Re: CA certificates
From: Mark H Weaver
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 12:26:52 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)
Andreas Enge <address@hidden> writes:
> The attached patch series
> 1) adds a (private) Python script to extract single certificates in .pem
> format from a big text file in Mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
> in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;
Excellent, thanks very much! :)
> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.
>
> So if you do a
> guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.
>
> The search path definition means that we could have alternative root
> certificate packages (potentially one per certification authority) and that
> the user could install the ones he trusts.
Sounds good! It should be noted, however, that GnuTLS will currently
only use the certs in /etc/ssl/certs unless some application-specific
setting is provided. This will later be improved with the 'p11-kit'
solution.
> The patches currently are in a branch wip-certs. Suggestions are
> welcome.
Regarding this commit:
> From b703198b70850017c2ed5e3510790898a214b7bd Mon Sep 17 00:00:00 2001
> From: Andreas Enge <address@hidden>
> Date: Tue, 10 Feb 2015 19:55:53 +0000
> Subject: gnu: Add nss-certs, certificates extracted from nss
>
> * gnu/packages/certs.scm (nss-certs): New variable.
> ---
[...]
> + #:phases
> + (alist-cons-after
> + 'unpack 'install
> + (lambda _
> + (let ((certsdir (string-append %output "/etc/ssl/certs/")))
> + (mkdir-p certsdir)
> + (with-directory-excursion "nss/lib/ckfw/builtins/"
> + ;; extract single certificates from blob
> + (system* "certdata2pem.py" "certdata.txt")
> + ;; copy the .pem files into the output
> + (for-each
> + (lambda (file)
> + (copy-file file (string-append certsdir file)))
> + ;; FIXME: Some of the file names are UTF8 (?) and cause an
> + ;; error message such as
> + ;; find-files:
> + ;;
> ./EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??:2.8.76.175.115.66.28.142.116.2.pem:
> + ;; No such file or directory
> + (find-files "." ".*\\.pem")))
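Review bot: the exit status of `(system* "certdata2pem.py" "certdata.txt")` is thrown away, so if the script is missing from PATH or aborts part-way the phase carries on and `find-files` copies whatever .pem files happen to exist, possibly none, and the package still builds; wrap it as `(unless (zero? (system* "certdata2pem.py" "certdata.txt")) (error "certdata2pem.py failed"))` (or return the `zero?` result from the phase) so the build fails instead. Two smaller points: `(find-files "." ".*\\.pem")` yields names prefixed with "./" (visible in the quoted error message), so `(string-append certsdir file)` produces ".../certs/./foo.pem"; `(string-append certsdir (basename file))` keeps the output tidy. And the FIXME describes a locale problem of the build environment rather than a defect in the file names, so the comment should say so once the cause is settled.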
Guile converts POSIX byte strings (e.g. file names) to strings using
the current locale encoding, but the default locale in our build
environment is "C", which means ASCII-only.
I would advocate using a UTF-8 locale for all builds by default.
For now, I would try putting the following code at the beginning of your
custom 'install' phase:
--8<---------------cut here---------------start------------->8---
;; Build an en_US.UTF-8 locale in the build directory (needs 'localedef'
;; from glibc on PATH) and switch Guile to it, so that non-ASCII file
;; names decode correctly instead of turning into "?".
(setenv "LOCPATH" (getcwd))
(unless (zero? (system* "localedef" "--no-archive"
                        "--prefix" (getcwd) "-i" "en_US"
                        "-f" "UTF-8" "./en_US.UTF-8"))
  (error "failed to build the en_US.UTF-8 locale"))
(setlocale LC_ALL "en_US.UTF-8")
--8<---------------cut here---------------end--------------->8---
Thanks!
Mark
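As an added example (not code from the patch series, from Guix, or from the certdata2pem.py script mentioned above, which is not shown on this page), here is a small Python extractor for the certdata.txt format, run against a constructed miniature of that file whose certificate bytes are placeholders rather than real DER. It covers the two things this thread touches on: it turns each MULTILINE_OCTAL blob into a .pem file named after its CKA_LABEL, keeping only certificates whose trust object marks them CKT_NSS_TRUSTED_DELEGATOR for server authentication (the real file also lists explicitly distrusted certificates, which an extractor that copies every blob would ship too), and it flags output names containing non-ASCII characters, which is exactly where a C locale breaks the build as described above. Matching trust objects to certificates by label is a simplification assumed here, and the c_rehash step is left out.

```python
import base64
import re

# Constructed miniature of Mozilla's certdata.txt: same layout as the real file
# (CKA_* lines, MULTILINE_OCTAL blobs ended by END, non-ASCII label bytes written
# as octal escapes), but the CKA_VALUE bytes are placeholders, not real DER.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012\002\001\001
\060\015\006\011\052
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Label below is UTF-8 ("Ornek Guvenilir Kok" with Turkish letters) in octal.
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "\303\226rnek G\303\274venilir K\303\266k"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "\303\226rnek G\303\274venilir K\303\266k"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# This one is in the file but explicitly distrusted for server authentication.
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

OCTAL = re.compile(r"\\([0-7]{3})")
TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"


def decode_utf8_literal(quoted):
    """UTF8 "..." value with octal escapes for non-ASCII bytes -> Python str."""
    latin = OCTAL.sub(lambda m: chr(int(m.group(1), 8)), quoted.strip('"'))
    return latin.encode("latin-1").decode("utf-8")


def parse_certdata(text):
    """Return one dict per object; a new object starts at each CKA_CLASS line."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, typ, value = (line.split(None, 2) + ["", ""])[:3]
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        elif current is None or not typ:   # header tokens such as BEGINDATA
            continue
        if typ == "MULTILINE_OCTAL":       # binary blob, one octal escape per byte
            buf = bytearray()
            for blob_line in lines:
                if blob_line.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in OCTAL.findall(blob_line))
            current[name] = bytes(buf)
        elif typ == "UTF8":
            current[name] = decode_utf8_literal(value)
        else:
            current[name] = value
    return objects


def to_pem(der):
    """PEM-encode DER bytes with a 64-column base64 body."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def extract_trusted_pems(text):
    """Map "<label with underscores>.pem" -> PEM for certificates whose trust
    object says CKT_NSS_TRUSTED_DELEGATOR for server auth.  Trust objects are
    matched by CKA_LABEL for simplicity (the real ones also carry issuer and
    serial number); distrusted or unlisted certificates are left out."""
    objects = parse_certdata(text)
    trust = {o["CKA_LABEL"]: o for o in objects
             if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    pems = {}
    for obj in objects:
        if obj.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label = obj["CKA_LABEL"]
        if trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH") != TRUSTED_DELEGATOR:
            continue
        pems[label.replace(" ", "_") + ".pem"] = to_pem(obj["CKA_VALUE"])
    return pems


def non_ascii_names(names):
    """File names a C (ASCII-only) locale cannot represent: the reason the build
    needs a UTF-8 locale before it creates or lists these files."""
    return sorted(n for n in names if not n.isascii())
```

Running `extract_trusted_pems(SAMPLE_CERTDATA)` yields two files, the distrusted entry being dropped, and `non_ascii_names` on the result reports the Turkish-labelled one, the same class of name that produced the `find-files` error quoted in the patch.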