feat: make code signing mandatory

Profile signing is now a required part of the pint deployment rather than
an opt-in feature. PINT_IPA_CODE_SIGNING_CA_NAME is now required at startup,
the Helm chart requires codeSigningCAName, all conditional guards are removed,
the IPA stub always initializes the code-signing CA, and the dev example
config has the vars uncommented.

Author: mbillow

.env.dev.example

@@ -19,12 +19,10 @@ PINT_IPA_SKIP_TLS_VERIFY=true
 #PINT_IPA_CERT_PROFILE=pint_wifi
 #PINT_IPA_RADSEC_CLIENT_CERT_PROFILE=pint_radsec_client
 #PINT_IPA_RADSEC_SERVER_CERT_PROFILE=pint_radsec_server
-# iOS mobileconfig signing — optional. Uncomment all three lines to enable.
-# Requires the code_signing CA to exist in the FreeIPA stub data dir; it is
-# created automatically on first run when this var is set.
-#PINT_IPA_CODE_SIGNING_CA_NAME=code_signing
+# iOS mobileconfig signing
+PINT_IPA_CODE_SIGNING_CA_NAME=code_signing
 #PINT_IPA_CODE_SIGNING_CERT_PROFILE=pint_profile_signing
-#PINT_PROFILE_SIGNING_CERT_SECRET=pint-profile-signing-cert
+PINT_PROFILE_SIGNING_CERT_SECRET=pint-profile-signing-cert
 PINT_WIFI_SSID=CSH
 PINT_NAMESPACE=pint
 PINT_CONFIG_SECRET=pint-config

chart/templates/deployment.yaml

@@ -78,7 +78,6 @@ spec:
             - name: PINT_RADIUS_STATUS_ADDR
               value: {{ .Values.config.radSecStatusAddr | quote }}
             {{- end }}
-            {{- if .Values.config.codeSigningCAName }}
             - name: PINT_IPA_CODE_SIGNING_CA_NAME
               value: {{ .Values.config.codeSigningCAName | quote }}
             - name: PINT_PROFILE_SIGNING_CERT_SECRET
@@ -87,7 +86,6 @@ spec:
             - name: PINT_IPA_CODE_SIGNING_CERT_PROFILE
               value: {{ .Values.config.codeSigningCertProfile | quote }}
             {{- end }}
-            {{- end }}
             - name: PINT_NAMESPACE
               valueFrom:
                 fieldRef:

chart/templates/role.yaml

@@ -15,9 +15,7 @@ rules:
       - {{ include "pint.secretName.config" . | quote }}
       - {{ include "pint.secretName.radSecCert" . | quote }}
       - {{ include "pint.secretName.scepRACert" . | quote }}
-      {{- if .Values.config.codeSigningCAName }}
       - {{ include "pint.secretName.profileSigningCert" . | quote }}
-      {{- end }}
     verbs: ["get", "patch", "update"]
   - apiGroups: ["apps"]
     resources: ["deployments"]

chart/values.schema.json

@@ -101,7 +101,7 @@
         },
         "codeSigningCAName": {
           "type": "string",
-          "description": "FreeIPA CA name for the iOS mobileconfig code signing certificate. Leave empty to disable profile signing."
+          "description": "FreeIPA CA name for the iOS mobileconfig code signing certificate."
         },
         "codeSigningCertProfile": {
           "type": "string",
@@ -118,7 +118,7 @@
           "description": "RadSec server address shown to users (e.g. radius.csh.rit.edu:2083)."
         }
       },
-      "required": ["clientID", "serverURL", "ipaHost", "ipaServiceAccount", "ipaWirelessCAName", "ipaRadSecCAName", "wifiSSID", "radiusServer"]
+      "required": ["clientID", "serverURL", "ipaHost", "ipaServiceAccount", "ipaWirelessCAName", "ipaRadSecCAName", "codeSigningCAName", "wifiSSID", "radiusServer"]
     },
     "secrets": {
       "type": "object",
@@ -134,7 +134,7 @@
         },
         "profileSigningCert": {
           "type": "string",
-          "description": "Secret storing the iOS mobileconfig signing certificate and key. Defaults to '<fullname>-profile-signing-cert'. Only created when codeSigningCAName is set."
+          "description": "Secret storing the iOS mobileconfig signing certificate and key. Defaults to '<fullname>-profile-signing-cert'."
         }
       }
     },

chart/values.yaml

@@ -38,8 +38,8 @@ config:
   radSecStatusPort: ""          # overrides the FreeRADIUS status server port (default: 18121)
   radSecStatusAddr: ""          # overrides the status server address (host:port); useful in dev when pod IPs are unreachable
 
-  # iOS mobileconfig signing (optional — leave codeSigningCAName empty to disable)
-  codeSigningCAName: ""
+  # iOS mobileconfig signing
+  codeSigningCAName: "code_signing"
   codeSigningCertProfile: ""    # default: pint_profile_signing
 
