RTradeLtd · bonedaddy · Nov 22, 2019 · Nov 22, 2019 · Dec 20, 2019 · Jan 6, 2020
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -0,0 +1,77 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.18
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Get dependencies
+      run: go mod download
+
+    - name: Run tests
+      run: GODEBUG=x509sha1=1 go test -v ./...
+
+    - name: Build binaries
+      run: go build -o . ./...
+
+    - name: Run integration tests
+      run: GODEBUG=x509sha1=1 go test -v -tags=integration ./...
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Run golangci-lint
+      uses: golangci/golangci-lint-action@v2
+
+      with:
+        # Exclude deprecated PEM functions from the linter until
+        # https://github.com/square/certstrap/issues/124 is resolved
+        args: --exclude '(De|En)cryptPEMBlock'
+
+  build-windows:
+    name: Build Windows
+    runs-on: windows-latest
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.17
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Get dependencies
+      run: go mod download
+
+    - name: Run tests
+      run: |
+        set GODEBUG=x509sha1=1
+        go test -v ./...
+
+    - name: Build binaries
+      run: go build -o . ./...
+
+    - name: Run integration tests
+      run: |
+        set GODEBUG=x509sha1=1
+        go test -v -tags=integration ./...
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,84 @@
+---
+name: Release
+
+on:
+  push:
+    tags: [ "*" ]
+
+jobs:
+  build:
+    name: Build
+    strategy:
+      matrix:
+        version: [1.18.x]
+        target:
+          - { os: 'darwin', platform: 'macos-latest', arch: 'amd64' }
+          - { os: 'darwin', platform: 'macos-latest', arch: 'arm64' }
+          - { os: 'linux', platform: 'ubuntu-latest', arch: 'amd64' }
+          - { os: 'linux', platform: 'ubuntu-latest', arch: 'arm64' }
+          - { os: 'windows', platform: 'windows-latest', arch: 'amd64' }
+    runs-on: ${{ matrix.target.platform }}
+    steps:
+      - name: Set up toolchain
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.version }}
+        id: go
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Build binary
+        run: go build -o certstrap .
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: certstrap-${{ matrix.target.os }}-${{ matrix.target.arch }}
+          path: certstrap
+
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+    needs: [ build ]
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Create release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: "Release Build (Draft)"
+          body: "Release Build (from ${{ github.ref }}/${{ github.sha }})"
+          draft: true
+          prerelease: true
+
+  add-assets:
+    name: Add assets
+    runs-on: ubuntu-latest
+    needs: [ build, release ]
+    strategy:
+      matrix:
+        target:
+          - { os: 'darwin', arch: 'amd64' }
+          - { os: 'darwin', arch: 'arm64' }
+          - { os: 'linux', arch: 'amd64' }
+          - { os: 'linux', arch: 'arm64' }
+          - { os: 'windows', arch: 'amd64' }
+    steps:
+      - uses: actions/checkout@v2
+      - name: Download artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: certstrap-${{ matrix.target.os }}-${{ matrix.target.arch }}
+          path: dist
+      - name: Upload artifact to release
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.release.outputs.upload_url }}
+          asset_path: ./dist/certstrap
+          asset_name: certstrap-${{ matrix.target.os }}-${{ matrix.target.arch }}
+          asset_content_type: application/octet-stream
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,8 @@ gopath
 bin
 out
 certstrap
+# Intellij Idea Generates following file
+# Nice to have in .gitignore
+.idea/
+# .DS_Store file sometimes generated by Mac computers
+.DS_Store
diff --git a/.travis.yml b/.travis.yml
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+* @square/cryptographic-identity
diff --git a/Dockerfile b/Dockerfile
@@ -6,19 +6,25 @@
 # To run certstrap from the image (for example):
 #     docker run --rm squareup/certstrap --version
 
-FROM golang:1.11.2-alpine as build
+FROM golang:1.18-alpine as build
 
-MAINTAINER Cedric Staub "[email protected]"
+WORKDIR /app
+
+COPY go.mod .
+COPY go.sum .
+
+# Download dependencies
+RUN go mod download
 
 # Copy source
-COPY . /go/src/github.com/square/certstrap
+COPY . .
 
 # Build
-RUN go build -o /usr/bin/certstrap github.com/square/certstrap
+RUN CGO_ENABLED=0 go build -buildvcs=false -o /usr/bin/certstrap github.com/square/certstrap
 
