Required TSL and config files are downloaded from network at build time
Hi,
Various files are needed for the signing feature to work (see for example https://github.com/open-eid/DigiDoc4-Client/issues/1281 for what happens when some are missing), and it is currently easy to miss at least the config files, as the build doesn't abort when they are missing.
I suggest that these critical files should be copied (bundled) in the git repositories and updated when needed, so that anyone can fetch the source and build it offline.
Thanks for the great software!
We’ve avoided committing these artifacts because several of them are maintained by external authorities and change frequently. Vendoring them would go stale fast and risk broken/offline signing. Instead, we document how to fetch the current set here: https://github.com/open-eid/DigiDoc4-Client/wiki/DeveloperTips
I've opened this issue because of investigating a build with broken signing (whether offline or online). The build system should fail if the files are missing at least, as it seems they can't be fetched from the network at run time.
(Currently the build proceeds normally if none of the config.json/config.pub/config.rsa in the common submodule are present, which breaks the signing feature).
Another reason to carry a copy: these files are otherwise not versioned, and could either vanish (due to operational problems of the servers they're hosted on) or change anytime, perhaps introducing breakage. A local copy that was tested to work with the software makes sense to me.
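
A pre-build gate covering both points raised in this thread (fail when the files are missing, and notice when they differ from a set that was tested to work), as an added example that is not part of the DigiDoc4-Client build system. The three file names come from the issue; the function names, the lock-file name `config.lock` and the directory passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-build gate for the signing config files.
# File names are from the issue; everything else is hypothetical.
REQUIRED_FILES="config.json config.pub config.rsa"

# Print the SHA-256 of one file (coreutils sha256sum, or shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# write_lock DIR LOCKFILE: pin the digests of a set that was tested to work.
write_lock() {
    for name in $REQUIRED_FILES; do
        printf '%s  %s\n' "$(sha256_of "$1/$name")" "$name"
    done > "$2"
}

# check_config_files DIR [LOCKFILE]
# Returns 0 when every file is present, non-empty and (if LOCKFILE is given)
# matches its pinned digest; 1 when a file is missing or empty; 2 when all
# files exist but at least one differs from, or is absent in, the lock file.
check_config_files() {
    dir=$1
    lock=${2:-}
    status=0
    for name in $REQUIRED_FILES; do
        path="$dir/$name"
        if [ ! -s "$path" ]; then
            echo "error: required file missing or empty: $path" >&2
            status=1
            continue
        fi
        [ -n "$lock" ] || continue
        actual=$(sha256_of "$path")
        pinned=$(awk -v n="$name" '$2 == n { print $1 }' "$lock" 2>/dev/null)
        if [ "$actual" != "$pinned" ]; then
            echo "error: $name does not match digest pinned in $lock" >&2
            [ "$status" -eq 1 ] || status=2
        fi
    done
    return "$status"
}

# Hypothetical use in a build script (directory name is an assumption):
#   check_config_files common config.lock || exit 1
```

Only the small lock file would need to be committed, so the externally maintained files stay out of the repository while a changed or vanished download still stops the build.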