:

mkdir SHA-1_ARCHIVE
mv  DataONERootCA DataONEProdCA DataONETestCA DataONETestIntCA  SHA-1_ARCHIVE
# create new directories for the sha256 stuff:

CA                  PRODUCTION                  TEST
------------------------------------------------------------------
ROOT:               "DataONEProdRootCA"         "DataONETestRootCA"
INTERMEDIATE:       "DataONEProdIntCA"          "DataONETestIntCA"

2. Cleaning Up Old Files

The following files were moved, deleted or retained:

### LEAVE IN ROOT: ###
./.gitignore
./ca
./cert_status
./DataONETest256CAChain.crt
./prod_cert_status.csv
./publish_cert
./publish_cert_orcid
./publish_crl
./README.rst
./README.pdf

### MOVE TO sha-1_archive: ###
./20150810_test.csv
./20170418_prod.csv
./cato.py
./cert_status.py
./d1_create_csr
./DataONECAChain.crt
./DataONETestCAChain.crt
./generate_mncheck_certs
./test

### DELETE: ###
./c4
./calendar.html
./Prod_events.ics
./Test_events.ics

3. Script Changes

Update the following scripts to account for the above changes:

4. GitHub Action Changes

Update the GHA yaml and cert_status to pull details for certs in both the archive and the new directory. This is achieved by symlinking the old certs (from ./SHA-1_ARCHIVE/DataONEProdCA/certs) as a subdirectory in the new location (./DataONEProdIntCA/certs/pre_sha-256_ca)

5. README

Convert the README file to markdown, and edit to incorporate the above naming changes. (Full review/edit will be in a separate PR)
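An added example (not the repository's own cert_status or GHA code) of the section 4 layout: the archive certs directory symlinked under the new intermediate CA's certs directory, and the one detail a scanner needs to get right to see both generations of certs. Directory and CA names follow the PR; the .pem file names are constructed, and Python's os.walk stands in for whatever cert_status actually does.

```python
import os
import tempfile

# Layout from the PR: SHA-1 era certs stay in the archive, symlinked as a subdir of the new certs dir.
ARCHIVE_CERTS = os.path.join("SHA-1_ARCHIVE", "DataONEProdCA", "certs")
NEW_CERTS = os.path.join("DataONEProdIntCA", "certs")
LINK_NAME = "pre_sha-256_ca"

# Constructed placeholder file names and content; not real DataONE certificates.
OLD_CERT_FILES = ["urn_node_OLD1.pem", "urn_node_OLD2.pem"]
NEW_CERT_FILES = ["urn_node_NEW1.pem"]
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"

def build_layout(root):
    """Create both certs dirs under root with placeholder .pem files, symlink
    the archive dir under the new certs dir, and return the new certs dir."""
    archive = os.path.join(root, ARCHIVE_CERTS)
    new = os.path.join(root, NEW_CERTS)
    os.makedirs(archive)
    os.makedirs(new)
    for directory, names in ((archive, OLD_CERT_FILES), (new, NEW_CERT_FILES)):
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write(PLACEHOLDER_PEM)
    # Relative link target, so the checkout works wherever it is cloned.
    os.symlink(os.path.relpath(archive, new), os.path.join(new, LINK_NAME))
    return new

def list_certs(certs_dir, follow_symlinks):
    """Return sorted .pem/.crt paths relative to certs_dir. os.walk() lists a
    symlinked directory but only descends into it with followlinks=True, so a
    scan written without it silently skips the archived certs."""
    found = []
    for dirpath, _dirs, files in os.walk(certs_dir, followlinks=follow_symlinks):
        for name in files:
            if name.endswith((".pem", ".crt")):
                rel = os.path.relpath(os.path.join(dirpath, name), certs_dir)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def scan_demo():
    """Build the layout in a temp dir; return (naive_scan, following_scan)."""
    with tempfile.TemporaryDirectory() as root:
        new = build_layout(root)
        return list_certs(new, False), list_certs(new, True)

if __name__ == "__main__":
    naive, complete = scan_demo()
    print("without followlinks:", naive, "| with followlinks:", complete)
```

The naive scan reports only the new cert; only the scan that follows the pre_sha-256_ca link also reports the archived ones, which is the blind spot a status check over this layout has to avoid.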

mbjones commented 9 months ago

Overall this looks good. I don't have time to review the script changes and verify your file moves, but the procedure seems like what we agreed to. The only thing that pops out to me is that the file ./DataONETest256CAChain.crt should be renamed to be consistent with the new directory naming conventions for the CAs.

artntek commented 9 months ago

> The only thing that pops out to me is that the file ./DataONETest256CAChain.crt should be renamed to be consistent with the new directory naming conventions for the CAs.

I'm a bit confused by this. I don't see ./DataONETest256CAChain.crt in the repo:

$ find . -name "*Chain*"
./SHA-1_ARCHIVE/DataONETestCAChain.crt
./SHA-1_ARCHIVE/DataONECAChain.crt

There are still some DataONETestRootCA and DataONETestIntCA files with 256 in the name, but I'm replacing these in a separate PR, so they don't get lost in the noise here. (Will also generate new prod & test chain files.)

Thanks for checking!

mbjones commented 9 months ago

@artntek For that filename, I copied it directly from your "2. Cleaning up old files" listing.

artntek commented 9 months ago

> @artntek For that filename, I copied it directly from your "2. Cleaning up old files" listing.

Mea culpa! It’s just a local file I created for testing - sorry 😄