feat: add DigiCert code-sign support #7059
💬 Discussion in Slack: #pr-review-infisical-7059-feat-add-digicert-code-sign-support. Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

| Filename | Overview |
|---|---|
| backend/src/services/certificate-authority/digicert/digicert-api-client.ts | Adds reissueOrder, getOrganizationValidations, and getOrdersByAlternativeId API methods; improves error classification (4xx terminal vs transient). productSlug is inserted into the POST URL without encodeURIComponent, inconsistent with alternativeOrderId which is encoded. |
| backend/src/services/certificate-authority/digicert/digicert-certificate-authority-fns.ts | Large addition implementing code-signing order placement, reissue (with org/product ownership validation), status polling, and certificate download. The fail-open catch in assertCsOrgValidatedOrContactProvided is the main design concern; otherwise the logic is thorough. |
| backend/src/services/signer/signer-issuance-service.ts | Adds DigiCert code-signing issuance step with renew/reissue lifecycle, idempotent order placement via alternative_order_id, and a fallback from renew-with-no-slot to reissue. Logic is well-structured with appropriate retry and error handling. |
| backend/src/services/signer/signer-service.ts | Adds reissueFromExternalOrderId handling with correct integer validation and CA-type guard. The create and reissue paths both convert the string to a number safely before forwarding as digicertLifecycle. |
| backend/src/services/app-connection/digicert/digicert-connection-fns.ts | Adds code-signing validation check and order listing endpoints; refactors getDigiCertApiBaseUrl to accept an object. Hardcoded limit: 1000 in listDigiCertCodeSigningOrders could return large payloads for heavy accounts. |
| backend/src/server/routes/v1/app-connection-routers/digicert-connection-router.ts | Registers two new GET routes for code-signing validation and order listing. Auth, rate-limiting, and schema validation look correct. |
| backend/src/services/certificate-authority/digicert/digicert-certificate-authority-schemas.ts | Adds DigiCertCaPurpose enum, purpose and verifiedContact fields to CA configuration schema. Validation looks complete. |
| backend/src/services/app-connection/digicert/digicert-connection-service.ts | Adds getCodeSigningValidation and listCodeSigningOrders service methods; errors are caught and logged, returning safe defaults. |
| backend/src/server/routes/v1/signer-routers/certificate-router.ts | Adds optional reissueFromExternalOrderId top-level field to the issue-certificate request body. Schema is correct. |
| backend/src/server/routes/v1/signer-routers/lifecycle-router.ts | Adds optional externalConfiguration.reissueFromExternalOrderId to the create-signer request body. Schema and forwarding look correct. |
| docs/documentation/platform/pki/ca/digicert-direct.mdx | New documentation for DigiCert code-signing CA setup with UI and API tabs; content is clear and accurate. |
Reviews (1): Last reviewed commit: "Add DigiCert code-sign support"
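
The unencoded `productSlug` finding in the table above, as an added example (not Infisical's code and not part of the review): it compares interpolating the slug as-is with encoding it, and shows that `encodeURIComponent` alone leaves `..` untouched, so the hardened builder also checks an allowlist. `BASE`, the function names, the slug grammar and the sample slugs are assumptions constructed for illustration.

```typescript
// Added example. BASE is a placeholder host, not a real API endpoint.
const BASE = "https://ca.example.test/services/v2";

// Shape flagged in the review: the slug goes into the path unencoded, so
// "/", ".." and "?" inside it are interpreted as URL syntax.
function naiveOrderUrl(productSlug: string): string {
  return new URL(`${BASE}/order/certificate/${productSlug}`).toString();
}

// Encoding keeps the value inside one path segment, but "." and ".." contain
// no characters that encodeURIComponent escapes, so dot segments survive.
function encodedOnlyOrderUrl(productSlug: string): string {
  const segment = encodeURIComponent(productSlug);
  return new URL(`${BASE}/order/certificate/${segment}`).toString();
}

// Assumed slug grammar for this example: lowercase letters, digits, underscore.
const SLUG_RE = /^[a-z0-9_]{1,64}$/;

// Hardened builder: reject anything outside the allowlist, then encode anyway
// so the call site stays correct if the grammar is ever widened.
function safeOrderUrl(productSlug: string): string {
  if (!SLUG_RE.test(productSlug)) {
    throw new Error("invalid product slug");
  }
  return encodedOnlyOrderUrl(productSlug);
}

// Constructed sample slugs: one ordinary value and two malformed ones.
for (const slug of ["code_signing", "a/../../b?c=1", ".."]) {
  let safe: string;
  try {
    safe = safeOrderUrl(slug);
  } catch (e) {
    safe = "rejected";
  }
  console.log(JSON.stringify(slug));
  console.log("  naive:       ", naiveOrderUrl(slug));
  console.log("  encoded only:", encodedOnlyOrderUrl(slug));
  console.log("  safe:        ", safe);
}
```
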
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 772c34df83
PR overview: All previously flagged issues have been addressed. No open security concerns remain on this pull request.
Security review: No open security issues remain on this pull request.
Fixed/addressed: 5 · PR risk: 0/10
# Conflicts: # frontend/src/pages/cert-manager/CodeSigningPage/components/CreateSignerWizard/CertificateStep.tsx