ca-certificates: populate runtime configuration for pmcertificatemgr
To be able to use certificate storage with the pmcertificatemgr library there has to be a
specific configuration for it available below /var/ssl. With this a special upstart job
takes care of creating the needed configuration bits.

Open-webOS-DCO-1.0-Signed-off-by: Simon Busch <morphis@gravedo.de>
morphis authored and Keith Derrick committed Feb 3, 2013
1 parent 1f68996 commit 96726cd
Showing 2 changed files with 44 additions and 0 deletions.
25 changes: 25 additions & 0 deletions recipes-support/ca-certificates/ca-certificates/certstoreinit
@@ -0,0 +1,25 @@
description "Check for missing SSL configuration bits and create them if needed"

start on stopped finish

console output

script
if [ ! -d /var/ssl/trustedcerts ] ; then
mkdir -p /var/ssl/
# We're creating a symlink here to the real certificate storage as it's correctly
# updated on every package upgrade by the update-ca-certificates script.
ln -sf /etc/ssl/certs /var/ssl/trustedcerts
fi

if [ ! -f /var/ssl/serial ] ; then
mkdir -p /var/ssl/public
echo '01' > /var/ssl/serial
fi

if [ ! -f /var/ssl/index.txt ] ; then
mkdir -p /var/ssl/certs
mkdir -p /var/ssl/private
touch /var/ssl/index.txt
fi
end script
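
Review bot: "mkdir -p /var/ssl/private" in the third block creates the private-key directory with whatever umask the upstart job inherits, so depending on that umask it can end up readable and searchable by every user; give it an explicit mode, for example "mkdir -p -m 0700 /var/ssl/private", or follow it with a chmod. Separately, the second and third blocks key directory creation on an unrelated file: /var/ssl/public is created only when /var/ssl/serial is missing, and /var/ssl/certs and /var/ssl/private only when /var/ssl/index.txt is missing, so a directory that is deleted later is never recreated once its sentinel file exists. Testing each directory with its own "[ -d ... ]" check, as the first block does for trustedcerts, would make the job idempotent. A short comment saying what pmcertificatemgr expects from serial and index.txt would also help the next reader.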
19 changes: 19 additions & 0 deletions recipes-support/ca-certificates/ca-certificates_20120623.bbappend
@@ -0,0 +1,19 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
PRINC := "${@int(PRINC) + 1}"

# NOTE: we have to rewrite the SRC_URI here as we don't want the
# 0001-update-ca-certificates-remove-c-rehash.patch patch
SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/ca-certificates_${PV}.tar.gz \


lloydchang Feb 10, 2013

Hello @morphis @kdopen @susan-montooth @juhakurki-owo @kuta42

Regarding this line failing as of 2013-Feb-08, my recommendations are to:

  1. Short-term: Please change this line to use ca-certificates 20120623 from Ubuntu quantal release at
    ftp://archive.ubuntu.com/ubuntu/pool/main/c/ca-certificates/ca-certificates_20120623.tar.gz
    and described at http://packages.ubuntu.com/quantal/ca-certificates
  2. Long-term: Please consider migrating this package to ca-certificates 20130119 from Debian testing release at
    ftp://ftp.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20130119.tar.gz
    and described at http://packages.debian.org/source/testing/ca-certificates

Why: ca-certificates 20120623 is now obsolete in Debian testing release http://www.debian.org/releases/ and superseded by ca-certificates 20130119. Hence ftp://ftp.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20120623.tar.gz no longer exists as of 2013-Feb-08.

Here's my analysis: On 2013-Feb-04, Debian ca-certificates 20130119 migrated to testing per news at http://packages.qa.debian.org/c/ca-certificates.html. Meanwhile, Debian ftp-master team runs a tool periodically searching for packages to remove, and Debian ca-certificates 20120623 and 20130119 would fall into the case of "Source packages which have had all their binary packages taken over by another source packages ('obsolete source packages')." Subsequently as of 2013-Feb-08, ftp://ftp.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20120623.tar.gz no longer exists.


lloydchang Feb 10, 2013

Response from @morphis (copied from #51 (comment))

@lloydchang I am fine with changing this but it has to be done as a change to meta-oe as the base recipe is already pointing to the relevant source package in the Debian archive. I am just overriding the SRC_URI with the same content as the base recipe to skip a patch part of the SRC_URI.


lloydchang Feb 10, 2013

Hello @hrw @koenkooi @shr-project

@hrw authored and @koenkooi committed ca-certificates_20120623.bb in https://github.com/openembedded/meta-oe/commit/f2136b93ef102be38f9b5ab8c79ecd8f44ff35b3, and @shr-project committed SRC_URI line earlier in https://github.com/openembedded/meta-oe/commit/89500c583e0f1dc1b4ffdf72914e08e505e427e0 during an import from meta-shr.

What are your thoughts about my recommendations for meta-webos and @morphis' response? Would you kindly modify meta-oe to help resolve the issue of ca-certificates 20120623 becoming an obsolete source package in Debian testing?

I started a thread titled "ca-certificates 20120623 and DEBIAN_MIRROR" on the openembedded-devel mailing list at http://lists.linuxtogo.org/pipermail/openembedded-devel/2013-February/043920.html with a link to this inline discussion.

Thank you,
Lloyd


shr-project via email Feb 10, 2013

file://certstoreinit"

do_install_append() {
install -d ${D}${webos_upstartconfdir}
install -m 0644 ${WORKDIR}/certstoreinit ${D}${webos_upstartconfdir}/certstoreinit
}

FILES_${PN} += " ${webos_upstartconfdir}/certstoreinit"

pkg_postrm_${PN}() {
# Remove possible installed certificates by the update-ca-certificates script
rm -rf ${sysconfdir}/ssl/certs
}
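
Review bot: "rm -rf ${sysconfdir}/ssl/certs" in pkg_postrm_${PN} deletes the whole trust store directory rather than only what update-ca-certificates generated, so any certificate placed there by an administrator or another package is lost with it, and the /var/ssl/trustedcerts symlink that certstoreinit points at this directory is left dangling. Consider removing only the files the package's script created, and removing or re-pointing the symlink in the same step. On the SRC_URI override: since it repeats the base recipe's URL only to drop one patch, a comment naming the base recipe it was copied from would make it easier to keep the two in sync when the download location changes.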
