diff --git a/deploy/gen-certs.sh b/deploy/gen-certs.sh index 0f9ad0d..7a15636 100755 --- a/deploy/gen-certs.sh +++ b/deploy/gen-certs.sh @@ -57,5 +57,12 @@ openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n") rm -f gateway.csr bot.csr ca.srl -chmod 600 ./*.key +# The gateway and bot run on distroless **nonroot** (UID 65532) and bind-mount this +# dir read-only; a key owned by the deploy user must still be readable by that UID, so +# the leaves are world-readable (0644, like the .crt files). These are ephemeral +# TEST certificates regenerated every deploy on the trusted runner host; production +# keys come from PROD_ secrets, not this script. The CA key never enters a container — +# keep it owner-only. +chmod 644 ./ca.crt ./gateway.crt ./gateway.key ./bot.crt ./bot.key +chmod 600 ./ca.key echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"