From 279d3c09711bd75f1ba3b31eb942f69052d3bbed Mon Sep 17 00:00:00 2001
From: nl6720
Date: Thu, 1 Jun 2023 09:33:00 +0300
Subject: .gitlab/ci/build_archiso.sh: improve CI codesigning certificate
Adjust subject name to more closely match what's used in create_ephemeral_pgp_key. Reduce the certificate validity to two days. These are just temporary certificates, they will not be used anywhere. Fixes #196
---
 .gitlab/ci/build_archiso.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.gitlab/ci/build_archiso.sh b/.gitlab/ci/build_archiso.sh
index 3e1211b..248cb8c 100755
--- a/.gitlab/ci/build_archiso.sh
+++ b/.gitlab/ci/build_archiso.sh
@@ -219,12 +219,12 @@ create_ephemeral_codesigning_keys() {
 local ca_dir="${codesigning_dir}/ca/"
 local ca_conf="${ca_dir}/certificate_authority.cnf"
- local ca_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/CN=archlinux.org"
+ local ca_subj='/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering (Ephemeral Certificate Authority)'
 ca_cert="${ca_dir}/cacert.pem"
 ca_key="${ca_dir}/private/cakey.pem"
 local codesigning_conf="${codesigning_dir}/code_signing.cnf"
- local codesigning_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/CN=archlinux.org"
+ local codesigning_subj='/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering (Ephemeral Signing Key)'
 codesigning_cert="${codesigning_dir}/codesign.crt"
 codesigning_key="${codesigning_dir}/codesign.key"
@@ -249,6 +249,7 @@ create_ephemeral_codesigning_keys() {
 -keyout "${ca_key}" \
 -config "${ca_conf}" \
 -subj "${ca_subj}" \
+ -days 2 \
 -out "${ca_cert}"
 cat <>"${ca_conf}"
@@ -285,7 +286,7 @@ EOF
 -batch \
 -config "${ca_conf}" \
 -extensions v3_intermediate_ca \
- -days 3650 \
+ -days 2 \
 -notext \
 -md sha256 \
 -in "${codesigning_cert}.csr" \
--
cgit v1.2.3-70-g09d2
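Review bot: Nothing at `ca_subj` or `codesigning_subj` records that these subjects are meant to track the identity built in create_ephemeral_pgp_key, which is the stated reason for the change, so the two can drift apart again unnoticed. A comment above `ca_subj` such as `# Subject fields mirror create_ephemeral_pgp_key; keep both in sync` would carry that intent into the file. The shared `/C=DE/…/emailAddress=…` prefix is also repeated verbatim in both literals and could live in one local variable. create_ephemeral_codesigning_keys starts and ends outside this hunk.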
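Review bot: The two-day lifetime is a bare literal in `-days 2` here and again in the signing step of the third hunk, so a later edit can leave the CA and the certificate it issues with different lifetimes. One value declared next to the subjects, e.g. `local -r cert_validity_days=2  # ephemeral CI certificates only`, used as `-days "${cert_validity_days}"` in both commands, keeps them aligned and documents the choice. If anything verifies signatures on retained build artifacts more than two days after the run, a check that honours certificate validity will presumably fail, so it is worth confirming that nothing does. The openssl command this option belongs to begins above the hunk.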
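Review bot: The certificate that the new subject names an "Ephemeral Signing Key" is still issued with `-extensions v3_intermediate_ca`, a section name that suggests CA extensions rather than a code-signing leaf profile. The section body is written in the heredoc outside this hunk, so this is inferred from the name only; if it sets `basicConstraints` to `CA:true`, the signing certificate can itself issue certificates. For a two-day throwaway the exposure is small, but a leaf profile (`basicConstraints = CA:FALSE`, `extendedKeyUsage = codeSigning`) would match what the certificate is used for and what a verifier should expect. At minimum, a comment at this call explaining why the intermediate-CA section is used would help the next reader.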