update-ca-trust doesn't work for openssl
It's not possible to add a new certificate to the trust stores like it should be:
- add the new CA cert in PEM format to /etc/pki/ca-trust/source/anchors/
- run update-ca-trust
- every application that uses the system trust stores should now see the new CA cert
The problem is that the legacy trust stores used by openssl are not symlinked to the system trust stores but copied at install time in the PKGBUILD.
```bash
# for OpenSSL and static ca-certificates consumers
mkdir -p ${pkgdir}/usr/ssl/certs
cp -f ${pkgdir}/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ${pkgdir}/usr/ssl/certs/ca-bundle.crt
cp -f ${pkgdir}/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ${pkgdir}/usr/ssl/cert.pem
cp -f ${pkgdir}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt ${pkgdir}/usr/ssl/certs/ca-bundle.trust.crt
```
And this is duplicated in the install script ca-certificates.install:
```bash
mkdir -p usr/ssl/certs
cp -f $DEST/pem/tls-ca-bundle.pem usr/ssl/certs/ca-bundle.crt
cp -f $DEST/pem/tls-ca-bundle.pem usr/ssl/cert.pem
cp -f $DEST/openssl/ca-bundle.trust.crt usr/ssl/certs/ca-bundle.trust.crt
```
I think the section in PKGBUILD should be replaced by symlinks and the whole install script replaced by a call to update-ca-trust.
The following can be used either as a workaround or as a pattern for the fix in PKGBUILD:
```bash
rm -f /usr/ssl/certs/ca-bundle.{,trust.}crt
rm -f /usr/ssl/cert.pem
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /usr/ssl/certs/ca-bundle.crt
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /usr/ssl/cert.pem
ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /usr/ssl/certs/ca-bundle.trust.crt
```
MSYS2 doesn't support symlinks by default; instead the ln command creates a deep copy of the files.
Ahh yes, you are right. But then the copy of the legacy files has to be added to the update-ca-trust.
After thinking more about the problem I have found this:
- the install script is necessary to include all certificates that are installed in the system independently from ca-certificates
- copy has to be used instead of symbolic links because they are not generally supported in msys2; if they are supported, they require elevated rights and this would break the update if running in a normal shell
- update-ca-trust cannot be used in the install script, because it uses absolute paths and it is best practice to use relative paths in the install script (relative to the install root), so the install and update scripts are really a copy of the commands in update-ca-trust but using relative paths
- the copy of the legacy files should be added to update-ca-trust and commented accordingly

The install and update script like it is now ensures that all certificates that p11-kit considers are used when building the cert stores; this includes the user-installed ones in /etc/pki/ca-trust/source/. The additional copy (that substitutes the not available symlinks) of the legacy files in update-ca-trust will ensure this behaviour even when adding or updating user certs without (re)installing the ca-certificates package.
As symbolic links are not supported, the fix here is to patch update-ca-trust to add the following lines to the end:
```bash
cp -f $DEST/pem/tls-ca-bundle.pem /usr/ssl/certs/ca-bundle.crt
cp -f $DEST/pem/tls-ca-bundle.pem /usr/ssl/cert.pem
cp -f $DEST/openssl/ca-bundle.trust.crt /usr/ssl/certs/ca-bundle.trust.crt
```
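Since the legacy files are copies rather than links, they can silently fall out of date after a new anchor is added. The following helper is an added example (not part of the ca-certificates package or any commenter's code) that checks whether the three legacy OpenSSL bundles still match the p11-kit extracted bundles and refreshes them the same way the proposed update-ca-trust patch does; the extracted and ssl directories are parameters (defaulting to the paths discussed above) so it can be run against an install root or a test tree.

```shell
#!/bin/sh
# Hypothetical helper: verify that the legacy OpenSSL bundles under /usr/ssl are
# byte-for-byte copies of the bundles p11-kit extracts under
# /etc/pki/ca-trust/extracted, and refresh them when they have drifted.

# bundle_in_sync SRC DST -> 0 if DST exists and equals SRC, 1 otherwise
bundle_in_sync() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "missing extracted bundle: $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "missing legacy copy: $dst" >&2; return 1; }
    cmp -s "$src" "$dst" || { echo "stale legacy copy: $dst" >&2; return 1; }
}

# check_legacy_bundles [EXTRACTED_DIR] [SSL_DIR]
# -> 0 only if all three legacy files exist and are current
check_legacy_bundles() {
    ex=${1:-/etc/pki/ca-trust/extracted}; ssl=${2:-/usr/ssl}
    rc=0
    bundle_in_sync "$ex/pem/tls-ca-bundle.pem"       "$ssl/certs/ca-bundle.crt"       || rc=1
    bundle_in_sync "$ex/pem/tls-ca-bundle.pem"       "$ssl/cert.pem"                  || rc=1
    bundle_in_sync "$ex/openssl/ca-bundle.trust.crt" "$ssl/certs/ca-bundle.trust.crt" || rc=1
    return $rc
}

# refresh_legacy_bundles [EXTRACTED_DIR] [SSL_DIR]
# The same copy step the proposed update-ca-trust patch appends.
refresh_legacy_bundles() {
    ex=${1:-/etc/pki/ca-trust/extracted}; ssl=${2:-/usr/ssl}
    mkdir -p "$ssl/certs" &&
    cp -f "$ex/pem/tls-ca-bundle.pem"       "$ssl/certs/ca-bundle.crt" &&
    cp -f "$ex/pem/tls-ca-bundle.pem"       "$ssl/cert.pem" &&
    cp -f "$ex/openssl/ca-bundle.trust.crt" "$ssl/certs/ca-bundle.trust.crt"
}

# Usage: `sh legacy-bundles.sh --fix [EXTRACTED_DIR] [SSL_DIR]` refreshes only on drift
if [ "${1:-}" = "--fix" ]; then
    check_legacy_bundles "${2:-}" "${3:-}" || refresh_legacy_bundles "${2:-}" "${3:-}"
fi
```

Running the check after update-ca-trust is a cheap way to confirm that OpenSSL consumers really see the anchor that was just added.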
I made a PR on the back of the comments of @kolewu above. https://github.com/msys2/MSYS2-packages/pull/2601
This issue is fixed for the MSYS2 environment or the package, but at least not for the UCRT64 environments, see https://github.com/msys2/MINGW-packages/issues/25088