* [Buildroot] Updating trust store using update-ca-certificates
From: Sourabh Hegde @ 2023-02-17 16:15 UTC
To: buildroot

Hello,

I am trying to add a custom CA to the trust store. I have copied the CA
file to "/usr/local/share/ca-certificates/" in the rootfs_overlay, and it
also has a .crt extension. Now, after executing "make", the CA is not added
to the trust store in /etc/ssl/certs/ in the target. Anyway, it's installed
only in "/usr/local/share/ca-certificates/" in the target. I thought
"update-ca-certificates" would add this during the image build.

Can anyone please let me know what is missing here?

Thank you,
Sourabh

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Thomas Petazzoni via buildroot @ 2023-02-18 11:19 UTC
To: Sourabh Hegde; +Cc: buildroot

On Fri, 17 Feb 2023 17:15:39 +0100
Sourabh Hegde <hrsourabh011@gmail.com> wrote:

> I am trying to add a custom CA to the trust store. I have copied the CA
> file to "/usr/local/share/ca-certificates/" in the rootfs_overlay, and it
> also has a .crt extension. Now, after executing "make", the CA is not added
> to the trust store in /etc/ssl/certs/ in the target. Anyway, it's installed
> only in "/usr/local/share/ca-certificates/" in the target. I thought
> "update-ca-certificates" would add this during the image build.
> Can anyone please let me know what is missing here?

What makes you think update-ca-certificates is run during the build? I
don't remember Buildroot having anything that does this.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Sourabh Hegde @ 2023-02-18 12:54 UTC
To: Thomas Petazzoni; +Cc: buildroot

Hello Thomas,

Thanks for the update.

I was thinking the ca-certificates package would take care of this. Maybe I
was wrong.

So, how should we add a local CA to the trust store in the target?

On Sat, 18 Feb 2023 at 12:19, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> On Fri, 17 Feb 2023 17:15:39 +0100
> Sourabh Hegde <hrsourabh011@gmail.com> wrote:
>
> > I am trying to add a custom CA to the trust store. I have copied the CA
> > file to "/usr/local/share/ca-certificates/" in the rootfs_overlay, and it
> > also has a .crt extension. Now, after executing "make", the CA is not added
> > to the trust store in /etc/ssl/certs/ in the target. Anyway, it's installed
> > only in "/usr/local/share/ca-certificates/" in the target. I thought
> > "update-ca-certificates" would add this during the image build.
> > Can anyone please let me know what is missing here?
>
> What makes you think update-ca-certificates is run during the build? I
> don't remember Buildroot having anything that does this.
>
> Best regards,
>
> Thomas
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Thomas Petazzoni via buildroot @ 2023-02-18 13:19 UTC
To: Sourabh Hegde; +Cc: buildroot

Hello,

On Sat, 18 Feb 2023 13:54:15 +0100
Sourabh Hegde <hrsourabh011@gmail.com> wrote:

> Thanks for the update.
>
> I was thinking the ca-certificates package would take care of this. Maybe I
> was wrong.
>
> So, how should we add a local CA to the trust store in the target?

I am not sure as I'm not super familiar with that aspect. If what you
need to do is to call update-ca-certificates during the build, then we
could potentially build it for the host, and run it as a post-build
script. Of course, this assumes update-ca-certificates is capable of
doing its work on a root filesystem that isn't at the root.

Do you have more details about what needs to be done? With more
details, we could probably give some more useful hints.

Best regards,

Thomas Petazzoni
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Sourabh Hegde @ 2023-02-18 13:39 UTC
To: Thomas Petazzoni; +Cc: buildroot

Hi Thomas,

I want to add a local CA to the openssl trust store in my image. This CA
will be used by other applications in the target. As I read in other blogs,
the local CA needs to be in /usr/local/share/ca-certificates with a .crt
extension, and executing update-ca-certificates will add it to
/etc/ssl/certs/. But what I have noticed is that this is always done with
"sudo". So, do you think a post-build script can handle this? How about a
post-image script?

On Sat, Feb 18, 2023, 14:19 Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Hello,
>
> On Sat, 18 Feb 2023 13:54:15 +0100
> Sourabh Hegde <hrsourabh011@gmail.com> wrote:
>
> > Thanks for the update.
> >
> > I was thinking the ca-certificates package would take care of this. Maybe I
> > was wrong.
> >
> > So, how should we add a local CA to the trust store in the target?
>
> I am not sure as I'm not super familiar with that aspect. If what you
> need to do is to call update-ca-certificates during the build, then we
> could potentially build it for the host, and run it as a post-build
> script. Of course, this assumes update-ca-certificates is capable of
> doing its work on a root filesystem that isn't at the root.
>
> Do you have more details about what needs to be done? With more
> details, we could probably give some more useful hints.
>
> Best regards,
>
> Thomas Petazzoni
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Yann E. MORIN @ 2023-02-18 14:21 UTC
To: Thomas Petazzoni; +Cc: buildroot, Sourabh Hegde

Thomas, All,

On 2023-02-18 14:19 +0100, Thomas Petazzoni via buildroot spake thusly:
> On Sat, 18 Feb 2023 13:54:15 +0100
> Sourabh Hegde <hrsourabh011@gmail.com> wrote:
> > I was thinking the ca-certificates package would take care of this. Maybe I
> > was wrong.
> > So, how should we add a local CA to the trust store in the target?
> I am not sure as I'm not super familiar with that aspect. If what you
> need to do is to call update-ca-certificates during the build, then we
> could potentially build it for the host, and run it as a post-build
> script. Of course, this assumes update-ca-certificates is capable of
> doing its work on a root filesystem that isn't at the root.
>
> Do you have more details about what needs to be done? With more
> details, we could probably give some more useful hints.

I think we just need to split CA_CERTIFICATES_INSTALL_TARGET_CMDS in two:
one part to actually install the certificates provided by ca-certificates
itself, and the rest to update the CA store with all certificates, as a
target-finalize hook.

I.e. all that starts from "Remove any existing certificates under
/etc/ssl/certs" should be moved to a target-finalize hook.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Yann E. MORIN @ 2023-02-18 15:32 UTC
To: Thomas Petazzoni; +Cc: Sourabh Hegde, buildroot

Thomas, Sourabh, All,

On 2023-02-18 15:21 +0100, Yann E. MORIN spake thusly:
> On 2023-02-18 14:19 +0100, Thomas Petazzoni via buildroot spake thusly:
> > On Sat, 18 Feb 2023 13:54:15 +0100
> > Sourabh Hegde <hrsourabh011@gmail.com> wrote:
> > > I was thinking the ca-certificates package would take care of this. Maybe I
> > > was wrong.
> > > So, how should we add a local CA to the trust store in the target?
> > I am not sure as I'm not super familiar with that aspect. If what you
> > need to do is to call update-ca-certificates during the build, then we
> > could potentially build it for the host, and run it as a post-build
> > script. Of course, this assumes update-ca-certificates is capable of
> > doing its work on a root filesystem that isn't at the root.

No, update-ca-certificates does not know how to work out-of-tree, which
is the reason why we already need to handle it manually when we install
ca-certificates.

Also, we do remove update-ca-certificates on purpose from TARGET_DIR,
because it is not expected that we need/can regenerate the root bundle
on the target.

> > Do you have more details about what needs to be done? With more
> > details, we could probably give some more useful hints.
>
> I think we just need to split CA_CERTIFICATES_INSTALL_TARGET_CMDS in two:
> one part to actually install the certificates provided by ca-certificates
> itself, and the rest to update the CA store with all certificates, as a
> target-finalize hook.
>
> I.e. all that starts from "Remove any existing certificates under
> /etc/ssl/certs" should be moved to a target-finalize hook.

Basically, something along those lines (totally untested):
diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
index 0b6962ab7b..cc55d39957 100644
--- a/package/ca-certificates/ca-certificates.mk
+++ b/package/ca-certificates/ca-certificates.mk
@@ -20,7 +20,9 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
 	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
+endef
 
+define CA_CERTIFICATES_GEN_BUNDLE
 	# Remove any existing certificates under /etc/ssl/certs
 	rm -f $(TARGET_DIR)/etc/ssl/certs/*
 
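Review bot: this hunk moves the store regeneration into CA_CERTIFICATES_GEN_BUNDLE but neither it nor the next one touches the `find usr/share/ca-certificates` path, so a CA placed under usr/local/share/ca-certificates by a rootfs overlay (the case that started the thread) still never reaches /etc/ssl/certs even once the hook runs at target-finalize; the new define should scan that directory too, and it is worth confirming that TARGET_FINALIZE_HOOKS run after the overlay has been copied into TARGET_DIR, otherwise the hook only ever sees the package's own certificates. Also, `rm -f $(TARGET_DIR)/etc/ssl/certs/*` now executes at finalize, so anything another package or the overlay installed directly into /etc/ssl/certs is wiped; a one-line comment in the define stating that the directory is generated and must not be populated by hand would save the next person a surprise.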
@@ -30,14 +32,15 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
 		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
 		cat $$i ;\
-	done >$(@D)/ca-certificates.crt
+	done >$(BUILD_DIR)/ca-certificates.crt
 
 	# Create symlinks to the certificates by their hash values
 	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
 
 	# Install the certificates bundle
-	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
+	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
 		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
 endef
+CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE
 
 $(eval $(generic-package))

Sourabh, can you test and adapt that and report, please?

Regards,
Yann E. MORIN.
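Review bot: in the second hunk, `$(BUILD_DIR)/ca-certificates.crt` is the right kind of replacement for `$(@D)` (which has no package context inside a finalize hook), but the intermediate file is left at the top of BUILD_DIR after `$(INSTALL)` copies it; writing it under a package-specific subdirectory or removing it after the install keeps the build tree clean. The `cd $(TARGET_DIR) ;\` that precedes this `for` loop (unchanged context just above the hunk) now runs inside the hook as well, and the relative `../../../$$i` links only resolve because etc/ssl/certs sits exactly three levels below TARGET_DIR; a comment there would make the dependency explicit. `CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE` is correctly placed before `$(eval $(generic-package))`, which is where it has to stay.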
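The out-of-tree store regeneration that the CA_CERTIFICATES_GEN_BUNDLE hook above performs, written as a stand-alone POSIX shell script and extended to scan usr/local/share/ca-certificates as well, so that a CA dropped in by a rootfs overlay is picked up (added example, not Buildroot's or Yann's code; the script name, CERT_DIRS and the REHASH variable are assumptions):

```shell
#!/bin/sh
# gen-ca-bundle.sh: regenerate etc/ssl/certs inside a staged root filesystem
# (TARGET_DIR), the job the CA_CERTIFICATES_GEN_BUNDLE hook does in the thread,
# extended to also scan usr/local/share/ca-certificates so that a CA added
# through a rootfs overlay ends up in the store. Added example, not Buildroot
# code; the script name, CERT_DIRS and REHASH are assumptions.
set -eu

# Directories scanned for *.crt files, relative to TARGET_DIR. The second
# entry is where the original poster's overlay places the local CA.
CERT_DIRS="usr/share/ca-certificates usr/local/share/ca-certificates"

# c_rehash-style hash links are created when an openssl binary is available;
# REHASH=no skips them (the embedded test uses placeholder files, not certs).
REHASH="${REHASH:-auto}"

# gen_ca_bundle TARGET_DIR
# Rebuilds TARGET_DIR/etc/ssl/certs from scratch: one <name>.pem symlink per
# certificate, the concatenated ca-certificates.crt bundle, and hash links.
# Prints the number of certificates that went into the bundle.
gen_ca_bundle() {
    target="$1"
    certs="$target/etc/ssl/certs"
    work="$(mktemp -d)"
    bundle="$work/ca-certificates.crt"
    list="$work/certs.list"

    mkdir -p "$certs"
    # Start from an empty store: a CA removed from its source directory must
    # not survive as a stale link or a stale bundle entry.
    rm -f "$certs"/*

    # Collect paths relative to TARGET_DIR in C-locale order so the bundle
    # is byte-for-byte reproducible between builds.
    : > "$list"
    for dir in $CERT_DIRS; do
        if [ -d "$target/$dir" ]; then
            (cd "$target" && find "$dir" -type f -name '*.crt') >> "$list"
        fi
    done
    LC_COLLATE=C sort -o "$list" "$list"

    count=0
    : > "$bundle"
    while IFS= read -r crt; do
        name="$(basename "$crt" .crt)"
        # etc/ssl/certs is three levels below the root, so ../../../ reaches
        # TARGET_DIR now and / once the image is booted. A local CA with the
        # same basename as a bundled one silently replaces its .pem link.
        ln -sf "../../../$crt" "$certs/$name.pem"
        cat "$target/$crt" >> "$bundle"
        # Keep PEM blocks separated even if a file lacks a final newline.
        [ -z "$(tail -c 1 "$target/$crt")" ] || echo >> "$bundle"
        count=$((count + 1))
    done < "$list"

    cp "$bundle" "$certs/ca-certificates.crt"
    chmod 644 "$certs/ca-certificates.crt"
    rm -rf "$work"

    if [ "$REHASH" != no ] && command -v openssl >/dev/null 2>&1; then
        rehash_dir "$certs"
    fi
    echo "$count"
}

# rehash_dir CERTS_DIR
# What c_rehash does: link every .pem as <subject_hash>.<n>, where n
# distinguishes certificates that share a subject hash.
rehash_dir() {
    for pem in "$1"/*.pem; do
        [ -e "$pem" ] || continue
        hash="$(openssl x509 -noout -hash -in "$pem")"
        n=0
        while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
        ln -sf "$(basename "$pem")" "$1/$hash.$n"
    done
}

# Usage: gen-ca-bundle.sh TARGET_DIR
if [ "$#" -ge 1 ]; then
    gen_ca_bundle "$1"
fi
```

Run it against the staged root filesystem (for example output/target) only after the rootfs overlay has been copied in, otherwise the overlay's CA is not yet there to be found.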
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Sourabh Hegde @ 2023-02-18 15:56 UTC
To: Yann E. MORIN; +Cc: Thomas Petazzoni, buildroot

Hello Yann, All,

Thanks for the update.

Yes, I will try this patch and let you know.

> Also, we do remove update-ca-certificates on purpose from TARGET_DIR,
> because it is not expected that we need/can regenerate the root bundle
> on the target.

I am not sure if I understood this completely. I have a generic question:
what if someone wants to update the CA store on the target itself? Let's say
the local CA is already available on the target; then how can it be added to
the trust store with update-ca-certificates? Is it not a good option to
include "update-ca-certificates" in TARGET_DIR?

On Sat, 18 Feb 2023 at 16:32, Yann E. MORIN <yann.morin.1998@free.fr> wrote:

> Thomas, Sourabh, All,
>
> On 2023-02-18 15:21 +0100, Yann E. MORIN spake thusly:
> > On 2023-02-18 14:19 +0100, Thomas Petazzoni via buildroot spake thusly:
> > > On Sat, 18 Feb 2023 13:54:15 +0100
> > > Sourabh Hegde <hrsourabh011@gmail.com> wrote:
> > > > I was thinking the ca-certificates package would take care of this. Maybe I
> > > > was wrong.
> > > > So, how should we add a local CA to the trust store in the target?
> > > I am not sure as I'm not super familiar with that aspect. If what you
> > > need to do is to call update-ca-certificates during the build, then we
> > > could potentially build it for the host, and run it as a post-build
> > > script. Of course, this assumes update-ca-certificates is capable of
> > > doing its work on a root filesystem that isn't at the root.
>
> No, update-ca-certificates does not know how to work out-of-tree, which
> is the reason why we already need to handle it manually when we install
> ca-certificates.
>
> Also, we do remove update-ca-certificates on purpose from TARGET_DIR,
> because it is not expected that we need/can regenerate the root bundle
> on the target.
>
> > > Do you have more details about what needs to be done? With more
> > > details, we could probably give some more useful hints.
> >
> > I think we just need to split CA_CERTIFICATES_INSTALL_TARGET_CMDS in two:
> > one part to actually install the certificates provided by ca-certificates
> > itself, and the rest to update the CA store with all certificates, as a
> > target-finalize hook.
> >
> > I.e. all that starts from "Remove any existing certificates under
> > /etc/ssl/certs" should be moved to a target-finalize hook.
>
> Basically, something along those lines (totally untested):
>
> diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
> index 0b6962ab7b..cc55d39957 100644
> --- a/package/ca-certificates/ca-certificates.mk
> +++ b/package/ca-certificates/ca-certificates.mk
> @@ -20,7 +20,9 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
>  	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
>  	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
>  	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> +endef
>  
> +define CA_CERTIFICATES_GEN_BUNDLE
>  	# Remove any existing certificates under /etc/ssl/certs
>  	rm -f $(TARGET_DIR)/etc/ssl/certs/*
>  
> @@ -30,14 +32,15 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
>  	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
>  		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
>  		cat $$i ;\
> -	done >$(@D)/ca-certificates.crt
> +	done >$(BUILD_DIR)/ca-certificates.crt
>  
>  	# Create symlinks to the certificates by their hash values
>  	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
>  
>  	# Install the certificates bundle
> -	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
> +	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
>  		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
>  endef
> +CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE
>  
>  $(eval $(generic-package))
>
> Sourabh, can you test and adapt that and report, please?
>
> Regards,
> Yann E. MORIN.
* Re: [Buildroot] Updating trust store using update-ca-certificates
From: Sourabh Hegde @ 2023-02-18 17:00 UTC
To: Yann E. MORIN; +Cc: Thomas Petazzoni, buildroot

Hello Yann,

I am trying to apply the patch. I am doing the below steps:

1. Modified the ca-certificates.mk to include the changes. Also attached to
   this mail. Could you please verify the changes?
2. Generated the patch file using "diff -u "old_file" "new_file" > file.patch".
   Placed the patch file in the /buildroot/package/ca-certificates/ dir.

0002-ca-certificates-add_local_CAs.patch
+++ ca-certificates.mk	2023-02-18 14:13:13.181814043 +0000
@@ -20,24 +20,29 @@
 	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
 	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
+endef
 
+define CA_CERTIFICATES_GEN_BUNDLE
 	# Remove any existing certificates under /etc/ssl/certs
 	rm -f $(TARGET_DIR)/etc/ssl/certs/*
+endef
 
 	# Create symlinks to certificates under /etc/ssl/certs
 	# and generate the bundle
 	cd $(TARGET_DIR) ;\
+define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
 		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
 		cat $$i ;\
-	done >$(@D)/ca-certificates.crt
+	done >$(BUILD_DIR)/ca-certificates.crt
 
 	# Create symlinks to the certificates by their hash values
 	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
 
 	# Install the certificates bundle
-	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
+	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
 		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
 endef
+CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE
 
 $(eval $(generic-package))

3. Trying to rebuild the package:
   make ca-certificates-dirclean
   make

But the patch is not applied. I am getting the below error:

Applying 0002-ca-certificates-add_local_CAs.patch using patch:
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?

Can you please let me know what I am doing wrong here?

Thank you.

On Sat, 18 Feb 2023 at 16:56, Sourabh Hegde <hrsourabh011@gmail.com> wrote:

> Hello Yann, All,
>
> Thanks for the update.
>
> Yes, I will try this patch and let you know.
>
> > Also, we do remove update-ca-certificates on purpose from TARGET_DIR,
> > because it is not expected that we need/can regenerate the root bundle
> > on the target.
>
> I am not sure if I understood this completely. I have a generic question:
> what if someone wants to update the CA store on the target itself? Let's say
> the local CA is already available on the target; then how can it be added to
> the trust store with update-ca-certificates? Is it not a good option to
> include "update-ca-certificates" in TARGET_DIR?
>
> On Sat, 18 Feb 2023 at 16:32, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> > Thomas, Sourabh, All,
> >
> > On 2023-02-18 15:21 +0100, Yann E. MORIN spake thusly:
> > > On 2023-02-18 14:19 +0100, Thomas Petazzoni via buildroot spake thusly:
> > > > On Sat, 18 Feb 2023 13:54:15 +0100
> > > > Sourabh Hegde <hrsourabh011@gmail.com> wrote:
> > > > > I was thinking the ca-certificates package would take care of this. Maybe I
> > > > > was wrong.
> > > > > So, how should we add a local CA to the trust store in the target?
> > > > I am not sure as I'm not super familiar with that aspect. If what you
> > > > need to do is to call update-ca-certificates during the build, then we
> > > > could potentially build it for the host, and run it as a post-build
> > > > script. Of course, this assumes update-ca-certificates is capable of
> > > > doing its work on a root filesystem that isn't at the root.
> >
> > No, update-ca-certificates does not know how to work out-of-tree, which
> > is the reason why we already need to handle it manually when we install
> > ca-certificates.
> >
> > Also, we do remove update-ca-certificates on purpose from TARGET_DIR,
> > because it is not expected that we need/can regenerate the root bundle
> > on the target.
> >
> > > > Do you have more details about what needs to be done? With more
> > > > details, we could probably give some more useful hints.
> > >
> > > I think we just need to split CA_CERTIFICATES_INSTALL_TARGET_CMDS in two:
> > > one part to actually install the certificates provided by ca-certificates
> > > itself, and the rest to update the CA store with all certificates, as a
> > > target-finalize hook.
> > >
> > > I.e. all that starts from "Remove any existing certificates under
> > > /etc/ssl/certs" should be moved to a target-finalize hook.
> >
> > Basically, something along those lines (totally untested):
> >
> > diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
> > index 0b6962ab7b..cc55d39957 100644
> > --- a/package/ca-certificates/ca-certificates.mk
> > +++ b/package/ca-certificates/ca-certificates.mk
> > @@ -20,7 +20,9 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> >  	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> >  	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> >  	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> > +endef
> >  
> > +define CA_CERTIFICATES_GEN_BUNDLE
> >  	# Remove any existing certificates under /etc/ssl/certs
> >  	rm -f $(TARGET_DIR)/etc/ssl/certs/*
> >  
> > @@ -30,14 +32,15 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> >  	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
> >  		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
> >  		cat $$i ;\
> > -	done >$(@D)/ca-certificates.crt
> > +	done >$(BUILD_DIR)/ca-certificates.crt
> >  
> >  	# Create symlinks to the certificates by their hash values
> >  	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
> >  
> >  	# Install the certificates bundle
> > -	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
> > +	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
> >  		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
> >  endef
> > +CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE
> >  
> >  $(eval $(generic-package))
> >
> > Sourabh, can you test and adapt that and report, please?
> >
> > Regards,
> > Yann E. MORIN.

[-- Attachment #2: ca-certificates.mk --]

################################################################################
#
# ca-certificates
#
################################################################################

CA_CERTIFICATES_VERSION = 20211016
CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.xz
CA_CERTIFICATES_SITE = https://snapshot.debian.org/archive/debian/20211022T144903Z/pool/main/c/ca-certificates
CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python3
CA_CERTIFICATES_LICENSE = GPL-2.0+ (script), MPL-2.0 (data)
CA_CERTIFICATES_LICENSE_FILES = debian/copyright

define CA_CERTIFICATES_BUILD_CMDS
	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) clean all
endef

define CA_CERTIFICATES_INSTALL_TARGET_CMDS
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
endef

define CA_CERTIFICATES_GEN_BUNDLE
	# Remove any existing certificates under /etc/ssl/certs
	rm -f $(TARGET_DIR)/etc/ssl/certs/*
endef

	# Create symlinks to certificates under /etc/ssl/certs
	# and generate the bundle
	cd $(TARGET_DIR) ;\
define CA_CERTIFICATES_INSTALL_TARGET_CMDS
	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
		cat $$i ;\
	done >$(BUILD_DIR)/ca-certificates.crt

	# Create symlinks to the certificates by their hash values
	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs

	# Install the certificates bundle
	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
endef
CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE

$(eval $(generic-package))
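Review bot: in the 0002-ca-certificates-add_local_CAs.patch hunk (and identically in the attached ca-certificates.mk) the added `+endef` and `+define CA_CERTIFICATES_INSTALL_TARGET_CMDS` lines sit in the wrong places: the `+endef` directly after `rm -f $(TARGET_DIR)/etc/ssl/certs/*` closes CA_CERTIFICATES_GEN_BUNDLE after only the removal, the following `cd $(TARGET_DIR) ;\` is then outside any define and make will reject a tab-indented recipe line that belongs to no rule, and the `define CA_CERTIFICATES_INSTALL_TARGET_CMDS` inserted before the `for` loop defines the install macro a second time, so the symlink, bundle and c_rehash steps run at install time again instead of in the finalize hook. Compare Yann's layout: a single `+endef` after `rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates`, then `+define CA_CERTIFICATES_GEN_BUNDLE` covering everything down to the original `endef`. Separately, the patch carries only `+++ ca-certificates.mk` with no matching `---` line or `a/`/`b/` path prefix, and a *.patch placed in package/ca-certificates/ is applied to the extracted package sources, not to Buildroot's own .mk file, which is why patch reports 'can't find file to patch at input line 3'; the .mk change belongs directly in the Buildroot tree (or in a package of a br2-external tree), not in a package patch.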
* Re: [Buildroot] Updating trust store using update-ca-certificates 2023-02-18 17:00 ` Sourabh Hegde @ 2023-02-19 12:53 ` Sourabh Hegde 2023-02-19 13:17 ` Yann E. MORIN 0 siblings, 1 reply; 12+ messages in thread From: Sourabh Hegde @ 2023-02-19 12:53 UTC (permalink / raw) To: Yann E. MORIN; +Cc: Thomas Petazzoni, buildroot [-- Attachment #1.1: Type: text/plain, Size: 7560 bytes --] Hello Yann, All, Applying 0002-ca-certificates-add_local_CAs.patch using patch: > can't find file to patch at input line 3 > I think the issue is during build, the ca-certificates.mk is not available in the output/build/ca-certificates/ dir. Only Makefile and ca-certificates.crt file is present. So how can I patch the makefile? On Sat, 18 Feb 2023 at 18:00, Sourabh Hegde <hrsourabh011@gmail.com> wrote: > Hello Yann, > > I am trying to apply the patch. I am doing below steps: > > 1. modified the ca-certificates.mk to include changes. Also attached in > this mail. Could you please verify the changes? > 2. Generated patch file using "diff -u "old_file" "new_file" > > file.patch". Placed the patch file in /buildroot/package/ca-certificates/ > dir > 0002-ca-certificates-add_local_CAs.patch > +++ ca-certificates.mk 2023-02-18 14:13:13.181814043 +0000 
> @@ -20,24 +20,29 @@ > $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs > $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install > DESTDIR=$(TARGET_DIR) > rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates > +endef > > +define CA_CERTIFICATES_GEN_BUNDLE > # Remove any existing certificates under /etc/ssl/certs > rm -f $(TARGET_DIR)/etc/ssl/certs/* > +endef > > # Create symlinks to certificates under /etc/ssl/certs > # and generate the bundle > cd $(TARGET_DIR) ;\ > +define CA_CERTIFICATES_INSTALL_TARGET_CMDS > for i in `find usr/share/ca-certificates -name "*.crt" | > LC_COLLATE=C sort` ; do \ > ln -sf ../../../$$i etc/ssl/certs/`basename $${i} > .crt`.pem ;\ > cat $$i ;\ > - done >$(@D)/ca-certificates.crt > + done >$(BUILD_DIR)/ca-certificates.crt > > # Create symlinks to the certificates by their hash values > $(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs > > # Install the certificates bundle > - $(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \ > + $(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \ > $(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt > endef > +CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE > > $(eval $(generic-package)) > > 3. Trying to rebuild the package: > make ca-certificates-dirclean > make > > But, the patch is not applied. Getting below error: > Applying 0002-ca-certificates-add_local_CAs.patch using patch: > can't find file to patch at input line 3 > Perhaps you used the wrong -p or --strip option? > > Can you please let me know what am I doing wrong here? > > Thank you. > > On Sat, 18 Feb 2023 at 16:56, Sourabh Hegde <hrsourabh011@gmail.com> > wrote: > >> Hello Yann, All, >> >> Thanks for the update. >> >> Yes, I will try this patch and let you know. >> >> Also, we do remove update-ca-certificates on purpose from TARGET_DIR, >>> because it is not expected that we need/can regenerate the root bundle >>> on the target. >>> >> >> I am not sure if I understood this completely. 
I have a generic question: >> What if someone wants to update castore on the target itself. Let's say if >> the local CA is already available on the target then how can it be added to >> the trust store with update-ca-certificates? Is it not a good option to >> include "update-ca-certificates" in TARGET_DIR? >> >> On Sat, 18 Feb 2023 at 16:32, Yann E. MORIN <yann.morin.1998@free.fr> >> wrote: >> >>> Thomas, Sourabh, All, >>> >>> On 2023-02-18 15:21 +0100, Yann E. MORIN spake thusly: >>> > On 2023-02-18 14:19 +0100, Thomas Petazzoni via buildroot spake thusly: >>> > > On Sat, 18 Feb 2023 13:54:15 +0100 >>> > > Sourabh Hegde <hrsourabh011@gmail.com> wrote: >>> > > > I was thinking the ca-certificates package will take care of this. >>> Maybe I >>> > > > was wrong. >>> > > > So, how should we add local CA to the trust store in the target? >>> > > I am not sure as I'm not super familiar with that aspect. If what you >>> > > need to do is to call update-ca-certificates during the build, then >>> we >>> > > could potentially build it for the host, and run it as a post-build >>> > > script. Of course, this assumes update-ca-certificates is capable of >>> > > doing its work on a root filesystem that isn't at the root. >>> >>> No, update-ca-certificates does not know how to work out-of-tree, which >>> is the reason why we already need to handle it manually when we install >>> ca-certificates. >>> >>> Also, we do remove update-ca-certificates on purpose from TARGET_DIR, >>> because it is not expected that we need/can regenerate the root bundle >>> on the target. >>> >>> > > Do you have more details about what needs to be done? With more >>> > > details, we could probably give some more useful hints. >>> > >>> > I think we just need to split CA_CERTIFICATES_INSTALL_TARGET_CMDS in >>> two: >>> > one part to actually instll the certifcates provided by ca-certificates >>> > itself, and the rest to update the castore with all certificate, as a >>> > target-finalize hook. 
>>> > >>> > I.e. all that starts from "Remove any existing certificates under >>> > /etc/ssl/certs" should be moved to a target-finalize hook. >>> >>> Basically, something around those lines (totally untested): >>> >>> diff --git a/package/ca-certificates/ca-certificates.mk >>> b/package/ca-certificates/ca-certificates.mk >>> index 0b6962ab7b..cc55d39957 100644 >>> --- a/package/ca-certificates/ca-certificates.mk >>> +++ b/package/ca-certificates/ca-certificates.mk >>> @@ -20,7 +20,9 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS >>> $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs >>> $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR) >>> rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates >>> +endef >>> >>> +define CA_CERTIFICATES_GEN_BUNDLE >>> # Remove any existing certificates under /etc/ssl/certs >>> rm -f $(TARGET_DIR)/etc/ssl/certs/* 
>>> >>> @@ -30,14 +32,15 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS >>> for i in `find usr/share/ca-certificates -name "*.crt" | >>> LC_COLLATE=C sort` ; do \ >>> ln -sf ../../../$$i etc/ssl/certs/`basename $${i} >>> .crt`.pem ;\ >>> cat $$i ;\ >>> - done >$(@D)/ca-certificates.crt >>> + done >$(BUILD_DIR)/ca-certificates.crt >>> >>> # Create symlinks to the certificates by their hash values >>> $(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs >>> >>> # Install the certificates bundle >>> - $(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \ >>> + $(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \ >>> $(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt >>> endef >>> +CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE >>> >>> $(eval $(generic-package)) >>> >>> Sourabh, can you test and adapt that and report, please? >>> >>> Regards, >>> Yann E. MORIN. >>> >>> -- >>> >>> .-----------------.--------------------.------------------.--------------------. >>> | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' >>> conspiracy: | >>> | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ >>> | >>> | +33 561 099 427 `------------.-------: X AGAINST | \e/ There >>> is no | >>> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v >>> conspiracy. | >>> >>> '------------------------------^-------^------------------^--------------------' >>> >> [-- Attachment #1.2: Type: text/html, Size: 10105 bytes --] [-- Attachment #2: Type: text/plain, Size: 150 bytes --] _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 12+ messages in thread
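Review bot: in the `@@ -20,7 +20,9 @@` hunk, once `+endef` / `+define CA_CERTIFICATES_GEN_BUNDLE` move the `rm -f $(TARGET_DIR)/etc/ssl/certs/*` that follows into a target-finalize hook, that removal runs after every package and the rootfs overlay have been installed, so any certificate or symlink that another package or the overlay placed directly in /etc/ssl/certs is wiped before the bundle is regenerated. A comment in the new define saying that /etc/ssl/certs is rebuilt from scratch at finalize, and that extra CAs have to live under a ca-certificates source directory instead, would save the next reader from that surprise.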
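Review bot: in the `@@ -30,14 +32,15 @@` hunk the context line `find usr/share/ca-certificates -name "*.crt"` still ignores usr/local/share/ca-certificates, which is where the original question put the custom CA via the rootfs overlay, so moving the generation to a finalize hook alone does not pick that CA up; add the directory to the find rather than replacing the path, e.g. `find usr/share/ca-certificates usr/local/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort`. The `$(@D)` to `$(BUILD_DIR)` change is needed because `$(@D)` is the directory of the current make target, which inside a target-finalize hook is no longer the package build directory; keeping `>$(BUILD_DIR)/ca-certificates.crt` (truncate, not append) is also what keeps repeated `make` runs from growing the bundle with duplicate entries.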
* Re: [Buildroot] Updating trust store using update-ca-certificates
  2023-02-19 12:53 ` Sourabh Hegde
@ 2023-02-19 13:17 ` Yann E. MORIN
  2023-02-20 10:10 ` Sourabh Hegde
  0 siblings, 1 reply; 12+ messages in thread
From: Yann E. MORIN @ 2023-02-19 13:17 UTC (permalink / raw)
To: Sourabh Hegde; +Cc: Thomas Petazzoni, buildroot

Sourabh, All,

On 2023-02-19 13:53 +0100, Sourabh Hegde spake thusly:
> I think the issue is during build, the [1]ca-certificates.mk is not available in the output/build/ca-certificates/ dir. Only
> Makefile and ca-certificates.crt file is present.
> So how can I patch the makefile?

This is a patch against Buildroot itself. Apply it to Buildroot.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] Updating trust store using update-ca-certificates
  2023-02-19 13:17 ` Yann E. MORIN
@ 2023-02-20 10:10 ` Sourabh Hegde
  0 siblings, 0 replies; 12+ messages in thread
From: Sourabh Hegde @ 2023-02-20 10:10 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: Thomas Petazzoni, buildroot

Hi Yann, All,

Yes, will do it. I am testing it now.

New changes:

define CA_CERTIFICATES_GEN_BUNDLE
	# Create symlinks to certificates under /etc/ssl/certs
	# and generate the bundle
	cd $(TARGET_DIR) ;\
	for i in `find usr/local/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
		cat $$i ;\
	done >>$(BUILD_DIR)/ca-certificates.crt

	# Create symlinks to the certificates by their hash values
	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs

	# Install the certificates bundle
	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
endef

So, after "make" the new local CA is added to the trust store. So far so good.

But now I did "make clean" and "make". And no certificates are installed! Even the default certificates (from mozilla) are not installed. I couldn't find /usr/share/ca-certificates in the target.

Any idea why this is happening?

On Sun, 19 Feb 2023 at 14:17, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> Sourabh, All,
>
> On 2023-02-19 13:53 +0100, Sourabh Hegde spake thusly:
> > I think the issue is during build, the [1]ca-certificates.mk is not
> > available in the output/build/ca-certificates/ dir. Only
> > Makefile and ca-certificates.crt file is present.
> > So how can I patch the makefile?
>
> This is a patch against Buildroot itself. Apply it to Buildroot.
>
> Regards,
> Yann E. MORIN.
>
> --
> .-----------------.--------------------.------------------.--------------------.
> | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
> | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
> '------------------------------^-------^------------------^--------------------'

[-- Attachment #2: ca-certificates.mk --]

################################################################################
#
# ca-certificates
#
################################################################################

CA_CERTIFICATES_VERSION = 20211016
CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.xz
CA_CERTIFICATES_SITE = https://snapshot.debian.org/archive/debian/20211022T144903Z/pool/main/c/ca-certificates
CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python3
CA_CERTIFICATES_LICENSE = GPL-2.0+ (script), MPL-2.0 (data)
CA_CERTIFICATES_LICENSE_FILES = debian/copyright

define CA_CERTIFICATES_BUILD_CMDS
	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) clean all
endef

define CA_CERTIFICATES_INSTALL_TARGET_CMDS
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
endef

define CA_CERTIFICATES_GEN_BUNDLE
	# Create symlinks to certificates under /etc/ssl/certs
	# and generate the bundle
	cd $(TARGET_DIR) ;\
	for i in `find usr/local/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
		cat $$i ;\
	done >>$(BUILD_DIR)/ca-certificates.crt

	# Create symlinks to the certificates by their hash values
	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs

	# Install the certificates bundle
	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
endef

define CA_CERTIFICATES_INSTALL_TARGET_CMDS
	# Remove any existing certificates under /etc/ssl/certs
	rm -f $(TARGET_DIR)/etc/ssl/certs/*

	# Create symlinks to certificates under /etc/ssl/certs
	# and generate the bundle
	cd $(TARGET_DIR) ;\
	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
		cat $$i ;\
	done >$(BUILD_DIR)/ca-certificates.crt

	# Create symlinks to the certificates by their hash values
	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs

	# Install the certificates bundle
	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
endef

CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE

$(eval $(generic-package))
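The out-of-tree regeneration that CA_CERTIFICATES_GEN_BUNDLE performs, as an added POSIX sh example (my own, not Buildroot's or Sourabh's code): it searches both usr/share/ca-certificates and usr/local/share/ca-certificates, truncates the bundle so a re-run stays idempotent (the `>>` in the attachment above appends to a $(BUILD_DIR) file that survives between runs), and checks that a local CA really ended up in the bundle. It assumes a staging rootfs directory in place of $(TARGET_DIR), uses constructed placeholder PEM blocks rather than real certificates, and leaves the c_rehash step as a comment so it runs without OpenSSL.

```shell
#!/bin/sh
# Added example (not Buildroot's ca-certificates.mk): regenerate the trust
# store of a staging rootfs out-of-tree, as CA_CERTIFICATES_GEN_BUNDLE does,
# but covering usr/local/share/ca-certificates too and truncating the bundle.
set -eu

# gen_bundle ROOT: ROOT plays the role of Buildroot's $(TARGET_DIR).
gen_bundle() {
    root=$1
    bundle=$root/etc/ssl/certs/ca-certificates.crt
    mkdir -p "$root/etc/ssl/certs"
    # Drop stale .pem symlinks from an earlier run, then start an empty
    # bundle: '>' truncates, whereas '>>' would grow it on every run.
    find "$root/etc/ssl/certs" -type l -exec rm -f {} +
    : > "$bundle"
    # LC_COLLATE=C keeps the bundle order reproducible across builds;
    # a missing usr/local/share/ca-certificates is simply ignored.
    ( cd "$root" && find usr/share/ca-certificates \
          usr/local/share/ca-certificates -name '*.crt' 2>/dev/null \
      | LC_COLLATE=C sort ) |
    while read -r crt; do
        ln -sf "../../../$crt" "$root/etc/ssl/certs/$(basename "$crt" .crt).pem"
        cat "$root/$crt" >> "$bundle"
    done
    # A real build would now run c_rehash (or "openssl rehash") on
    # $root/etc/ssl/certs; skipped so this runs without OpenSSL.
}

# count_bundle_certs ROOT: number of PEM blocks in the installed bundle.
count_bundle_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1/etc/ssl/certs/ca-certificates.crt"
}

# bundle_has_cert ROOT CRT: did this .crt really end up in the bundle?
bundle_has_cert() {
    grep -qF -e "$(sed -n 2p "$2")" "$1/etc/ssl/certs/ca-certificates.crt"
}

# write_fake_cert PATH BODY: constructed placeholder PEM block, not a real CA.
write_fake_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' > "$1"
}

# Demo on a constructed rootfs: one Mozilla-style root plus one local CA.
demo=$(mktemp -d)
mkdir -p "$demo/usr/share/ca-certificates/mozilla" "$demo/usr/local/share/ca-certificates"
write_fake_cert "$demo/usr/share/ca-certificates/mozilla/Example_Root.crt" EXAMPLE-ROOT
write_fake_cert "$demo/usr/local/share/ca-certificates/my-local-ca.crt" MY-LOCAL-CA
gen_bundle "$demo"; gen_bundle "$demo"    # the second run must not duplicate
echo "certificates in bundle: $(count_bundle_certs "$demo")"   # prints 2
```

Note also that the attachment defines CA_CERTIFICATES_INSTALL_TARGET_CMDS twice; GNU make keeps the later definition, so the `$(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)` step of the first one never runs, which matches the missing /usr/share/ca-certificates seen after `make clean`.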
end of thread, other threads:[~2023-02-20 10:10 UTC | newest]

Thread overview: 12+ messages
2023-02-17 16:15 [Buildroot] Updating trust store using update-ca-certificates Sourabh Hegde
2023-02-18 11:19 ` Thomas Petazzoni via buildroot
2023-02-18 12:54 ` Sourabh Hegde
2023-02-18 13:19 ` Thomas Petazzoni via buildroot
2023-02-18 13:39 ` Sourabh Hegde
2023-02-18 14:21 ` Yann E. MORIN
2023-02-18 15:32 ` Yann E. MORIN
2023-02-18 15:56 ` Sourabh Hegde
2023-02-18 17:00 ` Sourabh Hegde
2023-02-19 12:53 ` Sourabh Hegde
2023-02-19 13:17 ` Yann E. MORIN
2023-02-20 10:10 ` Sourabh Hegde