From edc1478f6b85dbf6f6797e19ce1d4b133ca2e5c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Sat, 7 Feb 2026 14:23:33 -0500
Subject: [PATCH] cmd: remove cert subcommand (#8153)

Co-authored-by: Claude Opus 4.6
---
 CHANGELOG.md | 4 ++
 cmd/gogs/cert.go | 171 -----------------------------------------------
 cmd/gogs/cmd.go | 18 -----
 cmd/gogs/main.go | 1 -
 4 files changed, 4 insertions(+), 190 deletions(-)
 delete mode 100644 cmd/gogs/cert.go

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0df6fb1d6..c2352d344 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to Gogs are documented in this file. ## 0.15.0+dev (`main`) +### Removed + +- The `gogs cert` subcommand. [#8153](https://github.com/gogs/gogs/pull/8153) + ## 0.14.1 ### Added
diff --git a/cmd/gogs/cert.go b/cmd/gogs/cert.go
deleted file mode 100644
index 01092dc46..000000000
--- a/cmd/gogs/cert.go
+++ /dev/null
@@ -1,171 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "log"
- "math/big"
- "net"
- "os"
- "strings"
- "time"
-
- "github.com/urfave/cli"
-)
-
-var certCommand = cli.Command{
- Name: "cert",
- Usage: "Generate self-signed certificate",
- Description: `Generate a self-signed X.509 certificate for a TLS server.
-Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
- Action: runCert,
- Flags: []cli.Flag{
- stringFlag("host", "", "Comma-separated hostnames and IPs to generate a certificate for"),
- stringFlag("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521"),
- intFlag("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set"),
- stringFlag("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011"),
- durationFlag("duration", 365*24*time.Hour, "Duration that certificate is valid for"),
- boolFlag("ca", "whether this cert should be its own Certificate Authority"),
- },
-}
-
-func publicKey(priv any) any {
- switch k := priv.(type) {
- case *rsa.PrivateKey:
- return &k.PublicKey
- case *ecdsa.PrivateKey:
- return &k.PublicKey
- default:
- return nil
- }
-}
-
-func pemBlockForKey(priv any) *pem.Block {
- switch k := priv.(type) {
- case *rsa.PrivateKey:
- return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
- case *ecdsa.PrivateKey:
- b, err := x509.MarshalECPrivateKey(k)
- if err != nil {
- log.Fatalf("Unable to marshal ECDSA private key: %v\n", err)
- }
- return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
- default:
- return nil
- }
-}
-
-func runCert(ctx *cli.Context) error {
- if len(ctx.String("host")) == 0 {
- log.Fatal("Missing required --host parameter")
- }
-
- var priv any
- var err error
- switch ctx.String("ecdsa-curve") {
- case "":
- priv, err = rsa.GenerateKey(rand.Reader, ctx.Int("rsa-bits"))
- case "P224":
- priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
- case "P256":
- priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- case "P384":
- priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
- case "P521":
- priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
- default:
- log.Fatalf("Unrecognized elliptic curve: %q", ctx.String("ecdsa-curve"))
- }
- if err != nil {
- log.Fatalf("Failed to generate private key: %s", err)
- }
-
- var notBefore time.Time
- if len(ctx.String("start-date")) == 0 {
- notBefore = time.Now()
- } else {
- notBefore, err = time.Parse("Jan 2 15:04:05 2006", ctx.String("start-date"))
- if err != nil {
- log.Fatalf("Failed to parse creation date: %s", err)
- }
- }
-
- notAfter := notBefore.Add(ctx.Duration("duration"))
-
- serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
- serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
- if err != nil {
- log.Fatalf("Failed to generate serial number: %s", err)
- }
-
- template := x509.Certificate{
- SerialNumber: serialNumber,
- Subject: pkix.Name{
- Organization: []string{"Acme Co"},
- CommonName: "Gogs",
- },
- NotBefore: notBefore,
- NotAfter: notAfter,
-
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
- BasicConstraintsValid: true,
- }
-
- hosts := strings.SplitSeq(ctx.String("host"), ",")
- for h := range hosts {
- if ip := net.ParseIP(h); ip != nil {
- template.IPAddresses = append(template.IPAddresses, ip)
- } else {
- template.DNSNames = append(template.DNSNames, h)
- }
- }
-
- if ctx.Bool("ca") {
- template.IsCA = true
- template.KeyUsage |= x509.KeyUsageCertSign
- }
-
- derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
- if err != nil {
- log.Fatalf("Failed to create certificate: %s", err)
- }
-
- certOut, err := os.Create("cert.pem")
- if err != nil {
- log.Fatalf("Failed to open cert.pem for writing: %s", err)
- }
- err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
- if err != nil {
- log.Fatalf("Failed to encode data to cert.pem: %s", err)
- }
- err = certOut.Close()
- if err != nil {
- log.Fatalf("Failed to close writing to cert.pem: %s", err)
- }
- log.Println("Written cert.pem")
-
- keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
- if err != nil {
- log.Fatalf("Failed to open key.pem for writing: %v\n", err)
- }
- err = pem.Encode(keyOut, pemBlockForKey(priv))
- if err != nil {
- log.Fatalf("Failed to encode data to key.pem: %s", err)
- }
- err = keyOut.Close()
- if err != nil {
- log.Fatalf("Failed to close writing to key.pem: %s", err)
- }
- log.Println("Written key.pem")
- return nil
-}
diff --git a/cmd/gogs/cmd.go b/cmd/gogs/cmd.go
index e17a1bd2c..857baefab 100644
--- a/cmd/gogs/cmd.go
+++ b/cmd/gogs/cmd.go
@@ -1,8 +1,6 @@ package main import ( - "time" - "github.com/urfave/cli" )
@@ -20,19 +18,3 @@ func boolFlag(name, usage string) cli.BoolFlag {
 Usage: usage,
 }
 }
-
-func intFlag(name string, value int, usage string) cli.IntFlag {
- return cli.IntFlag{
- Name: name,
- Value: value,
- Usage: usage,
- }
-}
-
-func durationFlag(name string, value time.Duration, usage string) cli.DurationFlag {
- return cli.DurationFlag{
- Name: name,
- Value: value,
- Usage: usage,
- }
-}
diff --git a/cmd/gogs/main.go b/cmd/gogs/main.go
index 0c6d8d05c..398186eb5 100644
--- a/cmd/gogs/main.go
+++ b/cmd/gogs/main.go
@@ -23,7 +23,6 @@ func main() {
 webCommand,
 servCommand,
 hookCommand,
- certCommand,
 adminCommand,
 importCommand,
 backupCommand,