Merge branch 'master' into hs/scep

This commit is contained in:
Herman Slatman 2021-03-06 22:47:36 +01:00
commit 99654f0efe
GPG key ID: F4D8A44EA0A75A4F
11 changed files with 28 additions and 74 deletions


@ -20,7 +20,7 @@ jobs:
name: Setup Go name: Setup Go
uses: actions/setup-go@v2 uses: actions/setup-go@v2
with: with:
go-version: '^1.15.8' go-version: '1.15.8'
- -
name: Install Deps name: Install Deps
id: install-deps id: install-deps
@ -105,7 +105,7 @@ jobs:
name: Set up Go name: Set up Go
uses: actions/setup-go@v2 uses: actions/setup-go@v2
with: with:
go-version: '^1.15.8' go-version: '1.15.8'
- -
name: APT Install name: APT Install
id: aptInstall id: aptInstall
@ -135,7 +135,7 @@ jobs:
- name: Setup Go - name: Setup Go
uses: actions/setup-go@v2 uses: actions/setup-go@v2
with: with:
go-version: '^1.15.8' go-version: '1.15.8'
- name: Build - name: Build
id: build id: build
run: | run: |


@ -18,7 +18,7 @@ jobs:
- name: Setup Go - name: Setup Go
uses: actions/setup-go@v2 uses: actions/setup-go@v2
with: with:
go-version: '^1.15.6' go-version: '1.15.6'
- name: Install Deps - name: Install Deps
id: install-deps id: install-deps
run: sudo apt-get -y install libpcsclite-dev run: sudo apt-get -y install libpcsclite-dev


@ -215,7 +215,7 @@ run:
######################################### #########################################
changelog: changelog:
$Q echo "step-certificates ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog $Q echo "step-ca ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog
$Q echo >> debian/changelog $Q echo >> debian/changelog
$Q echo " * See https://github.com/smallstep/certificates/releases" >> debian/changelog $Q echo " * See https://github.com/smallstep/certificates/releases" >> debian/changelog
$Q echo >> debian/changelog $Q echo >> debian/changelog
@ -223,7 +223,7 @@ changelog:
debian: changelog debian: changelog
$Q mkdir -p $(RELEASE); \ $Q mkdir -p $(RELEASE); \
OUTPUT=../step-certificates_*.deb; \ OUTPUT=../step-ca*.deb; \
rm $$OUTPUT; \ rm $$OUTPUT; \
dpkg-buildpackage -b -rfakeroot -us -uc && cp $$OUTPUT $(RELEASE)/ dpkg-buildpackage -b -rfakeroot -us -uc && cp $$OUTPUT $(RELEASE)/
@ -236,7 +236,7 @@ distclean: clean
################################################# #################################################
BINARY_OUTPUT=$(OUTPUT_ROOT)binary/ BINARY_OUTPUT=$(OUTPUT_ROOT)binary/
RELEASE=./.travis-releases RELEASE=./.releases
define BUNDLE_MAKE define BUNDLE_MAKE
# $(1) -- Go Operating System (e.g. linux, darwin, windows, etc.) # $(1) -- Go Operating System (e.g. linux, darwin, windows, etc.)
@ -258,23 +258,7 @@ binary-linux-armv7:
binary-darwin: binary-darwin:
$(call BUNDLE_MAKE,darwin,amd64,,$(BINARY_OUTPUT)darwin/) $(call BUNDLE_MAKE,darwin,amd64,,$(BINARY_OUTPUT)darwin/)
define BUNDLE .PHONY: binary-linux binary-linux-arm64 binary-linux-armv7 binary-darwin
# $(1) -- Binary Output Dir Name
# $(2) -- Step Platform Name
# $(3) -- Step Binary Architecture
# $(4) -- Step Binary Name (For Windows Comaptibility)
$(q) ./make/bundle.sh "$(BINARY_OUTPUT)$(1)" "$(RELEASE)" "$(VERSION)" "$(2)" "$(3)" "$(4)" "$(5)" "$(6)"
endef
bundle-linux: binary-linux binary-linux-arm64 binary-linux-armv7
$(call BUNDLE,linux,linux,amd64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
$(call BUNDLE,linux.arm64,linux,arm64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
$(call BUNDLE,linux.armv7,linux,armv7,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
bundle-darwin: binary-darwin
$(call BUNDLE,darwin,darwin,amd64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
.PHONY: binary-linux binary-darwin bundle-linux bundle-darwin
################################################# #################################################
# Targets for creating step artifacts # Targets for creating step artifacts
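Review bot: The new `OUTPUT=../step-ca*.deb` in the `debian` recipe drops the `_` separator that the old `step-certificates_*.deb` pattern had, so the glob now also matches any sibling `.deb` whose name merely starts with `step-ca` (a debug-symbol package, if dpkg-buildpackage produces one, would be the likely case); those files are then deleted by `rm $$OUTPUT` before the build and copied into `$(RELEASE)/` after it. `rm` without `-f` also prints an error on a clean tree where nothing matches; because the lines are joined with `;` rather than `&&` the error is swallowed, but `-f` states the intent. Suggested: `OUTPUT=../step-ca_*.deb; \` and `rm -f $$OUTPUT; \`. The `changelog` recipe in the first hunk now emits the `step-ca` source name, which matches the renamed `debian/control` in this commit.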


@ -142,13 +142,13 @@ $ brew install step
Download the Debian package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest): Download the Debian package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest):
``` ```
$ wget https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_X.Y.Z_amd64.deb $ wget https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-ca_X.Y.Z_amd64.deb
``` ```
Install the Debian package: Install the Debian package:
``` ```
$ sudo dpkg -i step-certificates_X.Y.Z_amd64.deb $ sudo dpkg -i step-ca_X.Y.Z_amd64.deb
``` ```
#### Arch Linux #### Arch Linux
@ -184,14 +184,14 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.
Download the Linux package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest): Download the Linux package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest):
``` ```
$ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_linux_X.Y.Z_amd64.tar.gz $ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-ca_linux_X.Y.Z_amd64.tar.gz
``` ```
Install `step-ca` by unzipping and copying the executable over to `/usr/bin`: Install `step-ca` by unzipping and copying the executable over to `/usr/bin`:
``` ```
$ tar -xf step-ca.tar.gz $ tar -xf step-ca.tar.gz
$ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin $ sudo cp step-ca_X.Y.Z/bin/step-ca /usr/bin
``` ```
See the [`systemctl` setup section](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon) for a See the [`systemctl` setup section](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon) for a

2
debian/changelog vendored

@ -1,4 +1,4 @@
step-certificates (0.8.4-14-ge72f087-dev) unstable; urgency=medium step-ca (0.8.4-14-ge72f087-dev) unstable; urgency=medium
* See https://github.com/smallstep/certificates/releases * See https://github.com/smallstep/certificates/releases

6
debian/control vendored

@ -1,4 +1,4 @@
Source: step-certificates Source: step-ca
Section: utils Section: utils
Priority: optional Priority: optional
Maintainer: Smallstep Labs, Inc. <techadmin@smallstep.com> Maintainer: Smallstep Labs, Inc. <techadmin@smallstep.com>
@ -8,8 +8,8 @@ Homepage: https://github.com/smallstep/certificates
Vcs-Browser: https://github.com/smallstep/certificates.git Vcs-Browser: https://github.com/smallstep/certificates.git
Vcs-Git: https://github.com/smallstep/certificates.git Vcs-Git: https://github.com/smallstep/certificates.git
Package: step-certificates Package: step-ca
Architecture: any Architecture: any
Depends: ${misc:Depends} Depends: ${misc:Depends}
Description: Smallstep Certificate Authority Description: Smallstep Certificate Authority
step-certificates is the Smallstep Certificate Authority. step-ca is the Smallstep Certificate Authority.
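Review bot: Renaming the binary package from `step-certificates` to `step-ca` in the `Package:` stanza without a transition relationship means dpkg treats the two as unrelated packages; if both ship the same installed paths (the README in this commit documents `/usr/bin/step-ca` for the tarball, and the systemd unit now points there), a host that already has `step-certificates` installed will fail on a file conflict when the new package is installed, or end up with both installed. The usual fix is to add `Replaces: step-certificates`, `Breaks: step-certificates` and `Provides: step-certificates` under the `Package: step-ca` stanza so the upgrade replaces the old package cleanly. If the old package was never published under that name this can be skipped, but the commit does not indicate that.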

6
debian/copyright vendored

@ -1,13 +1,13 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: step-certificates Upstream-Name: step-ca
Source: https://github.com/smallstep/certificates Source: https://github.com/smallstep/certificates
Files: * Files: *
Copyright: 2020 Smallstep Labs, Inc. Copyright: 2021 Smallstep Labs, Inc.
License: Apache 2.0 License: Apache 2.0
License: Apache 2.0 License: Apache 2.0
Copyright (c) 2019 Smallstep Labs, Inc. Copyright (c) 2021 Smallstep Labs, Inc.
. .
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@ -77,10 +77,10 @@ e.g. `v1.0.2`
Travis will build and upload the following artifacts: Travis will build and upload the following artifacts:
* **step-certificates_1.0.3_amd64.deb**: debian package for installation on linux. * **step-ca_1.0.3_amd64.deb**: debian package for installation on linux.
* **step-certificates_1.0.3_linux_amd64.tar.gz**: tarball containing a statically compiled linux binary. * **step-ca_linux_1.0.3_amd64.tar.gz**: tarball containing a statically compiled linux binary.
* **step-certificates_1.0.3_darwin_amd64.tar.gz**: tarball containing a statically compiled darwin binary. * **step-ca_darwin_1.0.3_amd64.tar.gz**: tarball containing a statically compiled darwin binary.
* **step-certificates.tar.gz**: tarball containing a git archive of the full repo. * **step-ca_1.0.3.tar.gz**: tarball containing a git archive of the full repo.
3. **Update the AUR Arch Linux package** 3. **Update the AUR Arch Linux package**


@ -5,8 +5,8 @@ private keys and sign certificates.
Support for multiple KMS are planned, but currently the only Google's Cloud KMS, Support for multiple KMS are planned, but currently the only Google's Cloud KMS,
and Amazon's AWS KMS are supported. A still experimental version for YubiKeys is and Amazon's AWS KMS are supported. A still experimental version for YubiKeys is
also available if you compile also available if you compile [step-ca](https://github.com/smallstep/certificates)
[step-certificates](https://github.com/smallstep/certificates) yourself. yourself.
## Google's Cloud KMS ## Google's Cloud KMS


@ -1,32 +0,0 @@
#/bin/sh
set -ex;
OUTPUT_DIR=$1
RELEASE_DIR=$2
STEP_VERSION=$3
STEP_PLATFORM=$4
STEP_ARCH=$5
STEP_EXEC_NAME=$6
STEP_CLOUDKMS_EXEC_NAME=$7
STEP_AWSKMS_EXEC_NAME=$8
BUNDLE_DIR=${OUTPUT_DIR}/bundle
mkdir -p "$BUNDLE_DIR" "$RELEASE_DIR"
TMP=$(mktemp -d "$BUNDLE_DIR/tmp.XXXX")
trap "rm -rf $TMP" EXIT INT QUIT TERM
stepName=step-certificates_${STEP_VERSION}
newdir="$TMP/${stepName}"
mkdir -p "$newdir/bin"
cp "$OUTPUT_DIR/bin/${STEP_EXEC_NAME}" "$newdir/bin/${STEP_EXEC_NAME}"
cp "$OUTPUT_DIR/bin/${STEP_CLOUDKMS_EXEC_NAME}" "$newdir/bin/${STEP_CLOUDKMS_EXEC_NAME}"
cp "$OUTPUT_DIR/bin/${STEP_AWSKMS_EXEC_NAME}" "$newdir/bin/${STEP_AWSKMS_EXEC_NAME}"
cp README.md "$newdir"
NEW_BUNDLE="${RELEASE_DIR}/step-certificates_${STEP_PLATFORM}_${STEP_VERSION}_${STEP_ARCH}.tar.gz"
rm -f "$NEW_BUNDLE"
tar -zcvf "$NEW_BUNDLE" -C "$TMP" "${stepName}"


@ -15,7 +15,7 @@ User=step
Group=step Group=step
Environment=STEPPATH=/etc/step-ca Environment=STEPPATH=/etc/step-ca
WorkingDirectory=/etc/step-ca WorkingDirectory=/etc/step-ca
ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
ExecReload=/bin/kill --signal HUP $MAINPID ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure Restart=on-failure
RestartSec=5 RestartSec=5
@ -32,6 +32,8 @@ NoNewPrivileges=yes
; Sandboxing ; Sandboxing
; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely ; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely
; too restrictive for PKCS#11 HSMs. ; too restrictive for PKCS#11 HSMs.
;
; NOTE: Comment out the rest of this section for troubleshooting.
ProtectSystem=full ProtectSystem=full
ProtectHome=true ProtectHome=true
RestrictNamespaces=true RestrictNamespaces=true
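Review bot: The added `; NOTE: Comment out the rest of this section for troubleshooting.` tells the operator to drop the whole sandbox at once, which loses the information about which directive is actually blocking the service and leaves no hint to restore it. A more useful wording is `; NOTE: To troubleshoot a startup failure, disable the directives below one at a time` followed by `; (e.g. ProtectSystem= first) and restore them once the cause is found.`, which narrows the cause and keeps the hardened defaults in place afterwards. The rest of the sandboxing section continues past this hunk, so I cannot see which other directives the note covers; the `ExecStart` change to `/usr/bin/step-ca` in the first hunk is consistent with the install path documented in the README in this commit.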