From: ludo@gnu.org (Ludovic Courtès)
Subject: /etc/ssl/certs and the certificate bundle
Date: Mon, 02 Mar 2015 23:12:40 +0100
Message-ID: <87zj7v2gmf.fsf_-_@gnu.org>
References: <87r3u7di49.fsf@netris.org> <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian> <87sie79km0.fsf@netris.org> <87mw441fdp.fsf@gnu.org> <87sidvhx0t.fsf@netris.org>
In-Reply-To: <87sidvhx0t.fsf@netris.org> (Mark H. Weaver's message of "Tue, 24 Feb 2015 15:31:14 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver skribis:
>>
>>> No, it's not worse than it was before. Sorry if I gave that impression.
>>> The only issue is that we might need to generate a single-file
>>> certificate bundle for now, because I haven't found a way to get 'git'
>>> to check certificates on GuixSD without a single-file cert bundle, at
>>> least not when curl is built with GnuTLS.
>>
>> It seems like adding this single-file bundle would be the simplest
>> short-term option. How would we create that file exactly?
>
> The single-file bundle is just a concatenation of all the individual PEM
> data, starting with "-----BEGIN CERTIFICATE-----" and ending with
> "-----END CERTIFICATE-----", including those delimiters.
>
> The only caveat is that the individual PEM files are not required to
> have a newline after the "-----END CERTIFICATE-----", but in the
> single-file cert bundle, we must ensure that the newline is present.
> See .

OK, I’ve implemented this for GuixSD in commit 993300f. Thanks to you
and Andreas for your help.

> In order to support multiple packages containing CA certs, it would be
> good to handle creation of the single-file cert bundle in the profile
> generation code, analogous to our handling of info "dir" files. This
> would allow us to create additional cert packages (e.g. one for
> CAcert.org).
>
> I think it belongs in the profile generation code for the benefit of
> users running Guix packages on top of another distro, where they might
> not have root access. They can simply set GIT_SSL_CAINFO and
> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>
> What do you think?

It’s a good but as of yet unimplemented idea.

Although I now realize we could perhaps simply move the
‘certificate-bundle’ procedure to (guix profile), add the certificate
package to the system profile, and make /etc/ssl a symlink to
/run/current-system/profile/etc/ssl.

However there’s the complication that all the files of ‘nss-certs’
would still be there in addition to the bundle. Hmm.

Thoughts?

Ludo’.
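The bundle construction Mark describes in the quoted text (concatenate every PEM file, and make sure each "-----END CERTIFICATE-----" is followed by a newline) can be demonstrated with a few lines of shell. The script below is an added example written for this archive page; it is not the `certificate-bundle` procedure from commit 993300f nor any other Guix code. The directory layout, the function names and the placeholder PEM bodies are constructed for the example and are not real certificates. The `count_certs` check shows why the newline matters: a naive `cat` glues the END marker of one file to the BEGIN marker of the next, so a line-oriented PEM reader sees fewer certificates than were supplied.

```shell
#!/bin/sh
# Added example: build a single-file CA bundle from a directory of PEM files
# and verify that every certificate survived the concatenation intact.

# Create a constructed input directory with two placeholder "certificates".
# a.pem deliberately lacks a trailing newline; b.pem has one.  The base64
# bodies are dummy text, not real certificate data.
make_sample_dir() {
  mkdir -p "$1/certs"
  printf '%s\n%s\n%s' \
    '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFB' '-----END CERTIFICATE-----' \
    > "$1/certs/a.pem"
  printf '%s\n%s\n%s\n' \
    '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJC' '-----END CERTIFICATE-----' \
    > "$1/certs/b.pem"
}

# make_bundle DIR OUT: concatenate DIR/*.pem into OUT, appending a newline
# after any file whose last byte is not already a newline.
make_bundle() {
  : > "$2"
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    cat "$f" >> "$2"
    # $(tail -c 1 FILE) is empty when the last byte is "\n" (command
    # substitution strips it); otherwise the file needs a separator.
    if [ -n "$(tail -c 1 "$f")" ]; then
      printf '\n' >> "$2"
    fi
  done
}

# count_certs FILE: number of certificates a line-oriented PEM parser would
# find, i.e. lines consisting solely of the BEGIN marker.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Stand-alone usage: build the sample, bundle it, and compare against a
# naive concatenation that ignores the newline caveat.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_sample_dir "$d"
  make_bundle "$d/certs" "$d/ca-certificates.crt"
  cat "$d/certs"/*.pem > "$d/naive.crt"
  echo "bundled: $(count_certs "$d/ca-certificates.crt") certs"
  echo "naive:   $(count_certs "$d/naive.crt") certs"
  rm -rf "$d"
fi
```

Run it as `sh bundle.sh demo`; the bundled file reports both certificates while the naive concatenation reports only one, because a.pem's END marker and b.pem's BEGIN marker ended up on a single line. The same `count_certs` comparison against the number of input files is a cheap sanity check to run after regenerating a bundle, before pointing `SSL_CERT_FILE` or `GIT_SSL_CAINFO` at it.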