From dbe8d4b62e1e65d903e11fdc6c99e299a27071c7 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Tue, 12 Oct 2021 21:13:03 +0200 Subject: [PATCH 1/2] ca-certificates: Migrate from DST_X3 to ISRG_X1 Related: OS#5259 Change-Id: I8112e5ba3651ab537a87df5e92cfbc4214d54ab3 --- .../ca-certificates/ca-cacert-rootcert.bb | 8 ++--- .../ca-certificates/files/DST_Root_CA_X3.pem | 20 ------------ .../ca-certificates/files/ISRG_Root_X1.pem | 31 +++++++++++++++++++ 3 files changed, 35 insertions(+), 24 deletions(-) delete mode 100644 recipes-extra/ca-certificates/files/DST_Root_CA_X3.pem create mode 100644 recipes-extra/ca-certificates/files/ISRG_Root_X1.pem diff --git a/recipes-extra/ca-certificates/ca-cacert-rootcert.bb b/recipes-extra/ca-certificates/ca-cacert-rootcert.bb index 9ddf95c..8ef59f0 100644 --- a/recipes-extra/ca-certificates/ca-cacert-rootcert.bb +++ b/recipes-extra/ca-certificates/ca-cacert-rootcert.bb @@ -3,15 +3,15 @@ HOMEPAGE = "http://www.cacert.org/index.php?id=3" SECTION = "misc" LICENSE = "RDL-COD14" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -PR = "r6" +PR = "r7" -SRC_URI = "file://root.crt file://class3.crt file://DST_Root_CA_X3.pem" +SRC_URI = "file://root.crt file://class3.crt file://ISRG_Root_X1.pem" do_install() { install -d ${D}${libdir}/ssl/certs install -m 0644 ${WORKDIR}/root.crt ${D}${libdir}/ssl/certs/cacert.org.pem cat ${WORKDIR}/class3.crt >> ${D}${libdir}/ssl/certs/cacert.org.pem - install -m 0644 ${WORKDIR}/DST_Root_CA_X3.pem ${D}${libdir}/ssl/certs/ + install -m 0644 ${WORKDIR}/ISRG_Root_X1.pem ${D}${libdir}/ssl/certs/ # Create hash symlinks cd ${D}${libdir}/ssl/certs @@ -19,7 +19,7 @@ do_install() { ln -s cacert.org.pem 5ed36f99.0 ln -s cacert.org.pem 99d0fa06.0 - ln -s DST_Root_CA_X3.pem 2e5ac55d.0 + ln -s ISRG_Root_X1.pem 4042bcee.0 } FILES_${PN} = "${libdir}/ssl/certs/*" diff --git a/recipes-extra/ca-certificates/files/DST_Root_CA_X3.pem b/recipes-extra/ca-certificates/files/DST_Root_CA_X3.pem deleted file mode 100644 index b2e43c9..0000000 --- a/recipes-extra/ca-certificates/files/DST_Root_CA_X3.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ ------END CERTIFICATE----- diff --git a/recipes-extra/ca-certificates/files/ISRG_Root_X1.pem b/recipes-extra/ca-certificates/files/ISRG_Root_X1.pem new file mode 100644 index 0000000..b85c803 --- /dev/null +++ b/recipes-extra/ca-certificates/files/ISRG_Root_X1.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- -- 2.40.1 From cbc0de86f401cbc9c65450f20a9c5f122525c095 Mon Sep 17 00:00:00 2001 From: Oliver Smith Date: Fri, 5 Nov 2021 12:38:39 +0100 Subject: [PATCH 2/2] ca-certificates: upgrade to 20211016 Import latest version from openembedded-core.git, which has the expired "DST Root CA X3" removed. Fixes: OS#5259 Related: https://salsa.debian.org/debian/ca-certificates/-/commit/5b83fd984706ea03101dbb011846e60364c3a149 Related: https://github.com/openembedded/openembedded-core/commit/9c351e7a0b6e4e1cc58e3855d8b711d64764a7e3 Related: https://github.com/openembedded/openembedded-core/tree/hardknott/meta/recipes-support/ca-certificates/ca-certificates --- ...ertdata2pem.py-print-a-warning-for-e.patch | 80 +++++++++++++++++ ...icates-don-t-use-Debianisms-in-run-p.patch | 34 +++++++ ...date-ca-certificates-remove-c-rehash.patch | 45 ---------- ...2-update-ca-certificates-use-SYSROOT.patch | 46 ++++++++++ ...icates-use-relative-symlinks-from-ET.patch | 71 +++++++++++++++ .../ca-certificates/default-sysroot.patch | 50 +++++++++++ .../ca-certificates_20120623.bb | 46 ---------- .../ca-certificates_20211016.bb | 89 +++++++++++++++++++ 8 files changed, 370 insertions(+), 91 deletions(-) create mode 100644 recipes-extra/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch create mode 100644 recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch delete mode 100644 recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch create mode 100644 recipes-extra/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch create mode 100644 recipes-extra/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch create mode 100644 