Regenerate testdata and adapt tests for golang 1.24+ #1434

Open
elukey wants to merge 5 commits into cloudflare:master from elukey:master

elukey commented Mar 11, 2026

In golang 1.24+ sha1 signing is not allowed anymore, and a lot of certs in various testdata directories are SHA1 signed. There are also expired certs, which all together make the test suite fail in a lot of ways.

I used various AI tools to do the following:

  1. Create reliable build_certs.sh scripts able to regenerate the certs data, documenting how they are related to each other and what are the constraints that tests expect.
  2. Regenerate all the testdata dirs to make the test suite completely pass on golang 1.24+.

Given how old sha1 signing is, I would really vote to get rid of it as a special use case and focus on golang 1.24+ compatibility.

Fixes: #1413

elukey added 5 commits March 11, 2026 14:33
Add scripts to generate all the certs material under the various
testdata directories, together with comments about how they are related
to each other. The idea is to be able to programmatically control and
regenerate the data when needed (certs expired, shaXXX deprecation, ..).

The current issue is that most of the certs are expired or signed
with SHA1, which is not allowed anymore by golang 1.24+.

issue: cloudflare#1413

elukey commented Mar 20, 2026

@mitch292 Hi! Do you think that the PR is viable to be reviewed for the cfssl repo? It should be a good addition; restoring tests would be of good benefit for the whole community. Lemme know :)

@mitch292
Contributor

Hi @elukey - Yes I agree, getting these tests back in order on 1.24 and later would be great! I am just hesitant to commit to being able to have time to review in the short term. I will flag for my team as well to see if someone can take a look.


Development

Successfully merging this pull request may close these issues.

The x509sha1 GODEBUG setting has been removed with go1.24, tests relying on sha1 certificates will fail when running with >= go1.24