   # WiFi
@@ -64,7 +64,7 @@ envSecret: ""
 secrets:
   config:              ""  # default: <fullname>-config  (clients.json, clients.conf, status-secret, status)
   radSecCert:          ""  # default: <fullname>-radsec-server-certificates  (tls.crt, tls.key, ca.pem, wifi-ca.pem)
-  profileSigningCert:  ""  # default: <fullname>-profile-signing-cert  (tls.crt, tls.key); only created when codeSigningCAName is set
+  profileSigningCert:  ""  # default: <fullname>-profile-signing-cert  (tls.crt, tls.key)
   scepRACert:          ""  # default: <fullname>-scep-ra-cert  (tls.crt, tls.key); auto-generated on first startup
 
 service:

dev/freeipa-stub/main.go

@@ -43,7 +43,7 @@ func main() {
 	wifiCAName := flag.String("wifi-ca", getEnv("PINT_IPA_WIRELESS_CA_NAME", "wireless"), "FreeIPA CA name for WiFi certs (PINT_IPA_WIRELESS_CA_NAME)")
 	radSecCAName := flag.String("radsec-ca", getEnv("PINT_IPA_RADSEC_CA_NAME", "radsec"), "FreeIPA CA name for RadSec certs (PINT_IPA_RADSEC_CA_NAME)")
 	rootCAName := flag.String("root-ca", getEnv("PINT_IPA_ROOT_CA_NAME", "ipa"), "FreeIPA root CA name (PINT_IPA_ROOT_CA_NAME)")
-	codeSigningCAName := flag.String("code-signing-ca", getEnv("PINT_IPA_CODE_SIGNING_CA_NAME", ""), "FreeIPA CA name for profile signing certs; leave empty to disable (PINT_IPA_CODE_SIGNING_CA_NAME)")
+	codeSigningCAName := flag.String("code-signing-ca", getEnv("PINT_IPA_CODE_SIGNING_CA_NAME", "code_signing"), "FreeIPA CA name for profile signing certs (PINT_IPA_CODE_SIGNING_CA_NAME)")
 	flag.Parse()
 
 	serialCounter.Store(time.Now().UnixNano())
@@ -81,7 +81,6 @@ func main() {
 // loadOrInitCAs loads persisted CA state from dir, or generates a fresh root +
 // intermediates and persists them. The CA names are the FreeIPA names PINT will
 // use and must match the corresponding env vars in .env.dev.
-// codeSigningCAName is optional: pass an empty string to skip that CA.
 func loadOrInitCAs(dir, wifiCAName, radSecCAName, rootCAName, codeSigningCAName string) (map[string]*caEntry, error) {
 	root, err := loadOrCreateCA(dir, "root", "PINT Dev Root CA", nil)
 	if err != nil {
@@ -95,23 +94,19 @@ func loadOrInitCAs(dir, wifiCAName, radSecCAName, rootCAName, codeSigningCAName
 	if err != nil {
 		return nil, fmt.Errorf("radsec CA: %w", err)
 	}
+	codeSigning, err := loadOrCreateCA(dir, "code_signing", "PINT Dev Code Signing CA", root)
+	if err != nil {
+		return nil, fmt.Errorf("code signing CA: %w", err)
+	}
 
 	store := map[string]*caEntry{
-		wifiCAName:   wifi,
-		radSecCAName: radsec,
-		rootCAName:   root,
+		wifiCAName:        wifi,
+		radSecCAName:      radsec,
+		rootCAName:        root,
+		codeSigningCAName: codeSigning,
 	}
 
-	if codeSigningCAName != "" {
-		codeSigning, err := loadOrCreateCA(dir, "code_signing", "PINT Dev Code Signing CA", root)
-		if err != nil {
-			return nil, fmt.Errorf("code signing CA: %w", err)
-		}
-		store[codeSigningCAName] = codeSigning
-		log.Printf("CA names: wifi=%q radsec=%q root=%q code_signing=%q", wifiCAName, radSecCAName, rootCAName, codeSigningCAName)
-	} else {
-		log.Printf("CA names: wifi=%q radsec=%q root=%q (code_signing disabled)", wifiCAName, radSecCAName, rootCAName)
-	}
+	log.Printf("CA names: wifi=%q radsec=%q root=%q code_signing=%q", wifiCAName, radSecCAName, rootCAName, codeSigningCAName)
 
 	return store, nil
 }

internal/config/config.go

@@ -44,7 +44,7 @@ type Config struct {
 	RadSecProxyProtocol bool  // PINT_RADIUS_RADSEC_PROXY_PROTOCOL: expect HAProxy PROXY protocol header on RadSec connections (default false)
 
 
-	// Apple profile signing (optional — enabled when CodeSigningCAName is set)
+	// Apple profile signing
 	CodeSigningCAName        string // PINT_IPA_CODE_SIGNING_CA_NAME: FreeIPA intermediate CA for profile signing certs
 	CodeSigningCertProfile   string // PINT_IPA_CODE_SIGNING_CERT_PROFILE: FreeIPA profile for profile signing certs (default: pint_profile_signing)
 	ProfileSigningCertSecret string // PINT_PROFILE_SIGNING_CERT_SECRET: K8s Secret storing the profile signing cert+key
@@ -113,7 +113,7 @@ func Load() (*Config, error) {
 	cfg.IPACertProfile = optional("PINT_IPA_CERT_PROFILE", "pint_wifi")
 	cfg.RadSecClientCertProfile = optional("PINT_IPA_RADSEC_CLIENT_CERT_PROFILE", "pint_radsec_client")
 	cfg.RadSecServerCertProfile = optional("PINT_IPA_RADSEC_SERVER_CERT_PROFILE", "pint_radsec_server")
-	cfg.CodeSigningCAName = os.Getenv("PINT_IPA_CODE_SIGNING_CA_NAME")
+	cfg.CodeSigningCAName = require("PINT_IPA_CODE_SIGNING_CA_NAME")
 	cfg.CodeSigningCertProfile = optional("PINT_IPA_CODE_SIGNING_CERT_PROFILE", "pint_profile_signing")
 	cfg.ProfileSigningCertSecret = optional("PINT_PROFILE_SIGNING_CERT_SECRET", "pint-profile-signing-cert")
 	cfg.SCEPRACertSecret = optional("PINT_SCEP_RA_CERT_SECRET", "pint-scep-ra-cert")