Skip to content

serve-org-keys: run under cmd (Windows) without bash or openssl#3839

Merged
icanhasmath merged 6 commits into
masterfrom
windows-compatibilty
Jul 14, 2026
Merged

serve-org-keys: run under cmd (Windows) without bash or openssl#3839
icanhasmath merged 6 commits into
masterfrom
windows-compatibilty

Conversation

@icanhasmath

Copy link
Copy Markdown
Contributor

What

Makes the serve-org-keys run script work in a Windows cmd shell, not just bash.

Why

serve-org-keys was a single language: bash script. On a cmd shell it either wouldn't run or relied on tools (openssl, python3) that on Windows only come from git-bash. This lets the script run in a pure cmd environment.

Changes

  • activestate.yaml
    • Constrained the existing bash serve-org-keys to if: ne .Shell "cmd".
    • Added a language: batch twin constrained to if: eq .Shell "cmd". The State Tool filters by shell constraint (FilterUnconstrained), so the right one resolves automatically per shell — same mechanism install-deps-dev uses.
    • The batch variant detects the interpreter (pythonpy -3python3) and drops the openssl dependency.
  • scripts/orgkeyserver.py
    • Added --gen-cert, which generates the self-signed cert/key itself via the cryptography package (SAN DNS:localhost, IP:127.0.0.1), so no openssl binary is needed. Falls back to a clear error if cryptography isn't installed.

Verification

  • Cert generation: valid X.509, correct SAN (deduped), cert/key modulus match.
  • Server starts and serves /v1/org-key with the generated cert.
  • ast.parse clean; --help and required-arg enforcement work.

Notes

  • The bash variant is unchanged and still uses openssl (always present where bash is).
  • The cmd path trades the openssl dependency for cryptography; since Python is already required, pip install cryptography is the trivial follow-up if absent.

🤖 Generated with Claude Code

icanhasmath and others added 2 commits July 13, 2026 14:10
Add a batch twin of serve-org-keys constrained to cmd, and constrain
the existing bash version to non-cmd shells, so the script resolves per
shell the same way install-deps-dev does.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add --gen-cert to orgkeyserver.py so it generates its own self-signed
cert/key via the cryptography package, removing the openssl dependency
that on Windows only comes from git-bash. Update the cmd/batch variant
to detect the Python interpreter (python, py -3, python3) and pass
--gen-cert instead of shelling out to openssl.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Enables the serve-org-keys dev script to run from a native Windows cmd shell (without relying on git-bash tools like openssl) by adding a cmd-specific runner and teaching scripts/orgkeyserver.py to generate its own self-signed TLS materials.

Changes:

  • Added shell constraints and a cmd/batch implementation of serve-org-keys in activestate.yaml.
  • Added --gen-cert to scripts/orgkeyserver.py to generate a self-signed cert/key via cryptography (no external openssl binary).
  • Updated inline usage docs in scripts/orgkeyserver.py to document the new certificate generation path.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
activestate.yaml Split serve-org-keys into bash vs cmd/batch variants using .Shell constraints, and added interpreter autodetection for cmd.
scripts/orgkeyserver.py Added --gen-cert and a cryptography-based self-signed cert/key generator to remove the openssl dependency for cmd usage.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread activestate.yaml
Comment thread activestate.yaml
Comment thread scripts/orgkeyserver.py
- Quote --org in the no-key branches (bash and batch) so org names with
  spaces or shell metacharacters are passed as data, matching the
  --key branches.
- chmod the generated TLS private key to 0600 so it isn't world-readable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@icanhasmath icanhasmath requested a review from mitchell-as July 14, 2026 16:23
Comment thread scripts/orgkeyserver.py Outdated
Comment thread scripts/orgkeyserver.py Outdated
Comment thread scripts/orgkeyserver.py Outdated
Comment thread scripts/orgkeyserver.py Outdated
Comment thread activestate.yaml Outdated
Comment thread activestate.yaml Outdated
Comment thread activestate.yaml Outdated
Comment thread activestate.yaml Outdated
Comment thread activestate.yaml Outdated
Per review: drop openssl entirely and have orgkeyserver.py always
generate its self-signed cert.

- Add CERT_DIR="test/ssl" constant; generate_self_signed(host) writes
  cert.pem/key.pem there and returns their paths.
- Remove --tls-cert/--tls-key/--gen-cert; cert generation is now the
  default on every run.
- Assume cryptography is present (bundled in the runtime); drop the
  ImportError guard.
- Simplify both activestate.yaml variants to just run the script with
  --org (and optional --key); remove the openssl/mkdir prep.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@icanhasmath

Copy link
Copy Markdown
Contributor Author

Addressed the review in dcc45c2 — the script now always generates its cert in Python, so openssl is gone entirely:

  • Added a CERT_DIR = "test/ssl" constant; generate_self_signed(host) writes cert.pem/key.pem there and returns the paths.
  • Cert generation is now the default on every run — removed --gen-cert, --tls-cert, and --tls-key.
  • Removed the ImportError guard; cryptography is assumed present (bundled in the runtime).
  • Both activestate.yaml variants now just run the script with --org (and optional --key); the openssl/mkdir prep is gone.

Verified: default python3 scripts/orgkeyserver.py --org <org> auto-creates test/ssl/{cert,key}.pem (key 0600, SAN localhost+127.0.0.1) and serves /v1/org-key.

Config note: the CA path is now fixed, so state config set privateingredient.key_service_ca test/ssl/cert.pem.

@icanhasmath icanhasmath requested a review from mitchell-as July 14, 2026 16:44
Comment thread scripts/orgkeyserver.py Outdated

state config set privateingredient.key_service_url https://127.0.0.1:8443
state config set privateingredient.key_service_ca /path/to/cert.pem
state config set privateingredient.key_service_ca test/ssl/cert.pem

@mitchell-as mitchell-as Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe try /path/to/test/ssl/cert.pem to be more explicit. We should use absolute paths.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — generate_self_signed() now resolves the cert dir via os.path.abspath(), so it always returns absolute paths, and the server prints key_service_ca <absolute path> on startup for copy-paste into the config. Updated the docstring example to /path/to/test/ssl/cert.pem.

@mitchell-as

Copy link
Copy Markdown
Collaborator

@icanhasmath If you want you can update the top line of activestate.yaml to use bac333be-be69-4334-bfeb-f326f49af681 (top commit at https://platform.activestate.com/ActiveState/cli/releases). My brief testing is showing that state run serve-org-keys <org> works with the new runtime.

@icanhasmath icanhasmath requested a review from mitchell-as July 14, 2026 19:54

@mitchell-as mitchell-as left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see previous requested documentation change. Also, see previous comment about maybe using the new ActiveState/cli commit that uses a new runtime.

icanhasmath and others added 2 commits July 14, 2026 15:36
Per review: resolve the cert dir to an absolute path in
generate_self_signed(), and print the absolute key_service_ca path on
startup so the value is copy-pasteable regardless of cwd. Docstring
example updated to an absolute /path/to/test/ssl/cert.pem placeholder.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update to a runtime that bundles cryptography, which serve-org-keys'
orgkeyserver.py relies on for cert generation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@icanhasmath icanhasmath merged commit 072c745 into master Jul 14, 2026
11 of 12 checks passed
@icanhasmath icanhasmath deleted the windows-compatibilty branch July 14, 2026 21:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants