@RaitoBezarius (Member) commented Feb 7, 2024

Description of changes

Certain software stacks have no support for OpenSSL's non-standard PEM format and will fail to use our NixOS CA bundle.

For this, it is necessary to fall back on a 'compatibility' bundle, which will contain no additional trust rules.

Open questions:

  • Add a NixOS test?
  • Make it configurable at the cacert package level to save on space?
  • Document it in the release notes as a highlight?

Depends on nix-community/buildcatrust#4. Depends on a stable release of buildcatrust.
Closes #286722.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

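
The two formats the description contrasts are easy to confuse because both are base64 PEM. In OpenSSL's "TRUSTED CERTIFICATE" block the payload is the certificate DER immediately followed by an X509_CERT_AUX SEQUENCE holding OpenSSL-only trust and reject rules; a TLS stack that expects plain "CERTIFICATE" blocks chokes on both the label and the trailing data. The following stdlib-only Python is an added illustration, not code from this PR, nixpkgs or buildcatrust: it splits each entry at the end of the first DER SEQUENCE, emits plain CERTIFICATE blocks, and, as a design choice of this example rather than documented buildcatrust behaviour, drops entries that carry a reject list instead of silently promoting them to unrestricted trust. The function names and the sample DER are constructed for illustration (the "certificate" is a placeholder SEQUENCE, not a real X.509 certificate).

```python
"""Turn an OpenSSL 'TRUSTED CERTIFICATE' bundle into a plain 'CERTIFICATE'
bundle (no OpenSSL trust rules), standard library only.  Sample data below
is constructed for illustration; none of it is a real certificate."""
import base64
import re

# One PEM block: group 1 is the label, group 2 the base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
_SEQUENCE, _CTX0 = 0x30, 0xA0  # SEQUENCE tag; [0] IMPLICIT = the 'reject' list


def der_tlv(buf: bytes, start: int = 0) -> tuple[int, int, int]:
    """Parse one DER header at buf[start]; return (tag, content_start, end).
    Single-byte tags and definite lengths only, which is all DER permits here."""
    if start + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[start], buf[start + 1]
    if first < 0x80:                       # short-form length
        content, length = start + 2, first
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:                                  # long form: 0x80|N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or start + 2 + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[start + 2:start + 2 + n], "big")
        content = start + 2 + n
    end = content + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, content, end


def split_trusted(der: bytes) -> tuple[bytes, bytes]:
    """Split 'certificate || X509_CERT_AUX' into (cert, aux); aux may be b''."""
    tag, _, cert_end = der_tlv(der)
    if tag != _SEQUENCE:
        raise ValueError("certificate does not start with a SEQUENCE")
    return der[:cert_end], der[cert_end:]


def aux_has_reject_rules(aux: bytes) -> bool:
    """True if the X509_CERT_AUX carries a reject list, i.e. OpenSSL was told
    to distrust this certificate for at least one purpose."""
    if not aux:
        return False
    tag, pos, end = der_tlv(aux)
    if tag != _SEQUENCE:
        raise ValueError("X509_CERT_AUX is not a SEQUENCE")
    while pos < end:                       # walk the top-level children
        child_tag, _, pos = der_tlv(aux, pos)
        if child_tag == _CTX0:
            return True
    return False


def pem_encode(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def to_compat_bundle(pem: str) -> tuple[str, dict]:
    """Rewrite every entry as a plain CERTIFICATE block.  Entries with reject
    rules are dropped, not converted: a flat bundle cannot express 'trusted
    except for purpose X', and stripping the rule would widen trust."""
    out, stats = [], {"plain": 0, "converted": 0, "dropped_reject": 0, "skipped": 0}
    for m in _PEM_BLOCK.finditer(pem):
        label = m.group(1)
        if label not in ("CERTIFICATE", "TRUSTED CERTIFICATE"):
            stats["skipped"] += 1           # keys, CRLs, parameters, ...
            continue
        raw = base64.b64decode("".join(m.group(2).split()), validate=True)
        cert, aux = split_trusted(raw)
        if label == "CERTIFICATE":
            if aux:
                raise ValueError("trailing data after a plain CERTIFICATE")
            stats["plain"] += 1
        elif aux_has_reject_rules(aux):
            stats["dropped_reject"] += 1
            continue
        else:
            stats["converted"] += 1
        out.append(pem_encode("CERTIFICATE", cert))
    return "".join(out), stats


# Constructed stand-in for a certificate: a 203-byte SEQUENCE wrapping an
# OCTET STRING, sized so the outer length uses DER's long form (0x81 0xC8).
FAKE_CERT = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197
_SERVER_AUTH = bytes.fromhex("06082b06010505070301")   # OID 1.3.6.1.5.5.7.3.1
AUX_TRUST = b"\x30\x0c" + b"\x30\x0a" + _SERVER_AUTH     # trust: serverAuth
AUX_REJECT = b"\x30\x0c" + b"\xa0\x0a" + _SERVER_AUTH    # reject: serverAuth

SAMPLE_BUNDLE = (
    pem_encode("CERTIFICATE", FAKE_CERT)
    + pem_encode("TRUSTED CERTIFICATE", FAKE_CERT + AUX_TRUST)
    + pem_encode("TRUSTED CERTIFICATE", FAKE_CERT + AUX_REJECT)
)

if __name__ == "__main__":
    compat, stats = to_compat_bundle(SAMPLE_BUNDLE)
    print(stats)
```

On the constructed bundle the converter keeps the plain entry, rewrites the trust-only entry, and drops the one with a reject rule, so the result is exactly the kind of bundle the description calls for: every block is a standard CERTIFICATE and no trust restriction survives that a consumer could misread. The caveat for anyone building such a bundle is the inverse: once the aux data is gone, purpose-specific distrust has to be enforced somewhere else or the affected certificate must be left out, which is why this example refuses to convert those entries.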

@RaitoBezarius RaitoBezarius marked this pull request as draft February 7, 2024 01:05
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Feb 7, 2024
@ofborg ofborg bot added the 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. label Feb 7, 2024
@ofborg ofborg bot requested a review from fpletz February 7, 2024 01:32
@ofborg ofborg bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Feb 7, 2024
@RaitoBezarius RaitoBezarius marked this pull request as ready for review February 11, 2024 12:55
https://github.com/lukegb/buildcatrust/releases/tag/v0.2.0
https://github.com/lukegb/buildcatrust/releases/tag/v0.2.1

It contains support for exporting the bundle without additional trust rules.

Signed-off-by: Raito Bezarius <[email protected]>
@github-actions github-actions bot added the 6.topic: python Python is a high-level, general-purpose programming language. label Feb 11, 2024
@RaitoBezarius (Member, Author) commented

I will retarget staging.

@RaitoBezarius RaitoBezarius marked this pull request as draft February 11, 2024 15:05
@RaitoBezarius RaitoBezarius changed the base branch from master to staging February 11, 2024 15:05
@RaitoBezarius RaitoBezarius marked this pull request as ready for review February 11, 2024 15:06
@lukegb (Contributor) commented Feb 11, 2024

You missed a reference to enableCompatibleBundle :)

Certain software stacks have no support for OpenSSL's non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <[email protected]>
@RaitoBezarius (Member, Author) commented

You missed a reference to enableCompatibleBundle :)

"I had one job"

@ofborg ofborg bot requested a review from lukegb February 11, 2024 17:14
@RaitoBezarius RaitoBezarius merged commit d9e7a2a into NixOS:staging Feb 11, 2024
@RaitoBezarius RaitoBezarius deleted the cacerts branch February 11, 2024 18:44
Development: successfully merging this pull request may close the following issue: Allow cacert to output something else than OpenSSL-specific PEM variant