Skip to content

sbkeys: accept --ca-bundle as a parameter #4482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: develop
Choose a base branch
from
Draft

sbkeys: accept --ca-bundle as a parameter #4482

wants to merge 2 commits into from

Conversation

cbgbt
Copy link
Contributor

@cbgbt cbgbt commented Apr 18, 2025

Description of changes:

sbkeys: accept --ca-bundle as a parameter

This can be useful if your host's native trust store does not have the
appropriate CA certificates to establish trust with AWS APIs.

sbkeys: pass missing vars to sbkeys script

The script self-invokes in either a docker container or by creating a
new bash subprocess, so all variables need to be exported to that
sub-process on creation.

Testing done:

  • Ran the script with --ca-bundle blahblahblah and it failed with SSL errors

  • Used a custom CA bundle inside a docker container

  • Created a new secureboot signing profile

  • Ran the script with --ca-bundle set to my hosts CA bundle, which caused it to succeed

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

cbgbt added 2 commits April 18, 2025 01:33
@cbgbt
sbkeys: accept --ca-bundle as a parameter
5e1b796 
This can be useful if your host's native trust store does not have the
appropriate CA certificates to establish trust with AWS APIs.
@cbgbt
sbkeys: pass missing vars to sbkeys script
12a188d 
The script self-invokes in either a docker container or by creating a
new bash subprocess, so all variables need to be exported to that
sub-process on creation.
@cbgbt cbgbt force-pushed the sbkeys-ca-bundle branch from a1f8003 to 12a188d Compare April 18, 2025 01:33
@cbgbt cbgbt marked this pull request as draft April 21, 2025 15:48
@cbgbt
Copy link
Contributor Author

cbgbt commented Apr 21, 2025

I've noticed that this doesn't help with certs needed to communicate with KMS via GPG. Putting back into draft.

@cbgbt cbgbt mentioned this pull request Apr 23, 2025
Merged
sumukhballal
sumukhballal reviewed Jun 11, 2025
View reviewed changes
sbkeys/generate-aws-sbkeys
@@ -117,6 +132,9 @@ SBKEYS_SCRIPT="$(mktemp)"
AWS_KMS_PKCS11_CONF="$(mktemp)"
cleanup() {
rm -f "${SBKEYS_SCRIPT}" "${AWS_KMS_PKCS11_CONF}"
if [ -n "${CA_BUNDLE:-}" ] ; then
rm -f "${CA_BUNDLE}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While reading the code, I initially thought that we were removing the user inputted CA_BUNDLE which a user running the command with sufficient privileges would cause it to be removed. But I then noticed the set CA_BUNDLE="${CA_BUNDLE_FILE}" a bit earlier in execution. This is more of a readability thing, but should we use a different variable name to avoid confusing the CA_BUNDLE_FILE from the input CA_BUNDLE variable?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sumukhballal sumukhballal sumukhballal left review comments

@jpculp jpculp Awaiting requested review from jpculp

@sam-berning sam-berning Awaiting requested review from sam-berning

@qianxjcraig qianxjcraig Awaiting requested review from qianxjcraig

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cbgbt @sumukhballal