Skip to content

nginx/selfsign: use standard RSA key size#2035

Merged
alxndrsn merged 4 commits into
getodk:nextfrom
alxndrsn:selfsign-keysize
Jul 11, 2026
Merged

nginx/selfsign: use standard RSA key size#2035
alxndrsn merged 4 commits into
getodk:nextfrom
alxndrsn:selfsign-keysize

Conversation

@alxndrsn

@alxndrsn alxndrsn commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

The previous size of 4086 was likely copied from the README for marvambass/nginx-ssl-secure (https://github.com/MarvAmBass/docker-nginx-ssl-secure). This was the original nginx base image used in this repo, introduced in 7cd48f7.

Update: per MarvAmBass/docker-nginx-ssl-secure#8, 4086 was a typo.

There's no obvious benefit to using a non-standard key size, and it's likely to cause confusion, and maybe affect security scoring.

For a comparison:

Closes #2034

What has been done to verify that this works as intended?

  • ci

Why is this the best possible solution? Were any other approaches considered?

There's no obvious benefit to using a non-standard key size, and it's likely to cause confusion, and maybe affect security scoring.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Unlikely to have an effect - new self-signing self-hosters shouldn't notice, existing users shouldn't have a new key generated.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

The previous size of 4086 was likely copied from the README for `marvambass/nginx-ssl-secure` (https://github.com/MarvAmBass/docker-nginx-ssl-secure).  This was the original nginx base image used in this repo, introduced in 7cd48f7.

There's no obvious benefit to using a non-standard key size, and it's likely to cause confusion, and maybe affect security scoring.

For a comparison:

* https://www.google.com/search?q=%22openssl+req+-x509+-newkey+rsa%3A4086%22: 10 results
* https://www.google.com/search?q=%22openssl+req+-x509+-newkey+rsa%3A4096%22: 275 results
@alxndrsn alxndrsn marked this pull request as ready for review July 2, 2026 08:50
@alxndrsn alxndrsn requested a review from yanokwa July 9, 2026 11:54
@alxndrsn alxndrsn merged commit 1440f41 into getodk:next Jul 11, 2026
7 checks passed
@alxndrsn alxndrsn deleted the selfsign-keysize branch July 11, 2026 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants