Add dependency auto-installation support for certain Linux platforms #21
base: master
Conversation
Please review regardless of the CLA. Will see what legal thinks of it.
Hi, I've been looking again at what mkcert is doing. I'd like to match their behavior as much as possible. In their code, they don't have anything for installing tools to manage the system truststore, but they do for managing the NSS truststore (Firefox-based tools).

See truststore_linux.go#L28-L35. Depending on the package manager, they suggest installing `certutil` by showing the command, instead of automatically executing it.

We probably should also add a `SystemTrustCommandHelp` that shows the command to run. Then that command can be displayed by the `truststore` binary or `step`.

Can you change your PR to do something like that? What about adding `dnf` or `yum`, and apparently `zypper` (I didn't know about this one)?
My use-case is automatically executing this to add my employer's CA to container images. I've ignored

Automatically executing this using a tool you have developed? Using cmd/truststore? Using step-cli?

Using a tool we've developed.

In that case I think it's better to get the dependencies from truststore, and the command too, like truststore_linux.go#L28-L35, and you can call it from your tool. We don't want our tools to install any extra package automatically.
Name of feature: Linux dependency auto-installation

Pain or issue this feature alleviates: #20

Is there documentation on how to use this feature? If so, where?
Unfortunately not. If you can point me to where docs should go (if not just in the README), I'll gladly write them. It uses two environment variables: `TRUSTSTORE_INSTALL_CA_PACKAGE` and `TRUSTSTORE_IGNORE_PACKAGE_CERTS`. If set to `true`, the former attempts to install the needed packages for CA installation from the distro package manager, and the latter will do that while ignoring upstream cert validity. This is useful when you're behind corporate SSL inspection, which is my use-case.

In what environments or workflows is this feature supported?
This works for Debian-likes and Alpine.

In what environments or workflows is this feature explicitly NOT supported (if any)?
Anything that isn't a Linux distro. I should note that RHEL and its derivatives do not appear to need this, as they've ensured relevant packages are always available, even on minimal installs.

Supporting links/other PRs/issues: #20

Please let me know if any clean-up needs to be done.

Changes I've made to the code:
- `init()` is now done in another function, `setCommandAndFileVariables()`, so the variables can be set again after attempting to install relevant packages
- `TRUSTSTORE_INSTALL_CA_PACKAGE` and `TRUSTSTORE_IGNORE_PACKAGE_CERTS`
- `existsOnPath()` function that returns true when a binary is on PATH, false when not. This is useful for package manager resolution, and also cleans up `setCommandAndFileVariables()` a bit
- `installPlatform()` and `uninstallPlatform()` now hit `tryDetermineOsAndInstall()`, a function that tries to install relevant packages if `TRUSTSTORE_INSTALL_CA_PACKAGE` is true

I've tested this internally with a pipeline that runs a binary using this library on these distros:

The test downloaded a copy of my employer's CA certs, then tried to install them using this library. After that, it tried to verify an SSL connection that uses those certs. Permutations were added for the values of `TRUSTSTORE_INSTALL_CA_PACKAGE` and `TRUSTSTORE_IGNORE_PACKAGE_CERTS`.

Closes #20.
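The two designs discussed in this thread, the PR's env-var-gated auto-install with an `existsOnPath()` helper and the maintainer's mkcert-style `CertutilInstallHelp` / `SystemTrustCommandHelp` that only renders the command, can be reconciled in one small package: the library detects the package manager and returns the install command as a string, and executing anything is an explicit, injectable opt-in left to the caller. The following is an added example written for this review, not code from smallstep/truststore or from mkcert. The package names per package manager (`libnss3-tools`, `nss-tools`, `mozilla-nss-tools`, `ca-certificates`) and the function names are assumptions for illustration; verify the package names against your distro. Nothing here disables certificate validation for the package manager, so the `TRUSTSTORE_IGNORE_PACKAGE_CERTS` behaviour from the PR is deliberately not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// PackageManager names a Linux package manager this example can render a
// command for. Detection order matters on images that ship more than one.
type PackageManager string

const (
	Apt     PackageManager = "apt"
	Apk     PackageManager = "apk"
	Dnf     PackageManager = "dnf"
	Yum     PackageManager = "yum"
	Zypper  PackageManager = "zypper"
	Unknown PackageManager = ""
)

// LookPathFunc has the signature of exec.LookPath so PATH can be faked in tests.
type LookPathFunc func(file string) (string, error)

// existsOnPath reports whether name resolves to an executable on PATH
// (the same role as the PR's existsOnPath helper).
func existsOnPath(lookPath LookPathFunc, name string) bool {
	_, err := lookPath(name)
	return err == nil
}

// DetectPackageManager returns the first known package manager found on PATH.
// dnf is checked before yum because current Fedora/RHEL ship yum only as a shim.
func DetectPackageManager(lookPath LookPathFunc) PackageManager {
	for _, pm := range []PackageManager{Apt, Apk, Dnf, Yum, Zypper} {
		if existsOnPath(lookPath, string(pm)) {
			return pm
		}
	}
	return Unknown
}

// Package names below are assumptions for this example; check them for your distro.
var certutilPackage = map[PackageManager]string{
	Apt: "libnss3-tools", Apk: "nss-tools", Dnf: "nss-tools", Yum: "nss-tools", Zypper: "mozilla-nss-tools",
}
var systemTrustPackage = map[PackageManager]string{
	Apt: "ca-certificates", Apk: "ca-certificates", Dnf: "ca-certificates", Yum: "ca-certificates", Zypper: "ca-certificates",
}

// installCommand renders the package manager invocation without running it.
func installCommand(pm PackageManager, pkg string) string {
	if pkg == "" {
		return ""
	}
	switch pm {
	case Apt:
		return "apt install " + pkg
	case Apk:
		return "apk add " + pkg
	case Dnf, Yum, Zypper:
		return string(pm) + " install " + pkg
	}
	return ""
}

// CertutilInstallHelp is the command that provides certutil for the NSS (Firefox-family) truststore.
func CertutilInstallHelp(pm PackageManager) string { return installCommand(pm, certutilPackage[pm]) }

// SystemTrustCommandHelp is the command that provides the system CA bundle tooling.
func SystemTrustCommandHelp(pm PackageManager) string {
	return installCommand(pm, systemTrustPackage[pm])
}

// RunIfOptedIn executes cmd only when the caller passed optIn=true (for example from
// an environment variable the caller owns). The default is never to run a package
// manager. run is injected so the policy can be tested without touching the system.
func RunIfOptedIn(cmd string, optIn bool, run func(name string, args ...string) error) (bool, error) {
	if cmd == "" {
		return false, errors.New("no install command known for this platform")
	}
	if !optIn {
		return false, nil
	}
	f := strings.Fields(cmd)
	return true, run(f[0], f[1:]...)
}

func main() {
	pm := DetectPackageManager(exec.LookPath)
	if pm == Unknown {
		fmt.Println("no supported package manager found on PATH")
		return
	}
	// The opt-in lives in the calling tool, not in the library; the name is an assumption.
	optIn := os.Getenv("TRUSTSTORE_INSTALL_CA_PACKAGE") == "true"
	fmt.Printf("system trust: %s\nNSS certutil: %s\n", SystemTrustCommandHelp(pm), CertutilInstallHelp(pm))
	ran, err := RunIfOptedIn(SystemTrustCommandHelp(pm), optIn, func(name string, args ...string) error {
		return exec.Command(name, args...).Run()
	})
	fmt.Println("executed:", ran, "err:", err)
}
```

The library-side surface is only `DetectPackageManager` and the two `*Help` functions; a tool like the one described in the thread wraps `RunIfOptedIn` with its own opt-in and its own privilege handling, so `truststore`, `step` and any third-party caller print the same command by default and only an explicit caller ever executes it.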