[Buildroot] [PATCH v3] ca-certificates: new package

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v3] ca-certificates: new package
Date: Sun, 12 Jan 2014 00:48:53 +0100	[thread overview]
Message-ID: <20140111234853.GE3391@free.fr> (raw)
In-Reply-To: <1389368384-1332-1-git-send-email-martin@barkynet.com>

Martin, All,

On 2014-01-10 15:39 +0000, Martin Bark spake thusly:
[--SNIP--]
> diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
> new file mode 100644
> index 0000000..37ed746
> --- /dev/null
> +++ b/package/ca-certificates/ca-certificates.mk
> @@ -0,0 +1,37 @@
> +################################################################################
> +#
> +# ca-certificates
> +#
> +################################################################################
> +
> +CA_CERTIFICATES_VERSION = 20130906
> +CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> +CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20130907T154615Z/pool/main/c/ca-certificates

It's a pity we can't get that from a trusted channel (ie. https instead
of plain http). Sigh... :-(

I know we do not do that for the other packages, but I'd like that we
check the authenticity of that specific one. There's no point in adding
a security-related package that we can validate in the first place.

I'd suggest we do that with a _POST_DOWNLOAD_HOOKS, something like:

CA_CERTIFICATES_CHECKSUM = SHA1-hash
define CA_CERTIFICATES_VERIFY_CHECKSUM
    hash=$$( sha1sum $(DL_DIR)/$(CA_CERTIFICATES_SOURCE) |cut -d ' ' -f 1 )
    if [ ! $${hash} = $(CA_CERTIFICATES_CHECKSUM) ]; then
        printf "ERROR: $(CA_CERTIFICATES_SOURCE) has wrong SHA1\n"
        printf "ERROR: Maybe the download was MITMed\n"
        exit 1
    fi
endef
CA_CERTIFICATES_POST_DOWNLOAD_HOOKS += CA_CERTIFICATES_VERIFY_CHECKSUM

I don't know what others think of it. Peter, Thomas, others?

> +define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> +   $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
> +   $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> +   $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> +   rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> +
> +   #remove any existing certificates under /etc/ssl/certs

Usually, we add a space after the sharp symbol, and we start comments
with an uppercase letter, as for all sentences:
    # Remove any existing certificates under /etc/ssl/certs

> +   rm -f  $(TARGET_DIR)/etc/ssl/certs/*

[--SNIP--]
> +	#create symlinks to certificates under /etc/ssl/certs

Comment: ditto.

> +	cd $(TARGET_DIR) ;\
> +	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
> +		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
> +	done ;\

That last trailing  ';\' is unneeded. It works because you have a empty
line below.

> +	#create symlinks to the certificates by their hash values

Comment: ditto.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

next prev parent reply	other threads:[~2014-01-11 23:48 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-10 15:39 [Buildroot] [PATCH v3] ca-certificates: new package Martin Bark
2014-01-11 23:48 ` Yann E. MORIN [this message]
2014-01-12  8:38   ` Peter Korsgaard
2014-01-12 11:27     ` Yann E. MORIN
2014-01-12 18:23       ` Peter Korsgaard
2014-01-12 18:34         ` Yann E. MORIN
2014-01-12 19:19           ` Peter Korsgaard
2014-01-12 20:09             ` Yann E. MORIN
2014-01-12 20:32               ` Peter Korsgaard
2014-01-12 21:01                 ` Yann E. MORIN
2014-01-12 21:08                   ` Peter Korsgaard
2014-01-12 21:21               ` Bernd Kuhls
2014-01-12 21:38                 ` Yann E. MORIN
2014-01-14  7:13           ` Arnout Vandecappelle
2014-01-12 20:09 ` Peter Korsgaard
2014-01-12 20:39   ` Martin Bark

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140111234853.GE3391@free.fr \
    --to=yann.morin.1998@free.fr \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox