rhboot / shim

UEFI shim loader

Validate that a supplied vendor cert is not in PEM format #646

Closed steve-mcintyre closed 6 months ago

steve-mcintyre commented 6 months ago

If we see "BEGIN CERTIFICATE", it's a PEM certificate and won't work. Fail the build early and say so.

Fixes #645

vathpela commented 6 months ago

Probably should just check for "BEGIN"? There's other PEM stuff people might be dumb enough to shove in there. I don't know why someone would shove e.g. a GPG pubkey in there, but I have faith in humanity's abilities.

steve-mcintyre commented 6 months ago

> Probably should just check for "BEGIN"? There's other PEM stuff people might be dumb enough to shove in there. I don't know why someone would shove e.g. a GPG pubkey in there, but I have faith in humanity's abilities.

Done!

jsetje commented 6 months ago

I guess we can't count on siglist tools to be installed? Otherwise we could test the siglist with them explicitly.

steve-mcintyre commented 6 months ago

> I guess we can't count on siglist tools to be installed? Otherwise we could test the siglist with them explicitly.

Yeah, deliberately trying to stay simple here, hence not even using file to check the contents.

jsetje commented 6 months ago

I'm happy with not creating additional build dependencies, since I really don't want to have to fix them for 7. :)

The complete version would probably be to use openssl to validate vendor cert and the siglist tools to validate vendor db

steve-mcintyre commented 6 months ago

> I'm happy with not creating additional build dependencies, since I really don't want to have to fix them for 7. :)
>
> The complete version would probably be to use openssl to validate vendor cert and the siglist tools to validate vendor db

Sure, we can revisit this to add more features. I'd just like to get something in to catch the obvious failures now. :-)
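
The dependency-free check discussed in this thread, as an added example that is not part of the pull request or of shim's build files: it rejects any file carrying an armor header and, going one step beyond the thread, also confirms the first byte is the ASN.1 SEQUENCE tag (0x30) that opens a DER certificate. The function names, return codes and the choice to match the `-----BEGIN` prefix are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not shim's Makefile logic. check_vendor_cert and its
# return codes are hypothetical names chosen for this illustration.
#   0 = plausibly DER, 1 = PEM/ASCII armor found, 2 = missing or empty,
#   3 = no armor, but does not start with an ASN.1 SEQUENCE tag
check_vendor_cert() {
    cert=$1
    [ -s "$cert" ] || return 2
    # Any armor header (certificate, private key, PGP block) means the file
    # is text, so match the generic "-----BEGIN" prefix rather than one type.
    if LC_ALL=C grep -q -e '-----BEGIN' "$cert"; then
        return 1
    fi
    # A DER X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    # This is a cheap sanity check, not a parse of the certificate.
    first=$(od -An -tx1 -N1 "$cert" | tr -d ' \n')
    [ "$first" = "30" ] || return 3
    return 0
}

# Build-step style wrapper: print a reason on stderr and fail early.
require_der_vendor_cert() {
    rc=0
    check_vendor_cert "$1" || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo "$1: PEM data found; a DER file is expected" >&2 ;;
        2) echo "$1: missing or empty" >&2 ;;
        3) echo "$1: not PEM, but not a DER SEQUENCE either" >&2 ;;
    esac
    return 1
}

# Stand-alone use: sh check.sh path/to/vendor-cert
if [ "$#" -gt 0 ]; then
    require_der_vendor_cert "$1"
fi
```

Only `grep`, `od` and `tr` are needed, so the check adds no build dependency; it does not prove the file is a valid certificate.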