sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0

Context prematurely canceled using gcloudtoken #44

Open hodbn opened 2 months ago

hodbn commented 2 months ago

When using gcloudtoken with ADC, the context might be prematurely canceled.

The expected behavior is that gcloudtoken will use pin if configured and ADC otherwise. The actual behavior is that it only works if pin is configured, but might not work otherwise. I've encountered this on macOS + v8.0.0.

I'll open a PR to fix this issue.

How to reproduce?

foo@bar:~$ gcloud auth application-default login
[snip]
foo@bar:~$ gcloud auth application-default print-access-token
[snip]
foo@bar:~$ cat ./relic.yml
---
tokens:
  gcloud:
    type: gcloud
keys:
  tmpkey:
    token: gcloud
    id: projects/redacted/locations/us-central1/keyRings/tmpkr/cryptoKeys/tmpkey/cryptoKeyVersions/1
    x509certificate: ./tmpkey.cer
foo@bar:~$ go run ./ sign --config ./relic.yml --file ./test.ps1 -k tmpkey -o ./test.ps1.sign --ps-style .ps1
ERROR: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: Post "https://oauth2.googleapis.com/token": context canceled

Possible solution

Google Cloud SDK docs state:

        // Do not set a timeout on the context passed to NewClient: dialing happens
        // asynchronously, and the context is used to refresh credentials in the
        // background.

So the code should pass a context without deadline when initializing and only add the deadline in actual calls.
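
The lifetime problem described in this issue, as an added example that is not relic's or the Google Cloud SDK's code: a simplified model in which a client keeps its construction context for later credential refresh. The names `tokenSource`, `client`, `newClient`, `buggyInit`, `fixedInit` and `sign` are hypothetical stand-ins, and the token value is constructed.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// tokenSource (hypothetical) keeps the construction ctx and reuses it on every refresh.
type tokenSource struct{ ctx context.Context }

func (s *tokenSource) Token() (string, error) {
	if err := s.ctx.Err(); err != nil {
		return "", fmt.Errorf("token refresh: %w", err)
	}
	return "constructed-token", nil
}

type client struct{ ts *tokenSource }

func newClient(ctx context.Context) *client { return &client{ts: &tokenSource{ctx: ctx}} }

// buggyInit bounds client construction with a deadline and cancels on return.
func buggyInit() *client {
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel() // the retained ctx is canceled as soon as buggyInit returns
	return newClient(ctx)
}

// fixedInit passes a context without deadline, as the quoted SDK comment asks.
func fixedInit() *client { return newClient(context.Background()) }

// sign puts the deadline on the individual call instead of on the client.
func sign(c *client, data string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()
	tok, err := c.ts.Token()
	if err == nil {
		err = ctx.Err() // per-call deadline, independent of the client's ctx
	}
	if err != nil {
		return "", err
	}
	return "signed(" + data + ") using " + tok, nil
}

func main() {
	_, err := sign(buggyInit(), "test.ps1")
	out, err2 := sign(fixedInit(), "test.ps1")
	fmt.Println("buggy:", err, "| fixed:", out, err2)
}
```

With `buggyInit` the first signing call fails with `context canceled` even though the call's own deadline has not expired, which matches the shape of the error in the reproduction above.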