Closed bdd closed 2 years ago
Well, simply updating the test cert to RSA 2048 will drop the lumped-in test case for the key size warning emitted.
    Warnings:
    Size of RSA key should be at least 2048 bits
Moreover, the chain verification failure messages are now different between platforms, e.g.
    Failed to verify certificate chain:
    - x509: certificate signed by unknown authority
    + x509: “Acme Co” certificate is not trusted
The new error, citing the issuer name, is coming from Apple Security Framework, particularly this format string with its fancy quotes.
So the PR would be more involved than a new key, a new cert and a changed expected output.
Thanks for the detailed writeup, we'll take a look!
I decided that we should just change the test to successfully verify the cert chain instead of relying on a platform-specific error string.
Problem:
TestConnect fails on macOS when using Go 1.18

Dive:
Where does this "certificate is using a broken key size" error come from? Looks like from Apple Security Framework: https://cs.github.com/apple-open-source/macos/blob/4c64a93f78278a48fd0c9bce26737010c16668e6/Security/OSX/sec/Security/SecFrameworkStrings.h#L246
Apple's App Transport Security (ATS) on all platforms now requires:
Go uses Apple Security Framework now?
Go 1.18 switched TLS verification path to platform APIs for macOS and iOS. From: Go 1.18 Release Notes:
Next:
Update localhostKey to at least 2048 bits and generate a new localhostCert with it in cli/cli_test.go. https://github.com/square/certigo/blob/41b5b73f75ee1b5817a8d32951f9dd9c12324391/cli/cli_test.go#L19
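An added example, not certigo's code or test and not posted by anyone in this thread, of the two fixes the thread converges on: regenerating the test material with a 2048-bit RSA key so no key-size warning is emitted, and verifying the chain against an explicitly supplied root so the result does not depend on the platform verifier's error strings. The function names GenSelfSigned, RSAKeyBits, KeySizeWarning and VerifyChain, the "Acme Co" subject and the one-hour validity are assumptions for this example; the warning text is copied from the thread.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// minRSABits is the threshold behind the warning quoted in the thread.
const minRSABits = 2048

// GenSelfSigned makes an RSA key of the given size and a self-signed
// certificate for localhost, both PEM-encoded. Subject and validity are
// assumptions for this example, not values from the project's test.
func GenSelfSigned(bits int) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Acme Co"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// RSAKeyBits returns the modulus size of the certificate's RSA public key.
func RSAKeyBits(certPEM []byte) (int, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return 0, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, fmt.Errorf("not an RSA public key: %T", cert.PublicKey)
	}
	return pub.N.BitLen(), nil
}

// KeySizeWarning returns the thread's warning text for undersized keys, "" otherwise.
func KeySizeWarning(bits int) string {
	if bits < minRSABits {
		return fmt.Sprintf("Size of RSA key should be at least %d bits", minRSABits)
	}
	return ""
}

// VerifyChain verifies certPEM for dnsName with the cert itself as the only
// trust anchor. Because Roots is set explicitly, Go's own verifier runs on
// every platform; with Roots == nil, Go 1.18+ defers to the OS verifier on
// darwin/ios/windows, which is where the platform-specific strings come from.
func VerifyChain(certPEM []byte, dnsName string) error {
	cert, err := parseCert(certPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	for _, bits := range []int{1024, 2048} {
		certPEM, _, err := GenSelfSigned(bits)
		if err != nil {
			panic(err)
		}
		n, _ := RSAKeyBits(certPEM)
		fmt.Printf("%d-bit key: warning=%q verify=%v\n", n, KeySizeWarning(n), VerifyChain(certPEM, "localhost"))
	}
}
```

The key-size check is done on the parsed certificate rather than on the error string, and the verification step asserts success against a pinned root, so the same test passes on Linux, macOS and Windows regardless of which verifier produces the failure text.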