Merge branch 'master' into carl/install-goreleaser-pro

Author: dopey

.github/workflows/actionlint.yml

@@ -0,0 +1,17 @@
+name: Lint GitHub Actions workflows
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  actionlint:
+    uses: smallstep/workflows/.github/workflows/actionlint.yml@main
+    secrets: inherit

.github/workflows/release.yml

@@ -57,8 +57,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.ref }}
-          name: Release ${{ github.ref }}
+          tag_name: ${{ github.ref_name }}
+          name: Release ${{ github.ref_name }}
           draft: false
           prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 
@@ -100,45 +100,6 @@ jobs:
 
 # All jobs below this are for full releases (non release candidates e.g. *-rc.*)
 
-  build_upload_aws_s3_binaries:
-    name: Build & Upload AWS S3 Binaries
-    runs-on: ubuntu-latest
-    needs: create_release
-    if: needs.create_release.outputs.is_prerelease == 'false'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
-        with:
-          go-version: 'stable'
-          check-latest: true
-      - name: Build
-        id: build
-        run: |
-          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
-          make -j1 binary-linux-amd64 binary-linux-arm64 binary-darwin-amd64 binary-windows-amd64
-          mkdir -p ./.releases
-          cp ./output/binary/linux-amd64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_linux_amd64
-          cp ./output/binary/linux-amd64/bin/step ./.releases/step_latest_linux_amd64
-          cp ./output/binary/linux-arm64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_linux_arm64
-          cp ./output/binary/linux-arm64/bin/step ./.releases/step_latest_linux_arm64
-          cp ./output/binary/darwin-amd64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_darwin_amd64
-          cp ./output/binary/darwin-amd64/bin/step ./.releases/step_latest_darwin_amd64
-          cp ./output/binary/windows-amd64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_windows.exe
-          cp ./output/binary/windows-amd64/bin/step ./.releases/step_latest_windows.exe
-      - name: Upload s3
-        id: upload-s3
-        uses: jakejarvis/s3-sync-action@be0c4ab89158cac4278689ebedd8407dd5f35a83 # v0.5.1
-        with:
-          args: --acl public-read --follow-symlinks
-        env:
-          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: us-east-1
-          SOURCE_DIR: ./.releases
-
   update_reference_docs:
     name: Update Reference Docs
     runs-on: ubuntu-latest
@@ -148,7 +109,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: 'stable'
           check-latest: true

.goreleaser.yml

@@ -9,10 +9,17 @@ before:
     # - go generate ./...
 
 builds:
-  -
-    id: default
+  - &COMMON
     env:
       - CGO_ENABLED=0
+    main: ./cmd/step/main.go
+    flags:
+      - -trimpath
+    ldflags:
+      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    << : *COMMON
+    id: default
     targets:
       - darwin_amd64
       - darwin_arm64
@@ -28,31 +35,46 @@ builds:
       - linux_ppc64le
       - windows_amd64
       - windows_arm64
-    flags:
-      - -trimpath
-    main: ./cmd/step/main.go
     binary: bin/step
     ldflags:
       - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    # This build is for S3 binaries that follow our naming convention there.
+    << : *COMMON
+    id: s3-versioned
+    targets:
+      - darwin_amd64
+      - darwin_arm64
+      - linux_amd64
+      - linux_arm64
+      - windows_amd64
+      - freebsd_amd64
+    binary: 'step_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+  -
+    # This build is for S3 unversioned binaries that follow our naming convention there.
+    << : *COMMON
+    id: s3-unversioned
+    targets:
+      - darwin_amd64
+      - darwin_arm64
+      - linux_amd64
+      - linux_arm64
+      - windows_amd64
+      - freebsd_amd64
+    binary: 'step_latest_{{ .Os }}_{{ .Arch }}'
   -
     # This build is specifically for nFPM targets (.deb and .rpm files).
     # It's exactly the same as the default build above, except:
     # - it only builds the archs we want to produce .deb and .rpm files for
     # - the name of the output binary is step-cli
+    << : *COMMON
     id: nfpm
-    env:
-      - CGO_ENABLED=0
     goos:
       - linux
     goarch:
       - amd64
       - arm64
-    flags:
-      - -trimpath
-    main: ./cmd/step/main.go
     binary: step-cli
-    ldflags:
-      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
 
 archives:
   - &ARCHIVE
@@ -239,6 +261,18 @@ release:
   #  - glob: ./glob/**/to/**/file/**/*
   #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
 
+blobs:
+  -
+    provider: s3
+    region: us-east-1
+    bucket: '{{ .Env.AWS_S3_BUCKET }}'
+    ids:
+      - s3-versioned
+      - s3-unversioned
+    acl: public-read
+    disable: '{{ ne .Prerelease "" }}'
+
+
 winget:
   -
     # IDs of the archives to use.

