Address feedback: fix IMAGE_REVISION handling and improve SSL certificate validation #53

Merged
TimHess merged 4 commits into https from copilot/sub-pr-52 on Jan 28, 2026

Copilot AI commented Jan 28, 2026

Addresses feedback from PR #52 on build script robustness and SSL certificate validation security.

Changes

  • build.ps1: Trim and join IMAGE_REVISION content before checking. Prevents trailing dashes in image tags when metadata files contain only whitespace.

    $Revision = (Get-Content ... | ForEach-Object { $_.Trim() }) -join ""
    if ($Revision -and $Revision -ne "") { ... }
  • SslTrustConfiguration.java: Replace string-based DN matching with cryptographic signature verification. Checks CA basic constraints before trusting signed certificates.

    boolean isCA = devCert.getBasicConstraints() != -1;
    if (!isCA) continue;
    cert.verify(devCert.getPublicKey());  // Cryptographic validation
  • Added error handling for missing ADDITIONAL_TAGS files

Security

CodeQL scan: 0 alerts
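
The contrast between DN string matching and signature verification described in the comment above, as an added example that is not code from this pull request or from SslTrustConfiguration.java. The class name, method names and PEM file arguments are hypothetical, and the weak method is an assumed shape of a DN string comparison.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class DevCertIssuerCheck { // hypothetical name, added for illustration

    // Weak form (assumed shape of a DN string match): issuer and subject names are
    // free text chosen by whoever creates a certificate, so equality proves nothing.
    static boolean issuedByDnString(X509Certificate cert, List<X509Certificate> devCerts) {
        String issuer = cert.getIssuerX500Principal().getName();
        return devCerts.stream()
                .anyMatch(dev -> dev.getSubjectX500Principal().getName().equals(issuer));
    }

    // Hardened form: the candidate must carry a signature that verifies under the
    // public key of a dev certificate that is itself marked as a CA.
    static boolean issuedBySignature(X509Certificate cert, List<X509Certificate> devCerts) {
        for (X509Certificate dev : devCerts) {
            if (dev.getBasicConstraints() == -1) continue; // -1: not marked as a CA
            try {
                cert.verify(dev.getPublicKey()); // throws unless the signature matches this key
                return true;
            } catch (GeneralSecurityException e) {
                // Wrong key, unsupported algorithm or bad signature: try the next dev cert.
            }
        }
        return false;
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate candidate = load(args[0]);
        List<X509Certificate> devCerts = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            devCerts.add(load(args[i]));
        }
        System.out.println("DN string match:     " + issuedByDnString(candidate, devCerts));
        System.out.println("Signature + CA flag: " + issuedBySignature(candidate, devCerts));
    }
}
```

Run it as `java DevCertIssuerCheck.java candidate.pem devcert.pem`, with the candidate certificate first and one or more dev certificates after it. Note that `verify` checks only the signature, not the validity dates of either certificate.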



Copilot AI and others added 3 commits January 28, 2026 19:17
Co-authored-by: TimHess <3947063+TimHess@users.noreply.github.com>
Co-authored-by: TimHess <3947063+TimHess@users.noreply.github.com>
Co-authored-by: TimHess <3947063+TimHess@users.noreply.github.com>

Copilot AI commented Jan 28, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • start.spring.io
    • Triggering command: /usr/bin/pwsh pwsh ./build.ps1 -Name eureka-server (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] WIP address feedback on support for trusting Aspire dev certs" to "Address feedback: fix IMAGE_REVISION handling and improve SSL certificate validation" Jan 28, 2026
Copilot AI requested a review from TimHess January 28, 2026 19:23
@TimHess TimHess marked this pull request as ready for review January 28, 2026 20:43
Copilot AI review requested due to automatic review settings January 28, 2026 20:43
Copilot AI left a comment

Pull request overview

This PR addresses feedback from PR #52 by improving the robustness of the build script and enhancing SSL certificate validation security. The changes fix edge cases in image tag generation and replace string-based certificate matching with cryptographic verification.

Changes:

  • Fixed IMAGE_REVISION handling to prevent malformed image tags when metadata files contain only whitespace
  • Added error handling for missing ADDITIONAL_TAGS and IMAGE_REVISION metadata files
  • Replaced insecure DN string-based certificate matching with cryptographic signature verification and CA basic constraints checking

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| build.ps1 | Added trimming and error handling for IMAGE_REVISION and ADDITIONAL_TAGS metadata files to prevent build failures and malformed image tags |
| shared/ssl-config/SslTrustConfiguration.java | Replaced string-based DN matching with cryptographic signature verification and added CA basic constraints checking to improve certificate validation security |


@TimHess TimHess merged commit f41dc14 into https Jan 28, 2026
7 checks passed
@TimHess TimHess deleted the copilot/sub-pr-52 branch January 28, 2026 20:50
TimHess added a commit that referenced this pull request Jan 28, 2026
* Update eureka-server/patches/application.properties.patch
* Fix line count in patch
* Update build.ps1 to trim/join IMAGE_REVISION and check for non-empty
* Use cryptographic signature verification in SslTrustConfiguration

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: TimHess <3947063+TimHess@users.noreply.github.com>
TimHess added a commit that referenced this pull request Jan 29, 2026
* Update eureka-server/patches/application.properties.patch
* Fix line count in patch
* Update build.ps1 to trim/join IMAGE_REVISION and check for non-empty
* Use cryptographic signature verification in SslTrustConfiguration

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: TimHess <3947063+TimHess@users.noreply.github.com>