From 0aa96a936fb4b3904283c700bd336a1ba6b6750f Mon Sep 17 00:00:00 2001
From: max furman
Date: Mon, 1 Mar 2021 15:42:34 -0800
Subject: [PATCH 1/7] [systemd] change executable location of step-ca
---
 systemd/step-ca.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 11fdffae..48dae272 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -15,7 +15,7 @@ User=step
 Group=step
 Environment=STEPPATH=/etc/step-ca
 WorkingDirectory=/etc/step-ca
-ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
 ExecReload=/bin/kill --signal HUP $MAINPID
 Restart=on-failure
 RestartSec=5
From ad48c8a88144397c127a9f01a9ad42e60baf1d13 Mon Sep 17 00:00:00 2001
From: max furman
Date: Mon, 1 Mar 2021 15:48:07 -0800
Subject: [PATCH 2/7] [systemd file] add note about commenting sandboxing section for troubleshooting
---
 systemd/step-ca.service | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 48dae272..d500ab59 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -32,6 +32,8 @@ NoNewPrivileges=yes
 ; Sandboxing
 ; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely
 ; too restrictive for PKCS#11 HSMs.
+;
+; NOTE: Comment out the rest of this section for troubleshooting.
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true
From 43b4e5b4f8f3709548948d3b09757a7ba56005b8 Mon Sep 17 00:00:00 2001
From: max furman
Date: Tue, 2 Mar 2021 10:57:17 -0800
Subject: [PATCH 3/7] [action] rename debian
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 37539348..93d52a1b 100644
--- a/Makefile
+++ b/Makefile
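Review bot: The comment added under `; Sandboxing` in systemd/step-ca.service (`; NOTE: Comment out the rest of this section for troubleshooting.`) tells operators to drop every hardening directive at once and never says to put them back, so a CA process that holds signing keys can stay unsandboxed after the debugging session. I would word it as `; NOTE: For troubleshooting only, comment out individual directives below to find the one that blocks your setup, and restore the rest before returning to production.` The hunk shows only the first three directives of the section (`ProtectSystem=full`, `ProtectHome=true`, `RestrictNamespaces=true`); the section continues outside the hunk. `systemd-analyze security step-ca.service` is a quick way to confirm the unit's exposure after any such edit.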
@@ -223,7 +223,7 @@ changelog:
 debian: changelog
 $Q mkdir -p $(RELEASE); \
- OUTPUT=../step-certificates_*.deb; \
+ OUTPUT=../step-ca*.deb; \
 rm $$OUTPUT; \
 dpkg-buildpackage -b -rfakeroot -us -uc && cp $$OUTPUT $(RELEASE)/
From 8a1c8b394a831cec7e9fbff20084479d9eec6ea8 Mon Sep 17 00:00:00 2001
From: max furman
Date: Tue, 2 Mar 2021 11:21:37 -0800
Subject: [PATCH 4/7] [action] change debian package and src name in debian build files
---
 debian/changelog | 2 +-
 debian/control | 6 +++---
 debian/copyright | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 48efaee7..8267efed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-step-certificates (0.8.4-14-ge72f087-dev) unstable; urgency=medium
+step-ca (0.8.4-14-ge72f087-dev) unstable; urgency=medium
 * See https://github.com/smallstep/certificates/releases
diff --git a/debian/control b/debian/control
index 14589884..0a3f6680 100644
--- a/debian/control
+++ b/debian/control
@@ -1,4 +1,4 @@
-Source: step-certificates
+Source: step-ca
 Section: utils
 Priority: optional
 Maintainer: Smallstep Labs, Inc.
@@ -8,8 +8,8 @@ Homepage: https://github.com/smallstep/certificates
 Vcs-Browser: https://github.com/smallstep/certificates.git
 Vcs-Git: https://github.com/smallstep/certificates.git
-Package: step-certificates
+Package: step-ca
 Architecture: any
 Depends: ${misc:Depends}
 Description: Smallstep Certificate Authority
- step-certificates is the Smallstep Certificate Authority.
+ step-ca is the Smallstep Certificate Authority.
diff --git a/debian/copyright b/debian/copyright
index f0c162d1..5c6bf9de 100644
--- a/debian/copyright
+++ b/debian/copyright
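Review bot: The new glob `OUTPUT=../step-ca*.deb` in the `debian` recipe drops the `_` that separates package name from version in the built file name (the README in this series shows `step-ca_X.Y.Z_amd64.deb`), so `rm $$OUTPUT` and `cp $$OUTPUT $(RELEASE)/` now match any file in the parent directory whose name merely starts with `step-ca`. Because whatever the glob matches after the build is copied into the release directory, I would keep it as tight as the old pattern: `OUTPUT=../step-ca_*.deb; \`. The unchanged `rm $$OUTPUT` also prints an error on a clean tree where nothing matches; `rm -f $$OUTPUT; \` avoids that. The rule header `debian: changelog` is inside the hunk and the recipe appears to end at the `dpkg-buildpackage` line.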
@@ -1,13 +1,13 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: step-certificates
+Upstream-Name: step-ca
 Source: https://github.com/smallstep/certificates
 Files: *
-Copyright: 2020 Smallstep Labs, Inc.
+Copyright: 2021 Smallstep Labs, Inc.
 License: Apache 2.0
 License: Apache 2.0
- Copyright (c) 2019 Smallstep Labs, Inc.
+ Copyright (c) 2021 Smallstep Labs, Inc.
 .
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
From 9cfdd2f3df1a526a597a7c5b2068d6ce596777a0 Mon Sep 17 00:00:00 2001
From: max furman
Date: Tue, 2 Mar 2021 11:58:42 -0800
Subject: [PATCH 5/7] [action] change step-certificates to step-ca where possible
---
 Makefile | 22 +++-------------------
 README.md | 8 ++++----
 distribution.md | 8 ++++----
 docs/kms.md | 4 ++--
 make/bundle.sh | 32 --------------------------------
 5 files changed, 13 insertions(+), 61 deletions(-)
 delete mode 100755 make/bundle.sh
diff --git a/Makefile b/Makefile
index 93d52a1b..b019651f 100644
--- a/Makefile
+++ b/Makefile
@@ -215,7 +215,7 @@ run:
 #########################################
 changelog:
- $Q echo "step-certificates ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog
+ $Q echo "step-ca ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog
 $Q echo >> debian/changelog
 $Q echo " * See https://github.com/smallstep/certificates/releases" >> debian/changelog
 $Q echo >> debian/changelog
@@ -236,7 +236,7 @@ distclean: clean
 #################################################
 BINARY_OUTPUT=$(OUTPUT_ROOT)binary/
-RELEASE=./.travis-releases
+RELEASE=./.ci-releases
 define BUNDLE_MAKE
 # $(1) -- Go Operating System (e.g. linux, darwin, windows, etc.)
@@ -258,23 +258,7 @@ binary-linux-armv7:
 binary-darwin:
 $(call BUNDLE_MAKE,darwin,amd64,,$(BINARY_OUTPUT)darwin/)
-define BUNDLE
- # $(1) -- Binary Output Dir Name
- # $(2) -- Step Platform Name
- # $(3) -- Step Binary Architecture
- # $(4) -- Step Binary Name (For Windows Comaptibility)
- $(q) ./make/bundle.sh "$(BINARY_OUTPUT)$(1)" "$(RELEASE)" "$(VERSION)" "$(2)" "$(3)" "$(4)" "$(5)" "$(6)"
-endef
-
-bundle-linux: binary-linux binary-linux-arm64 binary-linux-armv7
- $(call BUNDLE,linux,linux,amd64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
- $(call BUNDLE,linux.arm64,linux,arm64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
- $(call BUNDLE,linux.armv7,linux,armv7,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
-
-bundle-darwin: binary-darwin
- $(call BUNDLE,darwin,darwin,amd64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
-
-.PHONY: binary-linux binary-darwin bundle-linux bundle-darwin
+.PHONY: binary-linux binary-linux-arm64 binary-linux-armv7 binary-darwin
 #################################################
 # Targets for creating step artifacts
diff --git a/README.md b/README.md
index fbe0a244..afa013dc 100644
--- a/README.md
+++ b/README.md
@@ -142,13 +142,13 @@ $ brew install step
 Download the Debian package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest):
 ```
- $ wget https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_X.Y.Z_amd64.deb
+ $ wget https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-ca_X.Y.Z_amd64.deb
 ```
 Install the Debian package:
 ```
- $ sudo dpkg -i step-certificates_X.Y.Z_amd64.deb
+ $ sudo dpkg -i step-ca_X.Y.Z_amd64.deb
 ```
 #### Arch Linux
@@ -184,14 +184,14 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. Download the Linux package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest): ``` - $ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_linux_X.Y.Z_amd64.tar.gz + $ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-ca_linux_X.Y.Z_amd64.tar.gz ``` Install `step-ca` by unzipping and copying the executable over to `/usr/bin`: ``` $ tar -xf step-ca.tar.gz - $ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin + $ sudo cp step-ca_X.Y.Z/bin/step-ca /usr/bin ``` See the [`systemctl` setup section](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon) for a diff --git a/distribution.md b/distribution.md index 703be042..cf4306f5 100644 --- a/distribution.md +++ b/distribution.md @@ -77,10 +77,10 @@ e.g. `v1.0.2` Travis will build and upload the following artifacts: - * **step-certificates_1.0.3_amd64.deb**: debian package for installation on linux. - * **step-certificates_1.0.3_linux_amd64.tar.gz**: tarball containing a statically compiled linux binary. - * **step-certificates_1.0.3_darwin_amd64.tar.gz**: tarball containing a statically compiled darwin binary. - * **step-certificates.tar.gz**: tarball containing a git archive of the full repo. + * **step-ca_1.0.3_amd64.deb**: debian package for installation on linux. + * **step-ca_linux_1.0.3_amd64.tar.gz**: tarball containing a statically compiled linux binary. + * **step-ca_darwin_1.0.3_amd64.tar.gz**: tarball containing a statically compiled darwin binary. + * **step-ca_1.0.3.tar.gz**: tarball containing a git archive of the full repo. 3. **Update the AUR Arch Linux package** diff --git a/docs/kms.md b/docs/kms.md index 976963c0..4f293132 100644 --- a/docs/kms.md +++ b/docs/kms.md 
@@ -5,8 +5,8 @@ private keys and sign certificates. Support for multiple KMS are planned, but currently the only Google's Cloud KMS, and Amazon's AWS KMS are supported. A still experimental version for YubiKeys is -also available if you compile -[step-certificates](https://github.com/smallstep/certificates) yourself. +also available if you compile [step-ca](https://github.com/smallstep/certificates) +yourself. ## Google's Cloud KMS diff --git a/make/bundle.sh b/make/bundle.sh deleted file mode 100755 index 269e15dd..00000000 --- a/make/bundle.sh +++ /dev/null @@ -1,32 +0,0 @@ -#/bin/sh -set -ex; - -OUTPUT_DIR=$1 -RELEASE_DIR=$2 - -STEP_VERSION=$3 -STEP_PLATFORM=$4 -STEP_ARCH=$5 -STEP_EXEC_NAME=$6 -STEP_CLOUDKMS_EXEC_NAME=$7 -STEP_AWSKMS_EXEC_NAME=$8 - -BUNDLE_DIR=${OUTPUT_DIR}/bundle - -mkdir -p "$BUNDLE_DIR" "$RELEASE_DIR" -TMP=$(mktemp -d "$BUNDLE_DIR/tmp.XXXX") -trap "rm -rf $TMP" EXIT INT QUIT TERM - -stepName=step-certificates_${STEP_VERSION} -newdir="$TMP/${stepName}" -mkdir -p "$newdir/bin" - -cp "$OUTPUT_DIR/bin/${STEP_EXEC_NAME}" "$newdir/bin/${STEP_EXEC_NAME}" -cp "$OUTPUT_DIR/bin/${STEP_CLOUDKMS_EXEC_NAME}" "$newdir/bin/${STEP_CLOUDKMS_EXEC_NAME}" -cp "$OUTPUT_DIR/bin/${STEP_AWSKMS_EXEC_NAME}" "$newdir/bin/${STEP_AWSKMS_EXEC_NAME}" - -cp README.md "$newdir" -NEW_BUNDLE="${RELEASE_DIR}/step-certificates_${STEP_PLATFORM}_${STEP_VERSION}_${STEP_ARCH}.tar.gz" - -rm -f "$NEW_BUNDLE" -tar -zcvf "$NEW_BUNDLE" -C "$TMP" "${stepName}" From aef1e8ca7b6fa1d3f7e7f4d366ca9f86f2b2a23a Mon Sep 17 00:00:00 2001 From: max furman Date: Tue, 2 Mar 2021 14:02:08 -0800 Subject: [PATCH 6/7] [action] build artifacts in .releases dir to match actions --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b019651f..a8907b8b 100644 --- a/Makefile +++ b/Makefile 
@@ -236,7 +236,7 @@ distclean: clean ################################################# BINARY_OUTPUT=$(OUTPUT_ROOT)binary/ -RELEASE=./.ci-releases +RELEASE=./.releases define BUNDLE_MAKE # $(1) -- Go Operating System (e.g. linux, darwin, windows, etc.) From 94a895994f1c4d0e5b4974b78880c42c50e3af0b Mon Sep 17 00:00:00 2001 From: max furman Date: Tue, 2 Mar 2021 14:27:02 -0800 Subject: [PATCH 7/7] [action] pin to 1.15.8 not ^1.15.8 - was bumping all the way to 1.16 --- .github/workflows/release.yml | 6 +++--- .github/workflows/test.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc65b334..be59fadd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,7 @@ jobs: name: Setup Go uses: actions/setup-go@v2 with: - go-version: '^1.15.8' + go-version: '1.15.8' - name: Install Deps id: install-deps @@ -105,7 +105,7 @@ jobs: name: Set up Go uses: actions/setup-go@v2 with: - go-version: '^1.15.8' + go-version: '1.15.8' - name: APT Install id: aptInstall @@ -135,7 +135,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: '^1.15.8' + go-version: '1.15.8' - name: Build id: build run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4ddc6d21..74e435fd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,7 +18,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: '^1.15.6' + go-version: '1.15.6' - name: Install Deps id: install-deps run: sudo apt-get -y install libpcsclite-dev
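Review bot: After this commit the release workflow builds with Go `1.15.8` while .github/workflows/test.yml is pinned to `1.15.6`, so the test job runs on a different toolchain patch level than the one that produces the published CA binaries; this applies to all three `go-version` hunks in release.yml as well as the test.yml hunk. I would pin test.yml to the same value, `go-version: '1.15.8'`. An exact pin also means Go security patch releases are no longer picked up automatically; if setup-go accepts a tilde range such as `'~1.15.8'` (to be confirmed against the action's documentation) that would stay on 1.15.x without jumping to 1.16, otherwise the pin needs someone responsible for bumping it. The unchanged `uses: actions/setup-go@v2` context lines reference a mutable tag, and pinning the action to a commit SHA is worth considering for a pipeline that publishes release artifacts.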