From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: Re: root certificate Date: Wed, 13 Jun 2018 17:25:56 -0400 Message-ID: <87d0wuv0nv.fsf@netris.org> References: <87y3flo3rc.fsf@santanas.co.za> Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:39746) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fTDIT-0003PV-Ou for help-guix@gnu.org; Wed, 13 Jun 2018 17:27:18 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fTDIP-0001u6-NW for help-guix@gnu.org; Wed, 13 Jun 2018 17:27:17 -0400 Received: from world.peace.net ([64.112.178.59]:36626) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fTDIP-0001tg-Ir for help-guix@gnu.org; Wed, 13 Jun 2018 17:27:13 -0400 In-Reply-To: <87y3flo3rc.fsf@santanas.co.za> (Divan Santana's message of "Mon, 11 Jun 2018 15:24:07 +0200") List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org Sender: "Help-Guix" To: Divan Santana Cc: help-guix@gnu.org Hi Divan, Divan Santana writes: > How does one import a root certificate for GuixSD? > > I didn't see it in the manual. You didn't see it because we don't yet have a polished way to do this, unfortunately. The good news is that we've already laid the groundwork for supporting local certificate stores. Our 'le-certs' package in gnu/packages/certs.scm is a good template for making custom certificate packages, and can be easily adapted to your needs. For now, you could simply make a copy of the 'le-certs' package, but with a different package name and different certificate inputs. Something like this (untested): --8<---------------cut here---------------start------------->8--- (define-public my-root-cert (package (name "my-root-cert") (version "0") (source #f) (build-system trivial-build-system) (arguments '(#:modules ((guix build utils)) #:builder (begin (use-modules (guix build utils)) (let ((root (assoc-ref %build-inputs "my-root-cert.pem")) (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs")) (openssl (assoc-ref %build-inputs "openssl")) (perl (assoc-ref %build-inputs "perl"))) (mkdir-p out) (copy-file cert (string-append out "/" (strip-store-file-name cert))) ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and ;; similar.) (chdir (string-append %output "/etc/ssl/certs")) (invoke (string-append perl "/bin/perl") (string-append openssl "/bin/c_rehash") "."))))) (native-inputs `(("openssl" ,openssl) ("perl" ,perl))) ;for 'c_rehash' (inputs `(("my-root-cert.pem" ,(origin (method url-fetch) (uri "https://example.com/certs/my-root-cert.pem") (sha256 (base32 "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee")))))) (home-page "https://example.com/certs/my-root-cert.pem") (synopsis "My self-signed root certificate") (description "This package provides my self-signed root certificate.") (license license:public-domain))) --8<---------------cut here---------------end--------------->8--- and then you would need to add this package to the 'packages' field of your OS configuration, and reconfigure your system. However, it would be good to provide a way to more easily create custom certificate packages from a set of .pem files, perhaps by changing the above package definition into a procedure that accepts a list of root certificates and dynamically creates a certificate package. If you'd like to work on this, I'd be glad to discuss it further. Regards, Mark