guix-devel

Re: CA certificates


From: Ludovic Courtès
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 21:30:49 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Andreas Enge <address@hidden> skribis:

> The attached patch series
> 1) adds a (private) python script to extract single certificates in .pem 
>    format from a big textfile in mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
>    in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;
> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.

Cool.  I agree with Mark’s suggestion regarding UTF-8 file name
handling.  Other than that the patches LGTM.

All this X.509 stuff looks like a security quagmire but I suppose we’ll
have to live with it for some time more...

> So if you do a
>    guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.

Nice!  The (untested) patch below binds nss-certs to /etc/ssl/certs on
GuixSD, which should allow for more out-of-the-box goodness.  :-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 3fe7833..4b66e5d 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -41,6 +41,7 @@
   #:use-module (gnu packages man)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages firmware)
+  #:use-module (gnu packages certs)
   #:autoload   (gnu packages cryptsetup) (cryptsetup)
   #:use-module (gnu services)
   #:use-module (gnu services dmd)
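Review bot: the added "#:use-module (gnu packages certs)" has to name the module in which the nss-certs package from the patch series actually ends up; since this patch is marked untested, check that the module exists under that exact name and exports nss-certs, otherwise (gnu system) itself fails to load. Note also that it is a hard #:use-module rather than an #:autoload like the cryptsetup line right below it, so (gnu packages certs) and everything it pulls in is loaded whenever (gnu system) is; an #:autoload of nss-certs would keep the same laziness as cryptsetup.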
@@ -470,6 +471,7 @@ export ASPELL_CONF=\"dict-dir 
$HOME/.guix-profile/lib/aspell\"
                   ("shells" ,#~#$shells)
                   ("profile" ,#~#$profile)
                   ("hosts" ,#~#$hosts-file)
+                  ("ssl" ,#~(string-append #$nss-certs "/etc/ssl"))
                   ("localtime" ,#~(string-append #$tzdata "/share/zoneinfo/"
                                                  #$timezone))
                   ("sudoers" ,#~#$sudoers)))))
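Review bot: the new "ssl" entry links the whole of /etc/ssl, not only /etc/ssl/certs, to the nss-certs store output, so /etc/ssl becomes a read-only directory containing exactly what nss-certs ships and nothing else; any other file a program expects under /etc/ssl would have to come from that same package. Consider whether the entry should target just the certs subdirectory. Also, the link by itself only helps if openssl's compiled-in default certificate directory is /etc/ssl/certs or SSL_CERT_DIR is exported system-wide; the native-search-path from the series only sets SSL_CERT_DIR for profiles that contain etc/ssl/certs. Since the patch is untested, verify on a built system that /etc/ssl/certs resolves to the c_rehash-processed directory and that openssl actually consults it.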

Thanks for working on it!

Ludo’.
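To make step 1 of the quoted series concrete, here is an added example (not Andreas's script, not Guix code) of extracting single PEM certificates from text in the layout of Mozilla's certdata.txt. It reads CKO_CERTIFICATE objects and their CKO_NSS_TRUST companions, and only exports certificates whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR, so a root that Mozilla has marked CKT_NSS_NOT_TRUSTED does not end up in OUT/etc/ssl/certs. The sample data is constructed with placeholder DER bytes; matching trust objects to certificates by CKA_LABEL alone, the file-naming rule and the functions below are all assumptions of this example, and the c_rehash step is not reproduced.

```python
import base64
import re
import textwrap

# Constructed sample in the layout of Mozilla's certdata.txt. The CKA_VALUE
# octal bytes are placeholders, not real DER certificates.
SAMPLE_CERTDATA = r'''
# Certificate "Example Root A"
CKA_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
\003\004
END

# Trust for "Example Root A"
CKA_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example Root B"
CKA_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END

# Trust for "Example Root B": explicitly distrusted for TLS servers
CKA_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''


def parse_objects(text):
    """Split certdata-style text into a list of {attribute: value} dicts.

    Every CKA_CLASS line starts a new object; a MULTILINE_OCTAL value is
    decoded from its \\ooo escapes into bytes when its END line is reached.
    """
    objects, current, octal_lines = [], None, None
    for raw in text.splitlines():
        if octal_lines is not None:                   # inside MULTILINE_OCTAL
            if raw.strip() == "END":
                escapes = re.findall(r"\\([0-7]{3})", "".join(octal_lines))
                current["CKA_VALUE"] = bytes(int(o, 8) for o in escapes)
                octal_lines = None
            else:
                octal_lines.append(raw)
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        key = parts[0]
        if key == "CKA_CLASS":                        # start of a new object
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError("attribute before first CKA_CLASS: " + line)
        if len(parts) >= 2 and parts[1] == "MULTILINE_OCTAL":
            octal_lines = []
        elif len(parts) == 3:
            current[key] = parts[2].strip('"')       # UTF8 "label", CK_TRUST x
        else:
            current[key] = parts[1]                   # e.g. CKA_CLASS CKO_...
    return objects


def trusted_server_certs(text):
    """Return {label: DER bytes} for certificates whose trust object marks
    them as a trusted delegator for TLS server authentication.
    Assumption of this example: trust objects are matched by CKA_LABEL only."""
    objects = parse_objects(text)
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"]
             for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH")
             for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    return {label: der for label, der in certs.items()
            if trust.get(label) == "CKT_NSS_TRUSTED_DELEGATOR"}


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_file_name(label):
    """Derive an ASCII file name from the label (assumed naming convention)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_") + ".pem"


def export_bundle(text):
    """Map file name -> PEM text for every server-trusted certificate."""
    return {pem_file_name(label): der_to_pem(der)
            for label, der in trusted_server_certs(text).items()}


if __name__ == "__main__":
    for name, pem in export_bundle(SAMPLE_CERTDATA).items():
        print(name)
        print(pem, end="")
```

On the constructed sample only Example_Root_A.pem is produced; Example Root B is dropped because its trust object says CKT_NSS_NOT_TRUSTED, which is the check a plain "dump every CKA_VALUE" extractor would miss.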
