tools icon indicating copy to clipboard operation
tools copied to clipboard
verified publisher icon gokrazy

Switch from bremcl/rootcerts to x/crypto/x509roots

Open stapelberg opened this issue 2 years ago • 4 comments

We first need to add a Bundle() accessor to the x509roots/fallback package, then we can dump the certificates (in internal/packer/cacerts.go) like so:

	b := new(bytes.Buffer)
	for _, cert := range fallback.Bundle() {
		fmt.Fprintf(b, "# %s\n# %x\n", cert.Subject.String(), sha256.Sum256(cert.Raw))
		pem.Encode(b, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	}

	return string(b.Bytes()), nil

stapelberg avatar Jun 24 '23 20:06 stapelberg

@stapelberg I'm working on it!

dolmen avatar Feb 22 '25 17:02 dolmen

@stapelberg I'm working on it!

Nope. The Bundle() accessor isn't available.

dolmen avatar Feb 22 '25 17:02 dolmen

Yeah, I filed https://github.com/golang/go/issues/69898 to export it. I’ll ping Roland again to see where this stands.

stapelberg avatar Feb 23 '25 08:02 stapelberg

What about this alternative: just to download the certificates directly from the Mozilla source while building the image and store the file where Go expects it.

dolmen avatar Feb 28 '25 08:02 dolmen

This is done with commit https://github.com/gokrazy/tools/commit/19d09ffb32b78f5e868812eeef905e7452d391f4 🎉

stapelberg avatar Sep 12 '25 07:09 stapelberg