docs(ssl): add Google Trust Services (pki.goog) root CAs to certificate pinning list #18479
Open
BojanOro wants to merge 1 commit into
…te pinning list Co-Authored-By: sentry-junior[bot] <264270552+sentry-junior[bot]@users.noreply.github.com>
Adds Google Trust Services (pki.goog) root CAs to the certificate pinning documentation.
Why
Sentry is deploying the US2 region using GCP-managed TLS certificates. GCP can issue certs from either letsencrypt.org or pki.goog. The GTS roots were missing from our pinning docs, which could break customers who pin certificates and end up being served a pki.goog cert.
All four GTS root CAs (R1–R4, covering both RSA and EC) are included. Fingerprints verified directly from the live https://pki.goog/roots.pem bundle via openssl.
Also updates the introductory sentence in the Certificate Pinning section to mention Google Trust Services alongside Digicert and Let's Encrypt.
GlobalSign ECC Root CA - R4 is not included.
GlobalSign ECC Root CA - R4 shows up in pki.goog/roots.pem because that bundle contains every root GTS has a trust relationship with — 20 certs total, including GlobalSign, DigiCert, GoDaddy, COMODO, USERTrust, etc. It's not a root GTS issues from.
GCP-managed certificates chain to GTS Root R1–R4 only (R1/R2 for RSA, R3/R4 for EC). GlobalSign R4 was historically used for cross-signing GTS intermediates for broader device compatibility, but modern GTS-issued certs go straight to their own roots.
Context
https://sentry.slack.com/archives/C1G612XHC/p1779718624966249
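
An added example, not part of this PR or of Sentry's docs: a standard-library Python check that computes the SHA-256 fingerprint of every certificate in a PEM bundle (the same value `openssl x509 -noout -fingerprint -sha256` prints) and reports which ones a client's pin list does not cover. The function names are hypothetical and the sample bundle holds constructed placeholder bytes, not real certificates; in practice, feed it only the roots the service actually chains to.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, upper-case hex without colons."""
    return hashlib.sha256(der).hexdigest().upper()

def bundle_fingerprints(pem_bundle: bytes) -> list[str]:
    """Fingerprint every CERTIFICATE block in a PEM bundle, in file order."""
    prints = []
    for match in PEM_RE.finditer(pem_bundle):
        b64 = b"".join(match.group(1).split())  # drop PEM line breaks
        prints.append(fingerprint(base64.b64decode(b64, validate=True)))
    return prints

def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:...', 'aabb...' or openssl's 'sha256 Fingerprint=AA:BB:...'."""
    hexed = re.sub(r"[^0-9A-Fa-f]", "", pin.split("=", 1)[-1]).upper()
    if len(hexed) != 64:
        raise ValueError(f"not a SHA-256 fingerprint: {pin!r}")
    return hexed

def unpinned_roots(pem_bundle: bytes, pinned: list[str]) -> list[str]:
    """Fingerprints present in the bundle but absent from the pin list."""
    pins = {normalize_pin(p) for p in pinned}
    return [fp for fp in bundle_fingerprints(pem_bundle) if fp not in pins]

def _pem(der: bytes) -> bytes:
    """Wrap raw bytes in PEM armor (helper for the constructed sample only)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed placeholder bytes, NOT real certificates. The fingerprint is a
# hash of whatever DER bytes the PEM block carries, so these suffice offline.
SAMPLE_DERS = [b"constructed-root-A" * 10, b"constructed-root-B" * 10]
SAMPLE_BUNDLE = b"# constructed bundle\n" + b"".join(_pem(d) for d in SAMPLE_DERS)

if __name__ == "__main__":
    fp_a = fingerprint(SAMPLE_DERS[0])
    colon_pin = ":".join(fp_a[i:i + 2] for i in range(0, 64, 2))
    # The client pins only root A, so root B is reported as uncovered.
    for fp in unpinned_roots(SAMPLE_BUNDLE, [colon_pin]):
        print("root not in pin list:", fp)
```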