Open nieznanysprawiciel opened 4 months ago
Testing main certificate expiration
To not break production providers, we cannot touch the current certificate pointed to by the https://ca.golem.network/cert/scalepoint.signed.json URL.
We probably need a special build of the facade which will point to a different certificate URL than the one currently used.
Tests to conclude (assuming no changes to the way the certificate is provided - a static URL pointing to one certificate):
Testability
The proposition is to use an env variable like ALLOWED_REQUESTORS_CERTS with a value of comma-separated URLs to certificates. When this variable is present, we can substitute the default hardcoded value.
I don't think there is any security issue with this solution since there would be a default certificate hardcoded.
Certificate update on provider
Currently, the certificate is downloaded at golem facade startup. On running apps, this can be enforced by releasing a new version of the Gamerhash app appropriately early so that most of the users are updated before the certificate expires. Releasing a new version of the Gamerhash app just to refresh certificates might be assessed as overkill. In that case, we probably need to implement some kind of cron or thread to observe certificate expiration dates and schedule updates and reloads during app runtime.
Situation when the requestor's node descriptor expires.
Requestor yagna log:
Provider yagna log:
No anomalies spotted. GamerHash desktop app did not show any error.
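An added sketch of the two mechanisms discussed in this issue, the ALLOWED_REQUESTORS_CERTS override and a runtime refresh schedule; it is not code from the issue or from the Golem project. The function names, the HTTPS-only rule, the 14-day margin and the 1-hour retry are assumptions; only the variable name and the default URL come from the issue text.

```python
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Default URL and variable name are taken from the issue; the rest is assumed.
DEFAULT_CERT_URLS = ["https://ca.golem.network/cert/scalepoint.signed.json"]
ENV_VAR = "ALLOWED_REQUESTORS_CERTS"


def resolve_cert_urls(env=os.environ):
    """Return the override URLs when the variable is set, else the hardcoded default."""
    raw = env.get(ENV_VAR)
    if raw is None or not raw.strip():
        return list(DEFAULT_CERT_URLS)
    urls = []
    for item in raw.split(","):
        url = item.strip()
        if not url:
            continue  # tolerate trailing or doubled commas
        parts = urlsplit(url)
        # Assumed rule: trust anchors are never fetched over plaintext.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{ENV_VAR}: refusing non-HTTPS certificate URL {url!r}")
        if url not in urls:
            urls.append(url)
    # A value made only of separators falls back to the default.
    return urls or list(DEFAULT_CERT_URLS)


def is_override_active(env=os.environ):
    """True when the trusted certificates come from the environment (log this at startup)."""
    return resolve_cert_urls(env) != DEFAULT_CERT_URLS


def next_refresh(not_after, now, margin=timedelta(days=14), retry=timedelta(hours=1)):
    """Time at which a runtime watcher should re-download a certificate."""
    due = not_after - margin
    # Already inside the margin, or expired: retry soon rather than in the past.
    return due if due > now else now + retry


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(resolve_cert_urls(), is_override_active())
    print(next_refresh(now + timedelta(days=30), now))
```

Because whoever controls the process environment controls which requestor certificates are trusted, logging the result of `is_override_active` at startup makes an unexpected override visible.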