[OE-core] [PATCH] ca-certificates: Fix symlinks to the certificates in nativesdk

Serhii Popovych spopovyc at cisco.com
Thu Apr 6 13:34:17 UTC 2017


Ping.

Any further comments on this change?

I covered at least one additional use case not covered by
the generic symlink-relative.py call at the post stage:

It is buildtools-tarball, where one may add ca-certificates to use with
curl.

The change is simple: we create relative symlinks in update-ca-certificates
to ensure we always point to the right data in the SDK/buildtools-tarball.

Thanks,
Serhii

> Symlinks to certificates in buildtools-tarball at /etc/ssl/certs
> are installed with absolute paths, making these symlinks point
> outside of the toolchain to host system locations.
> 
> These locations may not contain some certificates (thus the link to
> the certificate in the toolchain is broken), or the host system
> certificate may be revoked by CRL or outdated.
> 
> Since this change seems non-intrusive for the target package, apply
> the patch for all builds.
> 
> Cc: XE-Linux <xe-linux-external at cisco.com>
> Signed-off-by: Serhii Popovych <spopovyc at cisco.com>
> ---
>  ...ertificates-Use-relative-paths-when-linki.patch | 38 ++++++++++++++++++++++
>  .../ca-certificates/ca-certificates_20161130.bb    |  1 +
>  2 files changed, 39 insertions(+)
>  create mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch
> 
> diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch
> new file mode 100644
> index 0000000..8666e30
> --- /dev/null
> +++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch
> @@ -0,0 +1,38 @@
> +From 912e7be8e7151bd4a2feed6d34f927d42b12bb7e Mon Sep 17 00:00:00 2001
> +From: Serhii Popovych <spopovyc at cisco.com>
> +Date: Wed, 16 Dec 2015 16:48:03 +0200
> +Subject: [PATCH] update-ca-certificates: Use relative paths when linking certs
> +
> +Creating links in $ETCCERTSDIR (/etc/ssl/certs) with absolute
> +path could broke paths to the certificates in toolchains by
> +pointing to the outside of toolchain root directory. These
> +absolute paths may not exist in the host system or contain
> +certificates older than provided within toolchain.
> +
> +Use absolute pathes when creating symbolic links to the
> +certificates to ensure we always pointing to the toolchain
> +provied certificates.
> +
> +Upstream-Status: Pending
> +
> +Signed-off-by: Serhii Popovych <spopovyc at cisco.com>
> +---
> + sbin/update-ca-certificates | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
> +index 3a5ffd3..cb3c1f1 100755
> +--- a/sbin/update-ca-certificates
> ++++ b/sbin/update-ca-certificates
> +@@ -94,7 +94,7 @@ add() {
> +                                                   -e 's/,/_/g').pem"
> +   if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
> +   then
> +-    ln -sf "${CERT##$SYSROOT}" "$PEM"
> ++    ln -sf "$(echo "${ETCCERTSDIR##$SYSROOT}" | sed -e 's/\/[^/]\+/..\//g')${CERT##$SYSROOT/}" "$PEM"
> +     echo "+$PEM" >> "$ADDED"
> +   fi
> +   # Add trailing newline to certificate, if it is missing (#635570)
> +-- 
> +2.3.0
> +
> diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb b/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb
> index 42088b9..e6e17de 100644
> --- a/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb
> +++ b/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb
> @@ -17,6 +17,7 @@ SRCREV = "61b70a1007dc269d56881a0d480fc841daacc77c"
>  
>  SRC_URI = "git://anonscm.debian.org/collab-maint/ca-certificates.git \
>             file://0002-update-ca-certificates-use-SYSROOT.patch \
> +           file://0003-update-ca-certificates-Use-relative-paths-when-linki.patch \
>             file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
>             file://update-ca-certificates-support-Toybox.patch \
>             file://default-sysroot.patch \
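Review bot: The new 0003 entry is inserted between 0002 and 0001 in SRC_URI, so the numeric prefixes no longer match the order in which the patches are applied. Since 0003 rewrites a line that uses $SYSROOT, it presumably has to follow 0002-update-ca-certificates-use-SYSROOT.patch; consider saying in the commit message why it goes here rather than at the end of the list, or appending it after default-sysroot.patch if it applies cleanly there.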
> 
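A check for the failure the commit message describes, as an added example that is not part of the patch or of OE-core: a shell function that reports certificate symlinks in a relocatable tree whose targets are absolute, dangling, or resolve outside the tree. The function name `audit_cert_links` and the default directory `etc/ssl/certs` under the given root are assumptions, and it relies on `readlink -f` as provided by GNU coreutils or BusyBox.

```shell
#!/bin/sh
# audit_cert_links ROOT [CERTSDIR]
# Prints one line per offending symlink in ROOT/CERTSDIR and returns 1 if
# any link is absolute, dangling, or resolves outside ROOT; 0 if all are
# contained; 2 if ROOT cannot be entered.
audit_cert_links() {
    # Physical path of the tree, so it compares cleanly with readlink -f.
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dir="$root/${2:-etc/ssl/certs}"
    bad=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            /*)
                # An absolute target is looked up on the host once the
                # tree is installed somewhere other than "/".
                echo "absolute: $link -> $target"
                bad=1
                continue
                ;;
        esac
        # Relative target: resolve it fully and require it to stay in ROOT.
        resolved=$(readlink -f "$link" 2>/dev/null) || resolved=
        case "$resolved" in
            "")
                echo "dangling: $link -> $target"
                bad=1
                ;;
            "$root"/*)
                if [ ! -e "$resolved" ]; then
                    echo "dangling: $link -> $target"
                    bad=1
                fi
                ;;
            *)
                echo "escapes: $link -> $resolved"
                bad=1
                ;;
        esac
    done
    return $bad
}
```

Run it against an unpacked SDK or buildtools-tarball root, for example `audit_cert_links /path/to/sdk/sysroot`; no output and exit status 0 means every link stays inside the tree.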