[Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt

Martin Bark martin at barkynet.com
Mon Jun 18 09:51:34 UTC 2018


Thomas,

On 17 June 2018 at 20:25, Thomas Petazzoni <thomas.petazzoni at bootlin.com> wrote:
> Hello,
>
> On Sat, 16 Jun 2018 23:05:59 +0100, Martin Bark wrote:
>> Currently c_rehash mistakenly hashes the certificates bundle
>> certificates.crt resulting in ${TARGET_DIR}/etc/ssl/certs/128805a3.0
>> incorrectly linking to ca-certificates.crt when it should be linked to
>> EE_Certification_Centre_Root_CA_2.pem
>
> I can't reproduce this issue here:
>
> output/target$ ls -l etc/ssl/certs/128805a3.0
> lrwxrwxrwx 1 thomas thomas 35 Jun 17 20:58 etc/ssl/certs/128805a3.0 -> EE_Certification_Centre_Root_CA.pem

Did you check other hashes under etc/ssl/certs/? Check for any hashes
that link to ca-certificates.crt. I suspect you have a different hash
pointing to ca-certificates.

>
> Also, during the review, you said that you noticed this problem when
> comparing the /etc/ssl/certs generated by Buildroot with the one
> available in Ubuntu.

The ca-certificates package in Buildroot is based on the Debian
package.  Buildroot currently uses version 20180409 which is the same
as currently used by Ubuntu 18.04 and Debian sid hence the contents of
etc/ssl/certs should match.

>
> On Fedora, it looks just like this:
>
> $ ls -l /etc/ssl/certs/
> total 4
> lrwxrwxrwx 1 root root   49 May 18 13:21 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> lrwxrwxrwx 1 root root   55 May 18 13:21 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> -rw-r--r-- 1 root root 2516 Apr  3 13:18 Makefile
>
> So it really doesn't look like what Buildroot produces. But I'm not
> familiar at all with those certificates.

The Red Hat based distros and Arch Linux organise their certificates
slightly differently.  You will not be able to do an exact comparison
but in the end they achieve the same results as Debian, Ubuntu and
Buildroot.

Thanks

Martin

>
> Peter, since you've reviewed the previous iteration of this patch
> series, perhaps you can take care of merging it?
>
> Thanks!
>
> Thomas Petazzoni
> --
> Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
> Embedded Linux and Kernel engineering
> https://bootlin.com
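
The check suggested in the reply above (look for hash links that point at the bundle), generalized to flag any c_rehash-style link whose target holds more than one certificate. This is an added example, not part of the original message or of Buildroot; the function names, the `0a1b2c3d.0` hash and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Buildroot code). Flags c_rehash-style hash links
# (<8 hex digits>.<n>) whose target holds more than one certificate.

find_bundle_hash_links() {
    certs_dir=$1
    for link in "$certs_dir"/*; do
        [ -L "$link" ] || continue            # only symlinks
        [ -e "$link" ] || continue            # skip dangling links
        name=${link##*/}
        printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' || continue
        # Count PEM blocks in the link target; a single CA file has exactly one.
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$link" || true)
        if [ "$count" -gt 1 ]; then
            printf '%s -> %s (%s certificates)\n' \
                "$name" "$(readlink "$link")" "$count"
        fi
    done
}

# Constructed sample tree: placeholder PEM markers only, no real certificates.
make_sample_tree() {
    dir=$(mktemp -d)
    pem='-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----'
    printf '%s\n' "$pem" > "$dir/Single_CA.pem"
    printf '%s\n%s\n' "$pem" "$pem" > "$dir/ca-certificates.crt"
    ln -s ca-certificates.crt "$dir/128805a3.0"   # the state the patch describes
    ln -s Single_CA.pem "$dir/0a1b2c3d.0"         # constructed hash name
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
find_bundle_hash_links "$sample"
rm -rf "$sample"
```

On a real build, point `find_bundle_hash_links` at `output/target/etc/ssl/certs`; no output means every hash link resolves to a single-certificate file.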