recipes-extra/ca-certificates/ca-certificates/default-sysroot.patch delete mode 100644 recipes-extra/ca-certificates/ca-certificates_20120623.bb create mode 100644 recipes-extra/ca-certificates/ca-certificates_20211016.bb diff --git a/recipes-extra/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/recipes-extra/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch new file mode 100644 index 0000000..5c4a32f --- /dev/null +++ b/recipes-extra/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -0,0 +1,80 @@ +From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Mon, 18 Oct 2021 12:05:49 +0200 +Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired + certificates." + +This avoids a dependency on python3-cryptography, and only checks +for expired certs (which is upstream concern, but not ours). + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin +--- + debian/changelog | 1 - + debian/control | 2 +- + mozilla/certdata2pem.py | 11 ----------- + 3 files changed, 1 insertion(+), 13 deletions(-) + +diff --git a/debian/changelog b/debian/changelog +index 531e4d0..4006509 100644 +--- a/debian/changelog ++++ b/debian/changelog +@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low + - "Trustis FPS Root CA" + - "Staat der Nederlanden Root CA - G3" + * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) +- * mozilla/certdata2pem.py: print a warning for expired certificates. + + -- Julien Cristau Thu, 07 Oct 2021 17:12:47 +0200 + +diff --git a/debian/control b/debian/control +index 4434b7a..5c6ba24 100644 +--- a/debian/control ++++ b/debian/control +@@ -3,7 +3,7 @@ Section: misc + Priority: optional + Maintainer: Julien Cristau + Build-Depends: debhelper-compat (= 13), po-debconf +-Build-Depends-Indep: python3, openssl, python3-cryptography ++Build-Depends-Indep: python3, openssl + Standards-Version: 4.5.0.2 + Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git + Vcs-Browser: https://salsa.debian.org/debian/ca-certificates +diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py +index ede23d4..7d796f1 100644 +--- a/mozilla/certdata2pem.py ++++ b/mozilla/certdata2pem.py +@@ -21,16 +21,12 @@ + # USA. + + import base64 +-import datetime + import os.path + import re + import sys + import textwrap + import io + +-from cryptography import x509 +- +- + objects = [] + + # Dirty file parser. +@@ -121,13 +117,6 @@ for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue +- +- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) +- if cert.not_valid_after < datetime.datetime.now(): +- print('!'*74) +- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) +- print('!'*74) +- + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ +-- +2.20.1 + diff --git a/recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch new file mode 100644 index 0000000..4a8ae5f --- /dev/null +++ b/recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch @@ -0,0 +1,34 @@ +ca-certificates is a package from Debian, but some host distros such as Fedora +have a leaner run-parts provided by cron which doesn't support --verbose or the + -- separator between arguments and paths. + +This solves errors such as + +| Running hooks in [...]/rootfs/etc/ca-certificates/update.d... +| [...]/usr/sbin/update-ca-certificates: line 194: Not: command not found +| [...]/usr/sbin/update-ca-certificates: line 230: Not a directory: --: command not found +| E: Not a directory: -- exited with code 127. + + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton +Signed-off-by: Maciej Borzecki +--- + sbin/update-ca-certificates | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +Index: git/sbin/update-ca-certificates +=================================================================== +--- git.orig/sbin/update-ca-certificates ++++ git/sbin/update-ca-certificates +@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ] + then + + echo "Running hooks in $HOOKSDIR..." +- VERBOSE_ARG= +- [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose" +- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook ++ eval run-parts --test "$HOOKSDIR" | while