fix(packaging): preserve operator TLS cert across the cert-shipping → rc.10 transition #598
Merged
…> rc.10 upgrade

The #596 generate-if-absent fix protects rc.10->onward upgrades, but the one-time transition FROM a release that shipped the cert in its payload (<= rc.9) removed the operator's cert entirely: rc.9 owned /etc/openwatch/tls/cert.pem, rc.10 does not, so the package manager reclaimed the orphaned file AFTER rc.10's provisioning had already run and skipped it. RPM left it missing (service can't start TLS); DEB regenerated a demo (operator cert lost). Found via the Stage-3 gap-closure RPM/DEB install-transition tests.

Fix:
- RPM: declare the cert/key paths %ghost so rpm tracks them with no payload content and does not reclaim the operator's file on the transition.
- DEB: preinst stashes an existing cert/key to .dpkg-bak on upgrade (before dpkg removes the orphan); postinst restores it before provisioning.
- AC-22 updated: assert %ghost (flag 'g', no content) on RPM and the preinst/postinst preserve dance on DEB; upgrade-container-test.sh now asserts an operator cert survives the rpm -U upgrade.
- release-package-build spec v1.3.0 (C-05 + AC-22 extended).

Verified in containers: genuine published rc.9 -> rc.10 preserves the operator cert+key on both RPM (%ghost) and DEB (preinst/postinst); fresh install still generates a demo; steady-state reinstall preserves.
Summary
Running the Stage-3 gap-closure (real rpm/dpkg install-transition tests) surfaced a regression in the rc.10 TLS fix (#596): the steady-state case is correct, but the one-time upgrade from a release that shipped the cert in its payload (rc.9 and earlier) removed the operator's cert entirely.

Root cause: rc.9 owned /etc/openwatch/tls/cert.pem; rc.10 does not. On upgrade, the package manager reclaims the orphaned file — and on RPM it does so after rc.10's %post provisioning already ran and skipped (seeing the cert present). Net: RPM leaves it missing (service can't start TLS); DEB regenerates a demo (operator cert lost).

Fix (both proven in containers)
- %ghost — rpm tracks the paths with no payload content (still "not shipped"), so it does not reclaim the operator's file on the transition.
- %ghost equivalent, so preinst stashes an existing cert/key to .dpkg-bak on upgrade (before dpkg removes the orphan) and postinst restores it before provisioning.

Verified: genuine published rc.9 → rc.10 now preserves the operator cert+key on both formats; fresh install still generates a demo; steady-state reinstall preserves.
Tests / spec
- %ghost (flag g, no content) and that the DEB preinst/postinst implement the preserve dance. Passes against freshly built packages.
- upgrade-container-test.sh (run by package-smoke) now writes an operator cert before the rpm -U upgrade and asserts it survives — a CI guard that also fails if anyone re-introduces a payload cert.
- release-package-build spec v1.3.0 (C-05 + AC-22 extended).

Release impact
This lands the fix for re-spinning rc.10 (the published rc.10 carries the transition bug). After merge I'll delete + re-push the v0.2.0-rc.10 tag so the published RC carries the fix.

🤖 Generated with Claude Code
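
The DEB stash/restore sequence described in this PR, sketched as an added example; it is not the project's maintainer scripts. The function names, the `key.pem` file name, the `TLS_DIR` override and the `printf` stand-in for demo cert generation are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not OpenWatch's maintainer scripts.
# TLS_DIR defaults to the directory named in the PR; key.pem is an assumed name.
TLS_DIR="${TLS_DIR:-/etc/openwatch/tls}"
TLS_FILES="cert.pem key.pem"

# preinst side. dpkg calls preinst with "upgrade <old-version>" on an upgrade.
stash_tls() {
    [ "$1" = "upgrade" ] || return 0
    for f in $TLS_FILES; do
        if [ -f "$TLS_DIR/$f" ]; then
            cp -p "$TLS_DIR/$f" "$TLS_DIR/$f.dpkg-bak" || return 1   # -p keeps mode/owner
        fi
    done
}

# postinst side, run before provisioning so generate-if-absent sees the files.
restore_tls() {
    for f in $TLS_FILES; do
        if [ -f "$TLS_DIR/$f.dpkg-bak" ]; then
            mv -f "$TLS_DIR/$f.dpkg-bak" "$TLS_DIR/$f" || return 1
        fi
    done
}

# Generate-if-absent provisioning; the printf lines stand in for real demo cert generation.
provision_tls() {
    mkdir -p "$TLS_DIR"
    if [ -f "$TLS_DIR/cert.pem" ] && [ -f "$TLS_DIR/key.pem" ]; then
        return 0
    fi
    printf 'DEMO-CERT\n' > "$TLS_DIR/cert.pem"
    printf 'DEMO-KEY\n' > "$TLS_DIR/key.pem"
    chmod 600 "$TLS_DIR/key.pem"
}

# Simulate the transition inside TLS_DIR: $1=yes uses stash/restore, $1=no skips it.
# Prints the cert content left after the upgrade.
simulate_transition() {
    mkdir -p "$TLS_DIR"
    printf 'OPERATOR-CERT\n' > "$TLS_DIR/cert.pem"   # constructed sample
    printf 'OPERATOR-KEY\n' > "$TLS_DIR/key.pem"     # constructed sample
    if [ "$1" = "yes" ]; then stash_tls upgrade; fi
    rm -f "$TLS_DIR/cert.pem" "$TLS_DIR/key.pem"     # stand-in for dpkg removing the orphan
    if [ "$1" = "yes" ]; then restore_tls; fi
    provision_tls
    cat "$TLS_DIR/cert.pem"
}
```

Point `TLS_DIR` at a scratch directory before calling `simulate_transition`; with `no` it reproduces the lost-cert outcome the PR reports for DEB, with `yes` the operator files survive.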