apple-codesign: don't use aws_config::defaults for S3 client during notarization #291
Open
a7g4 wants to merge 1 commit into indygreg:main from
…otarization

This changes the S3 client construction to not use `aws_config::defaults`. It will still load the latest behaviour version though.

`aws_config::defaults` will load configuration from the environment and `~/.aws` (and probably other places?). We explicitly don't want to load them and any credential providers/service overrides they provide because Apple's workflow explicitly specifies everything with their STS.

Tested with and without config overrides in `~/.aws` and ENV variables.

Simplest breaking test is to add this to `~/.aws/config`:

```
[default]
endpoint_url = http://localhost
```

Prior to this change, notarization will fail by trying to upload the payload to `localhost` when `aws_config::defaults` loads that endpoint_url override.

After this change, notarization will correctly ignore the `~/.aws/config` and overrides in the `[default]` section and succeed.
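A pre-flight check for the failure this pull request describes, as an added example that is not part of the pull request or of apple-codesign: it scans shared-config text and environment variable names for settings that would redirect an SDK client's uploads or swap its credential source. `scan_config`, `scan_env`, `Finding` and the sample config text are constructed for illustration; the config keys and the `AWS_ENDPOINT_URL` variable prefix are the standard AWS ones.

```rust
// Added example (not apple-codesign code). Sample config text is constructed.
const RISKY_KEYS: [&str; 3] = ["endpoint_url", "credential_process", "role_arn"];
const SAMPLE: &str = "[default]\nendpoint_url = http://localhost\n\n[services dev]\ns3 =\n  endpoint_url = http://localhost:9000\n";

#[derive(Debug, PartialEq)]
pub struct Finding { pub section: String, pub key: String, pub value: String }

/// Return every setting in `~/.aws/config` text that redirects traffic or
/// swaps the credential source, including keys nested under e.g. `s3 =`.
pub fn scan_config(text: &str) -> Vec<Finding> {
    let (mut section, mut parent) = (String::new(), String::new());
    let mut out = Vec::new();
    for raw in text.lines() {
        let line = raw.trim_end();
        let trimmed = line.trim_start();
        if trimmed.is_empty() || trimmed.starts_with('#') || trimmed.starts_with(';') {
            continue;
        }
        if trimmed.starts_with('[') && trimmed.ends_with(']') {
            section = trimmed[1..trimmed.len() - 1].trim().to_string();
            parent.clear();
            continue;
        }
        let Some((k, v)) = trimmed.split_once('=') else { continue };
        let (k, v) = (k.trim(), v.trim());
        let indented = line.len() != trimmed.len();
        if !indented {
            // A top-level key with an empty value opens a nested block.
            parent = if v.is_empty() { k.to_string() } else { String::new() };
        }
        if RISKY_KEYS.contains(&k) {
            let key = if indented && !parent.is_empty() { format!("{parent}.{k}") } else { k.to_string() };
            out.push(Finding { section: section.clone(), key, value: v.to_string() });
        }
    }
    out
}

/// Names of endpoint-override variables (AWS_ENDPOINT_URL, AWS_ENDPOINT_URL_S3, ...).
pub fn scan_env<'a>(vars: &[(&'a str, &'a str)]) -> Vec<&'a str> {
    vars.iter().filter(|(k, _)| k.starts_with("AWS_ENDPOINT_URL")).map(|(k, _)| *k).collect()
}

fn main() {
    for f in scan_config(SAMPLE) {
        println!("[{}] {} = {}", f.section, f.key, f.value);
    }
    println!("{:?}", scan_env(&[("AWS_ENDPOINT_URL_S3", "http://localhost")]));
}
```

Any finding means a client built from ambient defaults on that machine can behave differently from one built with explicit settings, which is the discrepancy the breaking test above reproduces.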