read hook + do + ( cat "$ADDED" + cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?." diff --git a/recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch b/recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch deleted file mode 100644 index ccb0efc..0000000 --- a/recipes-extra/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 111e905fe931da1a3800accfc675cc01c8ee080c Mon Sep 17 00:00:00 2001 -From: Ulf Samuelsson -Date: Tue, 28 Feb 2012 06:42:58 +0100 -Subject: [PATCH] update-ca-certificates: remove c rehash - -Updated earlier patch to apply clean on 2012-02-12 -Signed-off-by: Ulf Samuelsson ---- - sbin/update-ca-certificates | 20 ++++++++++---------- - 1 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 5375950..c567e3d 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -132,16 +132,16 @@ rm -f "$CERTBUNDLE" - ADDED_CNT=$(wc -l < "$ADDED") - REMOVED_CNT=$(wc -l < "$REMOVED") - --if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ] --then -- # only run if set of files has changed -- if [ "$verbose" = 0 ] -- then -- c_rehash . > /dev/null -- else -- c_rehash . -- fi --fi -+#if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ] -+#then -+# # only run if set of files has changed -+# if [ "$verbose" = 0 ] -+# then -+# c_rehash . > /dev/null -+# else -+# c_rehash . -+# fi -+#fi - - chmod 0644 "$TEMPBUNDLE" - mv -f "$TEMPBUNDLE" "$CERTBUNDLE" --- -1.7.4.1 - diff --git a/recipes-extra/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch b/recipes-extra/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch new file mode 100644 index 0000000..792b403 --- /dev/null +++ b/recipes-extra/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch @@ -0,0 +1,46 @@ +Upstream-Status: Pending + +From 724cb153ca0f607fb38b3a8db3ebb2742601cd81 Mon Sep 17 00:00:00 2001 +From: Andreas Oberritter +Date: Tue, 19 Mar 2013 17:14:33 +0100 +Subject: [PATCH 2/2] update-ca-certificates: use $SYSROOT + +Signed-off-by: Andreas Oberritter +--- + sbin/update-ca-certificates | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +Index: git/sbin/update-ca-certificates +=================================================================== +--- git.orig/sbin/update-ca-certificates ++++ git/sbin/update-ca-certificates +@@ -24,12 +24,12 @@ + verbose=0 + fresh=0 + default=0 +-CERTSCONF=/etc/ca-certificates.conf +-CERTSDIR=/usr/share/ca-certificates +-LOCALCERTSDIR=/usr/local/share/ca-certificates ++CERTSCONF=$SYSROOT/etc/ca-certificates.conf ++CERTSDIR=$SYSROOT/usr/share/ca-certificates ++LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates + CERTBUNDLE=ca-certificates.crt +-ETCCERTSDIR=/etc/ssl/certs +-HOOKSDIR=/etc/ca-certificates/update.d ++ETCCERTSDIR=$SYSROOT/etc/ssl/certs ++HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d + + while [ $# -gt 0 ]; + do +@@ -92,9 +92,9 @@ add() { + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ + -e 's/[()]/=/g' \ + -e 's/,/_/g').pem" +- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ] ++ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ] + then +- ln -sf "$CERT" "$PEM" ++ ln -sf "${CERT##$SYSROOT}" "$PEM" + echo "+$PEM" >> "$ADDED" + fi + # Add trailing newline to certificate, if it is missing (#635570) diff --git a/recipes-extra/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/recipes-extra/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch new file mode 100644 index 0000000..4bd967f --- /dev/null +++ b/recipes-extra/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch @@ -0,0 +1,71 @@ +From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Draszik?