[match] select cert with the furthest expiration date in the future #21809
Conversation
@rogerluan, I would appreciate feedback on this. At some point, it slightly changes the renewal certs behavior introduced in #21691.
Well if that removes the just freshly added
I'm good with both options )
I can create a small PR that removes the option, but the logic stays the same. Give me a couple of mins
And new PR: #21812
Hi, @rogerluan and @lacostej. We are experiencing some issues with encryption. I don't know at this moment if it's this PR, or #21691. It's a double encryption or no encryption at all, idk. I think it's better to revert to #21691, and I'll be able to return back to this PR in 2 weeks. I'll try to make it faster, but no promises. Sorry for the bother 😥.
@nekrich what encryption issues are you running into? Could it be related to the encryption changes I made since the last release?
@nekrich so to summarize.
and you would like #21812 to be merged while you fix this one. The plan sounds OK, but I would really like to know more about the encryption failures you are having, and make sure they are not related to other changes.
@lacostej I'll be able to look only after Feb 20. I'll definitely describe what's wrong.
Stumbled upon this and just want to let you know we've passed Feb 20 now :) |
@nekrich looking forward to this feature 😄 🙏 |
Checklist
bundle exec rspec from the root directory to see all new and existing tests pass
bundle exec rubocop -a to ensure the code style is valid
ci/circleci builds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)
Motivation and Context
In most cases, there is only one cert/key pair in the match storage.
But when dealing with developer_id certificates, there could be two or even three. The reason for this is that developer ID certs have a 5-year lifespan. And it looks like an app signed with developer_id cert stops working when the developer id cert used to sign it is expired. Every couple of years, we issue a new developer id cert and use it to sign new app versions. In this case, we are sure that the latest release will work for a couple more years, and users will have plenty of time to update the app.
Since the developer id cert is not expired, we use manual import. After that, we have two cert/key pairs in the match storage.
The problem I want to address is that match uses the cert with the biggest id (filename). And this is wrong. We need match to select the cert with the furthest expiration date in the future.
Description
Cert renewal updates
Other improvements
keys variable. We need only certs with corresponding p12 keys.
PS. Looks like the failing tests on Ubuntu are not related to my changes.
Testing Steps
Run the match with storage having 2 or more certs of the same type.
Run the match with storage having 2 or more certs that are expired.
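As an added illustration of the selection rule this PR describes (example code, not match's own implementation), the Ruby below keeps only certs that have a matching p12 key and are not yet expired, then returns the id of the one whose not_after lies furthest in the future; the entry layout, make_cert, sample_storage and the cert ids are constructed here for the example.

```ruby
require 'openssl'

# Hypothetical stand-in for the rule from the PR. match stores each cert as
# <id>.cer next to its <id>.p12 key, so an entry here is { id:, cert:, has_key: }.
# Rather than taking the biggest id, drop certs without a p12 key, drop expired
# ones, and pick the furthest not_after. nil means nothing is usable and a new
# cert would have to be created (the "2 or more expired certs" testing step).
def select_cert_id(entries, now: Time.now)
  usable = entries.select { |e| e[:has_key] && e[:cert].not_after > now }
  best = usable.max_by { |e| e[:cert].not_after }
  best && best[:id]
end

YEAR = 365 * 24 * 60 * 60

# Constructed test data: a self-signed cert with the given validity window.
def make_cert(not_before, not_after)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Developer ID Application: Example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed storage with three developer_id certs: the biggest id expires
# soonest, a smaller id expires furthest out, and one cert has no p12 key.
def sample_storage(now)
  [
    { id: 'ZZZZ9999', cert: make_cert(now - 4 * YEAR, now + 1 * YEAR), has_key: true },
    { id: 'MMMM5555', cert: make_cert(now - 1 * YEAR, now + 4 * YEAR), has_key: true },
    { id: 'AAAA1111', cert: make_cert(now, now + 5 * YEAR), has_key: false }
  ]
end

if __FILE__ == $PROGRAM_NAME
  puts select_cert_id(sample_storage(Time.now)).inspect # MMMM5555, not ZZZZ9999
end
```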