CHANGELOG.md

@@ -26,6 +26,38 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
+## [0.27.2] - 2024-07-18
+
+### Added
+
+- `console` flag to SSH commands (smallstep/cli#1238)
+- Upload FreeBSD build to S3 (smallstep/cli#1239)
+
+
+## [0.27.1] - 2024-07-11
+
+### Fixed
+
+- Broken release process
+
+
+## [0.27.0] - 2024-07-11
+
+### Changed
+
+- Makefile: install to /usr/local/bin, not /usr/bin (smallstep/cli#1214)
+
+### Fixed
+
+- Set proper JOSE algorithm for Ed25519 keys (smallstep/cli#1208)
+- Makefile: usage of install command line flags on MacOS (smallstep/cli#1212)
+- Restore operation of '--bundle' flag in certificate inspect (smallstep/cli#1215)
+- Fish completion (smallstep/cli#1222)
+- Restore operation of inspect CSR from STDIN (smallstep/cli#1232)
+
+### Security
+
+
 ## [0.26.2] - 2024-06-13
 
 ### Added

command/ca/ca.go

@@ -137,11 +137,6 @@ location being served by an existing fileserver in order to respond to ACME
 challenge validation requests.`,
 	}
 
-	consoleFlag = cli.BoolFlag{
-		Name:  "console",
-		Usage: "Complete the flow while remaining inside the terminal",
-	}
-
 	fingerprintFlag = cli.StringFlag{
 		Name:  "fingerprint",
 		Usage: "The <fingerprint> of the targeted root certificate.",

command/ca/certificate.go

@@ -191,7 +191,7 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 			flags.Force,
 			flags.Offline,
 			flags.PasswordFile,
-			consoleFlag,
+			flags.Console,
 			flags.KMSUri,
 			flags.X5cCert,
 			flags.X5cKey,

command/ca/sign.go

@@ -124,7 +124,7 @@ $ step ca sign foo.csr foo.crt \
 			flags.Force,
 			flags.Offline,
 			flags.PasswordFile,
-			consoleFlag,
+			flags.Console,
 			flags.KMSUri,
 			flags.X5cCert,
 			flags.X5cKey,

command/certificate/inspect.go

@@ -11,6 +11,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certinfo"
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/utils"
 	zx509 "github.com/smallstep/zcrypto/x509"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -218,17 +219,22 @@ func inspectAction(ctx *cli.Context) error {
 		}
 		return inspectCertificates(ctx, peerCertificates[:1], os.Stdout)
 	default: // is not URL
+		b, err := utils.ReadFile(crtFile)
+		if err != nil {
+			return errors.Wrapf(err, "error reading file %s", crtFile)
+		}
+
 		var pemError *pemutil.InvalidPEMError
-		crts, err := pemutil.ReadCertificateBundle(crtFile)
+		crts, err := pemutil.ParseCertificateBundle(b)
 		switch {
 		case errors.As(err, &pemError) && pemError.Type == pemutil.PEMTypeCertificate:
-			csr, err := pemutil.ReadCertificateRequest(crtFile)
+			csr, err := pemutil.ParseCertificateRequest(b)
 			if err != nil {
 				return errors.Errorf("file %s does not contain any valid CERTIFICATE or CERTIFICATE REQUEST blocks", crtFile)
 			}
 			return inspectCertificateRequest(ctx, csr, os.Stdout)
 		case err != nil:
-			return err
+			return fmt.Errorf("error parsing %s: %w", crtFile, err)
 		default:
 			if bundle {
 				return inspectCertificates(ctx, crts, os.Stdout)

command/certificate/sign.go

@@ -31,6 +31,17 @@ const customIntermediateTemplate = `{
 	}
 }`
 
+const customLeafTemplate = `{
+	"rawSubject": {{ toJson .Insecure.CR.RawSubject }},
+	"sans": {{ toJson .SANs }},
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
+	"keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+	"keyUsage": ["digitalSignature"],
+{{- end }}
+	"extKeyUsage": ["serverAuth", "clientAuth"]
+}`
+
 func signCommand() cli.Command {
 	return cli.Command{
 		Name:   "sign",
@@ -294,7 +305,7 @@ func signAction(ctx *cli.Context) error {
 	} else {
 		switch profile {
 		case profileLeaf:
-			template = x509util.DefaultLeafTemplate
+			template = customLeafTemplate
 		case profileIntermediateCA:
 			template = customIntermediateTemplate
 		case profileCSR:
@@ -465,6 +476,7 @@ func createTemplateData(cr *x509.CertificateRequest, maxPathLen int, omitCNSAN b
 		PostalCode:         cr.Subject.PostalCode,
 		SerialNumber:       cr.Subject.SerialNumber,
 		CommonName:         cr.Subject.CommonName,
+		ExtraNames:         x509util.NewExtraNames(cr.Subject.ExtraNames),
 	})
 	data.SetSANs(sans)
 	return data

command/oauth/cmd.go

@@ -1,7 +1,6 @@
 package oauth
 
 import (
-	"bufio"
 	"bytes"
 	"crypto/sha256"
 	"crypto/x509"
@@ -901,11 +900,9 @@ func (o *oauth) DoDeviceAuthorization() (*token, error) {
 		idr.Interval = defaultDeviceAuthzInterval
 	}
 
-	fmt.Fprintf(os.Stderr, "Visit %s and enter the code: (press 'ENTER' to open default browser)\n", idr.VerificationURI)
+	fmt.Fprintf(os.Stderr, "Visit %s and enter the code:\n", idr.VerificationURI)
 	fmt.Fprintln(os.Stderr, idr.UserCode)
 
-	go openBrowserIfAsked(o, idr.VerificationURI)
-
 	// Poll the Token endpoint until the user completes the flow.
 	data = url.Values{}
 	data.Set("client_id", o.clientID)
@@ -939,13 +936,6 @@ func (o *oauth) DoDeviceAuthorization() (*token, error) {
 	}
 }
 
-func openBrowserIfAsked(o *oauth, u string) {
-	reader := bufio.NewReader(os.Stdin)
-	reader.ReadString('\n')
-
-	exec.OpenInBrowser(u, o.browser)
-}
-
 var errHTTPToken = errors.New("bad request; token not returned")
 
 func (o *oauth) deviceAuthzTokenPoll(data url.Values) (*token, error) {