@richardlau
Member

Automates the steps from doc/contributing/maintaining-root-certs.md.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.


I attempted to test the workflow changes over in https://github.com/nodejs/node-auto-test but it looks like the tokens/permissions are not set up for that repository: https://github.com/nodejs/node-auto-test/actions/runs/4621889241

Running the new update script locally updates to NSS 3.89:

Details
$ nvm run 18 tools/dep_updaters/update-root-certs.mjs -vRunning node v18.14.0 (npm v9.3.1)Fetching NSS release scheduleFound NSS version:{ version: '3.89', date: 2023-03-09T00:00:00.000Z, firefoxVersion: '112', firefoxDate: 2023-04-11T00:00:00.000Z}Fetching https://hg.mozilla.org/projects/nss/raw-file/NSS_3_89_RTM/lib/ckfw/builtins/certdata.txtWriting /home/rlau/sandbox/github/node/tools/certdata.txtRunning tools/mk-ca-bundle.plParsing: GlobalSign Root CAParsing: Entrust.net Premium 2048 Secure Server CAParsing: Baltimore CyberTrust RootParsing: Entrust Root Certification AuthorityParsing: Comodo AAA Services rootParsing: QuoVadis Root CA 2Parsing: QuoVadis Root CA 3Parsing: Security Communication Root CAParsing: XRamp Global CA RootParsing: Go Daddy Class 2 CAParsing: Starfield Class 2 CAParsing: DigiCert Assured ID Root CAParsing: DigiCert Global Root CAParsing: DigiCert High Assurance EV Root CAParsing: SwissSign Gold CA - G2Parsing: SwissSign Silver CA - G2Parsing: SecureTrust CAParsing: Secure Global CAParsing: COMODO Certification AuthorityParsing: COMODO ECC Certification AuthorityParsing: CertignaParsing: ePKI Root Certification AuthorityParsing: certSIGN ROOT CAParsing: NetLock Arany (Class Gold) FőtanúsítványParsing: Hongkong Post Root CA 1Parsing: SecureSign RootCA11Parsing: Microsec e-Szigno Root CA 2009Parsing: GlobalSign Root CA - R3Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068Parsing: Izenpe.comParsing: Go Daddy Root Certificate Authority - G2Parsing: Starfield Root Certificate Authority - G2Parsing: Starfield Services Root Certificate Authority - G2Parsing: AffirmTrust CommercialParsing: AffirmTrust NetworkingParsing: AffirmTrust PremiumParsing: AffirmTrust Premium ECCParsing: Certum Trusted Network CAParsing: TWCA Root Certification AuthorityParsing: Security Communication RootCA2Parsing: Actalis Authentication Root CAParsing: Buypass Class 2 Root CAParsing: Buypass Class 3 Root CAParsing: T-TeleSec GlobalRoot Class 3Parsing: 
D-TRUST Root Class 3 CA 2 2009Parsing: D-TRUST Root Class 3 CA 2 EV 2009Parsing: CA Disig Root R2Parsing: ACCVRAIZ1Parsing: TWCA Global Root CAParsing: TeliaSonera Root CA v1Parsing: E-Tugra Certification AuthorityParsing: T-TeleSec GlobalRoot Class 2Parsing: Atos TrustedRoot 2011Parsing: QuoVadis Root CA 1 G3Parsing: QuoVadis Root CA 2 G3Parsing: QuoVadis Root CA 3 G3Parsing: DigiCert Assured ID Root G2Parsing: DigiCert Assured ID Root G3Parsing: DigiCert Global Root G2Parsing: DigiCert Global Root G3Parsing: DigiCert Trusted Root G4Parsing: COMODO RSA Certification AuthorityParsing: USERTrust RSA Certification AuthorityParsing: USERTrust ECC Certification AuthorityParsing: GlobalSign ECC Root CA - R5Parsing: IdenTrust Commercial Root CA 1Parsing: IdenTrust Public Sector Root CA 1Parsing: Entrust Root Certification Authority - G2Parsing: Entrust Root Certification Authority - EC1Parsing: CFCA EV ROOTParsing: OISTE WISeKey Global Root GB CAParsing: SZAFIR ROOT CA2Parsing: Certum Trusted Network CA 2Parsing: Hellenic Academic and Research Institutions RootCA 2015Parsing: Hellenic Academic and Research Institutions ECC RootCA 2015Parsing: ISRG Root X1Parsing: AC RAIZ FNMT-RCMParsing: Amazon Root CA 1Parsing: Amazon Root CA 2Parsing: Amazon Root CA 3Parsing: Amazon Root CA 4Parsing: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1Parsing: GDCA TrustAUTH R5 ROOTParsing: SSL.com Root Certification Authority RSAParsing: SSL.com Root Certification Authority ECCParsing: SSL.com EV Root Certification Authority RSA R2Parsing: SSL.com EV Root Certification Authority ECCParsing: GlobalSign Root CA - R6Parsing: OISTE WISeKey Global Root GC CAParsing: UCA Global G2 RootParsing: UCA Extended Validation RootParsing: Certigna Root CAParsing: emSign Root CA - G1Parsing: emSign ECC Root CA - G3Parsing: emSign Root CA - C1Parsing: emSign ECC Root CA - C3Parsing: Hongkong Post Root CA 3Parsing: Entrust Root Certification Authority - G4Parsing: Microsoft ECC Root Certificate Authority 
2017Parsing: Microsoft RSA Root Certificate Authority 2017Parsing: e-Szigno Root CA 2017Parsing: certSIGN Root CA G2Parsing: Trustwave Global Certification AuthorityParsing: Trustwave Global ECC P256 Certification AuthorityParsing: Trustwave Global ECC P384 Certification AuthorityParsing: NAVER Global Root Certification AuthorityParsing: AC RAIZ FNMT-RCM SERVIDORES SEGUROSParsing: GlobalSign Root R46Parsing: GlobalSign Root E46Parsing: GLOBALTRUST 2020Parsing: ANF Secure Server Root CAParsing: Certum EC-384 CAParsing: Certum Trusted Root CAParsing: TunTrust Root CAParsing: HARICA TLS RSA Root CA 2021Parsing: HARICA TLS ECC Root CA 2021Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068Parsing: vTrus ECC Root CAParsing: vTrus Root CAParsing: ISRG Root X2Parsing: HiPKI Root CA - G1Parsing: GlobalSign ECC Root CA - R4Parsing: GTS Root R1Parsing: GTS Root R2Parsing: GTS Root R3Parsing: GTS Root R4Parsing: Telia Root CA v2Parsing: D-TRUST BR Root CA 1 2020Parsing: D-TRUST EV Root CA 1 2020Parsing: DigiCert TLS ECC P384 Root G5Parsing: DigiCert TLS RSA4096 Root G5Parsing: Certainly Root R1Parsing: Certainly Root E1Parsing: E-Tugra Global Root CA RSA v3Parsing: E-Tugra Global Root CA ECC v3Parsing: Security Communication RootCA3Parsing: Security Communication ECC RootCA1Done (137 CA certs processed, 23 skipped).diff --git a/src/node_root_certs.h b/src/node_root_certs.hindex 025df5ca33..010a4d1616 100644--- a/src/node_root_certs.h+++ b/src/node_root_certs.h@@ -474,29 +474,6 @@ "+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IBZQ==\n" "-----END CERTIFICATE-----",-/* Network Solutions Certificate Authority */-"-----BEGIN 
CERTIFICATE-----\n"-"MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYD\n"-"VQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO\n"-"ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAw\n"-"WhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1\n"-"dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBB\n"-"dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xG\n"-"zuAnlt7e+foS0zwzc7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQ\n"-"NJIg6nPPOCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl\n"-"mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1\n"-"QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMh\n"-"qxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA\n"-"106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MFIGA1Ud\n"-"HwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25z\n"-"Q2VydGlmaWNhdGVBdXRob3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ot\n"-"t3NHhWrB5KUd5Oc86fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVR\n"-"DuwduIj/h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH\n"-"/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3HtvwKeI8lN3\n"-"s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxDydi8\n"-"NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey\n"-"-----END CERTIFICATE-----",- /* COMODO ECC Certification Authority */ "-----BEGIN CERTIFICATE-----\n" "MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UE\n"@@ -980,36 +957,6 @@ "SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03\n" "-----END CERTIFICATE-----",-/* EC-ACC */-"-----BEGIN 
CERTIFICATE-----\n"-"MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB8zELMAkG\n"-"A1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChO\n"-"SUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNh\n"-"Y2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAo\n"-"YykwMzE1MDMGA1UECxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRh\n"-"bGFuZXMxDzANBgNVBAMTBkVDLUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTla\n"-"MIHzMQswCQYDVQQGEwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZp\n"-"Y2FjaW8gKE5JRiBRLTA4MDExNzYtSSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBD\n"-"ZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3Zl\n"-"cmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJhcnF1aWEgRW50aXRhdHMgZGUgQ2VydGlmaWNh\n"-"Y2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n"-"MIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R85iKw5K4/0CQBXCHYMkAqbWUZRkiFRfC\n"-"Q2xmRJoNBD45b6VLeqpjt4pEndljkYRm4CgPukLjbo73FCeTae6RDqNfDrHrZqJyTxIThmV6\n"-"PttPB/SnCWDaOkKZx7J/sxaVHMf5NLWUhdWZXqBIoH7nF2W4onW4HvPlQn2v7fOKSGRdghST\n"-"2MDk/7NQcvJ29rNdQlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0aE9jD2z3Il3rucO2n\n"-"5nzbcc8tlGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw0JDnJwIDAQAB\n"-"o4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8EBTADAQH/\n"-"MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4opvpXY0wfwYDVR0g\n"-"BHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBodHRwczovL3d3dy5jYXRjZXJ0\n"-"Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0\n"-"Lm5ldC92ZXJhcnJlbCAwDQYJKoZIhvcNAQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/\n"-"sXE7zDkJlF7W2u++AVtd0x7Y/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPp\n"-"qojlNcAZQmNaAl6kSBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7Awa\n"-"boMMPOhyRp/7SNVel+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOS\n"-"Agu+TGbrIP65y7WZf+a2E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xlnJ2lYJU6\n"-"Un/10asIbvPuW/mIPX64b24D5EI=\n"-"-----END 
CERTIFICATE-----",- /* Actalis Authentication Root CA */ "-----BEGIN CERTIFICATE-----\n" "MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQx\n"@@ -1670,36 +1617,6 @@ "+SvzZpA3\n" "-----END CERTIFICATE-----",-/* Staat der Nederlanden EV Root CA */-"-----BEGIN CERTIFICATE-----\n"-"MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJOTDEeMBwG\n"-"A1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJs\n"-"YW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0yMjEyMDgxMTEwMjhaMFgxCzAJ\n"-"BgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0\n"-"YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"-"MIICCgKCAgEA48d+ifkkSzrSM4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79\n"-"VWZxXSzFYGgEt9nCUiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs\n"-"3NZmdO3dZ//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p\n"-"rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13lpJhQDBXd\n"-"4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXbj5IusHsMX/FjqTf5\n"-"m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxCKFhmpUZtcALXEPlLVPxdhkqH\n"-"z3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS/ZbV0b5GnUngC6agIk440ME8MLxwjyx1\n"-"zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0XcgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8J\n"-"OV3nI6qaHcptqAqGhYqCvkIH1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZB\n"-"iFxgV6YuCcS6/ZrPpx9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/\n"-"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7\n"-"MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsIeK9p0gtJ\n"-"3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u2dfOWBfoqSmuc0iH\n"-"55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHSv4ilf0X8rLiltTMMgsT7B/Zq\n"-"5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTCwPTxGfARKbalGAKb12NMcIxHowNDXLld\n"-"RqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKyCqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW\n"-"2HNnh/tNf1zuacpzEPuKqf2evTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy\n"-"+TSr
K0m1zSBi5Dp6Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCj\n"-"uTaPPoIaGl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL\n"-"eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8FVdMpEbB\n"-"4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc7uzXLg==\n"-"-----END CERTIFICATE-----",- /* IdenTrust Commercial Root CA 1 */ "-----BEGIN CERTIFICATE-----\n" "MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYD\n"NEW_VERSION=3.89COMMIT_MSG<<235daeed-339c-4351-b68f-69a3e44ea577crypto: update root certificates to NSS 3.89This is the certdata.txt[0] from NSS 3.89, released on 2023-03-09.This is the version of NSS that will ship in Firefox 112 on2023-04-11.Certificates removed:- Network Solutions Certificate Authority- EC-ACC- Staat der Nederlanden EV Root CA[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_89_RTM/lib/ckfw/builtins/certdata.txt235daeed-339c-4351-b68f-69a3e44ea577 $
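
Review bot: the "Certificates removed:" list at the end of the generated commit message names each root by label only, and the parse log above shows that labels are not unique ("Autoridad de Certificacion Firmaprofesional CIF A62634068" is parsed twice). Suggest having the script print a SHA-256 fingerprint next to each listed name, and fail if the number of names listed differs from the number of certificate blocks removed from src/node_root_certs.h (three in this run), so the release note can always be matched to a specific certificate.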

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/actions
  • @nodejs/tsc

@nodejs-github-bot added the meta and tools labels Apr 5, 2023
@richardlau
Member, Author

One difference from the previous manual steps in doc/contributing/maintaining-root-certs.md is that the automation collapses the two commits into a single commit to fit in with the existing tools workflow.
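
One way to derive the "Certificates removed:" list of the generated commit message from the old and new `src/node_root_certs.h`, as an added example that is not the PR's `update-root-certs.mjs`: entries are compared by certificate body rather than by comment label, so two roots that share a label stay distinct. The function names, the "Certificates added" heading and the sample entries are assumptions constructed for illustration.

```javascript
// Added example (not nodejs/node code): diff two node_root_certs.h-style files.

// Parse `/* Label */` comments, each followed by a PEM block of C string literals.
function parseRootCerts(header) {
  const certs = [];
  let label = null;
  let body = null; // base64 body being read, or null outside a block
  for (const raw of header.split('\n')) {
    const line = raw.trim();
    const comment = line.match(/^\/\*\s*(.*?)\s*\*\/$/);
    if (comment) { label = comment[1]; continue; }
    const literal = line.match(/^"(.*?)(?:\\n)?",?$/);
    if (!literal) continue;
    if (literal[1] === '-----BEGIN CERTIFICATE-----') {
      body = '';
    } else if (literal[1] === '-----END CERTIFICATE-----') {
      if (body === null) throw new Error('END without BEGIN');
      certs.push({ label: label ?? '(unlabelled)', body });
      label = null;
      body = null;
    } else if (body !== null) {
      body += literal[1];
    }
  }
  if (body !== null) throw new Error('unterminated certificate block');
  return certs;
}

// Identity is the base64 body, so two roots sharing a label stay distinct.
function diffRootCerts(oldHeader, newHeader) {
  const oldCerts = parseRootCerts(oldHeader);
  const newCerts = parseRootCerts(newHeader);
  const oldBodies = new Set(oldCerts.map((c) => c.body));
  const newBodies = new Set(newCerts.map((c) => c.body));
  return {
    added: newCerts.filter((c) => !oldBodies.has(c.body)).map((c) => c.label),
    removed: oldCerts.filter((c) => !newBodies.has(c.body)).map((c) => c.label),
  };
}

// Render the lists in the layout of the generated commit message.
// The "Certificates added" heading is an assumption mirroring the removed one.
function formatChangeList({ added, removed }) {
  const section = (title, names) =>
    names.length ? [`${title}:`, ...names.map((n) => `- ${n}`), ''] : [];
  return [...section('Certificates added', added),
          ...section('Certificates removed', removed)].join('\n').trimEnd();
}

// Constructed sample entries; the bodies are placeholders, not real certificates.
const entry = (label, body) => String.raw`/* ${label} */
"-----BEGIN CERTIFICATE-----\n"
"${body}\n"
"-----END CERTIFICATE-----",
`;
const build = (pairs) => pairs.map(([l, b]) => entry(l, b)).join('\n');
const OLD_HEADER = build([
  ['Example Root A', 'CONSTRUCTEDaaaa'], ['Example Shared Label', 'CONSTRUCTEDbbbb'],
  ['Example Shared Label', 'CONSTRUCTEDcccc'], ['Example Retired Root', 'CONSTRUCTEDdddd'],
]);
const NEW_HEADER = build([
  ['Example Root A', 'CONSTRUCTEDaaaa'], ['Example Shared Label', 'CONSTRUCTEDbbbb'],
  ['Example Shared Label', 'CONSTRUCTEDeeee'], // same label, replaced certificate
]);

console.log(formatChangeList(diffRootCerts(OLD_HEADER, NEW_HEADER)));
```

A label-only comparison of the same two inputs would report just "Example Retired Root" and miss the replaced certificate.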

Member

@mhdawson left a comment

LGTM once issues flagged by linter are resolved.

Automates the steps from `doc/contributing/maintaining-root-certs.md`. Extend "Tools and deps update" workflow to use the new script to update the root certificates.
@richardlau
Member, Author

> LGTM once issues flagged by linter are resolved.

Fixed now.

@richardlau
Member, Author

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

Member

@marco-ippolito left a comment

LGTM

@richardlau
Member, Author

> Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

This opened #47429. The second commit in that looks correct. The first commit looks odd, but is probably a side-effect of running the workflow from this branch which hasn't been merged.

@richardlau mentioned this pull request Apr 5, 2023
@richardlau
Member, Author

> Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859
>
> This opened #47429. The second commit in that looks correct. The first commit looks odd, but is probably a side-effect of running the workflow from this branch which hasn't been merged.

Ah, it's probably because this branch doesn't have #47339. Anyway that shouldn't be an issue when this is merged and the workflow run from main.

@richardlau added the author ready label Apr 5, 2023
rm temp-output
- id: root-certificates
subsystem: crypto
label: crypto, notable-change
Member

Do we usually do these as semver-minor? I'm not sure.

Suggested change
label: crypto, notable-change
label: crypto, notable-change, semver-minor

I'm also not sure if it's notable.

Member, Author

#45490, #40280 and #35546 were not labelled semver-minor but were labelled notable-change. I kind of feel that listing the removed and/or added certificates should be in the release notes (hence notable-change).

Member, Author

> Do we usually do these as semver-minor? I'm not sure.

@nodejs/releasers @nodejs/crypto Thoughts? We haven't been labelling root certificates updates as semver-minor, but maybe we should be?

Member

I would say no, but I understand if people think differently. To me this is more a bug fix (a certificate that would error before is then accepted). It doesn't add anything to the public API.

Member, Author

To clarify my stance on notable-change -- I'm thinking that when certificates are removed (often for security reasons) that at least noting that will help anyone running into issues because of it.

Member

I'm in the semver-minor camp but with only one toe and it's not even my big toe. Call it +.1

@richardlau removed the author ready label Apr 6, 2023
Member

@bnoordhuis left a comment

LGTM, and good idea.

@richardlau added the commit-queue label Apr 6, 2023
@richardlau
Member, Author

richardlau commented Apr 6, 2023

I may not be around much over the Easter weekend (Friday and Monday are public holidays here). I've added the commit-queue label so this can land after the wait period (and no objections). Not labelling the updates semver-minor (the current state of this PR) is what we've been doing, which I am persuadable to change. If we do decide to make these updates semver-minor by default, that's easily done in a follow up PR.

Member

@lpinca left a comment

RSLGTM

@nodejs-github-bot removed the commit-queue label Apr 7, 2023
@nodejs-github-bot merged commit a75871a into main Apr 7, 2023
@nodejs-github-bot deleted the update-root-certs branch April 7, 2023 19:10
@nodejs-github-bot
Collaborator

Landed in a75871a

RafaelGSS pushed a commit that referenced this pull request Apr 13, 2023
Automates the steps from `doc/contributing/maintaining-root-certs.md`.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.

PR-URL: #47425
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
danielleadams pushed a commit that referenced this pull request Jul 6, 2023
MoLow pushed a commit to MoLow/node that referenced this pull request Jul 6, 2023