From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
Date: Wed, 28 Mar 2018 16:45:05 +0100
Subject: [PATCH] update-ca-certificates: use relative symlinks from
$ETCCERTSDIR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
update-ca-certificates symlinks (trusted) certificates
from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
update-ca-certificates can call hook scripts installed
into /etc/ca-certificates/update.d. Those scripts are
passed the pem file in /etc/ssl/certs/ that was added or
removed in this run and those pem files are absolute
symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
When running update-ca-certificates during image build
time, they thusly all point into the host's file system,
not into the $SYSROOT. This means:
* the host's file system layout must match the one
produced by OE, and
* it also means that the host must have installed the same
(or more) certificates as the target in $CERTSDIR and
$LOCALCERTSDIR
This is a problem when wanting to execute hook scripts,
because they all need to be taught about $SYSROOT, and
behave differently depending on whether they're called
at image build time, or on the target, as otherwise they
will be trying to actually read the host's certificates
from $CERTSDIR or $LOCALCERTSDIR.
This also is a problem when running anything else during
image build time that depends on the trusted CA
certificates.
Changing the symlink to be relative solves all of these
problems. Do so.
Upstream-Status: Inappropriate [OE-specific]
Signed-off-by: André Draszik <andre.draszik@jci.com>
---
sbin/update-ca-certificates | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index 00f80c7..7e911a9 100755
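--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
 LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
 CERTBUNDLE=ca-certificates.crt
 ETCCERTSDIR=$SYSROOT/etc/ssl/certs
+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
 HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
 
 while [ $# -gt 0 ];
@@ -125,9 +126,10 @@ add() {
 PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
 -e 's/[()]/=/g' \
 -e 's/,/_/g').pem"
- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
+ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
 then
- ln -sf "${CERT##$SYSROOT}" "$PEM"
+ ln -sf "${DST}" "$PEM"
 echo "+$PEM" >> "$ADDED"
 fi
 # Add trailing newline to certificate, if it is missing (#635570)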
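Review bot: The new `DST=` line in `add()` passes `${CERT}` to `echo` unquoted and interpolates `$SYSROOT` into a sed pattern, so a certificate path with runs of whitespace or glob characters, or a sysroot path containing `|` or regex metacharacters, can produce a link target that differs from the real file. These links define the trust store, so a wrong target means a dangling link (the CA is silently dropped from the store) or a link that resolves somewhere unintended. A plain parameter expansion avoids both the word splitting and the pattern interpretation, for example `DST="$FSROOT${CERT#"$SYSROOT"/}"`. Separately, `FSROOT=../../../` is only correct while `$ETCCERTSDIR` sits exactly three levels below the root; if the option loop starting at `while [ $# -gt 0 ]` (not visible here) can override that directory, the depth should be derived from it or the coupling stated in the comment. The body of `add()` starts and ends outside the hunk.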