unofficial mirror of guix-devel@gnu.org 
* TLS certificates for web browsers in guix environment --container
@ 2020-04-21 13:03 Pierre Neidhardt
  2020-04-21 15:45 ` John Soo
  0 siblings, 1 reply; 8+ messages in thread
From: Pierre Neidhardt @ 2020-04-21 13:03 UTC (permalink / raw)
  To: guix-devel

Hi!

I'd like to run browsers in `guix environment` which seems to be a good
idea! :)

IceCat has been discussed in the past.  Now I'd like to run
WebKitGTK-based browsers.

Let's try with Eolie for now, since it seems to have fewer issues than,
say, Epiphany.

--8<---------------cut here---------------start------------->8---
$ guix environment -C -N --expose=/etc/machine-id --expose=/etc/ssl/certs/ --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ --ad-hoc dbus eolie coreutils -- env DISPLAY=$DISPLAY SSL_CERT_DIR="$SSL_CERT_DIR" SSL_CERT_FILE="$SSL_CERT_FILE" eolie

(org.gnome.Eolie:1): Gtk-WARNING **: 12:50:06.747: Could not find the icon 'go-previous-symbolic-ltr'. The 'hicolor' theme
was not found either, perhaps you need to install it.
You can get a copy from:
	http://icon-theme.freedesktop.org/releases
[ERROR] 2020-04-21 12:50:07 DatabasePhishing::__save_rules():Expecting value: line 1 column 1 (char 0) -> b'error code: 1020'
[WARNING] 2020-04-21 12:50:08 TaskHelper::__on_request_send_async(): g-io-error-quark: Operation was cancelled (19)
[ERROR] 2020-04-21 12:50:08 DatabaseAdblock::__on_load_uri_content(): https://adaway.org/hosts.txt
--8<---------------cut here---------------end--------------->8---

It seems to work well except for TLS certificate validation.  I
guess the certificate files cannot be found in the container since they
can be found in a --pure environment:

--8<---------------cut here---------------start------------->8---
$ guix environment --pure --ad-hoc dbus eolie coreutils -- env DISPLAY=$DISPLAY eolie
--8<---------------cut here---------------end--------------->8---

so I presume the certificate errors are not due to my environment and
'bin/eolie' exports the right environment variables.

My guess is that webkitgtk, glib-networking, glib or gnutls tries to
fetch the certificates in a well-known location.

Any idea about this?

--
Pierre Neidhardt
https://ambrevar.xyz/

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-21 13:03 TLS certificates for web browsers in guix environment --container Pierre Neidhardt
@ 2020-04-21 15:45 ` John Soo
  2020-04-21 16:17   ` Pierre Neidhardt
  0 siblings, 1 reply; 8+ messages in thread
From: John Soo @ 2020-04-21 15:45 UTC (permalink / raw)
  To: Pierre Neidhardt; +Cc: guix-devel

Hi Pierre,

I think you need the nss-certs package in the environment, to start. Does adding them help?

- John

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-21 15:45 ` John Soo
@ 2020-04-21 16:17   ` Pierre Neidhardt
  2020-04-21 16:36     ` Leo Famulari
  0 siblings, 1 reply; 8+ messages in thread
From: Pierre Neidhardt @ 2020-04-21 16:17 UTC (permalink / raw)
  To: John Soo; +Cc: guix-devel

It works!

--8<---------------cut here---------------start------------->8---
guix environment -C -N --expose=/etc/machine-id --expose=/etc/ssl/certs/ \
  --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
  --ad-hoc dbus eolie coreutils nss-certs -- \
  env DISPLAY=$DISPLAY eolie
--8<---------------cut here---------------end--------------->8---

Note that the "--expose=/etc/ssl/certs/" is important.

Should we consider this a bug?  If not, then should we document
it?

Maybe this could be automated a bit.

--8<---------------cut here---------------start------------->8---
guix size webkitgtk glib-networking
--8<---------------cut here---------------end--------------->8---

does not return nss-certs.  So if we made nss-certs an input of
webkitgtk (or glib-networking?), we would not need nss-certs in the guix
environment invocation.

Finally, I'm not sure how to fix the /etc/ssl/certs issue.  Why do we
have to put it under /etc/ in the first place?

-- 
Pierre Neidhardt
https://ambrevar.xyz/

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-21 16:17   ` Pierre Neidhardt
@ 2020-04-21 16:36     ` Leo Famulari
  2020-04-21 20:50       ` Pierre Neidhardt
  0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2020-04-21 16:36 UTC (permalink / raw)
  To: Pierre Neidhardt; +Cc: guix-devel

On Tue, Apr 21, 2020 at 06:17:58PM +0200, Pierre Neidhardt wrote:
> Note that the "--expose=/etc/ssl/certs/" is important.
> 
> Should we consider this a bug?  If not, then should we document
> it?

No, it's not a bug.

TLS X.509 certificates need to be looked up dynamically at run-time,
because their validity depends on the current time. We need to be able
to change the certificates without requiring the packages that use them
to rebuild. Otherwise built packages would become obsolete just because
some time has passed.
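
A check that can be run inside the container to see what a TLS library would find at the certificate locations discussed in this thread (/etc/ssl/certs, SSL_CERT_DIR, SSL_CERT_FILE). It is an added example, not part of the original messages or of Guix; the function names and status words are hypothetical, and the "dangling" case assumes the exposed directory may hold symlinks whose targets are not present in the container.

```shell
#!/bin/sh
# Added example: classify a CA certificate directory as seen from inside a
# container. Function names and status words are hypothetical.

# ca_store_status DIR
# Prints one of:
#   missing   DIR does not exist (nothing exposed at that path)
#   empty     DIR exists but holds no entries
#   dangling  entries exist but none resolves to a readable file
#   ok        at least one entry resolves to a readable file
ca_store_status() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    total=0
    readable=0
    for entry in "$dir"/*; do
        # An unmatched glob stays literal; -L also catches broken symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        total=$((total + 1))
        # -f and -r follow symlinks, so a link with an absent target fails.
        if [ -f "$entry" ] && [ -r "$entry" ]; then
            readable=$((readable + 1))
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo empty
    elif [ "$readable" -eq 0 ]; then
        echo dangling
    else
        echo ok
    fi
}

# report_ca_locations
# Prints one "location: status" line for /etc/ssl/certs and, when set,
# for SSL_CERT_DIR and SSL_CERT_FILE.
report_ca_locations() {
    echo "/etc/ssl/certs: $(ca_store_status /etc/ssl/certs)"
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        echo "SSL_CERT_DIR=$SSL_CERT_DIR: $(ca_store_status "$SSL_CERT_DIR")"
    fi
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        if [ -r "$SSL_CERT_FILE" ]; then s=ok; else s=unreadable; fi
        echo "SSL_CERT_FILE=$SSL_CERT_FILE: $s"
    fi
}

report_ca_locations
```

Any status other than "ok" means certificate validation has nothing to work with at that location, whatever the environment variables say.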

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-21 16:36     ` Leo Famulari
@ 2020-04-21 20:50       ` Pierre Neidhardt
  2020-04-22  7:15         ` Konrad Hinsen
  2020-04-22 19:33         ` Leo Famulari
  0 siblings, 2 replies; 8+ messages in thread
From: Pierre Neidhardt @ 2020-04-21 20:50 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Makes sense, thank you for the details.

What about adding the above example to the manual page of `guix environment'??

-- 
Pierre Neidhardt
https://ambrevar.xyz/

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-21 20:50       ` Pierre Neidhardt
@ 2020-04-22  7:15         ` Konrad Hinsen
  2020-04-22 19:33         ` Leo Famulari
  1 sibling, 0 replies; 8+ messages in thread
From: Konrad Hinsen @ 2020-04-22  7:15 UTC (permalink / raw)
  To: Pierre Neidhardt, guix-devel

On 21/04/2020 22:50, Pierre Neidhardt wrote:
> Makes sense, thank you for the details.
>
> What about adding the above example to the manual page of `guix environment'??


Good idea. I suppose it's not just Web browsers that will need this. I 
remember occasional certificate problems when running scripts in 
containerized environments. Perhaps they were just using wget or curl. I 
was too lazy to explore this so I switched to --pure.


Cheers,

   Konrad

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-21 20:50       ` Pierre Neidhardt
  2020-04-22  7:15         ` Konrad Hinsen
@ 2020-04-22 19:33         ` Leo Famulari
  2020-05-03  9:19           ` Pierre Neidhardt
  1 sibling, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2020-04-22 19:33 UTC (permalink / raw)
  To: Pierre Neidhardt; +Cc: guix-devel

On Tue, Apr 21, 2020 at 10:50:09PM +0200, Pierre Neidhardt wrote:
> Makes sense, thank you for the details.
> 
> What about adding the above example to the manual page of `guix environment'??

Take a look at the existing docs on X.509 Certificates and see if we can
improve them or the documentation of `guix environment`.

https://guix.gnu.org/manual/en/html_node/Application-Setup.html#X_002e509-Certificates-1
https://guix.gnu.org/manual/en/html_node/X_002e509-Certificates.html#X_002e509-Certificates

* Re: TLS certificates for web browsers in guix environment --container
  2020-04-22 19:33         ` Leo Famulari
@ 2020-05-03  9:19           ` Pierre Neidhardt
  0 siblings, 0 replies; 8+ messages in thread
From: Pierre Neidhardt @ 2020-05-03  9:19 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

I've sent a patch: #41041.
