buildtools-tarball: Make buildtools respects host CA certificates

To adapt user network enviroment, buildtools should first try to use the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these envs is not set, then use the auto-detected ca file and ca path, and finally use the CA certificates in buildtools. nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work nativesdk-curl don't set default ca file, need SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also works nativesdk-python3-requests will use cacert.pem under python module certifi by default, need to set REQUESTS_CA_BUNDLE (From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Changqing Li <changqing.li@windriver.com> 2025-04-28 13:53:07 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-05-02 08:20:12 -0700
commit: 18206fc2dba1684bc96efecf95c65450f9577203 (patch)
tree: cc7e48cb9fc750986ddb99e8aad5e0e513ad5551 /meta/recipes-devtools
parent: 397d432a62c265f481cf1ac4d9c760504d9eb9f5 (diff)
download: poky-18206fc2dba1684bc96efecf95c65450f9577203.tar.gz
2 files changed, 28 insertions, 6 deletions
diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh
index f8e3221510..9c7b5a9251 100644
--- a/meta/recipes-devtools/git/git/environment.d-git.sh
+++ b/meta/recipes-devtools/git/git/environment.d-git.sh
@@ -1,4 +1,19 @@
-if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+# Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools
-    export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+# CAFILE/CAPATH is auto-deteced when source buildtools
-    export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO"
+if [ -z "$GIT_SSL_CAINFO" ]; then
+        if [ -n "$CAFILE" ];then
+                export GIT_SSL_CAINFO="$CAFILE"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+        fi
 fi
+if [ -z "$GIT_SSL_CAPATH" ]; then
+        if [ -n "$CAPATH" ];then
+                export GIT_SSL_CAPATH="$CAPATH"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
+        fi
+fi
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO GIT_SSL_CAPATH"
diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
index c7faec127d..492177a9c3 100644
--- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
+++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
@@ -1,4 +1,11 @@
-if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+# Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools
-    export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+# CAFILE/CAPATH is auto-deteced when source buildtools
-    export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
+if [ -z "$REQUESTS_CA_BUNDLE" ]; then
+        if [ -n "$CAFILE" ];then
+                export REQUESTS_CA_BUNDLE="$CAFILE"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+        fi
 fi
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
author	Changqing Li <changqing.li@windriver.com>	2025-04-28 13:53:07 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-05-02 08:20:12 -0700
commit	18206fc2dba1684bc96efecf95c65450f9577203 (patch)
tree	cc7e48cb9fc750986ddb99e8aad5e0e513ad5551 /meta/recipes-devtools
parent	397d432a62c265f481cf1ac4d9c760504d9eb9f5 (diff)
download	poky-18206fc2dba1684bc96efecf95c65450f9577203.tar.gz

diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh index f8e3221510..9c7b5a9251 100644 --- a/meta/recipes-devtools/git/git/environment.d-git.sh +++ b/meta/recipes-devtools/git/git/environment.d-git.sh
@@ -1,4 +1,19 @@
1	if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then	1	# Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools
2	export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"	2	# CAFILE/CAPATH is auto-deteced when source buildtools
3	export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO"	3	if [ -z "$GIT_SSL_CAINFO" ]; then
		4	if [ -n "$CAFILE" ];then
		5	export GIT_SSL_CAINFO="$CAFILE"
		6	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
		7	export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
		8	fi
4	fi	9	fi
		10
		11	if [ -z "$GIT_SSL_CAPATH" ]; then
		12	if [ -n "$CAPATH" ];then
		13	export GIT_SSL_CAPATH="$CAPATH"
		14	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
		15	export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
		16	fi
		17	fi
		18
		19	export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO GIT_SSL_CAPATH"


diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh index c7faec127d..492177a9c3 100644 --- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh +++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
@@ -1,4 +1,11 @@
1	if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then	1	# Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools
2	export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"	2	# CAFILE/CAPATH is auto-deteced when source buildtools
3	export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"	3	if [ -z "$REQUESTS_CA_BUNDLE" ]; then
		4	if [ -n "$CAFILE" ];then
		5	export REQUESTS_CA_BUNDLE="$CAFILE"
		6	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
		7	export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
		8	fi
4	fi	9	fi
		10
		11	export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"