Allow signing EIFs with KMS while building #650
Conversation
|
License check fails due to changes in Security check fails due to rustsec/rustsec#1318 |
src/common/commands_parser.rs
Outdated
|
|
||
| match (&signing_certificate, &private_key) { | ||
| (Some(_), None) => { | ||
| match (&signing_certificate, &private_key, &kms_key_id) { |
There was a problem hiding this comment.
a bit redundant after we setup clap to verify all the rules with group and require
There was a problem hiding this comment.
So shall I just panic then?
There was a problem hiding this comment.
otherwise if we ignore clap rules, this misses (Some(_), None, None) case, also kms_key_region is not involved here
There was a problem hiding this comment.
I'd prefer to have a more robust error handling in case this function is called from somewhere else in the future.
There was a problem hiding this comment.
Since this function is meant to be called on the clap::ArgMatches and the options are just check (without unpacking them), we are just validating a precondition and an assert should be enough. But I don't have a strong opinion on this.
There was a problem hiding this comment.
I will remove this check completely because later on we still have another check (when creating a SignKeyInfo.
src/common/commands_parser.rs
Outdated
|
|
||
| match (&signing_certificate, &private_key) { | ||
| (Some(_), None) => { | ||
| match (&signing_certificate, &private_key, &kms_key_id) { |
There was a problem hiding this comment.
Since this function is meant to be called on the clap::ArgMatches and the options are just check (without unpacking them), we are just validating a precondition and an assert should be enough. But I don't have a strong opinion on this.
This commit updates `nitro-cli` to use `aws-nitro-enclaves-image-format` v0.4 which allows to sign EIF during build using a key from KMS. In order to do so, user needs to specify KMS key ARN and region instead of the local private key file. Signed-off-by: Mark Kirichenko <[email protected]>
This commit removes version pinning for `cargo-audit` tool.
This commit enables a specific workaround for the `ring` crate, so `cargo-about` could properly extract the license information. Signed-off-by: Mark Kirichenko <[email protected]>
Signed-off-by: Mark Kirichenko <[email protected]>
This commit extends CLI test suite to validate new CLI arguments. Signed-off-by: Mark Kirichenko <[email protected]>
atanzu
force-pushed
the
feature/sign-eif-with-kms-on-build
branch
from
476040b to
c66f65a
Compare
This commit updates
nitro-clito useaws-nitro-enclaves-image-formatv0.4 which allows to sign EIF during build using a key from KMS. In order to do so, user needs to specify KMS key ARN and region instead of the local private key file.Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.