Diffstat (limited to 'meta')
-rw-r--r-- meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch | 71
-rw-r--r-- meta/recipes-support/ca-certificates/ca-certificates_20170717.bb | 6
2 files changed, 75 insertions, 2 deletions
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
new file mode 100644
index 0000000000..4bd967f788
--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch
@@ -0,0 +1,71 @@
1From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
3Date: Wed, 28 Mar 2018 16:45:05 +0100
4Subject: [PATCH] update-ca-certificates: use relative symlinks from
5 $ETCCERTSDIR
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10update-ca-certificates symlinks (trusted) certificates
11from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
12update-ca-certificates can call hook scripts installed
13into /etc/ca-certificates/update.d. Those scripts are
14passed the pem file in /etc/ssl/certs/ that was added or
15removed in this run and those pem files are absolute
16symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
17
18When running update-ca-certificates during image build
19time, they thusly all point into the host's file system,
20not into the $SYSROOT. This means:
21* the host's file system layout must match the one
22 produced by OE, and
23* it also means that the host must have installed the same
24 (or more) certificates as the target in $CERTSDIR and
25 $LOCALCERTSDIR
26
27This is a problem when wanting to execute hook scripts,
28because they all need to be taught about $SYSROOT, and
29behave differently depending on whether they're called
30at image build time, or on the target, as otherwise they
31will be trying to actually read the host's certificates
32from $CERTSDIR or $LOCALCERTSDIR.
33
34This also is a problem when running anything else during
35image build time that depends on the trusted CA
36certificates.
37
38Changing the symlink to be relative solves all of these
39problems. Do so.
40
41Upstream-Status: Inappropriate [OE-specific]
42Signed-off-by: André Draszik <andre.draszik@jci.com>
43---
44 sbin/update-ca-certificates | 6 ++++--
45 1 file changed, 4 insertions(+), 2 deletions(-)
46
47diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
48index 00f80c7..7e911a9 100755
49--- a/sbin/update-ca-certificates
50+++ b/sbin/update-ca-certificates
51@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
52 LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
53 CERTBUNDLE=ca-certificates.crt
54 ETCCERTSDIR=$SYSROOT/etc/ssl/certs
55+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
56 HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
57
58 while [ $# -gt 0 ];
59@@ -125,9 +126,10 @@ add() {
60 PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
61 -e 's/[()]/=/g' \
62 -e 's/,/_/g').pem"
63- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
64+ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
65+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
66 then
67- ln -sf "${CERT##$SYSROOT}" "$PEM"
68+ ln -sf "${DST}" "$PEM"
69 echo "+$PEM" >> "$ADDED"
70 fi
71 # Add trailing newline to certificate, if it is missing (#635570)
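Review bot: In add(), the new DST line expands `${CERT}` unquoted in `echo ${CERT} | sed ...`, so a certificate path containing runs of whitespace or glob characters is word-split and glob-expanded before sed sees it, and the link written into $ETCCERTSDIR can then point at a name that does not exist. The same function already expects spaces in certificate names (the `sed -e 's/ /_/g'` applied to the PEM basename). `$SYSROOT` is also spliced into the sed script as a regular expression with `|` as the delimiter, so a sysroot path containing `|` or regex metacharacters is misparsed. Plain parameter expansion avoids both problems: `DST="${FSROOT}${CERT#"$SYSROOT"/}"`. Separately, `FSROOT=../../../` is only correct while ETCCERTSDIR sits exactly three levels below the root (etc/ssl/certs); the comment should state that dependency, or the value should be derived from ETCCERTSDIR.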
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb b/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
index 49b7ffc36e..350294858b 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20170717.bb
@@ -21,10 +21,12 @@ SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
21 file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ 21 file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
22 file://update-ca-certificates-support-Toybox.patch \ 22 file://update-ca-certificates-support-Toybox.patch \
23 file://default-sysroot.patch \ 23 file://default-sysroot.patch \
24 file://sbindir.patch" 24 file://sbindir.patch \
25 file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
26 "
25 27
26S = "${WORKDIR}/git" 28S = "${WORKDIR}/git"
27SYSROOT_DIRS_class-native += "${sysconfdir}" 29SYSROOT_DIRS_class-native += "${sysconfdir} ${datadir}/ca-certificates"
28 30
29inherit allarch 31inherit allarch
30 32
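Review bot: The recipe gives no reason for staging `${datadir}/ca-certificates` on the SYSROOT_DIRS_class-native line. A one-line comment saying that the relative links created under ${sysconfdir} now resolve into that directory, and dangle in the native sysroot without it, would keep a later cleanup from dropping it. The patched script also links certificates from LOCALCERTSDIR (usr/local/share/ca-certificates), which is not staged here; the comment should say whether that omission is intentional.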