Fix cryptographic certificates for post go 1.19
- What I did
Go 1.19 changed the way cryptographic certificates were verified, which broke a certain edge case of root CA rotation. This edge case is now disallowed.
- How I did it
As of Go 1.19, the logic for certificate trust chain validation changed, and a chain including two certs with the same key will not validate. This case would usually occur when reissuing the same cert with a later expiration date. Because of this validation failure, our root rotation algorithm fails. While it might be possible to adjust the rotation procedure to accommodate such a cert change, it is somewhat of an edge case, and, more importantly, we do not currently possess the cryptographic expertise to safely make such a change. So, as a result, this operation is disallowed. The new root cert must have a new key.
- How to test it
Test changes within.
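The failure described under "How I did it" can be reproduced with the standard library alone. The following is an added example, not code from this PR or from swarmkit: it builds a self-signed "old" root, cross-signs a "new" root with it (same subject, later expiry), and then does what a node that still trusts only the old root does during rotation, namely verifies the cross-signed certificate against the old root. The function names `RotateRoot` and `VerifyCrossSignedRoot` and the subject `example-swarm-root` are constructed for this example. When the new root reuses the old key, the Go 1.19+ path builder treats the old root as already present in the chain (same subject and same public key) and skips it, so verification fails; with a fresh key the chain builds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate returns a CA certificate template. The subject is held constant
// because a re-issued root keeps its name; only the serial and expiry change.
func caTemplate(serial int64, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "example-swarm-root"}, // constructed subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue creates a certificate for subjectPub from template, signed with the
// parent certificate's private key, and returns it parsed.
func issue(template, parent *x509.Certificate, subjectPub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, subjectPub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCrossSignedRoot verifies the cross-signed new root against a pool that
// contains only the old root. A nil error means the chain new -> old was built.
func VerifyCrossSignedRoot(crossSigned, oldRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(oldRoot)
	_, err := crossSigned.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// RotateRoot builds an old self-signed root and a new root cross-signed by it.
// With reuseKey=true the new root keeps the old key pair (a re-issue with a
// later expiry); otherwise it gets a fresh key, as the PR now requires.
func RotateRoot(reuseKey bool) error {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	oldTmpl := caTemplate(1, 365*24*time.Hour)
	oldRoot, err := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey) // self-signed
	if err != nil {
		return err
	}

	newKey := oldKey
	if !reuseKey {
		newKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return err
		}
	}
	// Cross-sign: same subject, later expiry, signature by the old root's key.
	newTmpl := caTemplate(2, 2*365*24*time.Hour)
	crossSigned, err := issue(newTmpl, oldRoot, &newKey.PublicKey, oldKey)
	if err != nil {
		return err
	}
	return VerifyCrossSignedRoot(crossSigned, oldRoot)
}

func main() {
	fmt.Println("same key:", RotateRoot(true))  // x509: certificate signed by unknown authority (Go >= 1.19)
	fmt.Println("new key: ", RotateRoot(false)) // <nil>
}
```

The same-key case does not fail because the signature is bad; the old root's key does verify the cross-signed certificate. It fails because the path builder refuses to append a certificate that is indistinguishable (by subject and key) from one already in the chain, which is exactly the guard that makes "reissue the same root with a later expiry" unverifiable once the old root is the only trust anchor.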
Looks like generated files need an update (also golangci-lint failing; could be out of memory?)
Something is broken with the linter. Even on my local machine, running make lint gets to the golangci-lint stage and very rapidly consumes some 20GB of RAM, then dies to the OOM killer.
Wondering if it needs settings tweaked; if it's a case of it running in a container and trying to spawn too many parallel things 🤔
I know I had to tweak GOMAXPROCS and some other things some years back for moby/moby
Codecov Report
Merging #3161 (8a140cf) into master (911c976) will increase coverage by 0.07%. The diff coverage is 40.00%.

Additional details and impacted files

| Coverage Diff | master | #3161 | +/- |
|---|---|---|---|
| Coverage | 57.28% | 57.35% | +0.07% |
| Files | 144 | 144 | |
| Lines | 30598 | 30603 | +5 |
| Hits | 17528 | 17553 | +25 |
| Misses | 11732 | 11709 | -23 |
| Partials | 1338 | 1341 | +3 |