This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 9a67a6d Add a warning about the risks of using mkcert (from @sebbASF)
9a67a6d is described below
commit 9a67a6d6618e33e4bb6f1f8e677254663ed4c29b
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Jan 20 15:25:53 2026 +0000
Add a warning about the risks of using mkcert (from @sebbASF)
---
atr/docs/running-the-server.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/atr/docs/running-the-server.md b/atr/docs/running-the-server.md
index aef3687..4cefa90 100644
--- a/atr/docs/running-the-server.md
+++ b/atr/docs/running-the-server.md
@@ -66,7 +66,7 @@ curl -LsSf https://astral.sh/uv/install.sh | env
UV_INSTALL_DIR="/usr/local/bin"
uv python install 3.13
```
-For macOS these instructions become:
+For Homebrew on macOS these instructions become:
```shell
brew install cmark mkcert
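Review bot: the reworded `+` line narrows the macOS instructions to Homebrew but leaves a macOS reader without Homebrew with no stated path; consider a short clause such as "(without Homebrew, use the generic instructions above)" so the `curl ... | env UV_INSTALL_DIR=...` route in the preceding context lines remains clearly applicable.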
@@ -88,6 +88,8 @@ make serve-local
The `certs-local` step runs `mkcert localhost.apache.org 127.0.0.1 ::1` to
generate a locally trusted TLS certificate. To avoid potential DNS resolution
issues such as [those alluded to in RFC
8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3), we do not
include `localhost`. If the certificate is not trusted, you may have to follow
the [mkcert guide](https://github.com/FiloSottile/mkcert/blob/master/README.md)
to resolve the issue.
+**Note**: Using ```mkcert --install``` carries a risk, as by default it
installs a new CA for the system, Java, and Firefox. The CA is valid for 10
years, and it is not possible to change the expiry date when creating the CA
cert. If the private key ```rootCA-key.pem``` (which is created in the
directory shown by ```mkcert -CAROOT``) should ever be leaked, anyone could
create SSL certificates that are trusted by your system. See [mkcert usaage
caveat](https://github.com/FiloSottile/mkcer [...]
+
ATR requires TLS even for development because login is performed through the
actual ASF OAuth server. This way, the development behavior aligns closely with
the production behavior. We try to minimize differences between development and
production environments.
Do not run ATR directly if also running it in an OCI container.
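Review bot: the inline code spans in the added **Note** paragraph are malformed and inconsistent. Triple backticks are used for inline code (```mkcert --install```, ```rootCA-key.pem```) where the rest of this file uses single backticks (`certs-local`, `mkcert localhost.apache.org 127.0.0.1 ::1`), and the span around `mkcert -CAROOT` opens with three backticks but closes with two, which will break Markdown rendering of that sentence. Suggest single backticks throughout: `mkcert --install`, `rootCA-key.pem`, `mkcert -CAROOT`. Also "usaage" should be "usage", and "SSL certificates" should read "TLS certificates" to match the terminology used two sentences earlier. The link text in the last sentence is cut off in this notification ("mkcer [...]"), so the URL should be verified in the rendered file. Since the paragraph warns about leakage of `rootCA-key.pem`, it would help readers to pair the warning with the mitigation: restrict permissions on the directory reported by `mkcert -CAROOT`, never copy it into a repository or shared location, and remove the local CA with `mkcert -uninstall` once it is no longer needed.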