Skip to content

Add java truststore support to additional certificates #1996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
markusthoemmes wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add java truststore support to additional certificates #1996

markusthoemmes wants to merge 2 commits into from
+234 −55

Conversation

@markusthoemmes
Copy link
Contributor

@markusthoemmes markusthoemmes commented Jan 5, 2026

Much like appending to ca-certificates.crt, this adds support for adding additional certificates to JKS files so that Java can use the additional certificates as well. The behavior is the same in that only existing truststore files will be appended to and the process is otherwise skipped entirely.

@markusthoemmes
Add java truststore support to additional certificates
be45c5a 
Much like appending to ca-certificates.crt, this adds support for adding additional certificates to JKS files so that Java can use the additional certificates as well. The behavior is the same in that only existing truststore files will be appended to and the process is otherwise skipped entirely.
@markusthoemmes markusthoemmes requested a review from xnox January 8, 2026 09:32
konradzapalowicz
konradzapalowicz reviewed Jan 8, 2026
View reviewed changes
Copy link

@konradzapalowicz konradzapalowicz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the code, it plugs nicely into the existing implementation. I've left feedback related to understanding how the corner cases are expected to be handled where I felt I needed additional clarity. Thanks for coding it ⭐

pkg/build/certificates.go
}

// Default password for Java cacerts truststore.
javaTruststorePassword = []byte("changeit")
Copy link

@konradzapalowicz konradzapalowicz Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should it be changed now and if not then could you expand the docs and write when

Copy link
Contributor Author

@markusthoemmes markusthoemmes Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the default truststore password, it's not a prompt to change it in the future.

pkg/build/certificates.go
}

// Write all modified Java truststores back to disk.
for _, ts := range existingTruststores {
Copy link

@konradzapalowicz konradzapalowicz Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it feels that this could be a private func, wouldn't testing benefit from that?

Copy link
Contributor Author

@markusthoemmes markusthoemmes Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see testing benefiting from that tbh. I've only externalized loadJavaTruststores for scoping reasons.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@konradzapalowicz konradzapalowicz konradzapalowicz left review comments

@xnox xnox Awaiting requested review from xnox

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@markusthoemmes @konradzapalowicz