Conversation
update_versions prints an alarming message if it finds the code-signing private key, based on the assumption that code-signing must be done on a separate, disconnected machine. However, this is so inconvenient that few (if any) projects do it. A more feasible approach is to keep the key encrypted (e.g. using gpg and a passphrase) except when running update_versions. Change the message (and the wiki doc) accordingly.
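The workflow the description recommends (key encrypted at rest, decrypted only for a signing run) as a small POSIX shell wrapper. This is an added example, not code from BOINC or from this PR; it assumes the key directory mirrors `<key_dir>` in config.xml (here `KEY_DIR`, defaulting to `keys`), that the plaintext key is named `code_sign_private`, and that the encrypted copy sits beside it with a `.gpg` suffix. `notice_for` also shows the shape of notice that only nags when a plaintext key is actually present.

```bash
#!/bin/sh
# Added example, not BOINC's own code: keep the code-signing private key
# gpg-encrypted at rest and decrypt it only for the duration of an
# update_versions run, as the PR description recommends.
# Assumptions: KEY_DIR mirrors <key_dir> from config.xml; the plaintext key is
# named code_sign_private; the encrypted copy sits beside it with a .gpg suffix.
set -eu

KEY_DIR="${KEY_DIR:-keys}"            # assumed default; override to match config.xml
PLAIN="$KEY_DIR/code_sign_private"    # exists only while signing is in progress
ENC="$PLAIN.gpg"                      # the at-rest form

# Is the key in the recommended state? Encrypted copy present, no plaintext copy.
key_is_encrypted_at_rest() {
    [ -f "$1.gpg" ] && [ ! -e "$1" ]
}

# The kind of notice update_versions could print: quiet when the key is
# encrypted at rest, a reminder carrying the configured path when a plaintext
# key is found, and a plain statement when there is no key at all.
notice_for() {
    if key_is_encrypted_at_rest "$1"; then
        printf '%s\n' "ok: $1 is encrypted at rest"
    elif [ -e "$1" ]; then
        printf '%s\n' "NOTICE: plaintext code-signing key found at $1; encrypt it when done"
    else
        printf '%s\n' "no code-signing key at $1"
    fi
}

# One-time (or post-signing) step: passphrase-encrypt the key, then remove the
# plaintext, since gpg leaves its input file in place.
encrypt_key() {
    gpg --symmetric --cipher-algo AES256 --output "$1.gpg" "$1"
    rm -f "$1"
}

# Decrypt for signing; owner-only permissions on the plaintext copy.
decrypt_key() {
    gpg --decrypt --output "$1" "$1.gpg"
    chmod 600 "$1"
}

# Run a command (e.g. bin/update_versions) with the key decrypted, and remove
# the plaintext again however the command exits.
run_with_key() {
    decrypt_key "$PLAIN"
    trap 'rm -f "$PLAIN"' EXIT INT TERM
    "$@"
}

# Usage: KEY_DIR=keys ./sign_with_encrypted_key.sh bin/update_versions
if [ $# -gt 0 ]; then
    run_with_key "$@"
fi
```

Run it as `KEY_DIR=keys ./sign_with_encrypted_key.sh bin/update_versions` after a one-time `encrypt_key keys/code_sign_private`; gpg prompts for the passphrase, the plaintext key exists only while update_versions runs, and the trap removes it even if the run is interrupted.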
Pull request overview
This PR softens and updates the security warning shown by update_versions when it auto-generates a code-signing signature using the project's private key. The old message was alarmist (treating the presence of the key on the server as an immediate critical vulnerability requiring project shutdown). The new message instead acknowledges the workflow and recommends encrypting the key when not in use, linking to the updated wiki page. A related comment in sample_dummy_assimilator.cpp is also clarified.
Changes:
- Updated security notice in `tools/update_versions` to recommend key encryption instead of demanding project shutdown, and updated the wiki link from `wiki/CodeSigning` to `wiki/Code-signing`.
- Clarified the file-level comment in `sched/sample_dummy_assimilator.cpp` for readability.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tools/update_versions | Replaces the alarming security warning with a more practical recommendation to encrypt the private key when not in use; updates the wiki URL. |
| sched/sample_dummy_assimilator.cpp | Minor comment rewrite for improved clarity—no logic changes. |
Lines under review in tools/update_versions:

```
NOTICE: files will be signed with your project's code-signing private key
(keys/code_sign_private).
We recommend that you encrypt it when done; see
```
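Review bot: the first two lines hardcode the path keys/code_sign_private, while the key directory is configurable via <key_dir> in config.xml and is already read into $key_dir, so the notice can say the wrong place on any project that does not use keys/; interpolate the configured value (for example "($key_dir/code_sign_private)") or drop the path. Separately, since update_versions already checks for the private key before printing anything, it would be consistent with the new advice to print the reminder only when a plaintext key is actually found and stay quiet when the key is held in its encrypted form, so projects that follow the recommendation are not reminded every run.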
The new notice hardcodes the key path as keys/code_sign_private, but the actual key directory is configurable via <key_dir> in config.xml (read into $key_dir at line 48). The real path could be anything, not necessarily keys/. The message should either omit the path, use a generic description, or dynamically include the actual $key_dir value so it accurately reflects the project's configuration.
Suggested change:

```diff
-NOTICE: files will be signed with your project's code-signing private key
-(keys/code_sign_private).
-We recommend that you encrypt it when done; see
+NOTICE: files will be signed with your project's code-signing private key.
+We recommend that you encrypt this key when done; see
```
Summary by cubic
Update the `tools/update_versions` security notice to recommend encrypting the code-signing key and only decrypting for signing, with a link to the updated Code-signing wiki. Also clarify the sample assimilator comment.
Written for commit ae3133c.