Contributing Guide
Contributing Guide
Section titled “Contributing Guide”This document covers contributing guidelines, development workflow, and code style for QPKI.
1. Getting Started
Section titled “1. Getting Started”1.1 Prerequisites
Section titled “1.1 Prerequisites”- Go 1.25 or later
- Git
- Make (optional, for convenience commands)
- Java 17+ (for BouncyCastle cross-tests)
- Maven 3.6+ (for BouncyCastle cross-tests)
1.2 Clone and Build
Section titled “1.2 Clone and Build”git clone https://github.com/remiblancher/qpki.gitcd qpki
go build -o qpki ./cmd/qpki
go test -v ./...
go test -v -race ./...2. Development Workflow
Section titled “2. Development Workflow”2.1 Branch Naming
Section titled “2.1 Branch Naming”| Type | Pattern | Example |
|---|---|---|
| Feature | feature/<description> | feature/add-ocsp-support |
| Bug fix | fix/<description> | fix/crl-parsing-error |
| Documentation | docs/<description> | docs/update-readme |
| Refactoring | refactor/<description> | refactor/crypto-package |
2.2 Commit Messages
Section titled “2.2 Commit Messages”Follow conventional commit format:
<type>(<scope>): <description>
[optional body]
[optional footer]Types:
feat: New featurefix: Bug fixdocs: Documentation onlytest: Adding testsrefactor: Code refactoringchore: Maintenance tasks
Examples:
feat(ca): add OCSP responder support
fix(crypto): handle nil public key in SubjectKeyID
docs(readme): update installation instructions2.3 Pull Request Process
Section titled “2.3 Pull Request Process”- Fork the repository
- Create a feature branch
- Make your changes
- Run tests:
go test -v -race ./... - Run linter:
golangci-lint run - Push to your fork
- Create a Pull Request
3. Code Style
Section titled “3. Code Style”3.1 Go Style
Section titled “3.1 Go Style”Follow standard Go conventions:
- Use
gofmtfor formatting - Follow Effective Go
- Follow Go Code Review Comments
3.2 Linting
Section titled “3.2 Linting”We use golangci-lint:
golangci-lint runEnabled linters:
- errcheck, gosimple, govet, ineffassign, staticcheck, unused, gofmt, goimports
3.3 Documentation
Section titled “3.3 Documentation”- All exported functions must have doc comments
- Doc comments should start with the function name
- Include examples for complex functions
// GenerateKey creates a new cryptographic key pair.//// Supported algorithms: ecdsa-p256, ecdsa-p384, ed25519, rsa-2048,// ml-dsa-44, ml-dsa-65, ml-dsa-87.func GenerateKey(alg AlgorithmID) (Signer, error) { // ...}4. Project Extension
Section titled “4. Project Extension”4.1 Adding New Algorithms
Section titled “4.1 Adding New Algorithms”- Add algorithm constant to
internal/crypto/algorithms.go - Add OID to
internal/x509util/oids.go - Implement key generation in
internal/crypto/keygen.go - Add signing support in
internal/crypto/software.go - Add tests for all operations
- Update documentation
4.2 Adding New Certificate Profiles
Section titled “4.2 Adding New Certificate Profiles”- Create new file in
internal/profile/ - Implement
Profileinterface - Register in profile registry
- Add CLI support in
cmd/qpki/issue.go - Add tests
- Update relevant documentation (CA.md, CREDENTIALS.md, CLI.md)
4.3 Adding CLI Commands
Section titled “4.3 Adding CLI Commands”- Create new file in
cmd/qpki/ - Define cobra command with flags
- Register in
init()function - Add tests
- Update relevant documentation (CLI.md)
5. Security
Section titled “5. Security”5.1 Security Considerations
Section titled “5.1 Security Considerations”- Never log sensitive data (private keys, passphrases)
- Use constant-time comparisons for secrets
- Validate all inputs
- Handle errors properly (don’t ignore them)
5.2 Reporting Vulnerabilities
Section titled “5.2 Reporting Vulnerabilities”If you discover a security vulnerability:
- Do not open a public issue
- Email the maintainers directly
- Include detailed reproduction steps
- Allow time for a fix before disclosure
6. Release Process
Section titled “6. Release Process”6.1 Versioning
Section titled “6.1 Versioning”We use Semantic Versioning:
- MAJOR: Breaking changes
- MINOR: New features (backward compatible)
- PATCH: Bug fixes (backward compatible)
6.2 Release Checklist
Section titled “6.2 Release Checklist”- Update version in code
- Update CHANGELOG.md
- Run full test suite
- Create annotated tag:
git tag -a v1.0.0 -m "Release v1.0.0" - Push tag:
git push origin v1.0.0 - GitHub Actions builds and releases
7. Dependency Management
Section titled “7. Dependency Management”7.1 Dependabot
Section titled “7.1 Dependabot”Dependabot keeps dependencies up to date automatically.
- Go modules: Weekly scan of
go.mod - GitHub Actions: Weekly scan of workflows
- PRs labeled
dependencies+goorci
7.2 Manual Updates
Section titled “7.2 Manual Updates”go get -u ./...go mod tidy8. Code of Conduct
Section titled “8. Code of Conduct”Expected Behavior
Section titled “Expected Behavior”- Be respectful and inclusive
- Accept constructive criticism
- Focus on what is best for the community
- Show empathy towards others
Unacceptable Behavior
Section titled “Unacceptable Behavior”- Harassment or discrimination
- Trolling or personal attacks
- Publishing others’ private information
- Other unprofessional conduct
9. Contributing
Section titled “9. Contributing”Contributions are welcome.
By contributing to this project, you agree to the Contributor License Agreement (CLA). See CLA.md.
10. License
Section titled “10. License”By contributing, you agree that your contributions will be licensed under the Apache License 2.0.
11. References
Section titled “11. References”12. AI-Assisted Development
Section titled “12. AI-Assisted Development”This project uses AI-assisted development. See AI_USAGE.md for details on how AI tools are used in this project.
13. See Also
Section titled “13. See Also”- Testing - Testing strategy
- Interoperability - Cross-validation matrix
- CA - CA operations
- Credentials - Credential management
- CLI Reference - Command reference
- Architecture - System design