Date: Wed, 3 Aug 2022 17:56:15 +0200
From: FreeBSD User
To: Zachary Crownover
Cc: Michael Gmelin, FreeBSD Ports
Subject: Re: poudriere overlay: passing down git ENV variables (problem: self signed certificates)
Message-ID: <20220803175642.7d110ca1@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <519322B9-3AB9-4B83-B516-0F3595DB9E44@gmail.com>
References: <20220803162922.396e8f25@thor.intern.walstatt.dynvpn.de> <519322B9-3AB9-4B83-B516-0F3595DB9E44@gmail.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-ports
On Wed, 3 Aug 2022 07:50:35 -0700 Zachary Crownover wrote:

> Choosing to not verify a certificate defeats the entire point of using the certificate and
> you may as well not use it at all. The better thing to do is trust it. Rather than try to
> take credit for someone else's work in compiling a walk through, I'll simply link a blog
> post that will give an example for git.
>
> https://jhooq.com/2-ways-to-fix-ssl-certificate-problem-self-signed-certificate-in-certificate-chain/#git-clone
>
> > On Aug 3, 2022, at 07:29, FreeBSD User wrote:
> >
> > On Wed, 3 Aug 2022 14:27:04 +0200
> > Michael Gmelin wrote:
> >
> >>> On Wed, 3 Aug 2022 12:38:26 +0200
> >>> FreeBSD User wrote:
> >>>
> >>> Hello,
> >>>
> >>> I try to accomplish tasks in maintaining ports via poudriere-devel's
> >>> OVERLAY option. First of all:
> >>>
> >>> it is a pain in the a... not having ANY suitable hint how to perform
> >>> this, a single line like that I found after a couple of hours
> >>> searching here: https://github.com/decke/ports would have been of
> >>> help, really.
> >>>
> >>> So, I'm facing the all-time-present problem of having my own git
> >>> server based on HTTPS with self signed certificate. git rejects
> >>> connecting to those servers in the default configuration setting.
> >>> Usually, I have to set via git config http.sslVerify false
> >>> to not verify the certificate.
> >>> Following the instructions given at https://github.com/decke/ports
> >>> with my existing poudriere setup incorporating a ports folder,
> >>> adjusting the URI with the one appropriate for my case, like:
> >>>
> >>> env GIT_NO_SSL_VERIFY=true poudriere ports -c -U
> >>> https://myname@my.server.de/git/ports.git -m "git+https" -B master -p
> >>> ov-freebsd
> >>>
> >>> fails with the well known "... problem: self signed certificate".
> >>>
> >>> Obviously poudriere is spawning its own environment within which git
> >>> operates (so it seems to me) and is not passing the given environment
> >>> variable GIT_NO_SSL_VERIFY=true down to git.
> >>>
> >>> Now, I'm stuck here. I tried, anticipating that the "overlay port's
> >>> folder" will be located at the same root as my "head" folder for the
> >>> port's collection will be rooted at, creating a folder "ov-freebsd"
> >>> and creating the .git folder and config file with git init --bare
> >>> ov-freebsd and then manually configuring this according to the
> >>> specifications given by the initial poudriere command as seen above -
> >>> does NOT WORK. It seems git is called too early or never accesses the
> >>> given preexisting folder - or I'm wrong in the assumption of the
> >>> location of the overlay folder.
> >>>
> >>> Also, checking out the "personal" git repo at the anticipated correct
> >>> location and configuring "http.sslVerify false" does not succeed as
> >>> expected.
> >>>
> >>> I guess this problem must be very common amongst those having their
> >>> own git repository servers backed via a webserver secured via SSL
> >>> self signed certificates, so I wonder whether there is a solution or
> >>> not.
> >>>
> >>> Can someone enlighten me? How can I pass the specified env variable
> >>> down from poudriere to git to achieve the desired task? Assuming this
> >>> procedure is correct. If not, what is the proper way to achieve that
> >>> task?
> >>>
> >>
> >> If you read /usr/local/bin/poudriere you see that it filters the
> >> environment. So neither GIT_NO_SSL_VERIFY will come through, nor HOME
> >> (which also means that git can't read $HOME/.gitconfig).
> >>
> >> The pragmatic solution would be to create a git wrapper script and tell
> >> poudriere to use it:
> >>
> >> cat >/tmp/git_wrap <<'EOF'
> >> #!/bin/sh
> >> GIT_NO_SSL_VERIFY=true git "$@"
> >> EOF
> >> chmod 755 /tmp/git_wrap
> >> echo GIT_CMD=/tmp/git_wrap >>/usr/local/etc/poudriere.conf
> >>
> >> Cheers
> >> Michael
> >>
> >
> > Thank you very much for the quick answer.
> >
> > Well, the approach is a bit "hacky", but it works, but I had to replace the part "[env]
> > GIT_NO_SSL_VERIFY=true" (which is obviously ineffective and not working) with
> >
> > git -c http.sslVerify=false "$@"
> >
> > That written, brings up the question:
> >
> > is there an official way to pass down options to git as with "-c"? That would solve the
> > hacky wrapper script.
> >
> > Many thanks,
> >
> > Oliver
> >
> > --
> > O. Hartmann
> >

Thank you very much for this hint. It solves several problems with SSL certificates I faced for several sites.

According to my initial problem and Michael Gmelin's answer, the problem persists: the initial git call from within poudriere seems to ignore even the ~/.gitconfig (HOME is not respected) and usually, when performing some initial pulls with git, I have to provide git the proper configuration at the command line via git's "-c" option, for instance -c http.proxy="" in some cases or "-c http.sslVerify=false" as shown in the initial question.

When using the wrapper script as suggested with git enriched with the proper -c options, within the git overlay folder the folder .git contains THEN "config" which can be configured accordingly and without hazards.

The real pain is that poudriere seems not to provide any method to pass some "-c options" down to git - or I do not know them. The documentation is a horror and it is hard for me to find explanations/definitions of such top level env variables like the suggested "GIT_CMD" referred to by Michael Gmelin. I guess there might be an opportunity to find some "GIT_CMD_OPTIONS" variable which is expanded to what follows "-c" ... but this is looking into the magic sphere ...

Kind regards,

Oliver

--
O. Hartmann
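Following Zachary's point that the certificate should be trusted rather than left unverified, the script below is an added example (not code from the thread, from poudriere or from git): it generates a git wrapper of the kind Michael described, but one that pins the self-signed server certificate or its issuing CA through git's http.sslCAInfo setting while keeping http.sslVerify on, prints the GIT_CMD line for poudriere.conf, and checks an existing wrapper for anything that switches verification off. The wrapper and PEM paths are assumptions; git's real environment switch for skipping verification is GIT_SSL_NO_VERIFY, which the check flags alongside http.sslVerify=false.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a git wrapper that keeps
# TLS verification ON and instead trusts the self-signed server certificate
# (or the private CA that issued it) via git's http.sslCAInfo setting.
# poudriere scrubs HOME and GIT_* from the environment it runs git in, so the
# settings are passed with -c on every call, as in Oliver's working wrapper.
#
# Paths below are assumptions: keep the wrapper and the PEM file somewhere
# only root can write (not /tmp), because poudriere runs the wrapper as root.
WRAPPER=${WRAPPER:-/usr/local/etc/poudriere.d/git_wrap}
CA_PEM=${CA_PEM:-/usr/local/etc/poudriere.d/my-server-ca.pem}

# write_git_wrapper WRAPPER_PATH CA_PEM_PATH
# Generates the wrapper. "$@" is kept literal in the output so the generated
# script forwards every argument poudriere hands to git. The CA path must
# not contain whitespace.
write_git_wrapper() {
    {
        printf '#!/bin/sh\n'
        printf '# generated wrapper: pin the server CA, keep verification on\n'
        printf 'exec git -c http.sslVerify=true -c http.sslCAInfo=%s "$@"\n' "$2"
    } >"$1"
    chmod 755 "$1"
}

# poudriere_conf_line WRAPPER_PATH
# Prints the line to append to /usr/local/etc/poudriere.conf (GIT_CMD is the
# setting Michael named in the thread).
poudriere_conf_line() {
    printf 'GIT_CMD=%s\n' "$1"
}

# wrapper_keeps_verification WRAPPER_PATH
# Returns 0 only if the wrapper neither disables TLS verification
# (http.sslVerify=false or git's GIT_SSL_NO_VERIFY variable) nor omits the
# pinned CA file; use it to audit a wrapper before pointing GIT_CMD at it.
wrapper_keeps_verification() {
    if grep -Eq 'sslVerify=false|GIT_SSL_NO_VERIFY' "$1"; then
        return 1
    fi
    grep -q 'http.sslCAInfo=' "$1"
}

# Typical use (commented out so the file can be sourced without side effects):
# write_git_wrapper "$WRAPPER" "$CA_PEM"
# poudriere_conf_line "$WRAPPER" >>/usr/local/etc/poudriere.conf
# wrapper_keeps_verification "$WRAPPER" && echo "wrapper OK"
```

The PEM file is the server's own certificate or the CA that signed it, exported from the server you control; git then accepts only certificates chaining to it.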