= +Date: Wed, 28 Mar 2018 16:45:05 +0100 +Subject: [PATCH] update-ca-certificates: use relative symlinks from + $ETCCERTSDIR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +update-ca-certificates symlinks (trusted) certificates +from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR. +update-ca-certificates can call hook scripts installed +into /etc/ca-certificates/update.d. Those scripts are +passed the pem file in /etc/ssl/certs/ that was added or +removed in this run and those pem files are absolute +symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment. + +When running update-ca-certificates during image build +time, they thusly all point into the host's file system, +not into the $SYSROOT. This means: +* the host's file system layout must match the one + produced by OE, and +* it also means that the host must have installed the same + (or more) certificates as the target in $CERTSDIR and + $LOCALCERTSDIR + +This is a problem when wanting to execute hook scripts, +because they all need to be taught about $SYSROOT, and +behave differently depending on whether they're called +at image build time, or on the target, as otherwise they +will be trying to actually read the host's certificates +from $CERTSDIR or $LOCALCERTSDIR. + +This also is a problem when running anything else during +image build time that depends on the trusted CA +certificates. + +Changing the symlink to be relative solves all of these +problems. Do so. + +Upstream-Status: Inappropriate [OE-specific] +Signed-off-by: André Draszik +--- + sbin/update-ca-certificates | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates +index 00f80c7..7e911a9 100755 +--- a/sbin/update-ca-certificates ++++ b/sbin/update-ca-certificates +@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates + LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates + CERTBUNDLE=ca-certificates.crt + ETCCERTSDIR=$SYSROOT/etc/ssl/certs ++FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system + HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d + + while [ $# -gt 0 ]; +@@ -125,9 +126,10 @@ add() { + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ + -e 's/[()]/=/g' \ + -e 's/,/_/g').pem" +- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ] ++ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )" ++ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ] + then +- ln -sf "${CERT##$SYSROOT}" "$PEM" ++ ln -sf "${DST}" "$PEM" + echo "+$PEM" >> "$ADDED" + fi + # Add trailing newline to certificate, if it is missing (#635570) diff --git a/recipes-extra/ca-certificates/ca-certificates/default-sysroot.patch b/recipes-extra/ca-certificates/ca-certificates/default-sysroot.patch new file mode 100644 index 0000000..f8b0791 --- /dev/null +++ b/recipes-extra/ca-certificates/ca-certificates/default-sysroot.patch @@ -0,0 +1,50 @@ +Upstream-Status: Pending + +update-ca-certificates: find SYSROOT relative to its own location + +This makes the script relocatable. + +Index: git/sbin/update-ca-certificates +=================================================================== +--- git.orig/sbin/update-ca-certificates ++++ git/sbin/update-ca-certificates +@@ -66,6 +66,39 @@ do + shift + done + ++if [ -z "$SYSROOT" ]; then ++ local_which () { ++ if [ $# -lt 1 ]; then ++ return 1 ++ fi ++ ++ ( ++ IFS=: ++ for entry in $PATH; do ++ if [ -x "$entry/$1" ]; then ++ echo "$entry/$1" ++ exit 0 ++ fi ++ done ++ exit 1 ++ ) ++ } ++ ++ case "$0" in ++ */*) ++ sbindir=$(cd ${0%/*} && pwd) ++ ;; ++ *) ++ sbindir=$(cd $(dirname $(local_which $0)) && pwd) ++ ;; ++ esac ++ prefix=${sbindir%/*} ++ SYSROOT=${prefix%/*} ++ if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then ++ SYSROOT= ++ fi ++fi ++ + if [ ! -s "$CERTSCONF" ] + then + fresh=1 diff --git a/recipes-extra/ca-certificates/ca-certificates_20120623.bb b/recipes-extra/ca-certificates/ca-certificates_20120623.bb deleted file mode 100644 index 9c585f1..0000000 --- a/recipes-extra/ca-certificates/ca-certificates_20120623.bb +++ /dev/null @@ -1,46 +0,0 @@ -DESCRIPTION = "Common CA certificates" -HOMEPAGE = "http://packages.debian.org/sid/ca-certificates" -SECTION = "misc" -LICENSE = "GPLv2+" -LIC_FILES_CHKSUM = "file://debian/copyright;md5=6135800ff6d893c7904d7aad90972eb5" - -SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates_${PV}.tar.gz \ - file://0001-update-ca-certificates-remove-c-rehash.patch" - -SRC_URI[md5sum] = "5105d4cc086f0d4ecf7bf2e4c4667289" -SRC_URI[sha256sum] = "878cd1130ba056fe5f96decde7e5fc1b71d35eb8565a1515744912e100731ee9" - -inherit allarch - -do_install_prepend() { - mkdir -p ${D}/usr/share/ca-certificates - mkdir -p ${D}/usr/sbin - mkdir -p ${D}/etc/ssl/certs - mkdir -p ${D}/etc/ca-certificates/update.d - - oe_runmake 'DESTDIR=${D}' install -} - -do_install_append() { - cd ${D}/usr/share/ca-certificates - echo "# Lines starting with # will be ignored" > ${D}/etc/ca-certificates.conf - echo "# Lines starting with ! will remove certificate on next update" >> ${D}/etc/ca-certificates.conf - echo "#" >> ${D}/etc/ca-certificates.conf - for crt in $(find . -type f -name '*.crt' -print) - do - crt=$(echo $crt | sed -e 's/\.