From c83f80f44c741113a5bd63dc4d7680a50ae2bda4 Mon Sep 17 00:00:00 2001
From: John Klug
Date: Wed, 3 Mar 2021 07:35:47 -0600
Subject: 19-JAN-2021 certificates

---
 ...ertificates-don-t-use-Debianisms-in-run-p.patch | 34 ++++++++
 .../0002-update-ca-certificates-use-SYSROOT.patch | 46 +++++++++++
 ...ertificates-use-relative-symlinks-from-ET.patch | 71 +++++++++++++++++
 .../ca-certificates/default-sysroot.patch | 50 ++++++++++++
 .../ca-certificates/ca-certificates/sbindir.patch | 26 +++++++
 .../update-ca-certificates-support-Toybox.patch | 33 ++++++++
 .../ca-certificates/ca-certificates_20210119.bb | 90 ++++++++++++++++++++++
 7 files changed, 350 insertions(+)
 create mode 100644 recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates/default-sysroot.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates/sbindir.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
 create mode 100644 recipes-support/ca-certificates/ca-certificates_20210119.bb

diff --git a/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
new file mode 100644
index 0000000..4a8ae5f
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
@@ -0,0 +1,34 @@
+ca-certificates is a package from Debian, but some host distros such as Fedora
+have a leaner run-parts provided by cron which doesn't support --verbose or the
+ -- separator between arguments and paths.
+
+This solves errors such as
+
+| Running hooks in [...]/rootfs/etc/ca-certificates/update.d...
+| [...]/usr/sbin/update-ca-certificates: line 194: Not: command not found
+| [...]/usr/sbin/update-ca-certificates: line 230: Not a directory: --: command not found
+| E: Not a directory: -- exited with code 127.
+
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton
+Signed-off-by: Maciej Borzecki
+---
+ sbin/update-ca-certificates | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+Index: git/sbin/update-ca-certificates
+===================================================================
+--- git.orig/sbin/update-ca-certificates
++++ git/sbin/update-ca-certificates
+@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ]
+ then
+ 
+ echo "Running hooks in $HOOKSDIR..."
+- VERBOSE_ARG=
+- [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
+- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
++ eval run-parts --test "$HOOKSDIR" | while read hook
+ do
+ ( cat "$ADDED"
+ cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
diff --git a/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch b/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch
new file mode 100644
index 0000000..792b403
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch
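Review bot: The replacement line `eval run-parts --test "$HOOKSDIR" | while read hook` keeps the `eval` the removed lines used and still reads hook names with a bare `read`; `eval` re-parses the already-quoted command string, so a `$HOOKSDIR` containing whitespace or shell metacharacters is re-split before `run-parts` sees it, and `read` without `-r` mangles backslashes in hook names. `HOOKSDIR` is built from `$SYSROOT` (see the 0002 patch in this commit), which the recipe sets from build-directory variables, so the practical exposure is a build-path bug rather than an attack surface, but `run-parts --test "$HOOKSDIR" | while IFS= read -r hook` is both safer and simpler. Dropping `--verbose` also means `-v` no longer propagates to run-parts; if that is intended, a sentence in the patch header would save the next reader a diff. If this file is a verbatim copy of the oe-core patch, the fix belongs there rather than in this layer. The enclosing `if [ -d "$HOOKSDIR" ]` block continues past the hunk.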
@@ -0,0 +1,46 @@
+Upstream-Status: Pending
+
+From 724cb153ca0f607fb38b3a8db3ebb2742601cd81 Mon Sep 17 00:00:00 2001
+From: Andreas Oberritter
+Date: Tue, 19 Mar 2013 17:14:33 +0100
+Subject: [PATCH 2/2] update-ca-certificates: use $SYSROOT
+
+Signed-off-by: Andreas Oberritter
+---
+ sbin/update-ca-certificates | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+Index: git/sbin/update-ca-certificates
+===================================================================
+--- git.orig/sbin/update-ca-certificates
++++ git/sbin/update-ca-certificates
+@@ -24,12 +24,12 @@
+ verbose=0
+ fresh=0
+ default=0
+-CERTSCONF=/etc/ca-certificates.conf
+-CERTSDIR=/usr/share/ca-certificates
+-LOCALCERTSDIR=/usr/local/share/ca-certificates
++CERTSCONF=$SYSROOT/etc/ca-certificates.conf
++CERTSDIR=$SYSROOT/usr/share/ca-certificates
++LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+-ETCCERTSDIR=/etc/ssl/certs
+-HOOKSDIR=/etc/ca-certificates/update.d
++ETCCERTSDIR=$SYSROOT/etc/ssl/certs
++HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
+ 
+ while [ $# -gt 0 ];
+ do
+@@ -92,9 +92,9 @@ add() {
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+ -e 's/[()]/=/g' \
+ -e 's/,/_/g').pem"
+- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
++ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
+ then
+- ln -sf "$CERT" "$PEM"
++ ln -sf "${CERT##$SYSROOT}" "$PEM"
+ echo "+$PEM" >> "$ADDED"
+ fi
+ # Add trailing newline to certificate, if it is missing (#635570)
diff --git a/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
new file mode 100644
index 0000000..4bd967f
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
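Review bot: `${CERT##$SYSROOT}` in the two added `add()` lines treats the value of `$SYSROOT` as a glob pattern rather than a literal prefix, so a sysroot path containing `*`, `?` or `[` strips the wrong prefix (or nothing) and the `readlink` comparison on the same line then compares against a stale value. The recipe in this commit always passes a build directory such as `${D}${base_prefix}`, which rarely contains glob characters, but the later 0003 patch replaces this expansion with a `sed` expression that has the analogous problem with `|` and regex metacharacters, so the concern survives the series. Quoting the pattern, `${CERT#"$SYSROOT"}`, makes it literal and is sufficient here. `add()` starts before and ends after the hunk.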
@@ -0,0 +1,71 @@
+From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?=
+Date: Wed, 28 Mar 2018 16:45:05 +0100
+Subject: [PATCH] update-ca-certificates: use relative symlinks from
+ $ETCCERTSDIR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+update-ca-certificates symlinks (trusted) certificates
+from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
+update-ca-certificates can call hook scripts installed
+into /etc/ca-certificates/update.d. Those scripts are
+passed the pem file in /etc/ssl/certs/ that was added or
+removed in this run and those pem files are absolute
+symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
+
+When running update-ca-certificates during image build
+time, they thusly all point into the host's file system,
+not into the $SYSROOT. This means:
+* the host's file system layout must match the one
+ produced by OE, and
+* it also means that the host must have installed the same
+ (or more) certificates as the target in $CERTSDIR and
+ $LOCALCERTSDIR
+
+This is a problem when wanting to execute hook scripts,
+because they all need to be taught about $SYSROOT, and
+behave differently depending on whether they're called
+at image build time, or on the target, as otherwise they
+will be trying to actually read the host's certificates
+from $CERTSDIR or $LOCALCERTSDIR.
+
+This also is a problem when running anything else during
+image build time that depends on the trusted CA
+certificates.
+
+Changing the symlink to be relative solves all of these
+problems. Do so.
+
+Upstream-Status: Inappropriate [OE-specific]
+Signed-off-by: André Draszik
+---
+ sbin/update-ca-certificates | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
+index 00f80c7..7e911a9 100755
+--- a/sbin/update-ca-certificates
++++ b/sbin/update-ca-certificates
+@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
+ LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+ ETCCERTSDIR=$SYSROOT/etc/ssl/certs
++FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
+ HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
+ 
+ while [ $# -gt 0 ];
+@@ -125,9 +126,10 @@ add() {
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+ -e 's/[()]/=/g' \
+ -e 's/,/_/g').pem"
+- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
++ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
++ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
+ then
+- ln -sf "${CERT##$SYSROOT}" "$PEM"
++ ln -sf "${DST}" "$PEM"
+ echo "+$PEM" >> "$ADDED"
+ fi
+ # Add trailing newline to certificate, if it is missing (#635570)
diff --git a/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch b/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch
new file mode 100644
index 0000000..f8b0791
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch
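Review bot: `DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"` leaves `${CERT}` unquoted and interpolates `$SYSROOT` unescaped into a sed regex, so a certificate path with spaces or glob characters is word-split by `echo`, and a sysroot containing `|`, `.`, `*` or `[` changes the meaning of the substitution; because `DST` is the `ln -sf` target two lines later, a mangled value creates a dangling symlink in the trust directory rather than a hard failure. Plain parameter expansion does the same job without the subshell or the regex: `DST=${CERT#"$SYSROOT"}` followed by `DST=${FSROOT}${DST#/}`. `FSROOT=../../../` also hard-codes that `$ETCCERTSDIR` sits three levels below the file-system root, which holds for `/etc/ssl/certs` but would presumably break if the recipe's `do_install_append_class-target` sed rewrote `/etc/` to a `${sysconfdir}` of a different depth; a comment on that line stating the assumption (`# assumes ETCCERTSDIR is exactly three components deep`) would help. `add()` begins and ends outside the hunk.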
@@ -0,0 +1,50 @@
+Upstream-Status: Pending
+
+update-ca-certificates: find SYSROOT relative to its own location
+
+This makes the script relocatable.
+
+Index: git/sbin/update-ca-certificates
+===================================================================
+--- git.orig/sbin/update-ca-certificates
++++ git/sbin/update-ca-certificates
+@@ -66,6 +66,39 @@ do
+ shift
+ done
+ 
++if [ -z "$SYSROOT" ]; then
++ local_which () {
++ if [ $# -lt 1 ]; then
++ return 1
++ fi
++
++ (
++ IFS=:
++ for entry in $PATH; do
++ if [ -x "$entry/$1" ]; then
++ echo "$entry/$1"
++ exit 0
++ fi
++ done
++ exit 1
++ )
++ }
++
++ case "$0" in
++ */*)
++ sbindir=$(cd ${0%/*} && pwd)
++ ;;
++ *)
++ sbindir=$(cd $(dirname $(local_which $0)) && pwd)
++ ;;
++ esac
++ prefix=${sbindir%/*}
++ SYSROOT=${prefix%/*}
++ if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then
++ SYSROOT=
++ fi
++fi
++
+ if [ ! -s "$CERTSCONF" ]
+ then
+ fresh=1
diff --git a/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/recipes-support/ca-certificates/ca-certificates/sbindir.patch
new file mode 100644
index 0000000..f343ebf
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/sbindir.patch
@@ -0,0 +1,26 @@
+sbin/Makefile: Allow the sbin path to be configurable
+
+Some project sharing ca-certificates from Debian allow configuration
+of the installation location. Make the sbin location configurable.
+
+Also ensure the target directory exists
+
+Signed-off-by: Richard Purdie
+Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5]
+
+--- ca-certificates-20130119.orig/sbin/Makefile
++++ ca-certificates-20130119/sbin/Makefile
+@@ -3,9 +3,12 @@
+ #
+ #
+ 
++SBINDIR = /usr/sbin
++
+ all:
+ 
+ clean:
+ 
+ install:
+- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
++ install -d $(DESTDIR)$(SBINDIR)
++ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/
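Review bot: When `$SYSROOT` is unset, the added block derives it from the script's own location and, if `[ ! -d "$SYSROOT/usr/share/ca-certificates" ]`, silently resets `SYSROOT=` so the run proceeds against the host's real `/etc/ssl/certs` (per the 0002 patch, an empty SYSROOT makes every path absolute); for a relocatable build tool that fallback deserves a diagnostic such as `echo "W: could not derive SYSROOT from $0, using /" >&2` so an operator notices when the host trust store is the one being rewritten. `sbindir=$(cd ${0%/*} && pwd)` and `local_which $0` leave `$0` unquoted, so a script path containing spaces breaks the derivation and lands in that same silent fallback. In `local_which`, an empty `$PATH` component (which means the current directory) yields `/$1` instead of `./$1`, so the lookup fails for that case; `[ -n "$entry" ] || entry=.` before the `-x` test fixes it. The recipe in this commit always exports `SYSROOT` explicitly, so this only affects manual invocations.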
diff --git a/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
new file mode 100644
index 0000000..f787909
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
@@ -0,0 +1,33 @@
+update-ca-certificates: Replace deprecated mktemp -t with mktemp --tmpdir
+
+According to coreutils docs, mktemp -t is deprecated, switch to the
+--tmpdir option instead.
+
+Signed-off-by: Richard Purdie
+Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5]
+
+[This was originally for compatibility with toybox but toybox now
+supports -t]
+---
+ sbin/update-ca-certificates | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
+index 79c41bb..ae9e3f1 100755
+--- a/sbin/update-ca-certificates
++++ b/sbin/update-ca-certificates
+@@ -113,9 +113,9 @@ trap cleanup 0
+ 
+ # Helper files. (Some of them are not simple arrays because we spawn
+ # subshells later on.)
+-TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
+-ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+-REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
++TEMPBUNDLE="$(mktemp --tmpdir "${CERTBUNDLE}.tmp.XXXXXX")"
++ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
++REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
+ 
+ # Adds a certificate to the list of trusted ones. This includes a symlink
+ # in /etc/ssl/certs to the certificate file and its inclusion into the
+--
+2.1.4
diff --git a/recipes-support/ca-certificates/ca-certificates_20210119.bb b/recipes-support/ca-certificates/ca-certificates_20210119.bb
new file mode 100644
index 0000000..888a235
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates_20210119.bb
@@ -0,0 +1,90 @@
+SUMMARY = "Common CA certificates"
+DESCRIPTION = "This package includes PEM files of CA certificates to allow \
+SSL-based applications to check for the authenticity of SSL connections. \
+This derived from Debian's CA Certificates."
+HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
+SECTION = "misc"
+LICENSE = "GPL-2.0+ & MPL-2.0"
+LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e"
+
+# This is needed to ensure we can run the postinst at image creation time
+DEPENDS = ""
+DEPENDS_class-native = "openssl-native"
+DEPENDS_class-nativesdk = "openssl-native"
+# Need rehash from openssl and run-parts from debianutils
+PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
+
+SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144"
+
+SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
+ file://0002-update-ca-certificates-use-SYSROOT.patch \
+ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
+ file://update-ca-certificates-support-Toybox.patch \
+ file://default-sysroot.patch \
+ file://sbindir.patch \
+ file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
+ "
+UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+)"
+
+S = "${WORKDIR}/git"
+
+inherit allarch
+
+EXTRA_OEMAKE = "\
+ 'CERTSDIR=${datadir}/ca-certificates' \
+ 'SBINDIR=${sbindir}' \
+"
+
+do_compile_prepend() {
+ oe_runmake clean
+}
+
+do_install () {
+ install -d ${D}${datadir}/ca-certificates \
+ ${D}${sysconfdir}/ssl/certs \
+ ${D}${sysconfdir}/ca-certificates/update.d
+ oe_runmake 'DESTDIR=${D}' install
+
+ install -d ${D}${mandir}/man8
+ install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/
+
+ install -d ${D}${sysconfdir}
+ {
+ echo "# Lines starting with # will be ignored"
+ echo "# Lines starting with ! will remove certificate on next update"
+ echo "#"
+ find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \
+ sed 's,^${D}${datadir}/ca-certificates/,,' | sort
+ } >${D}${sysconfdir}/ca-certificates.conf
+}
+
+do_install_append_class-target () {
+ sed -i -e 's,/etc/,${sysconfdir}/,' \
+ -e 's,/usr/share/,${datadir}/,' \
+ -e 's,/usr/local,${prefix}/local,' \
+ ${D}${sbindir}/update-ca-certificates \
+ ${D}${mandir}/man8/update-ca-certificates.8
+}
+
+pkg_postinst_${PN}_class-target () {
+ SYSROOT="$D" $D${sbindir}/update-ca-certificates
+}
+
+CONFFILES_${PN} += "${sysconfdir}/ca-certificates.conf"
+
+# Rather than make a postinst script that works for both target and nativesdk,
+# we just run update-ca-certificate from do_install() for nativesdk.
+CONFFILES_${PN}_append_class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt"
+do_install_append_class-nativesdk () {
+ SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates
+}
+
+do_install_append_class-native () {
+ SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
+}
+
+RDEPENDS_${PN}_class-target = "openssl-bin"
+RDEPENDS_${PN}_class-native = "openssl-native"
+RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+
+BBCLASSEXTEND = "native nativesdk"
-- 
cgit v1.2.3
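Review bot: `UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+)"` as shown carries no group name, which Python's `re` rejects as a syntax error; bitbake's upstream-version check expects the named form `(?P<pver>\d+)`, so unless the `<pver>` was lost when this page was rendered, that line should be corrected. In `do_install`, the `find ... | sed ... | sort` pipeline that generates `ca-certificates.conf` sorts in whatever locale the build environment exports, so the trust configuration written into the image can differ between hosts; `LC_ALL=C sort` makes it byte-deterministic and reproducible. The same pipeline interpolates `${D}${datadir}` into a sed pattern unescaped, so a build directory containing `,` or regex metacharacters would presumably leave the `${D}` prefix in the conf file and every entry would then fail to resolve when `update-ca-certificates` runs. Since `SRCREV` pins the exact Debian trust-store revision this image trusts, a comment beside it recording the upstream release it corresponds to (the subject says 19-JAN-2021) would make future bundle updates auditable.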