You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(packaging): generate demo TLS cert at install, never ship it (#596)
A package upgrade silently reverted an operator's TLS certificate. The
demo cert/key were shipped in the payload at the production path
/etc/openwatch/tls/{cert,key}.pem and were not marked %config(noreplace)
(RPM) or listed in conffiles (DEB), so dnf/apt overwrote a replaced
certificate with a freshly-built demo cert on every upgrade (each build
mints a different self-signed pair). Flagged by the 2026-06-16 pre-release
security review.
Fix mirrors the identity-key model: ship only the empty tls/ dir plus a
provision-tls-cert.sh helper invoked from %post / postinst that generates
a demo cert generate-if-absent (never overwrites). An operator's
certificate now survives upgrades untouched. The post-upgrade scripts
already never touched the keys dir or secrets.env, and never print the
DB password (sourced silently).
- packaging/common/provision-tls-cert.sh (new, generate-if-absent)
- RPM spec + DEB postinst invoke it; cert/key dropped from both payloads
- build-rpm.sh / build-deb.sh no longer stage a cert (gen-demo-cert.sh
retained only for the runtime-boot / fips tests)
- release-package-build spec v1.2.0: C-05 revised, AC-04/06 updated,
AC-22 added (+regression test, builds real packages and asserts the
cert is absent from the payload)
0 commit comments