curl-ca-bundle: dump CA certs from Keychain #26060
Conversation
|
Notifying maintainers: |
| @@ -352,10 +352,110 @@ subport curl-ca-bundle { | |||
| set ca_bundle_dir ${prefix}/share/curl | |||
| set openssl_dir ${prefix}/etc/openssl | |||
| xinstall -d ${destroot}${ca_bundle_dir} ${destroot}${openssl_dir} | |||
| xinstall -m 644 ${worksrcpath}/lib/ca-bundle.crt ${destroot}${ca_bundle_dir}/curl-ca-bundle.crt | |||
| foreach dst [list mozilla-ca-bundle.crt curl-ca-bundle.crt] { | |||
There was a problem hiding this comment.
mozilla-ca-bundle.crt is the downloaded CAs. curl-ca-bundle.crt serves as the merge file, and should be overridden in activate stage. I duplicate it here in case activate stage is interrupted by the user.
There was a problem hiding this comment.
I have not reviewed the code changes and have no comment on whether these changes are desirable. I'll just say that https://trac.macports.org/ticket/35474 is an alternate suggestion to save each certificate in its own file. That ticket is also where the certsync software originated, and was thought to be a solution to the problem.
|
|
||
| set keychains { | ||
| /Library/Keychains/System.keychain | ||
| /System/Library/Keychains/SystemRootCertificates.keychain |
There was a problem hiding this comment.
Are these paths identical for all macOS versions starting from 10.4?
| set certs [regexp -inline -all -- {-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----} $certs_list] | ||
|
|
||
| ui_debug "Filter valid certificates: not expired, SSL root" | ||
| set checkend_cmd "/usr/bin/openssl x509 -inform pem -checkend 0 -noout" |
There was a problem hiding this comment.
I cannot check right now, but this may fail on older macOS.
curl is a fundamental port, so this should be confirmed prior to merging.
|
|
||
| ui_debug "Filter certificates trusted in keychain" | ||
| file tempfile tmpfile_path /tmp/macports-${name}.txt | ||
| set verify_cmd "/usr/bin/security verify-cert -l -L -c $tmpfile_path -p ssl" |
There was a problem hiding this comment.
Same question: does this work on 10.4+?
Co-authored-by: Ryan Carsten Schmidt <[email protected]>
@ryandesign I have read the trac ticket. It seems to me the key difference between these solutions is not whether split cert into its own file, but what place is used as the trusted source of CA certs:
It doesn't matter we separate each CA cert into its own file or not. Cuz a merged CA bundle is always need, the bundle file is the very file provided to other apps and used by them. (Like specifiying ca for curl using Putting self-signed CAs into a As far as I've known, GUI apps like Charles install self-signed CA into Keychain. |
|
@kencu Ken, could you please confirm if this works on 10.5.8? (I am away from my hardware now.) |
|
What advantage does this approach have over recommending users to install certsync? One potential issue I see with this is that distrusting a CA now requires doing that in two locations (but then again, removing a CA from the Mozilla bundle wasn't something we ever supported in the first place). |
Description
StealBorrow the CA certs handling from Homebrew's ca-certificates: download CA certs from Mozilla, dump CA certs (installed by user) from Keychain, and merge them together.In the intranet of my worksplace, we have internal sites with self-signed certs, thru everyone download and trust a CA. Without change in this PR, i need to add the public key of intranet CA into
curl-ca-bundle.crtevery time it gets updated. And after some investigation, I found the solution from Homebrew and I think it perfect to my situation.I noticed there is a
certsyncpackage, which sync CAs from Keychain. But it only uses CAs from the Keychain. While thecurl-ca-bundlefetches CAs maintained by Mozilla, which is more up-to-update.Anyway, I think highly of this merge strategy and it deserves being mentioned, and made this PR.
The code is a line to line adaption from the ruby code from Homebrew ca-certificates, except the
ui_debugmsg I added and kept here.BTW, since MacPorts is run by user
macportsduring installation, only CA certs in "System Keychains -> System", those CA installed for all users on the computer will be dumped. While, Homebrew is run by current user, the certs get dumped may differ with MacPorts.Type(s)
Tested on
macOS 12.7 21G816 arm64
Command Line Tools 14.2.0.0.1.1668646533
Verification
Have you
port lint --nitpick?sudo port test?sudo port -vst install? (no trace mode enabled)