Re: [Buildroot] Updating trust store using update-ca-certificates

["Yann E. MORIN" <yann.morin.1998@free.fr>]

Thomas, Sourabh, All,

On 2023-02-18 15:21 +0100, Yann E. MORIN spake thusly:
> On 2023-02-18 14:19 +0100, Thomas Petazzoni via buildroot spake thusly:
> > On Sat, 18 Feb 2023 13:54:15 +0100
> > Sourabh Hegde <hrsourabh011@gmail.com> wrote:
> > > I was thinking the ca-certificates package will take care of this. Maybe I
> > > was wrong.
> > > So, how should we add local CA to the trust store in the target?
> > I am not sure as I'm not super familiar with that aspect. If what you
> > need to do is to call update-ca-certificates during the build, then we
> > could potentially build it for the host, and run it as a post-build
> > script. Of course, this assumes update-ca-certificates is capable of
> > doing its work on a root filesystem that isn't at the root.

No, update-ca-certificates does not know how to work out-of-tree, which
is the reason why we already need to handle it manually when we install
ca-certificates.

Also, we do remove update-ca-certificates on purpose from TARGET_DIR,
because it is not expected that we need/can regenerate the root bundle
on the target.

> > Do you have more details about what needs to be done? With more
> > details, we could probably give some more useful hints.
> 
> I think we just need to split CA_CERTIFICATES_INSTALL_TARGET_CMDS in two:
> one part to actually instll the certifcates provided by ca-certificates
> itself, and the rest to update the castore with all certificate, as a
> target-finalize hook.
> 
> I.e. all that starts from "Remove any existing certificates under
> /etc/ssl/certs" should be moved to a target-finalize hook.

Basically, something around those lines (totally untested):

diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
index 0b6962ab7b..cc55d39957 100644
--- a/package/ca-certificates/ca-certificates.mk
+++ b/package/ca-certificates/ca-certificates.mk
@@ -20,7 +20,9 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
 	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
+endef
 
+define CA_CERTIFICATES_GEN_BUNDLE
 	# Remove any existing certificates under /etc/ssl/certs
 	rm -f $(TARGET_DIR)/etc/ssl/certs/*
 
@@ -30,14 +32,15 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 	for i in `find usr/share/ca-certificates -name "*.crt" | LC_COLLATE=C sort` ; do \
 		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
 		cat $$i ;\
-	done >$(@D)/ca-certificates.crt
+	done >$(BUILD_DIR)/ca-certificates.crt
 
 	# Create symlinks to the certificates by their hash values
 	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
 
 	# Install the certificates bundle
-	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
+	$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
 		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
 endef
+CA_CERTIFICATES_TARGET_FINALIZE_HOOKS += CA_CERTIFICATES_GEN_BUNDLE
 
 $(eval $(generic-package))

Sourabh, can you test and adapt that and report, please?

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot