From: Mark H Weaver <mhw@netris.org>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 12:26:52 -0500
Message-ID: <87h9urt50j.fsf@netris.org>
In-Reply-To: <20150210201452.GA15529@debian> (Andreas Enge's message of "Tue, 10 Feb 2015 21:14:52 +0100")
Andreas Enge <andreas@enge.fr> writes:
> The attached patch series
> 1) adds a (private) python script to extract single certificates in .pem
> format from a big textfile in mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
> in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;
Excellent, thanks very much! :)
> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.
>
> So if you do a
> guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.
>
> The search path definition means that we could have alternative root
> certificate packages (potentially one per certification authority) and that
> the user could install the ones he trusts.
Sounds good! It should be noted, however, that GnuTLS will currently
only use the certs in /etc/ssl/certs unless some application-specific
setting is provided. This will later be improved with the 'p11-kit'
solution.
> The patches currently are in a branch wip-certs. Suggestions are
> welcome.
Regarding this commit:
> From b703198b70850017c2ed5e3510790898a214b7bd Mon Sep 17 00:00:00 2001
> From: Andreas Enge <andreas@enge.fr>
> Date: Tue, 10 Feb 2015 19:55:53 +0000
> Subject: gnu: Add nss-certs, certificates extracted from nss
>
> * gnu/packages/certs.scm (nss-certs): New variable.
> ---
[...]
> + #:phases
> + (alist-cons-after
> + 'unpack 'install
> + (lambda _
> + (let ((certsdir (string-append %output "/etc/ssl/certs/")))
> + (mkdir-p certsdir)
> + (with-directory-excursion "nss/lib/ckfw/builtins/"
> + ;; extract single certificates from blob
> + (system* "certdata2pem.py" "certdata.txt")
> + ;; copy the .pem files into the output
> + (for-each
> + (lambda (file)
> + (copy-file file (string-append certsdir file)))
> + ;; FIXME: Some of the file names are UTF8 (?) and cause an
> + ;; error message such as
> + ;; find-files:
> + ;; ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
> + ;; No such file or directory
> + (find-files "." ".*\\.pem")))
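Review bot: the exit status of `(system* "certdata2pem.py" "certdata.txt")` is discarded, so if the script fails (not found on PATH, or aborting on a malformed entry) the phase goes on to copy whatever .pem files happen to exist and the build succeeds with an empty or partial trust store, which is the worst failure mode for a certificate package. Wrap the call as `(unless (zero? (system* "certdata2pem.py" "certdata.txt")) (error "certdata2pem.py failed"))`, and finish the phase with an explicit `#t` rather than the unspecified value that `for-each` returns, so the phase's success is stated rather than accidental.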
Guile converts POSIX byte strings (e.g. file names) to strings using
the current locale encoding, but the default locale in our build
environment is "C", which means ASCII-only.
I would advocate using a UTF-8 locale for all builds by default.
For now, I would try putting the following code at the beginning of your
custom 'install' phase:
--8<---------------cut here---------------start------------->8---
;; Compile a UTF-8 locale into the build tree and switch to it, so that
;; Guile can decode the non-ASCII file names returned by 'find-files'.
(setenv "LOCPATH" (getcwd))
(unless (zero? (system* "localedef" "--no-archive"
                        "--prefix" (getcwd) "-i" "en_US"
                        "-f" "UTF-8" "./en_US.UTF-8"))
  (error "localedef failed"))
(setlocale LC_ALL "en_US.UTF-8")
--8<---------------cut here---------------end--------------->8---
Thanks!
Mark
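The following is an added example, not Andreas's certdata2pem.py and not code from Guix, showing the extraction step the thread is about: parsing Mozilla's certdata.txt syntax, keeping only the CKO_CERTIFICATE objects whose CKO_NSS_TRUST partner marks them CKT_NSS_TRUSTED_DELEGATOR for server authentication, and writing each one as a PEM file. The sample input is constructed (its MULTILINE_OCTAL payloads are arbitrary bytes, not real certificates), matching certificate and trust objects on label plus serial is this example's own choice, and the LABEL:n.n.n.pem naming imitates the file name quoted in the FIXME above but is an assumption. The naming function emits pure-ASCII names on purpose, which sidesteps the "C" locale problem at the source regardless of how the build environment's locale is configured.

```python
import base64
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample in certdata.txt syntax (hypothetical content, not Mozilla's
# file).  Octal payloads are arbitrary bytes, not X.509 certificates; the first
# label deliberately contains non-ASCII letters to exercise the file naming.
SAMPLE_CERTDATA = r"""
# comment line, ignored by the parser
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Örnek Kök Sertifika"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\007
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012
\377\000\101\102
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Örnek Kök Sertifika"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\007
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Untrusted Example CA"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\011
END
CKA_VALUE MULTILINE_OCTAL
\060\060\060
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Untrusted Example CA"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\011
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

TRUSTED_ROOT = "CKT_NSS_TRUSTED_DELEGATOR"


def parse_objects(text: str) -> List[Dict[str, object]]:
    """Split certdata.txt into objects, one dict per blank-line-separated block.
    MULTILINE_OCTAL values become bytes, UTF8 values lose their quotes, and any
    other attribute keeps its raw value token (e.g. CKO_CERTIFICATE)."""
    objects: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line:                      # a blank line terminates an object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)       # attribute, type, optional value
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":      # \ooo escapes up to a line reading END
            raw = bytearray()
            for octal_line in lines:
                if octal_line.strip() == "END":
                    break
                raw.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal_line))
            current[attr] = bytes(raw)
        elif typ == "UTF8":
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2] if len(parts) > 2 else ""
    if current:
        objects.append(current)
    return objects


def trusted_server_roots(objects) -> List[Tuple[str, bytes, bytes]]:
    """Pair each CKO_CERTIFICATE with its CKO_NSS_TRUST object (matched on
    label + serial, an assumption of this example) and keep only the roots NSS
    trusts for TLS server authentication.  Returns (label, serial, der)."""
    trust = {(o["CKA_LABEL"], o["CKA_SERIAL_NUMBER"]): o.get("CKA_TRUST_SERVER_AUTH")
             for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    return [(o["CKA_LABEL"], o["CKA_SERIAL_NUMBER"], o["CKA_VALUE"])
            for o in objects
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE"
            and trust.get((o["CKA_LABEL"], o["CKA_SERIAL_NUMBER"])) == TRUSTED_ROOT]


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def ascii_file_name(label: str, serial: bytes) -> str:
    """Pure-ASCII, per-certificate unique name: sanitised label, ':' and the
    serial bytes joined by '.', in the LABEL:n.n.n.pem shape (assumed here)."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", label)
    return safe + ":" + ".".join(str(b) for b in serial) + ".pem"


def extract(certdata_text: str) -> Dict[str, str]:
    """Map ASCII file name -> PEM text for every trusted server root."""
    return {ascii_file_name(label, serial): to_pem(der)
            for label, serial, der in trusted_server_roots(parse_objects(certdata_text))}


def write_pem_files(certdata_text: str, outdir: str) -> List[str]:
    """Write one .pem file per trusted root into outdir; returns the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, pem in extract(certdata_text).items():
        path = os.path.join(outdir, name)
        with open(path, "w", encoding="ascii") as fh:   # name and body are ASCII
            fh.write(pem)
        paths.append(path)
    return sorted(paths)


if __name__ == "__main__":
    for path in write_pem_files(SAMPLE_CERTDATA, tempfile.mkdtemp(prefix="certs-")):
        print("wrote", path)
```

Run as a script it writes the single trusted root from the sample into a fresh temporary directory; the "Untrusted Example CA" object is parsed but dropped because its trust record says CKT_NSS_NOT_TRUSTED, which is the property a trust-store extractor must get right. Using label plus serial as the pairing key is enough for this sample; a production script would key on CKA_ISSUER plus CKA_SERIAL_NUMBER, the pair that actually identifies a certificate.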