Closed steve-mcintyre closed 6 months ago
Probably should just check for "BEGIN"? There's other PEM stuff people might be dumb enough to shove in there. I don't know why someone would shove e.g. a GPG pubkey in there, but I have faith in humanity's abilities.
Done!
I guess we can't count on siglist tools to be installed? Otherwise we could test the siglist with them explicitly.
Yeah, deliberately trying to stay simple here, hence not even using file to check the contents.
I'm happy with not creating additional build dependencies, since I really don't want to have to fix them for 7. :)
The complete version would probably be to use openssl to validate vendor cert and the siglist tools to validate vendor db
Sure, we can revisit this to add more features. I'd just like to get something in to catch the obvious failures now. :-)
If we see "BEGIN CERTIFICATE", it's a PEM certificate and won't work. Fail the build early and say so.
Fixes #645
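The check discussed in this thread, as an added example that is not part of the pull request or the project's own code: a shell helper that rejects any PEM-armored input (any `BEGIN` header, not only certificates) using nothing beyond grep. The helper name `check_not_pem`, the file names and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_not_pem is a hypothetical helper name, not the project's.

check_not_pem() {
    # $1 = file to inspect, $2 = name to use in the error message
    cnp_file=$1
    cnp_label=$2
    if [ ! -s "$cnp_file" ]; then
        echo "error: $cnp_label ($cnp_file) is missing or empty" >&2
        return 2
    fi
    # Any armor header at the start of a line counts: "BEGIN CERTIFICATE",
    # "BEGIN PGP PUBLIC KEY BLOCK", and so on. LC_ALL=C keeps grep
    # byte-oriented, so arbitrary binary input is scanned without locale errors.
    if LC_ALL=C grep -q -e '^-----BEGIN ' "$cnp_file"; then
        echo "error: $cnp_label ($cnp_file) is PEM-armored and will not work" >&2
        return 1
    fi
    return 0
}

demo() {
    # Constructed sample inputs; none of these are real keys or certificates.
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/key.asc"
    printf '\060\202\001\012\060\201' > "$demo_dir/cert.bin"   # binary, no armor
    for demo_f in cert.pem key.asc cert.bin; do
        if check_not_pem "$demo_dir/$demo_f" "vendor cert" 2>/dev/null; then
            echo "$demo_f: accepted"
        else
            echo "$demo_f: rejected"
        fi
    done
    rm -rf "$demo_dir"
}

demo
```

A build script would call the helper once per input and stop on a non-zero return, which gives the early failure with a message that the thread asks for.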