2 files changed, 75 insertions, 2 deletions
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
new file mode 100644
index 0000000000..4bd967f788
--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
@@ -0,0 +1,71 @@
+From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
+Date: Wed, 28 Mar 2018 16:45:05 +0100
+Subject: [PATCH] update-ca-certificates: use relative symlinks from
+ $ETCCERTSDIR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+update-ca-certificates symlinks (trusted) certificates
+from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
+update-ca-certificates can call hook scripts installed
+into /etc/ca-certificates/update.d. Those scripts are
+passed the pem file in /etc/ssl/certs/ that was added or
+removed in this run and those pem files are absolute
+symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
+When running update-ca-certificates during image build
+time, they thusly all point into the host's file system,
+not into the $SYSROOT. This means:
+* the host's file system layout must match the one
+  produced by OE, and
+* it also means that the host must have installed the same
+  (or more) certificates as the target in $CERTSDIR and
+  $LOCALCERTSDIR
+This is a problem when wanting to execute hook scripts,
+because they all need to be taught about $SYSROOT, and
+behave differently depending on whether they're called
+at image build time, or on the target, as otherwise they
+will be trying to actually read the host's certificates
+from $CERTSDIR or $LOCALCERTSDIR.
+This also is a problem when running anything else during
+image build time that depends on the trusted CA
+certificates.
+Changing the symlink to be relative solves all of these
+problems. Do so.
+Upstream-Status: Inappropriate [OE-specific]
+Signed-off-by: André Draszik <andre.draszik@jci.com>
+---
+ sbin/update-ca-certificates | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
+index 00f80c7..7e911a9 100755
+--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
+@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
+ LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+ ETCCERTSDIR=$SYSROOT/etc/ssl/certs
+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
+ HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
+ 
+ while [ $# -gt 0 ];
+@@ -125,9 +126,10 @@ add() {
+   PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+                                                   -e 's/[()]/=/g' \
+                                                   -e 's/,/_/g').pem"
+-  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
+  DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
+  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
+   then
+-    ln -sf "${CERT##$SYSROOT}" "$PEM"
+    ln -sf "${DST}" "$PEM"
+     echo "+$PEM" >> "$ADDED"
+   fi
+   # Add trailing newline to certificate, if it is missing (#635570)
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb b/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
index 49b7ffc36e..350294858b 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
@@ -21,10 +21,12 @@ SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
           file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
           file://update-ca-certificates-support-Toybox.patch \
           file://default-sysroot.patch \
-           file://sbindir.patch"
+           file://sbindir.patch \
+           file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
+           "
 S = "${WORKDIR}/git"
-SYSROOT_DIRS_class-native += "${sysconfdir}"
+SYSROOT_DIRS_class-native += "${sysconfdir} ${datadir}/ca-certificates"
 inherit allarch

diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch new file mode 100644 index 0000000000..4bd967f788 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
@@ -0,0 +1,71 @@
		1	From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
		3	Date: Wed, 28 Mar 2018 16:45:05 +0100
		4	Subject: [PATCH] update-ca-certificates: use relative symlinks from
		5	$ETCCERTSDIR
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	update-ca-certificates symlinks (trusted) certificates
		11	from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
		12	update-ca-certificates can call hook scripts installed
		13	into /etc/ca-certificates/update.d. Those scripts are
		14	passed the pem file in /etc/ssl/certs/ that was added or
		15	removed in this run and those pem files are absolute
		16	symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
		17
		18	When running update-ca-certificates during image build
		19	time, they thusly all point into the host's file system,
		20	not into the $SYSROOT. This means:
		21	* the host's file system layout must match the one
		22	produced by OE, and
		23	* it also means that the host must have installed the same
		24	(or more) certificates as the target in $CERTSDIR and
		25	$LOCALCERTSDIR
		26
		27	This is a problem when wanting to execute hook scripts,
		28	because they all need to be taught about $SYSROOT, and
		29	behave differently depending on whether they're called
		30	at image build time, or on the target, as otherwise they
		31	will be trying to actually read the host's certificates
		32	from $CERTSDIR or $LOCALCERTSDIR.
		33
		34	This also is a problem when running anything else during
		35	image build time that depends on the trusted CA
		36	certificates.
		37
		38	Changing the symlink to be relative solves all of these
		39	problems. Do so.
		40
		41	Upstream-Status: Inappropriate [OE-specific]
		42	Signed-off-by: André Draszik <andre.draszik@jci.com>
		43	---
		44	sbin/update-ca-certificates \| 6 ++++--
		45	1 file changed, 4 insertions(+), 2 deletions(-)
		46
		47	diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
		48	index 00f80c7..7e911a9 100755
		49	--- a/sbin/update-ca-certificates
		50	+++ b/sbin/update-ca-certificates
		51	@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
		52	LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
		53	CERTBUNDLE=ca-certificates.crt
		54	ETCCERTSDIR=$SYSROOT/etc/ssl/certs
		55	+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
		56	HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
		57
		58	while [ $# -gt 0 ];
		59	@@ -125,9 +126,10 @@ add() {
		60	PEM="$ETCCERTSDIR/$(basename "$CERT" .crt \| sed -e 's/ /_/g' \
		61	-e 's/[()]/=/g' \
		62	-e 's/,/_/g').pem"
		63	- if ! test -e "$PEM" \|\| [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
		64	+ DST="$(echo ${CERT} \| sed -e "s\|^$SYSROOT\|\|" -e "s\|^/\|$FSROOT\|" )"
		65	+ if ! test -e "$PEM" \|\| [ "$(readlink "$PEM")" != "${DST}" ]
		66	then
		67	- ln -sf "${CERT##$SYSROOT}" "$PEM"
		68	+ ln -sf "${DST}" "$PEM"
		69	echo "+$PEM" >> "$ADDED"
		70	fi
		71	# Add trailing newline to certificate, if it is missing (#635570)


diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb b/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb index 49b7ffc36e..350294858b 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
@@ -21,10 +21,12 @@ SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
21	file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \	21	file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
22	file://update-ca-certificates-support-Toybox.patch \	22	file://update-ca-certificates-support-Toybox.patch \
23	file://default-sysroot.patch \	23	file://default-sysroot.patch \
24	file://sbindir.patch"	24	file://sbindir.patch \
		25	file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
		26	"
25		27
26	S = "${WORKDIR}/git"	28	S = "${WORKDIR}/git"
27	SYSROOT_DIRS_class-native += "${sysconfdir}"	29	SYSROOT_DIRS_class-native += "${sysconfdir} ${datadir}/ca-certificates"
28		30
29	inherit allarch	31	inherit allarch
30		32