From: Zachary Crownover <zachary.crownover@gmail.com>
To: FreeBSD User <freebsd@walstatt-de.de>
Cc: Michael Gmelin <grembo@freebsd.org>, FreeBSD Ports <freebsd-ports@freebsd.org>
Date: Wed, 3 Aug 2022 07:50:35 -0700
Subject: Re: poudriere overlay: passing down git ENV variables (problem: self signed certificates)
Message-Id: <519322B9-3AB9-4B83-B516-0F3595DB9E44@gmail.com>
In-Reply-To: <20220803162922.396e8f25@thor.intern.walstatt.dynvpn.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

Choosing to not verify a certificate defeats the entire point of using the certificate and you may as well not use it at all. The better thing to do is trust it. Rather than try to take credit for someone else's work in compiling a walk through, I'll simply link a blog post that will give an example for git.

https://jhooq.com/2-ways-to-fix-ssl-certificate-problem-self-signed-certificate-in-certificate-chain/#git-clone

> On Aug 3, 2022, at 07:29, FreeBSD User <freebsd@walstatt-de.de> wrote:
> 
> On Wed, 3 Aug 2022 14:27:04 +0200
> Michael Gmelin <grembo@freebsd.org> wrote:
> 
>>> On Wed, 3 Aug 2022 12:38:26 +0200
>>> FreeBSD User <freebsd@walstatt-de.de> wrote:
>>> 
>>> Hello,
>>> 
>>> I try to accomplish tasks in maintaining ports via poudriere-devel's
>>> OVERLAY option. First of all:
>>> 
>>> it is a pain in the a... not having ANY suitable hint how to perform
>>> this, a single line like that I found after a couple of hours
>>> searching here: https://github.com/decke/ports would have been of
>>> help, really.
>>> 
>>> So, I'm facing the all-time-present problem of having my own git
>>> server based on HTTPS with self signed certificate. git rejects
>>> connecting to those servers in the default configuration setting.
>>> Usually, I've to set via git config http.sslVerify false
>>> to not verify the certificate.
>>> Following the instructions given at https://github.com/decke/ports
>>> with my existing poudriere setup incorporating a ports folder,
>>> adjusting the URI with the one appropriate for my case, like:
>>> 
>>> env GIT_NO_SSL_VERIFY=true poudriere ports -c -U
>>> https://myname@my.server.de/git/ports.git -m "git+https" -B master -p
>>> ov-freebsd
>>> 
>>> fails with the well known "... problem: self signed certificate".
>>> 
>>> Obviously poudriere is spawning its own environment within which git
>>> operates (so it seems to me) and is not passing the given environment
>>> variable GIT_NO_SSL_VERIFY=true down to git.
>>> 
>>> Now, I'm stuck here. I tried, anticipating that the "overlay port's
>>> folder" will be located at the same root as my "head" folder for the
>>> port's collection will be rooted at, creating a folder "ov-freebsd"
>>> and creating the .git folder and config file with git init --bare
>>> ov-freebsd and then manually configuring this according to the
>>> specifications given by the initial poudriere command as seen above -
>>> does NOT WORK. It seems git is called too early or never accesses the
>>> given preexisting folder - or I'm wrong in the assumption of the
>>> location of the overlay folder.
>>> 
>>> Also, checking out the "personal" git repo at the anticipated correct
>>> location and configuring "http.sslVerify false" does not succeed as
>>> expected.
>>> 
>>> I guess this problem must be very common amongst those having their
>>> own git repository servers backed via a webserver secured via SSL
>>> self signed certificates, so I wonder whether there is a solution or
>>> not.
>>> 
>>> Can someone enlighten me? How can I pass the specified env variable
>>> down poudriere to git to achieve the desired task? Assuming this
>>> procedure is correct. If not, what is the proper way to achieve that
>>> task?
>>> 
>> 
>> If you read /usr/local/bin/poudriere you see that it filters the
>> environment. So neither GIT_NO_SSL_VERIFY will come through, nor HOME
>> (which also means that git can't read $HOME/.gitconfig).
>> 
>> The pragmatic solution would be to create a git wrapper script and tell
>> poudriere to use it:
>> 
>> cat >/tmp/git_wrap <<'EOF'
>> #!/bin/sh
>> GIT_NO_SSL_VERIFY=true git "$@"
>> EOF
>> chmod 755 /tmp/git_wrap
>> echo GIT_CMD=/tmp/git_wrap >>/usr/local/etc/poudriere.conf
>> 
>> Cheers
>> Michael
>> 
> 
> Thank you very much for the quick answer.
> 
> Well, the approach is a bit "hacky", but it works, but I had to replace the part "[env]
> GIT_NO_SSL_VERIFY=true" (which is obviously ineffective and not working) with
> 
> git -c http.sslVerify=false "$@"
> 
> That written, brings up the question:
> 
> is there an official way to pass down options to git as with "-c"? That would solve the hacky
> wrapper script.
> 
> Many thanks,
> 
> Oliver
> 
> -- 
> O. Hartmann
> 
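Zachary's point (trust the certificate rather than switch verification off) combined with Michael's GIT_CMD wrapper, as an added example that is not code from the thread: the wrapper keeps TLS verification enabled by handing git an explicit trust anchor with `http.sslCAInfo` via `-c`, which survives poudriere's environment filtering, and a second helper appends `GIT_CMD` to poudriere.conf. The wrapper path, CA file path and conf path are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Keep TLS verification on by
# pinning the CA (or self-signed server certificate) with http.sslCAInfo
# instead of http.sslVerify=false. All paths are assumptions supplied as
# arguments by the caller.

# write_git_wrapper WRAPPER_PATH CA_FILE
# Writes a git wrapper suitable for poudriere's GIT_CMD. poudriere filters
# the environment and HOME, so the setting is passed with -c rather than
# through GIT_* variables or ~/.gitconfig.
write_git_wrapper() {
    wrapper=$1
    ca_file=$2
    [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 1; }
    # Unquoted heredoc so $ca_file is baked in; \$@ is escaped so the
    # wrapper forwards its own arguments instead of the (empty) "$@" of
    # the shell that writes the file.
    cat >"$wrapper" <<EOF
#!/bin/sh
exec git -c "http.sslCAInfo=$ca_file" "\$@"
EOF
    chmod 755 "$wrapper"
}

# set_poudriere_git_cmd CONF_FILE WRAPPER_PATH
# Appends GIT_CMD to poudriere.conf; refuses to add a second, conflicting line.
set_poudriere_git_cmd() {
    conf=$1
    wrapper=$2
    if [ -f "$conf" ] && grep -q '^GIT_CMD=' "$conf"; then
        echo "GIT_CMD already set in $conf; edit it by hand" >&2
        return 1
    fi
    printf 'GIT_CMD=%s\n' "$wrapper" >>"$conf"
}

# wrapper_verifies_tls WRAPPER_PATH
# Sanity check: the wrapper must parse, must pin a CA file and must not
# disable certificate verification.
wrapper_verifies_tls() {
    sh -n "$1" \
        && grep -q 'http.sslCAInfo=' "$1" \
        && ! grep -q 'sslVerify=false' "$1"
}
```

A typical call on the build host would be `write_git_wrapper /usr/local/bin/git_wrap /usr/local/etc/ssl/my-git-ca.pem` followed by `set_poudriere_git_cmd /usr/local/etc/poudriere.conf /usr/local/bin/git_wrap` (both paths assumed, not from the thread).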