serve-org-keys: run under cmd (Windows) without bash or openssl#3839
Conversation
Add a batch twin of serve-org-keys constrained to cmd, and constrain the existing bash version to non-cmd shells, so the script resolves per shell the same way install-deps-dev does. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add --gen-cert to orgkeyserver.py so it generates its own self-signed cert/key via the cryptography package, removing the openssl dependency that on Windows only comes from git-bash. Update the cmd/batch variant to detect the Python interpreter (python, py -3, python3) and pass --gen-cert instead of shelling out to openssl. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Enables the serve-org-keys dev script to run from a native Windows cmd shell (without relying on git-bash tools like openssl) by adding a cmd-specific runner and teaching scripts/orgkeyserver.py to generate its own self-signed TLS materials.
Changes:
- Added shell constraints and a cmd/batch implementation of
serve-org-keysinactivestate.yaml. - Added
--gen-certtoscripts/orgkeyserver.pyto generate a self-signed cert/key viacryptography(no externalopensslbinary). - Updated inline usage docs in
scripts/orgkeyserver.pyto document the new certificate generation path.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| activestate.yaml | Split serve-org-keys into bash vs cmd/batch variants using .Shell constraints, and added interpreter autodetection for cmd. |
| scripts/orgkeyserver.py | Added --gen-cert and a cryptography-based self-signed cert/key generator to remove the openssl dependency for cmd usage. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Quote --org in the no-key branches (bash and batch) so org names with spaces or shell metacharacters are passed as data, matching the --key branches. - chmod the generated TLS private key to 0600 so it isn't world-readable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Per review: drop openssl entirely and have orgkeyserver.py always generate its self-signed cert. - Add CERT_DIR="test/ssl" constant; generate_self_signed(host) writes cert.pem/key.pem there and returns their paths. - Remove --tls-cert/--tls-key/--gen-cert; cert generation is now the default on every run. - Assume cryptography is present (bundled in the runtime); drop the ImportError guard. - Simplify both activestate.yaml variants to just run the script with --org (and optional --key); remove the openssl/mkdir prep. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Addressed the review in dcc45c2 — the script now always generates its cert in Python, so openssl is gone entirely:
Verified: default Config note: the CA path is now fixed, so |
|
|
||
| state config set privateingredient.key_service_url https://127.0.0.1:8443 | ||
| state config set privateingredient.key_service_ca /path/to/cert.pem | ||
| state config set privateingredient.key_service_ca test/ssl/cert.pem |
There was a problem hiding this comment.
Maybe try /path/to/test/ssl/cert.pem to be more explicit. We should use absolute paths.
There was a problem hiding this comment.
Done — generate_self_signed() now resolves the cert dir via os.path.abspath(), so it always returns absolute paths, and the server prints key_service_ca <absolute path> on startup for copy-paste into the config. Updated the docstring example to /path/to/test/ssl/cert.pem.
|
@icanhasmath If you want you can update the top line of activestate.yaml to use bac333be-be69-4334-bfeb-f326f49af681 (top commit at https://platform.activestate.com/ActiveState/cli/releases). My brief testing is showing that |
mitchell-as
left a comment
There was a problem hiding this comment.
Please see previous requested documentation change. Also, see previous comment about maybe using the new ActiveState/cli commit that uses a new runtime.
Per review: resolve the cert dir to an absolute path in generate_self_signed(), and print the absolute key_service_ca path on startup so the value is copy-pasteable regardless of cwd. Docstring example updated to an absolute /path/to/test/ssl/cert.pem placeholder. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update to a runtime that bundles cryptography, which serve-org-keys' orgkeyserver.py relies on for cert generation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Makes the
serve-org-keysrun script work in a Windows cmd shell, not just bash.Why
serve-org-keyswas a singlelanguage: bashscript. On a cmd shell it either wouldn't run or relied on tools (openssl,python3) that on Windows only come from git-bash. This lets the script run in a pure cmd environment.Changes
activestate.yamlserve-org-keystoif: ne .Shell "cmd".language: batchtwin constrained toif: eq .Shell "cmd". The State Tool filters by shell constraint (FilterUnconstrained), so the right one resolves automatically per shell — same mechanisminstall-deps-devuses.python→py -3→python3) and drops theopenssldependency.scripts/orgkeyserver.py--gen-cert, which generates the self-signed cert/key itself via thecryptographypackage (SANDNS:localhost, IP:127.0.0.1), so noopensslbinary is needed. Falls back to a clear error ifcryptographyisn't installed.Verification
/v1/org-keywith the generated cert.ast.parseclean;--helpand required-arg enforcement work.Notes
openssl(always present where bash is).openssldependency forcryptography; since Python is already required,pip install cryptographyis the trivial follow-up if absent.🤖 Generated with Claude Code