From: Mark H Weaver
Subject: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 02:29:48 -0500
Message-ID: <87fv9medxv.fsf_-_@netris.org>
References: <87r3u7di49.fsf@netris.org>
 <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr>
 <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian>
 <87sie79km0.fsf@netris.org> <87mw441fdp.fsf@gnu.org>
 <87sidvhx0t.fsf@netris.org> <87zj7v2gmf.fsf_-_@gnu.org>
In-Reply-To: <87zj7v2gmf.fsf_-_@gnu.org> (Ludovic Courtès's message of "Mon, 02 Mar 2015 23:12:40 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver skribis:
>
>> In order to support multiple packages containing CA certs, it would be
>> good to handle creation of the single-file cert bundle in the profile
>> generation code, analogous to our handling of info "dir" files.  This
>> would allow us to create additional cert packages (e.g. one for
>> CAcert.org).
>>
>> I think it belongs in the profile generation code for the benefit of
>> users running Guix packages on top of another distro, where they might
>> not have root access.
>> They can simply set GIT_SSL_CAINFO and
>> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>>
>> What do you think?
>
> It's a good but as of yet unimplemented idea.
>
> Although I now realize we could perhaps simply move the
> ‘certificate-bundle’ procedure to (guix profile), add the certificate
> package to the system profile, and make /etc/ssl a symlink to
> /run/current-system/profile/etc/ssl.

I've attached patches that implement this.  They assume that 993300f and
e979e6d are first reverted.  Comments and suggestions welcome.

It would also be good to add search-path-specifications for SSL_CERT_FILE
to 'openssl' and GIT_SSL_CAINFO to 'git' in core-updates, but I'm not sure
how best to do that.  Would you be willing to do it, Ludovic?

      Mark

--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline; filename=0001-profiles-Produce-a-single-file-CA-certificate-bundle.patch
Content-Description: [PATCH 1/2] profiles: Produce a single-file CA certificate bundle

From 0229c6c51a9341484a84f4cec112494b4fe67757 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Tue, 3 Mar 2015 02:09:30 -0500
Subject: [PATCH 1/2] profiles: Produce a single-file CA certificate bundle.

* guix/profiles.scm (ca-certificate-bundle): New procedure.
(profile-derivation): Add 'ca-certificate-bundle?' keyword argument.
If true (the default), add the result of 'ca-certificate-bundle' to
'inputs'.

Co-Authored-By: Ludovic Courtès
---
 guix/profiles.scm | 91 +++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 78 insertions(+), 13 deletions(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm
index a0a259b..5ceba25 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -2,6 +2,7 @@ ;;; Copyright =C2=A9 2013, 2014, 2015 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2013 Nikita Karetnikov ;;; Copyright =C2=A9 2014 Alex Kost +;;; Copyright =C2=A9 2015 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -413,23 +414,87 @@ MANIFEST." (gexp->derivation "info-dir" build #:modules '((guix build utils))))) =20 -(define* (profile-derivation manifest #:key (info-dir? #t)) +(define (ca-certificate-bundle manifest) + "Return a derivation that builds a single-file bundle containing the CA +certificates in the /etc/ssl/certs sub-directories of the packages in +MANIFEST. Single-file bundles are required by programs such as Git and Ly= nx." + ;; See + ;; for a discussion. + + (define glibc-utf8-locales ;lazy reference + (module-ref (resolve-interface '(gnu packages base)) 'glibc-utf8-local= es)) + + (define build + #~(begin + (use-modules (guix build utils) + (rnrs io ports) + (srfi srfi-1) + (srfi srfi-26) + (ice-9 ftw)) + + (define (pem-file? file) + (string-suffix? ".pem" file)) + + (define (ca-files top) + (let ((cert-dir (string-append top "/etc/ssl/certs"))) + (map (cut string-append cert-dir "/" <>) + (or (scandir cert-dir pem-file?) '())))) + + (define (concatenate-files files result) + "Make RESULT the concatenation of all of FILES." + (define (dump file port) + (display (call-with-input-file file get-string-all) + port) + (newline port)) ;required, see + + (call-with-output-file result + (lambda (port) + (for-each (cut dump <> port) files)))) + + ;; Some file names in the NSS certificates are UTF-8 encoded so + ;; install a UTF-8 locale. + (setenv "LOCPATH" (string-append #+glibc-utf8-locales "/lib/locale= ")) + (setlocale LC_ALL "en_US.UTF-8") + + (let ((ca-files (append-map ca-files + '#$(manifest-inputs manifest))) + (result (string-append #$output "/etc/ssl/certs"))) + (mkdir-p result) + (concatenate-files ca-files + (string-append result + "/ca-certificates.crt"))))) + + (gexp->derivation "ca-certificate-bundle" build + #:modules '((guix build utils)) + #:local-build? #t)) + +(define* (profile-derivation manifest + #:key + (info-dir? #t) + (ca-certificate-bundle? #t)) "Return a derivation that builds a profile (aka. 
'user environment') with -the given MANIFEST. The profile includes a top-level Info 'dir' file, unl= ess -INFO-DIR? is #f." +the given MANIFEST. The profile includes a top-level Info 'dir' file unle= ss +INFO-DIR? is #f, and a single-file CA certificate bundle unless +CA-CERTIFICATE-BUNDLE? is #f." (mlet %store-monad ((info-dir (if info-dir? (info-dir-file manifest) - (return #f)))) + (return #f))) + (ca-cert-bundle (if ca-certificate-bundle? + (ca-certificate-bundle manifest) + (return #f)))) (define inputs - (if info-dir - ;; XXX: Here we use the tuple (INFO-DIR "out") just so that the = list - ;; is unambiguous for the gexp code when MANIFEST has a single i= nput - ;; denoted as a string (the pattern (DRV STRING) is normally - ;; interpreted in a gexp as "the STRING output of DRV".). See - ;; . - (cons (list info-dir "out") - (manifest-inputs manifest)) - (manifest-inputs manifest))) + ;; XXX: Here we use tuples of the form (DIR "out") just so that the = list + ;; is unambiguous for the gexp code when MANIFEST has a single input + ;; denoted as a string (the pattern (DRV STRING) is normally + ;; interpreted in a gexp as "the STRING output of DRV".). See + ;; . + (append (if info-dir + `((,info-dir "out")) + '()) + (if ca-cert-bundle + `((,ca-cert-bundle "out")) + '()) + (manifest-inputs manifest))) =20 (define builder #~(begin --=20 2.2.1 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0002-system-Add-etc-ssl-symlink-set-needed-variables-in-e.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 2/2] system: Add /etc/ssl symlink; set needed variables in /etc/profile >From ff4bbad277c43cf17e8a90d9e26daa4ad631ba86 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Tue, 3 Mar 2015 02:14:14 -0500 Subject: [PATCH 2/2] system: Add /etc/ssl symlink; set needed variables in /etc/profile. MIME-Version: 1.0 Content-Type: text/plain; charset=3DUTF-8 Content-Transfer-Encoding: 8bit * gnu/build/activation.scm (activate-etc): Create /etc/ssl symlink. * gnu/system.scm (etc-directory): Set SSL_CERT_DIR, SSL_CERT_FILE, and GIT_SSL_CAINFO in /etc/profile. Co-Authored-By: Ludovic Court=C3=A8s --- gnu/build/activation.scm | 10 ++++++++++ gnu/system.scm | 5 +++++ 2 files changed, 15 insertions(+) diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index dfadde3..909e971 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2013, 2014 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2015 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; @@ -200,6 +201,15 @@ numeric gid or #f." =20 (format #t "populating /etc from ~a...~%" etc) =20 + ;; Create the /etc/ssl -> /run/current-system/profile/etc/ssl symlink. = This + ;; symlink, to a target outside of the store, probably doesn't belong in= the + ;; static 'etc' store directory. However, if it were to be put there, + ;; beware that if /run/current-system/profile/etc/ssl doesn't exist at t= he + ;; time of activation (e.g. when installing a fresh system), the call to + ;; 'file-is-directory?' below will fail because it uses 'stat', not 'lst= at'. + (rm-f "/etc/ssl") + (symlink "/run/current-system/profile/etc/ssl" "/etc/ssl") + (rm-f "/etc/static") (symlink etc "/etc/static") (for-each (lambda (file) diff --git a/gnu/system.scm b/gnu/system.scm index 8060f74..8075910 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -454,6 +454,11 @@ export EMACSLOADPATH=3D:/etc/emacs # when /etc/machine-id is missing. Make sure these warnings are non-fatal. export DBUS_FATAL_WARNINGS=3D0 =20 +# These variables are honored by OpenSSL (libssl) and Git. +export SSL_CERT_DIR=3D/etc/ssl/certs +export SSL_CERT_FILE=3D\"$SSL_CERT_DIR/ca-certificates.crt\" +export GIT_SSL_CAINFO=3D\"$SSL_CERT_FILE\" + # Allow Aspell to find dictionaries installed in the user profile. export ASPELL_CONF=3D\"dict-dir $HOME/.guix-profile/lib/aspell\" ")) --=20 2.2.1 --=-=-=--
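Review bot: in the @@ -413,23 +414,87 @@ hunk of guix/profiles.scm (patch 1), `concatenate-files` writes `ca-certificates.crt` unconditionally, so a manifest in which no package ships `etc/ssl/certs/*.pem` still yields an empty bundle at `$output/etc/ssl/certs/ca-certificates.crt`; once /etc/profile points SSL_CERT_FILE and SSL_CERT_DIR at that directory, OpenSSL-based programs load the empty file in place of their compiled-in defaults and every verification fails with a confusing error. Consider skipping the file (or returning `#f` from `ca-certificate-bundle`) when `ca-files` is null, and add a docstring sentence stating the trust model the code implies: any package in MANIFEST that installs a `.pem` under `etc/ssl/certs` becomes a trust anchor for everything that reads the bundle. Two smaller points in the same hunk: a certificate shipped by two packages is concatenated twice, and files with a `.crt` suffix are silently ignored by `pem-file?`; both deserve a comment.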
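Review bot: in the `activate-etc` hunk of gnu/build/activation.scm (patch 2), `(rm-f "/etc/ssl")` followed by `(symlink ...)` assumes /etc/ssl is absent or already a symlink; when it is a real directory (a root previously populated by another distribution, or one where /etc/ssl was created by hand), unlinking it fails with EISDIR, so either `rm-f` raises or the following `symlink` fails with EEXIST, and activation aborts either way. Check the existing entry with `lstat` and replace it only when it is a symlink (warning otherwise); that also settles the stat-versus-lstat concern in the comment, since the dangling target at first activation is then never dereferenced.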
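Review bot: in the /etc/profile hunk of gnu/system.scm (patch 2), the comment says the variables are honored by OpenSSL and Git, but SSL_CERT_DIR only does anything when /etc/ssl/certs contains the hash-named symlinks OpenSSL's directory lookup expects; the bundle derivation in patch 1 adds only ca-certificates.crt there, so the directory lookup depends on the certificate package installing those links, and GnuTLS-based programs ignore all three variables. Also, because they are exported system-wide, the per-user bundle under ~/.guix-profile described in the cover letter is shadowed for users who install their own certificate package; say in the comment that such users must re-export SSL_CERT_FILE and GIT_SSL_CAINFO from their own shell startup files.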
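The two steps the thread describes, gathering every `etc/ssl/certs/*.pem` from the packages of a profile into one file and making sure each file ends in a newline before the next one starts, are shown below as an added example. It is not Mark's patch and not Guix code: it is written in Python rather than Guile so it runs anywhere, the "packages" are constructed in memory with made-up base64 bodies (not real X.509 certificates), and the line-oriented reader mirrors how OpenSSL-style PEM readers walk a bundle so that the fused `-----END ...----------BEGIN ...-----` line produced by a plain `cat` is rejected rather than silently dropping a certificate. The deduplication by SHA-256 of the DER bytes goes beyond the patch, which concatenates duplicates as-is.

```python
"""Build and validate a single-file CA bundle from per-package PEM files.

Illustrative code written for this page, not Guix's implementation.  The
packages and certificate bodies below are constructed test data.
"""
import base64
import binascii
import hashlib
from typing import Dict, Iterator, List, Tuple

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
CERT_DIR = "etc/ssl/certs/"


def fake_pem(seed: bytes, trailing_newline: bool = True) -> str:
    """Wrap SEED as a PEM-shaped block (constructed data, not a real cert)."""
    body = base64.encodebytes(seed).decode()   # 76-column lines, ends in "\n"
    pem = f"{PEM_BEGIN}\n{body}{PEM_END}"
    return pem + "\n" if trailing_newline else pem


# Constructed sample packages: path inside the package -> file content.
SAMPLE_PACKAGES: Dict[str, Dict[str, str]] = {
    "nss-certs": {
        # No final newline: the case the patch's "(newline port)" guards against.
        CERT_DIR + "Another_Root.pem": fake_pem(b"root-ca-two " * 8, trailing_newline=False),
        CERT_DIR + "Example_Root_CA.pem": fake_pem(b"root-ca-one " * 8),
        CERT_DIR + "README": "not a certificate\n",      # wrong suffix: skipped
        "share/doc/nss-certs/NEWS": "irrelevant\n",       # wrong directory: skipped
    },
    "cacert-org": {
        CERT_DIR + "CAcert_Class_3.pem": fake_pem(b"cacert-three " * 8),
        CERT_DIR + "Example_Root_CA.pem": fake_pem(b"root-ca-one " * 8),  # duplicate
    },
}


def pem_files(packages: Dict[str, Dict[str, str]]) -> Iterator[Tuple[str, str, str]]:
    """Yield (package, path, content) for each *.pem directly under etc/ssl/certs."""
    for name, files in packages.items():
        for path, content in sorted(files.items()):
            rest = path[len(CERT_DIR):]
            if path.startswith(CERT_DIR) and rest.endswith(".pem") and "/" not in rest:
                yield name, path, content


def build_bundle(packages: Dict[str, Dict[str, str]], terminate_lines: bool = True) -> str:
    """Concatenate the PEM files.  terminate_lines=False behaves like a plain
    `cat`, which fuses the END line of a file lacking a final newline with the
    BEGIN line of the file that follows it."""
    parts = []
    for _, _, content in pem_files(packages):
        if terminate_lines and not content.endswith("\n"):
            content += "\n"
        parts.append(content)
    return "".join(parts)


def parse_bundle(bundle: str) -> List[bytes]:
    """Line-oriented PEM reader: returns the DER bytes of every block and raises
    ValueError on anything that is not a well-formed block, including a fused
    END/BEGIN line or text outside a block."""
    ders: List[bytes] = []
    body: List[str] = []
    inside = False
    for lineno, line in enumerate(bundle.splitlines(), 1):
        if not inside:
            if line == PEM_BEGIN:
                inside, body = True, []
            elif line.strip():
                raise ValueError(f"line {lineno}: text outside a certificate block: {line[:40]!r}")
        elif line == PEM_END:
            try:
                ders.append(base64.b64decode("".join(body), validate=True))
            except binascii.Error as exc:
                raise ValueError(f"line {lineno}: bad base64 in block: {exc}") from exc
            inside = False
        elif line.startswith("-----"):
            raise ValueError(f"line {lineno}: unexpected marker inside block: {line[:60]!r}")
        else:
            body.append(line.strip())
    if inside:
        raise ValueError("bundle ends inside a certificate block")
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, the usual identity for a certificate."""
    return hashlib.sha256(der).hexdigest()


def dedupe(ders: List[bytes]) -> List[bytes]:
    """Drop certificates already seen, keeping first-occurrence order."""
    seen, unique = set(), []
    for der in ders:
        fp = fingerprint(der)
        if fp not in seen:
            seen.add(fp)
            unique.append(der)
    return unique


if __name__ == "__main__":
    certs = parse_bundle(build_bundle(SAMPLE_PACKAGES))
    print(f"{len(certs)} blocks, {len(dedupe(certs))} distinct certificates")
    try:
        parse_bundle(build_bundle(SAMPLE_PACKAGES, terminate_lines=False))
    except ValueError as exc:
        print("plain cat rejected:", exc)
```

Running it reports four blocks and three distinct certificates for the newline-terminated bundle, and the plain concatenation is rejected at the fused marker line. Swapping `SAMPLE_PACKAGES` for a walk over real `etc/ssl/certs` directories is the only change needed to check a bundle produced by a profile.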