From 6751326e804fff2f01f49f128456c7a8a5a184a5 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 12 Jun 2015 18:59:10 -0700
Subject: [PATCH 1/2] ca-certificates: match /usr/share/ca-certificates to /etc/ssl/certs

It is a common pattern to bind mount /etc/ssl/certs from the host system into a container. This doesn't work on CoreOS because /etc/ssl/certs is just a pile of symlinks to /usr. If the applications in the container use Go then binding /usr/share/ca-certificates to /etc/ssl/certs does happen to work because Go only needs ca-certificates.crt which is in that top level directory. This however does not work for OpenSSL applications because it needs a whole directory of hashed certificates.

To fix this change two things:
- Remove the `mozilla` directory left over from when certs came from multiple sources. Install certs in ca-certificates directory instead.
- Include the OpenSSL hash symlinks in ca-certificates.
---
 ....ebuild => ca-certificates-3.16-r3.ebuild} | 60 +++++++++++++------
 1 file changed, 43 insertions(+), 17 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.16-r2.ebuild => ca-certificates-3.16-r3.ebuild} (55%)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
similarity index 55%
rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
index 064bac08a7..0f70a006f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
@@ -26,40 +26,62 @@ RDEPEND="dev-libs/openssl
 DEPEND="${RDEPEND} ${PYTHON_DEPS}"
-sym_to_usr() {
- local l="/etc/ssl/certs/${1##*/}"
- local p="../../../usr/share/${PN}/${1}"
- echo "L ${l} - - - - ${p}"
+pkg_setup() {
+ python-any-r1_pkg_setup
+
+ # Deal with the case where older ca-certificates installed a
+ # dir here, but newer one installs symlinks. Portage will
+ # barf when you try to transition file types.
+ # This trick is stolen from sys-libs/timezone-data
+ if cd "${EROOT}"/usr/share/${PN} 2>/dev/null ; then
+ # In case of a failed upgrade, clean up the symlinks #506570
+ if [ -L .gentoo-upgrade ] ; then
+ rm -rf mozilla .gentoo-upgrade
+ fi
+ if [ -d mozilla ] ; then
+ rm -rf .gentoo-upgrade #487192
+ mv mozilla .gentoo-upgrade || die
+ ln -s .gentoo-upgrade mozilla || die
+ fi
+ fi
+}
+
+gen_hash_links() {
+ local certfile certhash
+ for certfile in "$@"; do
+ certhash=$(openssl x509 -hash -noout -in "${certfile}") || die
+ # This assumes the hashes have no collisions
+ ln -s "${certfile}" "${certhash}.0" || die
+ done
 }
 gen_tmpfiles() {
 local certfile
 echo "d /etc/ssl - - - - -"
 echo "d /etc/ssl/certs - - - - -"
- sym_to_usr ca-certificates.crt
 for certfile in "$@"; do
- sym_to_usr "${certfile}"
- done
- for certfile in "$@"; do
- local certhash=$(openssl x509 -hash -noout -in "${certfile}")
- # This assumes the hashes have no collisions
- local l="/etc/ssl/certs/${certhash}.0"
- local p="${certfile##*/}"
+ local l="/etc/ssl/certs/${certfile}"
+ local p="../../../usr/share/${PN}/${certfile}"
 echo "L ${l} - - - - ${p}"
 done
 }
 src_compile() {
 local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
- ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
- cat mozilla/*.pem > ca-certificates.crt || die
- gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+ ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die
+
+ cd certs || die
+ gen_hash_links *.pem
+ cat *.pem > ca-certificates.crt || die
+ gen_tmpfiles * > "${S}/${PN}.conf" || die
 }
 src_install() {
 insinto /usr/share/${PN}
- doins ca-certificates.crt
- doins -r mozilla
+ doins certs/*
+
+ # for compatibility with older directory structure
+ dosym . /usr/share/${PN}/mozilla
 dosbin "${FILESDIR}/update-ca-certificates"
 systemd_dounit "${FILESDIR}/clean-ca-certificates.service"
@@ -72,3 +94,7 @@ src_install() {
 dodir /etc/ssl/certs
 systemd-tmpfiles --root="${D}" --create
 }
+
+pkg_postinst() {
+ rm -rf "${EROOT}"/usr/share/${PN}/.gentoo-upgrade
+}
From b1823db1455f0884ca535702b0a7558e39ba6140 Mon Sep 17 00:00:00 2001
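Review bot: gen_hash_links aborts the build on the first OpenSSL subject-hash collision, because `ln -s "${certfile}" "${certhash}.0" || die` fails with "File exists" when two bundled roots share a hash, whereas OpenSSL's hash-directory lookup (and c_rehash) expect colliding certificates to be stored as `<hash>.1`, `<hash>.2`, and so on. The NSS bundle is not guaranteed to be collision-free, so a later certdata update could break src_compile here rather than anywhere visible upstream. Probing for the next free suffix before linking removes that failure mode, and since gen_tmpfiles is fed `*` from the certs directory the additional links are carried into /etc/ssl/certs without further changes. Separately, `openssl x509 -hash` emits the newer subject-hash form on OpenSSL 1.0.0 and later; if the bind-mount scenario in the commit message is meant to serve containers built against older OpenSSL, those would look for the `-subject_hash_old` names, which is worth a comment on gen_hash_links at minimum.

```shell
gen_hash_links() {
	local certfile certhash n
	for certfile in "$@"; do
		certhash=$(openssl x509 -hash -noout -in "${certfile}") || die
		# OpenSSL probes <hash>.0, <hash>.1, ... so a colliding subject
		# hash takes the next free suffix instead of aborting the build
		n=0
		while [ -e "${certhash}.${n}" ]; do
			n=$((n + 1))
		done
		ln -s "${certfile}" "${certhash}.${n}" || die
	done
}
```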
From: Michael Marineau
Date: Fri, 12 Jun 2015 19:33:38 -0700
Subject: [PATCH 2/2] ca-certificates: update to NSS 3.19.1

The following have been removed:
- America_Online_Root_Certification_Authority_1.pem
- America_Online_Root_Certification_Authority_2.pem
- E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem
- Entrust.net_Secure_Server_CA.pem
- GTE_CyberTrust_Global_Root.pem
- RSA_Root_Certificate_1.pem
- TDC_Internet_Root_CA.pem
- Thawte_Premium_Server_CA.pem
- Thawte_Server_CA.pem
- ValiCert_Class_1_VA.pem
- ValiCert_Class_2_VA.pem

The following have been added:
- CFCA_EV_ROOT.pem
- COMODO_RSA_Certification_Authority.pem
- DigiCert_Assured_ID_Root_G2.pem
- DigiCert_Assured_ID_Root_G3.pem
- DigiCert_Global_Root_G2.pem
- DigiCert_Global_Root_G3.pem
- DigiCert_Trusted_Root_G4.pem
- Entrust_Root_Certification_Authority_-_EC1.pem
- Entrust_Root_Certification_Authority_-_G2.pem
- GlobalSign_ECC_Root_CA_-_R4.pem
- GlobalSign_ECC_Root_CA_-_R5.pem
- IdenTrust_Commercial_Root_CA_1.pem
- IdenTrust_Public_Sector_Root_CA_1.pem
- QuoVadis_Root_CA_1_G3.pem
- QuoVadis_Root_CA_2_G3.pem
- QuoVadis_Root_CA_3_G3.pem
- Staat_der_Nederlanden_EV_Root_CA.pem
- Staat_der_Nederlanden_Root_CA_-_G3.pem
- S-TRUST_Universal_Root_CA.pem
- USERTrust_ECC_Certification_Authority.pem
- USERTrust_RSA_Certification_Authority.pem
- WoSign_China.pem
- WoSign.pem

For the upstream change log since the previous version (3.16) see: http://hg.mozilla.org/projects/nss/log/NSS_3_19_1_RTM/lib/ckfw/builtins/certdata.txt?revcount=9
---
 .../coreos-overlay/app-misc/ca-certificates/Manifest | 2 +-
 ...ertificates-3.16-r3.ebuild => ca-certificates-3.19.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.16-r3.ebuild => ca-certificates-3.19.1.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
index ab6b2d0876..be3aa68ad2 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@@ -1 +1 @@
-DIST nss-3.16.tar.gz 6378110 SHA256 2bb4faa200962caacf0454f1e870e74aa9a543809e5c440f7978bcce58e0bfe8 SHA512 e3dcde8213f7f131fe2f714ff2f45c6d7b9b2167e51dbf0e1a750cc4f83d9fa35e69408850de6600f55fbc9e26b29dc344548cb64849d6e3252476eadd7ee57f WHIRLPOOL d30b53ec36cacff9756b43780d904e32760cd5d0b75f1888b6fb80e0a87ce828f4e6189de63880ddce90bdf5d90123ff7e9fdf600f4df02ce59702898f08c11e
+DIST nss-3.19.1.tar.gz 6953537 SHA256 b7be709551ec13206d8e3e8c065b894fa981c11573115e9478fa051029c52fff SHA512 8938fff8d819f5a223f99b3ee55734b624609dd87d9035c3bb4ca22db707da709f43d6e56610860ff99e4d2271405ad0efb762ba3f6d9e6cd586415e31412107 WHIRLPOOL d5ba4abaa29c28c19f18314427c581b1356ab4edaeb818433000dd63281340de7db5cf98700c80d781cb26e6989b222113e927eb2e890592ae8691fe8dcb4eb9
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.19.1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.19.1.ebuild