\///') - echo $crt >> ${D}/etc/ca-certificates.conf - done -} - -pkg_postinst_${PN} () { -if [ -n "$D" ] ; then - exit 1 -fi - -${sbindir}/update-ca-certificates -} - -CONFFILES_${PN} = "/etc/ca-certificates.conf" - -DEFAULT_PREFERENCE = "-1" diff --git a/recipes-extra/ca-certificates/ca-certificates_20211016.bb b/recipes-extra/ca-certificates/ca-certificates_20211016.bb new file mode 100644 index 0000000..214bad4 --- /dev/null +++ b/recipes-extra/ca-certificates/ca-certificates_20211016.bb @@ -0,0 +1,89 @@ +SUMMARY = "Common CA certificates" +DESCRIPTION = "This package includes PEM files of CA certificates to allow \ +SSL-based applications to check for the authenticity of SSL connections. \ +This derived from Debian's CA Certificates." +HOMEPAGE = "http://packages.debian.org/sid/ca-certificates" +SECTION = "misc" +LICENSE = "GPL-2.0+ & MPL-2.0" +LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e" + +# This is needed to ensure we can run the postinst at image creation time +DEPENDS = "" +DEPENDS_class-native = "openssl-native" +DEPENDS_class-nativesdk = "openssl-native" +# Need rehash from openssl and run-parts from debianutils +PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" + +SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8" + +SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ + file://0002-update-ca-certificates-use-SYSROOT.patch \ + file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ + file://default-sysroot.patch \ + file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ + file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ + " +UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+)" + +S = "${WORKDIR}/git" + +inherit allarch + +EXTRA_OEMAKE = "\ + 'CERTSDIR=${datadir}/ca-certificates' \ + 'SBINDIR=${sbindir}' \ +" + +do_compile_prepend() { + oe_runmake clean +} + +do_install () { + install -d ${D}${datadir}/ca-certificates \ + ${D}${sysconfdir}/ssl/certs \ + ${D}${sysconfdir}/ca-certificates/update.d + oe_runmake 'DESTDIR=${D}' install + + install -d ${D}${mandir}/man8 + install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/ + + install -d ${D}${sysconfdir} + { + echo "# Lines starting with # will be ignored" + echo "# Lines starting with ! will remove certificate on next update" + echo "#" + find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \ + sed 's,^${D}${datadir}/ca-certificates/,,' | sort + } >${D}${sysconfdir}/ca-certificates.conf +} + +do_install_append_class-target () { + sed -i -e 's,/etc/,${sysconfdir}/,' \ + -e 's,/usr/share/,${datadir}/,' \ + -e 's,/usr/local,${prefix}/local,' \ + ${D}${sbindir}/update-ca-certificates \ + ${D}${mandir}/man8/update-ca-certificates.8 +} + +pkg_postinst_${PN}_class-target () { + SYSROOT="$D" $D${sbindir}/update-ca-certificates +} + +CONFFILES_${PN} += "${sysconfdir}/ca-certificates.conf" + +# Rather than make a postinst script that works for both target and nativesdk, +# we just run update-ca-certificate from do_install() for nativesdk. +CONFFILES_${PN}_append_class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt" +do_install_append_class-nativesdk () { + SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates +} + +do_install_append_class-native () { + SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates +} + +RDEPENDS_${PN}_append_class-target = " openssl-bin openssl" +RDEPENDS_${PN}_append_class-native = " openssl-native" +RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" + +BBCLASSEXTEND = "native nativesdk" -- 2.40.1