From: Mark H Weaver
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 12:26:52 -0500
Message-ID: <87h9urt50j.fsf@netris.org>
References: <20150210201452.GA15529@debian>
In-Reply-To: <20150210201452.GA15529@debian> (Andreas Enge's message of "Tue, 10 Feb 2015 21:14:52 +0100")
To: Andreas Enge
Cc: guix-devel@gnu.org

Andreas Enge writes:

> The attached patch series
> 1) adds a (private) python script to extract single certificates in .pem
> format from a big textfile in mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
> in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;

Excellent, thanks very much! :)

> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.
>
> So if you do a
> guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.
>
> The search path definition means that we could have alternative root
> certificate packages (potentially one per certification authority) and that
> the user could install the ones he trusts.

Sounds good!  It should be noted, however, that GnuTLS will currently only
use the certs in /etc/ssl/certs unless some application-specific setting is
provided.  This will later be improved with the 'p11-kit' solution.

> The patches currently are in a branch wip-certs. Suggestions are
> welcome.

Regarding this commit:

> From b703198b70850017c2ed5e3510790898a214b7bd Mon Sep 17 00:00:00 2001
> From: Andreas Enge
> Date: Tue, 10 Feb 2015 19:55:53 +0000
> Subject: gnu: Add nss-certs, certificates extracted from nss
>
> * gnu/packages/certs.scm (nss-certs): New variable.
> ---

[...]

> +      #:phases
> +      (alist-cons-after
> +       'unpack 'install
> +       (lambda _
> +         (let ((certsdir (string-append %output "/etc/ssl/certs/")))
> +           (mkdir-p certsdir)
> +           (with-directory-excursion "nss/lib/ckfw/builtins/"
> +             ;; extract single certificates from blob
> +             (system* "certdata2pem.py" "certdata.txt")
> +             ;; copy the .pem files into the output
> +             (for-each
> +              (lambda (file)
> +                (copy-file file (string-append certsdir file)))
> +              ;; FIXME: Some of the file names are UTF8 (?) and cause an
> +              ;; error message such as
> +              ;; find-files:
> +              ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
> +              ;; No such file or directory
> +              (find-files "." ".*\\.pem")))

Guile converts POSIX byte strings (e.g. file names) to strings using the
current locale encoding, but the default locale in our build environment
is "C" which means ASCII-only.  I would advocate using a UTF-8 locale for
all builds by default.

For now, I would try putting the following code at the beginning of your
custom 'install' phase:

--8<---------------cut here---------------start------------->8---
(setenv "LOCPATH" (getcwd))
(zero? (system* "localedef" "--no-archive" "--prefix" (getcwd)
                "-i" "en_US" "-f" "UTF-8" "./en_US.UTF-8"))
(setlocale LC_ALL "en_US.UTF-8")
--8<---------------cut here---------------end--------------->8---

Thanks!
      Mark
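Review bot: the exit status of (system* "certdata2pem.py" "certdata.txt") in the quoted 'install phase is discarded, so if the extraction script fails or is not on PATH the phase still succeeds and installs an empty or partial etc/ssl/certs, which is a silently broken trust store rather than a failed build; wrap it as (zero? (system* "certdata2pem.py" "certdata.txt")) (or raise an error when it is not zero) so the phase fails instead. A smaller point: find-files "." returns paths starting with "./" (visible in the FIXME's error message), so (string-append certsdir file) produces ".../certs/./foo.pem"; (basename file) gives a cleaner destination.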
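The extraction step in item 1) of the quoted series, as an added example that is not Andreas's certdata2pem.py: a minimal parser for NSS certdata.txt that emits PEM only for roots whose CKO_NSS_TRUST object marks them CKT_NSS_TRUSTED_DELEGATOR for server authentication, since the same file also lists explicitly distrusted certificates that must not end up in etc/ssl/certs. The sample input is constructed (its octal blobs are placeholders, not real DER certificates), and pairing certificate and trust objects by CKA_LABEL assumes one certificate per label.

```python
import base64, re
# Constructed certdata.txt fragment; the octal blobs are DER-shaped placeholders.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\\060\\003\\002\\001\\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\\060\\003\\002\\001\\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_objects(text):
    """One dict per CKA_CLASS block; MULTILINE_OCTAL attributes are decoded to bytes."""
    objects, key, octal = [], None, None
    for line in text.splitlines():
        if octal is not None:                  # inside a MULTILINE_OCTAL body
            octal.append(line)
            if line == "END":
                objects[-1][key] = bytes(
                    int(o, 8) for o in re.findall(r"\\(\d{3})", "".join(octal)))
                octal = None
        elif line.startswith("CKA_CLASS "):
            objects.append({"CKA_CLASS": line.split()[-1]})
        elif line.endswith(" MULTILINE_OCTAL"):
            key, octal = line.split()[0], []
        elif line.startswith("CKA_") and objects:
            key, _, value = line.split(" ", 2)
            objects[-1][key] = value.strip('"')
    return objects

def trusted_server_pems(text):
    """PEM for roots whose CKO_NSS_TRUST object (paired by label) trusts them for server auth."""
    objs = parse_objects(text)
    ok = {o["CKA_LABEL"] for o in objs if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
          and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    return {o["CKA_LABEL"]: "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
            % base64.encodebytes(o["CKA_VALUE"]).decode("ascii")
            for o in objs if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and o["CKA_LABEL"] in ok}
```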