
Bundle certificates script #8137

Closed
wants to merge 15 commits into from

Conversation

desrosj
Contributor

@desrosj desrosj commented Jan 16, 2025

Adds exact copies of Mozilla certificates, splits out the legacy 1024-bit certificates included for backwards compatibility, and introduces a Grunt task that combines the two for shipping.

Trac ticket: https://core.trac.wordpress.org/ticket/62812


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

@desrosj desrosj self-assigned this Jan 16, 2025

github-actions bot commented Jan 16, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props desrosj, johnbillion, swissspidy.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.


Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

- Don't copy raw certificate files during build.
- Build certificate bundle before copying over files.
Member

@johnbillion johnbillion left a comment


This is generally a good idea and perhaps once this is in we should add a workflow which updates the certs periodically and opens a PR when there's an update. This is what Requests does.

I think the legacy certs should remain prepended rather than appended. Related discussion in:

@johnbillion
Member

Ooh we could add https://github.com/composer/ca-bundle as a dev dependency, extract the cert bundle from that, and keep it updated via Dependabot. No need to roll our own solution.

@desrosj
Contributor Author

desrosj commented Jan 29, 2025

Thanks @johnbillion, hadn't thought of checking Composer. Updated the PR to utilize that package as a dependency.

Member

@johnbillion johnbillion left a comment


Neat!

Review comment on composer.json (outdated, resolved)
@johnbillion
Member

johnbillion commented Jan 29, 2025

I think composer/ca-bundle will need to be pinned to protect us against a theoretical future problem. My understanding is that the build server on dotorg doesn't use Composer, but if a change was made so that it does then there's a chance that a newer version of composer/ca-bundle would get pulled in and deployed during the build.

  1. Latest version of composer/ca-bundle is currently 1.5.5
  2. Build server runs composer install and pulls in a theoretical version 1.5.6 because there's no lock file in use
  3. Build server runs npm run build which calls grunt build which calls grunt build:certificates which calls grunt concat:certificates which concatenates version 1.5.6 of vendor/composer/ca-bundle/res/cacert.pem into wp-includes/certificates/cacert.pem
  4. Build server deploys WordPress with version 1.5.6 of the cert despite 1.5.5 being present in the source

Does that make sense?

@desrosj
Contributor Author

desrosj commented Jan 29, 2025

It does. I have set up the script to only copy the cert files from vendor when running grunt update-certificates, though.

If I have done it correctly, then when build is run it should not have any impact if the version of the Composer package is changed somehow. It should only use the versioned revision of the file in the src/wp-includes/certificates folder.

This was mainly to ensure someone could still run npm build without also having to run composer (install|update). But this should also cover the scenario you are describing, if I understand correctly.

@johnbillion
Member

Ah yes you are correct. copy:certificates is what copies the cert from the vendor directory, and that doesn't get run during the build. All good.

Member

@swissspidy swissspidy left a comment


I like the composer approach! 👍


A commit was made that fixes the Trac ticket referenced in the description of this pull request.

SVN changeset: 59740
GitHub commit: 6db1a33

This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.

@github-actions github-actions bot closed this Jan 30, 2025