fix(root_cert) use a more reliable source for the latest cert (#15262)

oven-sh · Nov 20, 2024 · 3681aa9 · 3681aa9
1 parent c9d0fd5
commit 3681aa9
Showing 1 changed file with 27 additions and 19 deletions.
diff --git a/packages/bun-usockets/generate-root-certs.mjs b/packages/bun-usockets/generate-root-certs.mjs
@@ -18,8 +18,7 @@ const __filename = fileURLToPath(import.meta.url);
 const now = new Date();
 
 const formatDate = d => {
-  const iso = d.toISOString();
-  return iso.substring(0, iso.indexOf("T"));
+  return d;
 };
 
 const getCertdataURL = version => {
@@ -146,26 +145,35 @@ if (values.help) {
   process.exit(0);
 }
 
-const scheduleURL = "https://wiki.mozilla.org/NSS:Release_Versions";
+const versions = await fetch("https://nucleus.mozilla.org/rna/all-releases.json").then(res => res.json());
+
+const today = new Date().toISOString().split("T")[0].trim();
+const releases = versions
+  .filter(
+    version =>
+      version.channel == "Release" &&
+      version.product === "Firefox" &&
+      version.is_public &&
+      version.release_date <= today,
+  )
+  .sort((a, b) => (a > b ? (a == b ? 0 : -1) : 1));
+const latest = releases[0];
+const release_tag = `FIREFOX_${latest.version.replaceAll(".", "_")}_RELEASE`;
 if (values.verbose) {
-  console.log(`Fetching NSS release schedule from ${scheduleURL}`);
-}
-const schedule = await fetch(scheduleURL);
-if (!schedule.ok) {
-  console.error(`Failed to fetch ${scheduleURL}: ${schedule.status}: ${schedule.statusText}`);
-  process.exit(-1);
+  console.log(`Fetching NSS release from ${release_tag}`);
 }
-const scheduleText = await schedule.text();
-const nssReleases = getReleases(scheduleText);
+const version = await fetch(
+  `https://hg.mozilla.org/releases/mozilla-release/raw-file/${release_tag}/security/nss/TAG-INFO`,
+)
+  .then(res => res.text())
+  .then(txt => txt.trim().split("NSS_")[1].split("_RTM").join("").split("_").join(".").trim());
 
-// Retrieve metadata for the NSS release being updated to.
-const version = positionals[0] ?? (await getLatestVersion(nssReleases));
-const release = nssReleases.find(r => {
-  return new RegExp(`^${version.replace(".", "\\.")}\\b`).test(r[kNSSVersion]);
-});
-if (!pastRelease(release)) {
-  console.warn(`Warning: NSS ${version} is not due to be released until ${formatDate(release[kNSSDate])}`);
-}
+const release = {
+  version: version,
+  firefoxVersion: latest.version,
+  firefoxDate: latest.release_date,
+  date: latest.release_date,
+};
 if (values.verbose) {
   console.log("Found NSS version:");
   console.log(release);