From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: richard.purdie@linuxfoundation.org
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization] [PATCH] ca-certificates: Ensure changes only apply with the selected DISTRO_FEATURES
Date: Tue, 28 Apr 2026 11:42:51 +0000 [thread overview]
Message-ID: <afCdOwt4h9p5BwCR@gmail.com> (raw)
In-Reply-To: <20260424083855.3214724-1-richard.purdie@linuxfoundation.org>
I fixed the typo on the shortlog and pushed this to master
this morning.
Let me know if there are any other lurking issues.
Bruce
In message: [meta-virtualization] [PATCH] ca-certificates: Ensure changes only apply with the selected DISTRO_FEATURES
on 24/04/2026 Richard Purdie via lists.yoctoproject.org wrote:
> This fixes yocto-check-layer failures:
>
> ca-certificates:do_recipe_qa: 4d7b7adb7436eeb5714c354f3c590e7e69294ea044452343d24e64c92d5c040f -> c1676ce811efe714731b666ccd683586477f7a1b52ad7597148bd9d709291220
> List of dependencies for variable SRC_URI changed from 'frozenset({'PV', 'SRC_URI[sha256sum]', 'BPN'})' to 'frozenset({'SRC_URI[le-r11.sha256sum]', 'BPN', 'SRC_URI[le-e8.sha256sum]', 'PV', 'SRC_URI[sha256sum]'})'
> Variable SRC_URI value changed:
> @@ -1 +1,2 @@
> -${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
> +${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', '', d)}
> +DISTRO_FEATURES{virtualization} = Unset
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
> .../ca-certificates_%.bbappend | 39 +------------------
> .../ca-certificates_virtualization.inc | 38 ++++++++++++++++++
> 2 files changed, 39 insertions(+), 38 deletions(-)
> create mode 100644 recipes-support/ca-certificates/ca-certificates_virtualization.inc
>
> diff --git a/recipes-support/ca-certificates/ca-certificates_%.bbappend b/recipes-support/ca-certificates/ca-certificates_%.bbappend
> index e659f1ed..617caccb 100644
> --- a/recipes-support/ca-certificates/ca-certificates_%.bbappend
> +++ b/recipes-support/ca-certificates/ca-certificates_%.bbappend
> @@ -1,38 +1 @@
> -# Install Let's Encrypt intermediate certificates (E8/ECDSA, R11/RSA).
> -#
> -# Only active when 'virtualization' is in DISTRO_FEATURES.
> -#
> -# Some container registries (e.g., registry.yocto.io) don't send the
> -# full certificate chain. Go's TLS library (used by Docker, skopeo,
> -# podman) cannot verify the server certificate without the intermediate,
> -# even though the root CAs (ISRG Root X1/X2) are present.
> -#
> -# These intermediates are fetched at build time and installed alongside
> -# the standard CA certificates. update-ca-certificates (run in
> -# pkg_postinst) incorporates them into the system CA bundle.
> -#
> -# Source: https://letsencrypt.org/certificates/
> -
> -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', \
> - 'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 \
> - https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', \
> - '', d)}"
> -SRC_URI[le-e8.sha256sum] = "f2c0dde62e2c90e6332fa55af79ed1a0c41329ad03ecf812bd89817a2fc340a9"
> -SRC_URI[le-r11.sha256sum] = "6c06a45850f93aa6e31f9388f956379d8b4fb7ffca5211b9bab4ad159bdfb7b9"
> -
> -do_install:append () {
> - for pem in ${UNPACKDIR}/e8.pem ${UNPACKDIR}/r11.pem; do
> - if [ -f "$pem" ]; then
> - install -d ${D}${datadir}/ca-certificates/letsencrypt
> - # ca-certificates expects .crt extension
> - base=$(basename "$pem" .pem)
> - install -m 0644 "$pem" ${D}${datadir}/ca-certificates/letsencrypt/lets-encrypt-${base}.crt
> - fi
> - done
> -
> - # Add to ca-certificates.conf so update-ca-certificates includes them
> - for crt in ${D}${datadir}/ca-certificates/letsencrypt/*.crt; do
> - [ -f "$crt" ] || continue
> - echo "letsencrypt/$(basename $crt)" >> ${D}${sysconfdir}/ca-certificates.conf
> - done
> -}
> +require ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', '${BPN}_virtualization.inc', '', d)}
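Review bot: The `require ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', '${BPN}_virtualization.inc', '', d)}` line expands to an empty file name when the feature is off, which works because BitBake's include/require accept zero or more space-separated names, but that is worth a one-line comment above it so the next reader does not take the empty branch for a bug. The move also makes the signature shown in the commit message (`SRC_URI[le-e8.sha256sum]` and `SRC_URI[le-r11.sha256sum]` appearing as SRC_URI dependencies only when the feature is set) the expected outcome rather than an accident, so a short note that the .inc exists to keep the recipe's signature unchanged for layers without 'virtualization' would document why the content left the bbappend.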
> diff --git a/recipes-support/ca-certificates/ca-certificates_virtualization.inc b/recipes-support/ca-certificates/ca-certificates_virtualization.inc
> new file mode 100644
> index 00000000..e659f1ed
> --- /dev/null
> +++ b/recipes-support/ca-certificates/ca-certificates_virtualization.inc
> @@ -0,0 +1,38 @@
> +# Install Let's Encrypt intermediate certificates (E8/ECDSA, R11/RSA).
> +#
> +# Only active when 'virtualization' is in DISTRO_FEATURES.
> +#
> +# Some container registries (e.g., registry.yocto.io) don't send the
> +# full certificate chain. Go's TLS library (used by Docker, skopeo,
> +# podman) cannot verify the server certificate without the intermediate,
> +# even though the root CAs (ISRG Root X1/X2) are present.
> +#
> +# These intermediates are fetched at build time and installed alongside
> +# the standard CA certificates. update-ca-certificates (run in
> +# pkg_postinst) incorporates them into the system CA bundle.
> +#
> +# Source: https://letsencrypt.org/certificates/
> +
> +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', \
> + 'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 \
> + https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', \
> + '', d)}"
> +SRC_URI[le-e8.sha256sum] = "f2c0dde62e2c90e6332fa55af79ed1a0c41329ad03ecf812bd89817a2fc340a9"
> +SRC_URI[le-r11.sha256sum] = "6c06a45850f93aa6e31f9388f956379d8b4fb7ffca5211b9bab4ad159bdfb7b9"
> +
> +do_install:append () {
> + for pem in ${UNPACKDIR}/e8.pem ${UNPACKDIR}/r11.pem; do
> + if [ -f "$pem" ]; then
> + install -d ${D}${datadir}/ca-certificates/letsencrypt
> + # ca-certificates expects .crt extension
> + base=$(basename "$pem" .pem)
> + install -m 0644 "$pem" ${D}${datadir}/ca-certificates/letsencrypt/lets-encrypt-${base}.crt
> + fi
> + done
> +
> + # Add to ca-certificates.conf so update-ca-certificates includes them
> + for crt in ${D}${datadir}/ca-certificates/letsencrypt/*.crt; do
> + [ -f "$crt" ] || continue
> + echo "letsencrypt/$(basename $crt)" >> ${D}${sysconfdir}/ca-certificates.conf
> + done
> +}
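Review bot: The `SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', ...` guard carried over from the old bbappend is now redundant, since this file is only parsed when the bbappend's own `require` has already checked the feature; a plain `SRC_URI += "https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0"` is easier to read, and the "Only active when 'virtualization' is in DISTRO_FEATURES" comment should say that the gate lives in the bbappend. Separately, `if [ -f "$pem" ]; then` in `do_install:append` silently skips a missing intermediate: with the feature guaranteed on here, a missing e8.pem or r11.pem means the fetch or unpack went wrong, and a `bbfatal` at that point would surface it at build time instead of as an unexplained TLS verification failure in docker/skopeo/podman on the target. The pinned `SRC_URI[le-e8.sha256sum]` / `SRC_URI[le-r11.sha256sum]` values are the right thing to keep, as they fail the build if letsencrypt.org ever serves different bytes at those URLs, though they will need updating when Let's Encrypt rotates its intermediates. The `index 00000000..e659f1ed` line confirms the new file is byte-identical to the previous bbappend content, so this hunk is a pure move.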
>