[build] cmd/genbotcert: add detail to hostname mismatch error

2 views
Skip to first unread message

Dmitri Shuralyov (Gerrit)

unread,
Feb 24, 2026, 3:02:23 PM (3 days ago) Feb 24
to Dmitri Shuralyov, goph...@pubsubhelper.golang.org, Carlos Amedee, Roland Shoemaker, Dmitri Shuralyov, Go LUCI, golang-co...@googlegroups.com
Attention needed from Carlos Amedee

New activity on the change

Open in Gerrit

Related details

Attention is currently required from:
  • Carlos Amedee
Submit Requirements:
  • requirement is not satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
  • requirement is not satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: Id281fd19ad8fedae284b344df6f61bca280d59d1
Gerrit-Change-Number: 748560
Gerrit-PatchSet: 2
Gerrit-Owner: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@google.com>
Gerrit-CC: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Carlos Amedee <car...@golang.org>
Gerrit-Comment-Date: Tue, 24 Feb 2026 20:02:19 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: No
unsatisfied_requirement
satisfied_requirement
open
diffy

Carlos Amedee (Gerrit)

unread,
Feb 25, 2026, 3:42:45 PM (2 days ago) Feb 25
to Dmitri Shuralyov, goph...@pubsubhelper.golang.org, Go LUCI, Roland Shoemaker, Dmitri Shuralyov, golang-co...@googlegroups.com
Attention needed from Dmitri Shuralyov

Carlos Amedee voted and added 3 comments

Votes added by Carlos Amedee

Code-Review+2

3 comments

Patchset-level comments
File-level comment, Patchset 2 (Latest):
Carlos Amedee . resolved

Thanks.

File cmd/genbotcert/genbotcert.go
Line 102, Patchset 2 (Latest):func generateCert(ctx context.Context, csrPath, hostname string) error {
Carlos Amedee . resolved

Just out of curiosity, why did you invert these two values? Was it to sort them alphabetically?

Line 157, Patchset 2 (Latest): if err := cr.CheckSignature(); err != nil {
Carlos Amedee . resolved

Good explicit check.

Open in Gerrit

Related details

Attention is currently required from:
  • Dmitri Shuralyov
Submit Requirements:
  • requirement satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement satisfiedReview-Enforcement
  • requirement satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: Id281fd19ad8fedae284b344df6f61bca280d59d1
Gerrit-Change-Number: 748560
Gerrit-PatchSet: 2
Gerrit-Owner: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@google.com>
Gerrit-CC: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Comment-Date: Wed, 25 Feb 2026 20:42:42 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
satisfied_requirement
open
diffy

Dmitri Shuralyov (Gerrit)

unread,
4:02 PM (2 hours ago) 4:02 PM
to Dmitri Shuralyov, goph...@pubsubhelper.golang.org, Carlos Amedee, Go LUCI, Roland Shoemaker, Dmitri Shuralyov, golang-co...@googlegroups.com

Dmitri Shuralyov voted and added 3 comments

Votes added by Dmitri Shuralyov

Auto-Submit+1

3 comments

Patchset-level comments
Dmitri Shuralyov . resolved

Thanks.

File cmd/genbotcert/genbotcert.go
Line 102, Patchset 2 (Latest):func generateCert(ctx context.Context, csrPath, hostname string) error {
Carlos Amedee . resolved

Just out of curiosity, why did you invert these two values? Was it to sort them alphabetically?

Dmitri Shuralyov

It wasn't about alphabetical order; my intent was to leave the parameters in what seemed like a descending order, placing the core parameter towards the front, secondary parameter later. That is, I thought for purposes of `readAndCheckCSR` the csrPath is the main input. Hostname is only being passed in to double-check that the CSR was generated for the intended hostname.

I try to refrain from reordering parameters of the same time type, since it's more risky and not always an improvement to readability for other people, but here it seemed worth doing alongside the refactoring for tests.

Line 157, Patchset 2 (Latest): if err := cr.CheckSignature(); err != nil {
Carlos Amedee . resolved

Good explicit check.

Dmitri Shuralyov

For posterity, I'll add a note here that I don't expect it to be neccessary because if it fails here, it shouldn't succeed in the future step of creating the certificate remotely.

But it seemed consistent to add a local check here since we're already checking other things that should always match when a sufficiently new version of genbotcert was used to create the CSR.

Open in Gerrit

Related details

Attention set is empty
Submit Requirements:
  • requirement satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement satisfiedReview-Enforcement
  • requirement satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: Id281fd19ad8fedae284b344df6f61bca280d59d1
Gerrit-Change-Number: 748560
Gerrit-PatchSet: 2
Gerrit-Owner: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@google.com>
Gerrit-CC: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Fri, 27 Feb 2026 21:02:16 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: Carlos Amedee <car...@golang.org>
satisfied_requirement
open
diffy

Gopher Robot (Gerrit)

unread,
4:03 PM (2 hours ago) 4:03 PM
to Dmitri Shuralyov, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, Roland Shoemaker, Dmitri Shuralyov, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
cmd/genbotcert: add detail to hostname mismatch error

Previously, if the CSR was somehow generated without a .bots.golang.org
suffix, the hostname check would catch that it didn't match but print a
message that's not very clear. Make it more detailed.

Also check some other fields that should match provided that genbotcert,
an appropriately-new version thereof, was used to create the CSR rather
than something else.
Change-Id: Id281fd19ad8fedae284b344df6f61bca280d59d1
Reviewed-by: Dmitri Shuralyov <dmit...@google.com>
Auto-Submit: Dmitri Shuralyov <dmit...@golang.org>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
  • M cmd/genbotcert/genbotcert.go
  • A cmd/genbotcert/genbotcert_test.go
Change size: M
Delta: 2 files changed, 102 insertions(+), 25 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • requirement satisfiedCode-Review: +1 by Dmitri Shuralyov, +2 by Carlos Amedee
  • requirement satisfiedTryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
Open in Gerrit
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: merged
Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: Id281fd19ad8fedae284b344df6f61bca280d59d1
Gerrit-Change-Number: 748560
Gerrit-PatchSet: 3
Gerrit-Owner: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-Reviewer: Dmitri Shuralyov <dmit...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-CC: Roland Shoemaker <rol...@golang.org>
open
diffy
satisfied_requirement
Reply all
Reply to author
Forward
0 new messages