diff --git a/acme/challenge.go b/acme/challenge.go
index 17ca0ab81..f85cfac54 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -231,7 +231,7 @@ func tlsAlert(err error) uint8 {
 if errors.As(err, &opErr) {
 v := reflect.ValueOf(opErr.Err)
 if v.Kind() == reflect.Uint8 {
- return uint8(v.Uint()) //nolint:gosec // handled by checking its type
+ return uint8(v.Uint())
 }
 }
 return 0
diff --git a/acme/linker.go b/acme/linker.go
index df8819b86..18997c5c2 100644
--- a/acme/linker.go
+++ b/acme/linker.go
@@ -84,13 +84,13 @@ func GetUnescapedPathSuffix(typ LinkType, provisionerName string, inputs ...stri
 case NewNonceLinkType, NewAccountLinkType, NewOrderLinkType, NewAuthzLinkType, DirectoryLinkType, KeyChangeLinkType, RevokeCertLinkType:
 return fmt.Sprintf("/%s/%s", provisionerName, typ)
 case AccountLinkType, OrderLinkType, AuthzLinkType, CertificateLinkType:
- return fmt.Sprintf("/%s/%s/%s", provisionerName, typ, inputs[0]) //nolint:gosec // operating on internally defined inputs
+ return fmt.Sprintf("/%s/%s/%s", provisionerName, typ, inputs[0])
 case ChallengeLinkType:
- return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1]) //nolint:gosec // operating on internally defined inputs
+ return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1])
 case OrdersByAccountLinkType:
- return fmt.Sprintf("/%s/%s/%s/orders", provisionerName, AccountLinkType, inputs[0]) //nolint:gosec // operating on internally defined inputs
+ return fmt.Sprintf("/%s/%s/%s/orders", provisionerName, AccountLinkType, inputs[0])
 case FinalizeLinkType:
- return fmt.Sprintf("/%s/%s/%s/finalize", provisionerName, OrderLinkType, inputs[0]) //nolint:gosec // operating on internally defined inputs
+ return fmt.Sprintf("/%s/%s/%s/finalize", provisionerName, OrderLinkType, inputs[0])
 default:
 return ""
 }
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 553d831f2..2c525cb29 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
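Review bot: Dropping the `//nolint:gosec` directive on `return uint8(v.Uint())` also drops the only written explanation of why this narrowing conversion cannot truncate, namely the `v.Kind() == reflect.Uint8` check on the line above. Keep the reasoning as a plain comment, e.g. `return uint8(v.Uint()) // safe: Kind() == reflect.Uint8 was checked above`, so the next reader neither re-adds a directive nor bolts on a redundant range check. Presumably the directive became unnecessary through a linter configuration change that is not part of this diff; if so, the same loss of justification applies to the four removals in acme/linker.go, whose `// operating on internally defined inputs` text was the only statement that those path segments are trusted. tlsAlert's body begins before this hunk.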
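Review bot: `inputs[0]` and `inputs[1]` are indexed without a length check in the four rewritten return lines, so a caller that passes too few variadic inputs panics with an index-out-of-range instead of receiving the `""` the default branch returns. A guard such as `if len(inputs) < 2 { return "" }` at the top of the ChallengeLinkType case (and `< 1` in the other three cases) keeps the exported function total. The function name advertises that these segments are interpolated unescaped, so the contract that `inputs` must be internally generated identifiers rather than request data belongs in GetUnescapedPathSuffix's doc comment, which sits above this hunk. The switch and the function signature begin before this hunk.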
@@ -26,4 +26,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
+CMD ["/usr/local/bin/step-ca", "--password-file", "/home/step/secrets/password", "/home/step/config/ca.json"]
diff --git a/docker/Dockerfile.hsm b/docker/Dockerfile.hsm
index d643e147f..066a09d9e 100644
--- a/docker/Dockerfile.hsm
+++ b/docker/Dockerfile.hsm
@@ -1,4 +1,4 @@
-FROM golang:bookworm AS builder
+FROM golang:trixie AS builder
 WORKDIR /src
 COPY . .
@@ -9,16 +9,16 @@ RUN apt-get install -y --no-install-recommends \
 RUN make V=1 GO_ENVS="CGO_ENABLED=1" bin/step-ca
 RUN setcap CAP_NET_BIND_SERVICE=+eip bin/step-ca
-FROM smallstep/step-kms-plugin:bookworm AS kms
+FROM smallstep/step-kms-plugin:trixie AS kms
-FROM smallstep/step-cli:bookworm
+FROM smallstep/step-cli:trixie
 COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca
 COPY --from=kms /usr/local/bin/step-kms-plugin /usr/local/bin/step-kms-plugin
 USER root
 RUN apt-get update
-RUN apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 p11-kit
+RUN apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 p11-kit yubihsm-pkcs11
 RUN mkdir -p /run/pcscd
 RUN chown step:step /run/pcscd
 USER step
@@ -33,4 +33,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
+CMD ["/usr/local/bin/step-ca", "--password-file", "/home/step/secrets/password", "/home/step/config/ca.json"]
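Review bot: The exec-form `CMD` hard-codes `/home/step/secrets/password` and `/home/step/config/ca.json`, and exec form performs no variable expansion, so the `$PWDPATH`/`$CONFIGPATH` indirection the removed line offered is gone; operators who set those variables will now get the fixed paths unless /entrypoint.sh (not in this diff) rewrites its arguments. The move away from shell form is otherwise an improvement, since the unquoted `$CONFIGPATH` was word-split by the `sh -c` wrapper the old form implied. If dropping the variables is intended, a one-line comment above CMD, `# Paths are fixed; override by passing your own step-ca arguments after the image name`, would make the change discoverable. The identical CMD change in docker/Dockerfile.hsm (`@@ -33,4 +33,4 @@`) has the same consequence.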
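Review bot: `yubihsm-pkcs11` is appended to an `apt-get install` line that runs in a separate layer from the preceding `RUN apt-get update`; because the install line changed while the update line did not, a cached build reuses a stale package index and can fail on a package version the trixie mirrors no longer carry. Merging the two into `RUN apt-get update && apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 p11-kit yubihsm-pkcs11 && rm -rf /var/lib/apt/lists/*` avoids that and keeps the package lists out of the image. The `FROM smallstep/step-kms-plugin:trixie` and `FROM smallstep/step-cli:trixie` lines follow floating tags for an image that runs a CA; pinning them by digest (`:trixie@sha256:<digest placeholder>`) would make rebuilds reproducible and let update tooling track them explicitly. Installing as root and returning to `USER step` afterwards, as the hunk does, is the right order.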