
Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store


From: Mark H Weaver
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Tue, 24 Feb 2015 15:31:14 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> Mark H Weaver <address@hidden> skribis:
>
>> No, it's not worse than it was before.  Sorry if I gave that impression.
>> The only issue is that we might need to generate a single-file
>> certificate bundle for now, because I haven't found a way to get 'git'
>> to check certificates on GuixSD without a single-file cert bundle, at
>> least not when curl is built with GnuTLS.
>
> It seems like adding this single-file bundle would be the simplest
> short-term option.  How would we create that file exactly?

The single-file bundle is just a concatenation of all the individual PEM
data, starting with "-----BEGIN CERTIFICATE-----" and ending with
"-----END CERTIFICATE-----", including those delimiters.

The only caveat is that the individual PEM files are not required to
have a newline after the "-----END CERTIFICATE-----", but in the
single-file cert bundle, we must ensure that the newline is present.
See <https://bugs.debian.org/635570>.

> Would it be OK to keep it in the nss-certs package?

In order to support multiple packages containing CA certs, it would be
good to handle creation of the single-file cert bundle in the profile
generation code, analogous to our handling of info "dir" files.  This
would allow us to create additional cert packages (e.g. one for
CAcert.org).

I think it belongs in the profile generation code for the benefit of
users running Guix packages on top of another distro, where they might
not have root access.  They can simply set GIT_SSL_CAINFO and
SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt

What do you think?

      Mark
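The bundle construction Mark describes above (concatenate each certificate's PEM block, and make sure every "-----END CERTIFICATE-----" is followed by a newline even when the source file lacks one), as an added shell example that is not part of this thread and not Guix's own profile-generation code. The function names, the `*.pem` directory layout, and the placeholder certificate contents are all assumptions made here for illustration; the sample "certificates" are constructed strings, not real CA data.

```shell
#!/bin/sh
# Added example (not Guix code): build a single-file CA bundle from a
# directory of individual PEM files. Each file is appended verbatim, and
# a newline is added after any file whose last byte is not already a
# newline, so no END marker ever runs into the next BEGIN marker.
set -eu

# make_ca_bundle SRC_DIR OUT_FILE
# Concatenates every *.pem file in SRC_DIR into OUT_FILE (assumed layout).
make_ca_bundle() {
    src_dir=$1
    out_file=$2
    : > "$out_file"
    for pem in "$src_dir"/*.pem; do
        [ -f "$pem" ] || continue        # unmatched glob: nothing to do
        cat "$pem" >> "$out_file"
        # tail -c1 prints the file's last byte; command substitution strips
        # a trailing newline, so a non-empty result means one is missing.
        if [ -n "$(tail -c1 "$pem")" ]; then
            printf '\n' >> "$out_file"
        fi
    done
}

# count_bundle_certs BUNDLE
# Prints the number of cleanly delimited certificates in BUNDLE, i.e.
# BEGIN and END markers that each stand alone on their own line.
# Fails if the BEGIN and END counts disagree.
count_bundle_certs() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -eq "$ends" ] || return 1
    printf '%s\n' "$ends"
}

# make_sample_dir DIR
# Writes two constructed placeholder "certificates" (the body is just the
# base64 of the word PLACEHOLDER, not a real certificate). a.pem
# deliberately omits the trailing newline; b.pem has one.
make_sample_dir() {
    mkdir -p "$1"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$1/a.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$1/b.pem"
}

# Stand-alone usage: build a bundle from constructed input and report
# how many certificates a consumer would actually see.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_dir "$work/certs"
    make_ca_bundle "$work/certs" "$work/ca-certificates.crt"
    echo "bundle has $(count_bundle_certs "$work/ca-certificates.crt") certificate(s)"
    cat "$work/certs"/*.pem > "$work/naive.crt"
    echo "naive cat sees $(count_bundle_certs "$work/naive.crt") certificate(s)"
    rm -rf "$work"
fi
```

Run with `--demo` to see the difference: a plain `cat` of the same two files merges a.pem's END line with b.pem's BEGIN line, so a strict line-oriented parser counts only one certificate, while the bundle built by `make_ca_bundle` yields two. The same check is a cheap sanity test to run over any generated `ca-certificates.crt` before pointing `SSL_CERT_FILE` or `GIT_SSL_CAINFO` at it.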


