[1/2] package/ca-certificates: don't hash certificates.crt

Message ID 20180506161944.7451-1-martin@barkynet.com
State Changes Requested

Commit Message

Martin Bark May 6, 2018, 4:19 p.m. UTC
Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
prevent it getting hashed by mistake.

Signed-off-by: Martin Bark <martin@barkynet.com>
---
 package/ca-certificates/ca-certificates.mk | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Peter Korsgaard May 29, 2018, 6:50 a.m. UTC | #1
>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:

 > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
 > prevent it getting hashed by mistake.

What is the effect of running c_rehash on it? Just an extra symlink or
any functional difference?

 > Signed-off-by: Martin Bark <martin@barkynet.com>
 > ---
 >  package/ca-certificates/ca-certificates.mk | 8 +++++++-
 >  1 file changed, 7 insertions(+), 1 deletion(-)

 > diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
 > index cb0e961465..b99e6f47ca 100644
 > --- a/package/ca-certificates/ca-certificates.mk
 > +++ b/package/ca-certificates/ca-certificates.mk
 > @@ -30,14 +30,20 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 
 >  	# Create symlinks to certificates under /etc/ssl/certs
 >  	# and generate the bundle
 > +	rm -f $(@D)/ca-certificates.crt
 >  	cd $(TARGET_DIR) ;\
 >  	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
 >  		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
 > -		cat $$i >>etc/ssl/certs/ca-certificates.crt ;\
 > +		cat $$i >>$(@D)/ca-certificates.crt ;\
 >  	done

Alternatively we could redirect the entire for loop to the bundle, E.G.

done > $(@D)/ca-certificates.crt

While this seems like an improvement for when ca-certificates-reinstall
is run, I'm not sure what the relation is to $SUBJECT?


 >  	# Create symlinks to the certificates by their hash values
 >  	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
 > +
 > +	# Install the certificates bundle we just created
 > +	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
 > +		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
 > +
 >  endef
 
 >  $(eval $(generic-package))
 > -- 
 > 2.17.0

 > _______________________________________________
 > buildroot mailing list
 > buildroot@busybox.net
 > http://lists.busybox.net/mailman/listinfo/buildroot
Martin Bark May 29, 2018, 9:48 a.m. UTC | #2
Peter,

On 29 May 2018 at 07:50, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>
>  > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
>  > prevent it getting hashed by mistake.
>
> What is the effect of running c_rehash on it? Just an extra symlink or
> any functional difference?
>

c_rehash hashes certificates.crt by mistake and that symlink clashes with
one of the CA certificates.  The end result is one of the hashes
incorrectly points to certificates.crt instead of the CA certificate.  I
noticed this during testing because I checked /etc/ssl/certs was the same
as under Ubuntu.

Thanks Martin


>
>  > Signed-off-by: Martin Bark <martin@barkynet.com>
>  > ---
>  >  package/ca-certificates/ca-certificates.mk | 8 +++++++-
>  >  1 file changed, 7 insertions(+), 1 deletion(-)
>
>  > diff --git a/package/ca-certificates/ca-certificates.mk
> b/package/ca-certificates/ca-certificates.mk
>  > index cb0e961465..b99e6f47ca 100644
>  > --- a/package/ca-certificates/ca-certificates.mk
>  > +++ b/package/ca-certificates/ca-certificates.mk
>  > @@ -30,14 +30,20 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
>
>  >      # Create symlinks to certificates under /etc/ssl/certs
>  >      # and generate the bundle
>  > +    rm -f $(@D)/ca-certificates.crt
>  >      cd $(TARGET_DIR) ;\
>  >      for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
>  >              ln -sf ../../../$$i etc/ssl/certs/`basename $${i}
> .crt`.pem ;\
>  > -            cat $$i >>etc/ssl/certs/ca-certificates.crt ;\
>  > +            cat $$i >>$(@D)/ca-certificates.crt ;\
>  >      done
>
> Alternatively we could redirect the entire for loop to the bundle, E.G.
>
> done > $(@D)/ca-certificates.crt
>
> While this seems like an improvement for when ca-certificates-reinstall
> is run, I'm not sure what the relation is to $SUBJECT?
>
>  >      # Create symlinks to the certificates by their hash values
>  >      $(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
>  > +
>  > +    # Install the certificates bundle we just created
>  > +    $(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
>  > +            $(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
>  > +
>  >  endef
>
>  >  $(eval $(generic-package))
>  > --
>  > 2.17.0
>
>  > _______________________________________________
>  > buildroot mailing list
>  > buildroot@busybox.net
>  > http://lists.busybox.net/mailman/listinfo/buildroot
>
> --
> Bye, Peter Korsgaard
>
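
A check for the symptom described in the reply above, as an added example that is not part of the thread or of Buildroot: it lists c_rehash-style hash links in a certs directory that resolve to a file holding more than one certificate, which covers the bundle and any other multi-certificate file. The function names and the demo data (file names, hash values, dummy certificate body) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the patch): find hash links that point at a bundle.

# Print "<link> -> <target> (<n> certificates)" for every hash-named symlink
# in directory $1 whose target holds more than one certificate.
# Returns 1 if any such link is found, 0 otherwise.
find_bundle_hash_links() {
    dir=$1
    found=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        case $name in   # c_rehash names its links <8 hex digits>.<n>
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        target=$(readlink "$link")
        case $target in   # relative targets are relative to the link's directory
            /*) path=$target ;;
            *)  path=$dir/$target ;;
        esac
        [ -f "$path" ] || continue
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
        if [ "$count" -gt 1 ]; then
            echo "$name -> $target ($count certificates)"
            found=1
        fi
    done
    return $found
}

# Constructed demo: one correct hash link and one that points at the bundle.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$d/Example_CA.pem"
    cat "$d/Example_CA.pem" "$d/Example_CA.pem" > "$d/ca-certificates.crt"
    ln -s Example_CA.pem "$d/0a1b2c3d.0"
    ln -s ca-certificates.crt "$d/4e5f6a7b.0"
    find_bundle_hash_links "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: sh check.sh <certs-dir>, e.g. the target's etc/ssl/certs
if [ $# -gt 0 ]; then find_bundle_hash_links "$1"; fi
```

Run against `$(TARGET_DIR)/etc/ssl/certs` after a build, a non-zero exit status means at least one hash link resolves to a multi-certificate file.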
Peter Korsgaard May 29, 2018, 10:08 a.m. UTC | #3
>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:

 > Peter,
 > On 29 May 2018 at 07:50, Peter Korsgaard <peter@korsgaard.com> wrote:

 >> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
 >> 
 >> > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
 >> > prevent it getting hashed by mistake.
 >> 
 >> What is the effect of running c_rehash on it? Just an extra symlink or
 >> any functional difference?
 >> 

 > c_rehash hashes certificates.crt by mistake and that symlink clashes with
 > one of the CA certificates.  The end result is one of the hashes
 > incorrectly points to certificates.crt instead of the CA certificate.  I
 > noticed this during testing because I checked /etc/ssl/certs was the same
 > as under Ubuntu.

Ok, can you rework the commit message with these details (and perhaps
the for loop change) and resubmit? Thanks!
Martin Bark May 29, 2018, 10:40 a.m. UTC | #4
Peter,

On 29 May 2018 at 11:08, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>
>  > Peter,
>  > On 29 May 2018 at 07:50, Peter Korsgaard <peter@korsgaard.com> wrote:
>
>  >> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>  >>
>  >> > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
>  >> > prevent it getting hashed by mistake.
>  >>
>  >> What is the effect of running c_rehash on it? Just an extra symlink or
>  >> any functional difference?
>  >>
>
>  > c_rehash hashes certificates.crt by mistake and that symlink clashes with
>  > one of the CA certificates.  The end result is one of the hashes
>  > incorrectly points to certificates.crt instead of the CA certificate.  I
>  > noticed this during testing because I checked /etc/ssl/certs was the same
>  > as under Ubuntu.
>
> Ok, can you rework the commit message with these details (and perhaps
> the for loop change) and resubmit? Thanks!
>

Will do

Thanks

Martin


>
> --
> Bye, Peter Korsgaard
>
Patch

diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
index cb0e961465..b99e6f47ca 100644
--- a/package/ca-certificates/ca-certificates.mk
+++ b/package/ca-certificates/ca-certificates.mk
@@ -30,14 +30,20 @@  define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 
 	# Create symlinks to certificates under /etc/ssl/certs
 	# and generate the bundle
+	rm -f $(@D)/ca-certificates.crt
 	cd $(TARGET_DIR) ;\
 	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
 		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
-		cat $$i >>etc/ssl/certs/ca-certificates.crt ;\
+		cat $$i >>$(@D)/ca-certificates.crt ;\
 	done
 
 	# Create symlinks to the certificates by their hash values
 	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
+
+	# Install the certificates bundle we just created
+	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
+		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
+
 endef
 
 $(eval $(generic-package))
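
Review bot: on a reinstall, the bundle installed by the previous run is still present in $(TARGET_DIR)/etc/ssl/certs when the c_rehash line executes, because the `rm -f` added at the top of the hunk only clears the $(@D) copy. c_rehash would then pick up ca-certificates.crt again, which is the case the commit message says the change prevents. Consider removing the target copy as well before the c_rehash call, for example `rm -f $(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt`. The commit message also refers to certificates.crt while the file handled in the hunk is ca-certificates.crt; using the same name in both would avoid confusion.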