Missing 8-byte hashes for SSL certificates #3
Description
As @erikos found out when we upgraded to flatpak 0.8.2 in Endless, the freedesktop runtime is not installing 8-byte hashes under /etc/ssl/certs, which are used by OpenSSL to look up the certificates, as per http://www.gagravarr.org/writing/openssl-certs/others.shtml. This is a problem because it makes it impossible for flatpak-builder to download sources for modules using the https:// protocol, which forced us to put this workaround in place for now: endlessm/gnome-weather@5f01b2a
We initially were a bit confused because this used to work on previous versions of flatpak (up to 0.8.1), but it seems the difference is this commit, as before that point flatpak would bind mount the host's /etc/ssl/certs contents too, and then the 8-byte hash files would be available inside the sandbox.
Investigating a bit how this files are generated in debian, it seems like those hashes are created by a c_rehash tool that comes with the openssl package, which gets called from update-ca-certicates (from the ca-certificates package)... which is then executed on the debian/postinst script of the ca-certificates package:
#! /bin/sh
# postinst script for ca-certificates
#
# see: dh_installdeb(1)
[...]
case "$1" in
configure)
if [ ! -e /usr/local/share/ca-certificates ]
then
if mkdir /usr/local/share/ca-certificates 2>/dev/null
then
chown root:staff /usr/local/share/ca-certificates
chmod 2775 /usr/local/share/ca-certificates
fi
fi
. /usr/share/debconf/confmodule
db_version 2.0
db_capb multiselect
db_metaget ca-certificates/enable_crts choices
CERTS_AVAILABLE="$RET"
db_get ca-certificates/enable_crts
CERTS_ENABLED="$RET"
# XXX unmark seen for next configuration
db_fset ca-certificates/new_crts seen false
db_stop || true
if test -f /etc/ca-certificates.conf; then
[...]
else
# new file
cat > /etc/ca-certificates.conf <<EOF
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
EOF
(echo $CERTS_ENABLED | tr ',' '\n'; \
echo $CERTS_AVAILABLE | tr ',' '\n') | \
sed -e 's/^[[:space:]]*//' | \
sort | uniq -c | \
sed -e 's/^[[:space:]]*2[[:space:]]*//' \
-e 's/^[[:space:]]*1[[:space:]]*/!/' \
>> /etc/ca-certificates.conf
fi
# update /etc/ssl/certs without running the hooks
# fix bogus symlink to ca-certificates.crt on upgrades; see
# Debian #643667; drop after wheezy
if dpkg --compare-versions "$2" lt-nl 20111025; then
update-ca-certificates --hooksdir "" --fresh
else
update-ca-certificates --hooksdir ""
fi
# deferred update of /etc/ssl/certs including running the hooks
dpkg-trigger --no-await update-ca-certificates
;;
triggered)
for trigger in $2; do
case "$trigger" in
update-ca-certificates)
update-ca-certificates
;;
update-ca-certificates-fresh)
update-ca-certificates --fresh
;;
*)
echo "postinst called with unknown trigger \`$2'">&2
exit 1
;;
esac;
done;
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
[...]
To test this theory, I manually removed all the hashes from my /etc/ssl/certs directory, and then re-run sudo update-ca-certificates --fresh -v manually... and all the hashes were generated again.
So, at this point it seems like the right solution to this problem would be to somehow do something similar to what Debian does at the time of creating the runtime, and generate those 8-byte hashes files inside /etc/ssl/certs, so that they are available inside the sandbox now that flatpak does not mount the hosts's certs directory.
What I'm not that certain of is how exactly that should be achieved so, while I'm happy to work on this if needed, I could use some guidance to at least know where to touch the right things.