 # Create a multi-stage build with the binary
-FROM alpine
+FROM gcr.io/distroless/static
 
 COPY --from=build /usr/bin/certstrap /usr/bin/certstrap
 
-ENTRYPOINT ["/usr/bin/certstrap"]
+ENTRYPOINT ["/usr/bin/certstrap"]
diff --git a/README.md b/README.md
@@ -1,6 +1,7 @@
 # certstrap
 [![godoc](http://img.shields.io/badge/godoc-certstrap-blue.svg?style=flat)](https://godoc.org/github.com/square/certstrap)
-[![build](https://img.shields.io/travis/square/certstrap.svg?style=flat)](https://travis-ci.org/square/certstrap) [![license](http://img.shields.io/badge/license-apache_2.0-red.svg?style=flat)](https://raw.githubusercontent.com/square/certstrap/master/LICENSE)
+[![CI](https://github.com/square/certstrap/actions/workflows/go.yml/badge.svg)](https://github.com/square/certstrap/actions/workflows/go.yml)
+[![license](http://img.shields.io/badge/license-apache_2.0-red.svg?style=flat)](https://raw.githubusercontent.com/square/certstrap/master/LICENSE)
 
 A simple certificate manager written in Go, to bootstrap your own certificate authority and public key infrastructure.  Adapted from etcd-ca.
 
@@ -24,20 +25,20 @@ certstrap can init multiple certificate authorities to sign certificates with.
 
 ### Building
 
-certstrap must be built with Go 1.13+. You can build certstrap from source:
+certstrap must be built with Go 1.18+. You can build certstrap from source:
 
 ```
 $ git clone https://github.com/square/certstrap
 $ cd certstrap
-$ ./build
+$ go build
 ```
 
-This will generate a binary called `./bin/certstrap`
+This will generate a binary called `certstrap` under project root folder.
 
 ### Initialize a new certificate authority:
 
 ```
-$ ./bin/certstrap init --common-name "CertAuth"
+$ ./certstrap init --common-name "CertAuth"
 Created out/CertAuth.key
 Created out/CertAuth.crt
 Created out/CertAuth.crl
@@ -51,7 +52,7 @@ though you can use a pre-existing private PEM key with the `-key` flag.
 If the CN contains spaces, certstrap will change them to underscores in the filename for easier use.  The spaces will be preserved inside the fields of the generated files:
 
 ```
-$ ./bin/certstrap init --common-name "Cert Auth"
+$ ./certstrap init --common-name "Cert Auth"
 Created out/Cert_Auth.key
 Created out/Cert_Auth.crt
 Created out/Cert_Auth.crl
@@ -60,7 +61,7 @@ Created out/Cert_Auth.crl
 ### Request a certificate, including keypair:
 
 ```
-$ ./bin/certstrap request-cert --common-name Alice
+$ ./certstrap request-cert --common-name Alice
 Created out/Alice.key
 Created out/Alice.csr
 ```
@@ -75,7 +76,7 @@ PEM key with the `-key` flag
 ### Sign certificate request of host and generate the certificate:
 
 ```
-$ ./bin/certstrap sign Alice --CA CertAuth
+$ ./certstrap sign Alice --CA CertAuth
 Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key
 ```
 
@@ -86,6 +87,19 @@ $ openssl pkcs12 -export -out outputCert.p12 -inkey inputKey.key -in inputCert.c
 ```
 `inputKey.key` and `inputCert.crt` make up the leaf private key and certificate pair of your choosing (generated by a `sign` command), with `CA.crt` being the certificate authority certificate that was used to sign it.  The output PKCS12 file is `outputCert.p12`
 
+### Key Algorithms:
+Certstrap supports curves P-224, P-256, P-384, P-521, and Ed25519. Curve names can be specified by name as part of the `init` and `request_cert` commands:
+
+```
+$ ./certstrap init --common-name CertAuth --curve P-256
+Created out/CertAuth.key
+Created out/CertAuth.crt
+Created out/CertAuth.crl
+
+$ ./certstrap request-cert --common-name Alice --curve P-256
+Created out/Alice.key
+Created out/Alice.csr
+```
 
 ### Retrieving Files
 

diff --git a/build b/build
diff --git a/certstrap.go b/certstrap.go
@@ -25,8 +25,7 @@ import (
 	"github.com/urfave/cli"
 )
 
-// release is overriden by the build script using -X argument that is passed to the Go linker.
-var release = "(version not set)"
+var release = "1.3.0"
 
 func main() {
 	app := cli.NewApp()
@@ -50,8 +49,7 @@ func main() {
 		cmd.NewRevokeCommand(),
 	}
 	app.Before = func(c *cli.Context) error {
-		cmd.InitDepot(c.String("depot-path"))
-		return nil
+		return cmd.InitDepot(c.String("depot-path"))
 	}
 
 	if err := app.Run(os.Args); err != nil {