[go-nuts] package containing standard CA roots?

2016-12-15 Thread Alex Flint
Does anyone know of a golang package that embeds (go-bindata or similar) a
reasonable standard set of CA roots? Ideally such a package would provide a
ready-to-use http.Client.

For context, I'm building minimal docker images containing go binaries that
need to make https connections to some third party APIs.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [go-nuts] package containing standard CA roots?

2016-12-17 Thread Konstantin Khomoutov
On Thu, 15 Dec 2016 16:35:09 +
Alex Flint  wrote:

> Does anyone know of a golang package that embeds (go-bindata or
> similar) a reasonable standard set of CA roots? Ideally such a
> package would provide a ready-to-use http.Client.
> 
> For context, I'm building minimal docker images containing go
> binaries that need to make https connections to some third party APIs.

In such context, why would you need that?  Every sensible
GNU/Linux-based OS ships a package containing such a list of CA
certificates, and Go built for GOOS=linux knows how to find those certs
in a set of standard places.

Sure, one problem with this is that the list is opinionated; on the
other hand, the list of your imaginary package would be opinionated as
well.  On the other hand, whatever list is shipped with your base OS
gets security updates and also updates which merely bring the list
up-to-date (just like the time-zone information package(s)).

So I'd just rely on the underlying OS.
In Debian and its derivatives it's named "ca-certificates".

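As an added illustration of what the question and the reply above are weighing (this is example code written for this page, not code from the thread or from any package it names), the Go program below builds an http.Client that trusts only a PEM bundle compiled into the binary, and shows what a binary with no roots at all sees. The function names PoolFromPEM, NewClient, Status and Demo are my own; the HTTPS server and its self-signed certificate are created locally by net/http/httptest as constructed test data.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// ErrNoRoots is returned when no trust anchor is available. Failing at startup
// beats learning at the first request that every dial ends in
// "x509: certificate signed by unknown authority".
var ErrNoRoots = errors.New("no CA roots available")

// PoolFromPEM builds the trust anchors from a PEM bundle carried inside the
// binary (a string constant or a //go:embed file). Without it, Go on Linux reads
// the OS store from paths such as /etc/ssl/certs/ca-certificates.crt or from
// SSL_CERT_FILE / SSL_CERT_DIR; an image with none of those has no roots at all.
func PoolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, ErrNoRoots
	}
	return pool, nil
}

// NewClient returns an http.Client that verifies servers against roots only.
// A nil RootCAs would silently fall back to the host store, so it is refused.
func NewClient(roots *x509.CertPool) (*http.Client, error) {
	if roots == nil {
		return nil, ErrNoRoots
	}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
		},
	}, nil
}

// Status performs a GET and returns the HTTP status, or the transport error.
func Status(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// Demo runs a local HTTPS server with a throwaway self-signed certificate
// (constructed test data, not a third-party API) and makes the same request
// twice: with a bundle holding that certificate, then with an empty bundle,
// which is what a binary on a rootless image effectively has.
func Demo() (withRoots int, withoutRoots error, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // the second handshake is meant to fail
	srv.StartTLS()
	defer srv.Close()

	// Ship the server's certificate the way a root bundle would be embedded.
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pool, err := PoolFromPEM(bundle)
	if err != nil {
		return 0, nil, err
	}
	client, err := NewClient(pool)
	if err != nil {
		return 0, nil, err
	}
	if withRoots, err = Status(client, srv.URL); err != nil {
		return 0, nil, err
	}

	// Same request with an empty trust store: the handshake must be rejected.
	empty, _ := NewClient(x509.NewCertPool())
	_, withoutRoots = Status(empty, srv.URL)
	return withRoots, withoutRoots, nil
}

func main() {
	status, rejected, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("with embedded root:", status)
	fmt.Println("without roots:", rejected)
}
```

In real use the httptest certificate is replaced by an actual root bundle (for instance the Mozilla set converted to PEM, or /etc/ssl/certs/ca-certificates.crt copied out of a distribution image at build time) held in a string constant or a //go:embed file; whoever embeds it then owns the job of refreshing it, which is the trade-off the reply above points at. The constructor refuses a nil pool on purpose: a nil RootCAs makes crypto/tls consult the OS store, and that is precisely the path that is empty in a busybox image.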


Re: [go-nuts] package containing standard CA roots?

2016-12-17 Thread Alex Flint
I'm working with busybox, which does not ship with CA roots.
On Sat, Dec 17, 2016 at 12:26 AM Konstantin Khomoutov <flatw...@users.sourceforge.net> wrote:

> On Thu, 15 Dec 2016 16:35:09 +
> Alex Flint  wrote:
>
> > Does anyone know of a golang package that embeds (go-bindata or
> > similar) a reasonable standard set of CA roots? Ideally such a
> > package would provide a ready-to-use http.Client.
> >
> > For context, I'm building minimal docker images containing go
> > binaries that need to make https connections to some third party APIs.
>
> In such context, why would you need that?  Every sensible
> GNU/Linux-based OS ships a package containing such a list of CA
> certificates, and Go built for GOOS=linux knows how to find those certs
> in a set of standard places.
>
> Sure, one problem with this is that the list is opinionated; on the
> other hand, the list of your imaginary package would be opinionated as
> well.  On the other hand, whatever list is shipped with your base OS
> gets security updates and also updates which merely bring the list
> up-to-date (just like the time-zone information package(s)).
>
> So I'd just rely on the underlying OS.
> In Debian and its derivatives it's named "ca-certificates".
>



Re: [go-nuts] package containing standard CA roots?

2016-12-17 Thread Rick
Alpine is a lightweight option with official Docker images. You can install 
the CERTS using the Alpine package manager:

# apk --no-cache add ca-certificates && update-ca-certificates

On Saturday, 17 December 2016 07:32:32 UTC-8, Alex Flint wrote:
>
> I'm working with busybox, which does not ship with CA roots. 
> On Sat, Dec 17, 2016 at 12:26 AM Konstantin Khomoutov <flat...@users.sourceforge.net> wrote:
>
>> On Thu, 15 Dec 2016 16:35:09 +
>> Alex Flint wrote:
>>
>> > Does anyone know of a golang package that embeds (go-bindata or
>> > similar) a reasonable standard set of CA roots? Ideally such a
>> > package would provide a ready-to-use http.Client.
>> >
>> > For context, I'm building minimal docker images containing go
>> > binaries that need to make https connections to some third party APIs.
>>
>> In such context, why would you need that?  Every sensible
>> GNU/Linux-based OS ships a package containing such a list of CA
>> certificates, and Go built for GOOS=linux knows how to find those certs
>> in a set of standard places.
>>
>> Sure, one problem with this is that the list is opinionated; on the
>> other hand, the list of your imaginary package would be opinionated as
>> well.  On the other hand, whatever list is shipped with your base OS
>> gets security updates and also updates which merely bring the list
>> up-to-date (just like the time-zone information package(s)).
>>
>> So I'd just rely on the underlying OS.
>> In Debian and its derivatives it's named "ca-certificates".
>>
>



Re: [go-nuts] package containing standard CA roots?

2016-12-18 Thread Lars Seipel
On Thu, Dec 15, 2016 at 04:35:09PM +, Alex Flint wrote:
> Does anyone know of a golang package that embeds (go-bindata or similar) a
> reasonable standard set of CA roots?

No, but the common approach is to rely on the root CA set maintained by
Mozilla.

This should correspond to the latest Firefox release:
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

You might want to check with your trusted distribution packager for some
scripts to convert this into a format that's nicer to work with.

See e.g. certdata2pem.py from Fedora or MAca-bundle.pl.in from
FreeBSD ports.

https://src.fedoraproject.org/cgit/rpms/ca-certificates.git/tree/
https://svnweb.freebsd.org/ports/head/security/ca_root_nss/files/

Or just use the ones from the binary packages and put them in the
appropriate places within the file system so that the standard library
will pick them up.

Of course, the usual things apply, like that if you ship it
you're responsible for maintaining it, too. Regularly syncing with
Mozilla upstream should be enough in this case.

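As an added example of the conversion the message above describes (written for this page; it is not Fedora's certdata2pem.py, FreeBSD's MAca-bundle.pl.in, or any other code from the thread), here is a Go parser for Mozilla's certdata.txt that keeps only the roots whose NSS trust record grants server-auth trust and writes them out as PEM. The input it runs on is a constructed two-root sample in the file's layout whose CKA_VALUE blobs are placeholder bytes rather than real DER; the function names are my own. The parser itself handles the real file's general object structure, not just the two objects in the sample.

```go
package main

import (
	"bufio"
	"encoding/pem"
	"fmt"
	"strconv"
	"strings"
)

// parseCertdata returns one attribute map per CKA_CLASS block of certdata.txt;
// MULTILINE_OCTAL values (one \ooo escape per byte, closed by END) become raw bytes.
func parseCertdata(src string) []map[string]string {
	var objs []map[string]string
	cur := map[string]string{} // header attributes before the first CKA_CLASS land here and are dropped
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.SplitN(strings.TrimSpace(sc.Text()), " ", 3)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue // blank lines, comments, BEGINDATA
		}
		if f[0] == "CKA_CLASS" {
			cur = map[string]string{}
			objs = append(objs, cur)
		}
		if f[1] == "MULTILINE_OCTAL" {
			var raw []byte
			for sc.Scan() && strings.TrimSpace(sc.Text()) != "END" {
				for _, tok := range strings.Split(strings.TrimSpace(sc.Text()), `\`) {
					if b, err := strconv.ParseUint(tok, 8, 8); err == nil {
						raw = append(raw, byte(b))
					}
				}
			}
			cur[f[0]] = string(raw)
		} else if len(f) == 3 {
			cur[f[0]] = strings.Trim(f[2], `"`) // UTF8 labels are quoted, enums are bare
		}
	}
	return objs
}

// ServerAuthRoots returns the CKO_CERTIFICATE objects whose CKO_NSS_TRUST record
// grants CKT_NSS_TRUSTED_DELEGATOR for server auth; records are matched to
// certificates by issuer plus serial, as NSS does, not by the free-text label.
func ServerAuthRoots(src string) []map[string]string {
	key := func(o map[string]string) string { return o["CKA_ISSUER"] + "|" + o["CKA_SERIAL_NUMBER"] }
	objs := parseCertdata(src)
	trusted := map[string]bool{}
	for _, o := range objs {
		if o["CKA_CLASS"] == "CKO_NSS_TRUST" {
			trusted[key(o)] = o["CKA_TRUST_SERVER_AUTH"] == "CKT_NSS_TRUSTED_DELEGATOR"
		}
	}
	var roots []map[string]string
	for _, o := range objs {
		if o["CKA_CLASS"] == "CKO_CERTIFICATE" && trusted[key(o)] {
			roots = append(roots, o)
		}
	}
	return roots
}

// ToPEM emits the bundle x509.CertPool.AppendCertsFromPEM reads; that call
// parses every block, so malformed DER is rejected there rather than here.
func ToPEM(roots []map[string]string) []byte {
	var out []byte
	for _, o := range roots {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(o["CKA_VALUE"])})...)
	}
	return out
}

// SampleCertdata is constructed input in certdata.txt's layout: one root trusted
// for server auth and one distrusted. CKA_VALUE holds placeholder bytes, not real DER.
func SampleCertdata() string {
	octal := func(s string) string { // one \ooo escape per byte, as the real file writes them
		var sb strings.Builder
		for _, b := range []byte(s) {
			fmt.Fprintf(&sb, `\%03o`, b)
		}
		return sb.String()
	}
	var sb strings.Builder
	sb.WriteString("BEGINDATA\nCVS_ID \"constructed sample\"\n\n")
	for i, e := range [][2]string{{"Example Trusted Root", "CKT_NSS_TRUSTED_DELEGATOR"}, {"Example Distrusted Root", "CKT_NSS_NOT_TRUSTED"}} {
		id := fmt.Sprintf("CKA_LABEL UTF8 %q\nCKA_ISSUER MULTILINE_OCTAL\n%s\nEND\n"+
			"CKA_SERIAL_NUMBER MULTILINE_OCTAL\n\\002\\001\\%03o\nEND\n", e[0], octal("CN="+e[0]), i+1)
		fmt.Fprintf(&sb, "CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n%sCKA_VALUE MULTILINE_OCTAL\n%s\nEND\n\n", id, octal("DER of "+e[0]))
		fmt.Fprintf(&sb, "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n%sCKA_TRUST_SERVER_AUTH CK_TRUST %s\n\n", id, e[1])
	}
	return sb.String()
}

func main() {
	roots := ServerAuthRoots(SampleCertdata())
	fmt.Printf("%d of 2 roots trusted for server auth\n%s", len(roots), ToPEM(roots))
}
```

Run the real certdata.txt through ServerAuthRoots and ToPEM and the result is a bundle x509.CertPool.AppendCertsFromPEM accepts. The trust filter is the part that matters: certdata.txt deliberately carries entries whose server-auth trust is CKT_NSS_NOT_TRUSTED (explicitly distrusted roots) as well as roots trusted only for e-mail or code signing, and a converter that simply dumps every CKA_VALUE puts all of them into the HTTPS bundle.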


Re: [go-nuts] package containing standard CA roots?

2016-12-18 Thread Konstantin Khomoutov
On Sat, 17 Dec 2016 10:41:33 -0800 (PST)
Rick  wrote:

> Alpine is a lightweight option with official Docker images. You can
> install the CERTS using the Alpine package manager:
> 
> # apk --no-cache add ca-certificates && update-ca-certificates

All-in-all, Alex appears to have created the package he wanted [1] :-)
It was announced over there on Reddit [2].

1. https://github.com/alexflint/stdroots
2. https://www.reddit.com/r/golang/comments/5j4go8/stdroots_standard_ca_roots_embedded_in_a_go/
