Embed Apple root and intermediate certificates into quill binary #34
This PR makes the following changes to quill:
- QUILL_SIGN_FAIL_WITHOUT_FULL_CHAIN env var set to false.
- go generate step. These certificates are checked into the repo. Note: no automation updates these certificates, they will need to be updated manually and checked in with make update-apple-certs
- quill embedded-certificates command to enumerate the Apple certificates embedded in the quill binary
- pem package to pki (more accurate, especially with the current additions)
- pki packages into load for loading material from sources and certchain for operating on a cert store or chain.

TODO:
- QUILL_SIGN_FAIL_WITHOUT_FULL_CHAIN to false and shows the previous test steps pass.
- pki.FindRemainingChainCerts to show that the embedded lookup works as expected with test-fixture certs.
- quill apple-certs command? [renamed to embedded-certificates]

Closes #8
Closes #16
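A sketch of resolving a signing certificate's remaining chain from a fixed certificate store, with an incomplete chain reported as an error. This is an added example, not quill's code and not its pki.FindRemainingChainCerts; `remainingChain` and `issue` are hypothetical names, the store stands in for the embedded Apple certificates, and the certificates are constructed test fixtures generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// remainingChain (hypothetical) returns leaf's issuers found in store, nearest first.
func remainingChain(leaf *x509.Certificate, store ...*x509.Certificate) (chain []*x509.Certificate, err error) {
	for cur := leaf; cur.CheckSignatureFrom(cur) != nil; chain = append(chain, cur) {
		next := cur
		for _, c := range store { // issuer: subject name matches AND signature verifies
			if string(c.RawSubject) == string(cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				next = c
			}
		}
		if next == cur || len(chain) >= len(store) { // no issuer, or a cross-signing loop
			return chain, fmt.Errorf("incomplete chain at %q", cur.Subject.CommonName)
		}
		cur = next
	}
	return chain, nil // loop ended at a certificate that verifies under its own key
}

// issue builds a constructed test CA certificate, self-signed when parent is nil.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk) // fixed inputs; errors not expected
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() { // constructed fixture: root -> intermediate -> signer
	root, rk := issue("Test Root", nil, nil)
	inter, ik := issue("Test Intermediate", root, rk)
	leaf, _ := issue("Test Signer", inter, ik)
	full, _ := remainingChain(leaf, inter, root)
	_, err := remainingChain(leaf, inter) // root missing from the store
	fmt.Println(len(full), err)
}
```

Matching on subject name alone would accept a look-alike root; requiring the signature to verify is what rejects a certificate that merely reuses the expected name.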