* [meta-virtualization] [PATCH] ca-certificates: Ensure changes only apply with the selected DISTRO_FEATURES
@ 2026-04-24  8:38 Richard Purdie
  2026-04-28 11:42 ` Bruce Ashfield
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Purdie @ 2026-04-24  8:38 UTC (permalink / raw)
  To: meta-virtualization

This fixes yocto-check-layer failures:

 ca-certificates:do_recipe_qa: 4d7b7adb7436eeb5714c354f3c590e7e69294ea044452343d24e64c92d5c040f -> c1676ce811efe714731b666ccd683586477f7a1b52ad7597148bd9d709291220
      List of dependencies for variable SRC_URI changed from 'frozenset({'PV', 'SRC_URI[sha256sum]', 'BPN'})' to 'frozenset({'SRC_URI[le-r11.sha256sum]', 'BPN', 'SRC_URI[le-e8.sha256sum]', 'PV', 'SRC_URI[sha256sum]'})'
      Variable SRC_URI value changed:
      @@ -1 +1,2 @@
      -${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz            file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch            file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch            file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
      +${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz            file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch            file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch            file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch             ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization',     'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0      https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0',     '', d)}
      +DISTRO_FEATURES{virtualization} = Unset

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../ca-certificates_%.bbappend                | 39 +------------------
 .../ca-certificates_virtualization.inc        | 38 ++++++++++++++++++
 2 files changed, 39 insertions(+), 38 deletions(-)
 create mode 100644 recipes-support/ca-certificates/ca-certificates_virtualization.inc

diff --git a/recipes-support/ca-certificates/ca-certificates_%.bbappend b/recipes-support/ca-certificates/ca-certificates_%.bbappend
index e659f1ed..617caccb 100644
--- a/recipes-support/ca-certificates/ca-certificates_%.bbappend
+++ b/recipes-support/ca-certificates/ca-certificates_%.bbappend
@@ -1,38 +1 @@
-# Install Let's Encrypt intermediate certificates (E8/ECDSA, R11/RSA).
-#
-# Only active when 'virtualization' is in DISTRO_FEATURES.
-#
-# Some container registries (e.g., registry.yocto.io) don't send the
-# full certificate chain. Go's TLS library (used by Docker, skopeo,
-# podman) cannot verify the server certificate without the intermediate,
-# even though the root CAs (ISRG Root X1/X2) are present.
-#
-# These intermediates are fetched at build time and installed alongside
-# the standard CA certificates. update-ca-certificates (run in
-# pkg_postinst) incorporates them into the system CA bundle.
-#
-# Source: https://letsencrypt.org/certificates/
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', \
-    'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 \
-     https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', \
-    '', d)}"
-SRC_URI[le-e8.sha256sum] = "f2c0dde62e2c90e6332fa55af79ed1a0c41329ad03ecf812bd89817a2fc340a9"
-SRC_URI[le-r11.sha256sum] = "6c06a45850f93aa6e31f9388f956379d8b4fb7ffca5211b9bab4ad159bdfb7b9"
-
-do_install:append () {
-    for pem in ${UNPACKDIR}/e8.pem ${UNPACKDIR}/r11.pem; do
-        if [ -f "$pem" ]; then
-            install -d ${D}${datadir}/ca-certificates/letsencrypt
-            # ca-certificates expects .crt extension
-            base=$(basename "$pem" .pem)
-            install -m 0644 "$pem" ${D}${datadir}/ca-certificates/letsencrypt/lets-encrypt-${base}.crt
-        fi
-    done
-
-    # Add to ca-certificates.conf so update-ca-certificates includes them
-    for crt in ${D}${datadir}/ca-certificates/letsencrypt/*.crt; do
-        [ -f "$crt" ] || continue
-        echo "letsencrypt/$(basename $crt)" >> ${D}${sysconfdir}/ca-certificates.conf
-    done
-}
+require ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', '${BPN}_virtualization.inc', '', d)}
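
Review bot: the single `require` line that now makes up ca-certificates_%.bbappend carries no comment, so a reader of the bbappend has no hint why the include is conditional. A short comment above it would help, saying that the .inc is only pulled in when 'virtualization' is in DISTRO_FEATURES so that SRC_URI and its variable dependencies stay unchanged for other configurations, which is the yocto-check-layer failure quoted in the commit message.
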
diff --git a/recipes-support/ca-certificates/ca-certificates_virtualization.inc b/recipes-support/ca-certificates/ca-certificates_virtualization.inc
new file mode 100644
index 00000000..e659f1ed
--- /dev/null
+++ b/recipes-support/ca-certificates/ca-certificates_virtualization.inc
@@ -0,0 +1,38 @@
+# Install Let's Encrypt intermediate certificates (E8/ECDSA, R11/RSA).
+#
+# Only active when 'virtualization' is in DISTRO_FEATURES.
+#
+# Some container registries (e.g., registry.yocto.io) don't send the
+# full certificate chain. Go's TLS library (used by Docker, skopeo,
+# podman) cannot verify the server certificate without the intermediate,
+# even though the root CAs (ISRG Root X1/X2) are present.
+#
+# These intermediates are fetched at build time and installed alongside
+# the standard CA certificates. update-ca-certificates (run in
+# pkg_postinst) incorporates them into the system CA bundle.
+#
+# Source: https://letsencrypt.org/certificates/
+
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', \
+    'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 \
+     https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', \
+    '', d)}"
+SRC_URI[le-e8.sha256sum] = "f2c0dde62e2c90e6332fa55af79ed1a0c41329ad03ecf812bd89817a2fc340a9"
+SRC_URI[le-r11.sha256sum] = "6c06a45850f93aa6e31f9388f956379d8b4fb7ffca5211b9bab4ad159bdfb7b9"
+
+do_install:append () {
+    for pem in ${UNPACKDIR}/e8.pem ${UNPACKDIR}/r11.pem; do
+        if [ -f "$pem" ]; then
+            install -d ${D}${datadir}/ca-certificates/letsencrypt
+            # ca-certificates expects .crt extension
+            base=$(basename "$pem" .pem)
+            install -m 0644 "$pem" ${D}${datadir}/ca-certificates/letsencrypt/lets-encrypt-${base}.crt
+        fi
+    done
+
+    # Add to ca-certificates.conf so update-ca-certificates includes them
+    for crt in ${D}${datadir}/ca-certificates/letsencrypt/*.crt; do
+        [ -f "$crt" ] || continue
+        echo "letsencrypt/$(basename $crt)" >> ${D}${sysconfdir}/ca-certificates.conf
+    done
+}
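
Review bot: the `bb.utils.contains('DISTRO_FEATURES', 'virtualization', ...)` wrapper around `SRC_URI +=` is redundant in this file, because the bbappend now only requires ca-certificates_virtualization.inc when that feature is set; the content was moved over unchanged (the new file's blob e659f1ed is the old bbappend's index). A plain `SRC_URI +=` listing the two letsencrypt.org URLs would leave a single gate instead of two, and the header line "Only active when 'virtualization' is in DISTRO_FEATURES" could then state that the gating lives in the bbappend. Separately, `$(basename $crt)` in the second loop leaves `$crt` unquoted while the first loop quotes `"$pem"`; quoting it would make the two loops consistent.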

