gdmf TLS Process
Apple uses its own 'private' CA (the certificates are published as .cer files at https://www.apple.com/certificateauthority/) for the chain that gdmf.apple.com presents, and it is that chain a TLS client validates when SOFA fetches things like IPSWs and other metadata from that host. Only the root CA certificate is needed to validate the chain, but requests/urllib expect a path to a PEM-encoded certificate file, not the DER/.cer format Apple publishes, so as of recent commits the repo ships the root cert, converted to PEM after being fetched manually.
A key tenet (which will be more apparent soon, when docs on CI/CD are published in this wiki) is the reproducibility of hosting SOFA. That requires trusting all of the design decisions made in the code, and the metadata/materials used to reliably and securely contact the endpoints it processes while running. We are therefore publishing the sha256 fingerprint of the root cert associated with gdmf here and explaining the process, including the openssl/awk one-liner we ran on a Mac to grab the cert before storing it in the repo:
/usr/bin/openssl s_client -showcerts -verify 5 -connect gdmf.apple.com:443 < /dev/null | /usr/bin/awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'
This command writes one file per certificate the server sends, in the order sent: cert1.pem (leaf), cert2.pem (intermediate CA) and cert3.pem (root). Note that -showcerts only prints what the server actually presents; a server that omits the root from its chain would yield only two files, and the -verify 5 result goes to stderr, which the pipe does not capture. cat'ing the files to stdout shows them in their expected .pem representation, i.e. -----BEGIN CERTIFICATE----- MII... -----END CERTIFICATE-----
You can Quick Look the .cer version from Apple's public site and confirm that the SHA-256 fingerprint it displays matches the fingerprint openssl computes from cert3.pem (which we've renamed AppleRoot.pem; the command below refers to it as ../root.pem). The fingerprint is the SHA-256 of the certificate's DER bytes, so it is the same whether computed from the .cer or the .pem:
/usr/bin/openssl x509 -noout -fingerprint -sha256 -in ../root.pem
SHA256 Fingerprint=B0:B1:73:0E:CB:C7:FF:45:05:14:2C:49:F1:29:5E:6E:DA:6B:CA:ED:7E:2C:68:C5:BE:91:B5:A1:10:01:F0:24
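The same process in Python, as an added example that is not SOFA's own code: split an s_client dump into per-certificate PEM files the way the awk one-liner does, compute the colon-separated SHA-256 fingerprint exactly as openssl x509 -fingerprint -sha256 does (a hash over the DER bytes), and convert Apple's DER .cer to the PEM that requests/urllib need only after the fingerprint matches the pinned value. The sample chain embedded below is constructed from short byte strings and is not a real certificate; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import ssl

# SHA-256 fingerprint of the Apple Root CA as published on this page. openssl's
# -fingerprint hashes the DER encoding of the certificate, so this is sha256(DER).
APPLE_ROOT_SHA256 = (
    "B0:B1:73:0E:CB:C7:FF:45:05:14:2C:49:F1:29:5E:6E:"
    "DA:6B:CA:ED:7E:2C:68:C5:BE:91:B5:A1:10:01:F0:24"
)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def split_pem_chain(s_client_output: str) -> list[str]:
    """Same job as the awk one-liner: return every PEM certificate found in
    `openssl s_client -showcerts` output, in the order the server sent them
    (leaf first), ignoring the surrounding handshake chatter."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + body.strip() + "\n-----END CERTIFICATE-----\n"
        for body in _PEM_CERT.findall(s_client_output)
    ]


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to raw DER bytes."""
    match = _PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes (e.g. a .cer from Apple's CA page) as PEM, 64 columns like openssl."""
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, in the same form as
    `openssl x509 -noout -fingerprint -sha256` prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def fingerprints_equal(actual: str, expected: str) -> bool:
    """Compare two fingerprints ignoring case and colons, in constant time."""
    norm = lambda f: f.replace(":", "").upper().encode("ascii")
    return hmac.compare_digest(norm(actual), norm(expected))


def pinned_root_pem(raw: bytes, expected: str = APPLE_ROOT_SHA256) -> str:
    """Convert a root cert (DER .cer or PEM) to the PEM text requests/urllib need,
    refusing unless its SHA-256 fingerprint matches the pinned value. Returns the
    PEM text; the caller writes it to the file path handed to requests' verify=."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        der = pem_to_der(raw.decode("ascii"))
    else:
        der = raw
    actual = sha256_fingerprint(der)
    if not fingerprints_equal(actual, expected):
        raise ValueError(f"root cert fingerprint mismatch: got {actual}, expected {expected}")
    return der_to_pem(der)


# Constructed sample, NOT real certificates: two short byte strings wrapped as PEM and
# surrounded by the kind of chatter s_client prints, so the splitter can be run offline.
SAMPLE_CHAIN = (
    "CONNECTED(00000003)\n"
    "Certificate chain\n"
    " 0 s:CN = leaf.example (constructed)\n"
    + der_to_pem(b"leaf-cert-bytes")
    + " 1 s:CN = root.example (constructed)\n"
    + der_to_pem(b"root-cert-bytes")
    + "---\nDONE\n"
)

if __name__ == "__main__":
    for i, cert in enumerate(split_pem_chain(SAMPLE_CHAIN), 1):
        print(f"cert{i}.pem SHA256 Fingerprint={sha256_fingerprint(pem_to_der(cert))}")
    # With Apple's real AppleRoot.cer the pinned conversion would look like this
    # (hypothetical file names; raises ValueError if the fingerprint does not match):
    #   pem = pinned_root_pem(open("AppleRoot.cer", "rb").read())
    #   open("AppleRoot.pem", "w").write(pem)
    #   requests.get("https://gdmf.apple.com/", verify="AppleRoot.pem")
```

Keeping the pinned fingerprint in the code rather than only in a wiki page means a CI run that regenerates AppleRoot.pem fails loudly if the fetched certificate is not the one the repo was reviewed against, which is the reproducibility property the section above is after.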