Date:      Mon, 15 Aug 2022 09:43:51 +0200
From:      Tĳl Coosemans <tijl@FreeBSD.org>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        novel@FreeBSD.org, freebsd-ports@freebsd.org
Subject:   Re: Again on security/gnutls certificate store
Message-ID:  <20220815094351.733016bd@FreeBSD.org>
In-Reply-To: <cc8a9ae7-b634-11fc-4076-5036ad9948cc@netfence.it>
References:  <02cb8bc2-8d91-8d58-e764-baab240680bf@netfence.it> <20220813115126.2deda35d@FreeBSD.org> <cc8a9ae7-b634-11fc-4076-5036ad9948cc@netfence.it>


On Sun, 14 Aug 2022 17:10:37 +0200 Andrea Venturoli <ml@netfence.it>
wrote:
> On 8/13/22 11:51, Tĳl Coosemans wrote:
>> Try this patch for p11-kit.  If it works you can file a bug against
>> p11-kit, because I believe ports are supposed to move away from
>> ca_root_nss.
>>
>> --- a/security/p11-kit/Makefile
>> +++ b/security/p11-kit/Makefile
>> @@ -25,7 +25,7 @@ MESON_ARGS=3D   -Dbash_completion=3Denabled \
>>                  -Dlibffi=3Denabled \
>>                  -Dnls=3Dfalse \
>>                  -Dtrust_module=3Denabled \
>> -               -Dtrust_paths=3D${LOCALBASE}/share/certs/ca-root-nss.crt
>> +               -Dtrust_paths=3D/etc/ssl/certs
>>  =20
>>   OPTIONS_DEFINE=3D                DOCS MANPAGES TEST
>>   OPTIONS_SUB=3D           yes
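
Review bot: `-Dtrust_paths=/etc/ssl/certs` on the `+` line should not go in as is, since the reply below reports that `trust list` prints nothing with this value. The patch attached further down instead points `trust_paths` at a directory that holds `anchors` and `blocklist` entries, and that layout is the one to test. Note also that this single changed line stops referencing `ca-root-nss.crt` while the port's `ca_root_nss` dependencies (visible as removed lines in the attached patch) stay in place, so the two should be changed together.
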
>
> Hello and thanks.
> Unfortunately this does not seem to work.
>
> "trust list" now outputs nothing.
> ("Standard" "trust list" of course outputs all certs from ca_root_nss).
>
> You are right that, according to the documentation, this should work; I
> have no idea why it doesn't though.

Try this patch instead.


diff --git a/security/p11-kit/Makefile b/security/p11-kit/Makefile
index 6c0d4d634505..68ae7d58a122 100644
--- a/security/p11-kit/Makefile
+++ b/security/p11-kit/Makefile
@@ -10,9 +10,7 @@ COMMENT=	Library for loading and enumerating of PKCS\#11 modules
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/COPYING
 
-BUILD_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss \
-		bash-completion>=0:shells/bash-completion
-RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
+BUILD_DEPENDS=	bash-completion>=0:shells/bash-completion
 LIB_DEPENDS=	libffi.so:devel/libffi \
 		libtasn1.so:security/libtasn1
 
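Review bot: with `RUN_DEPENDS` on `security/ca_root_nss` removed in this hunk, nothing in the port guarantees that a CA bundle is present at run time; the trust store then depends entirely on what the base system keeps in `/etc/ssl/certs`, which the `post-install` hunk links to. Please state that requirement in the commit message or a pkg-message, so that an empty `trust list` on a host without a populated `/etc/ssl/certs` is not a surprise.
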
@@ -25,7 +23,7 @@ MESON_ARGS=	-Dbash_completion=enabled \
 		-Dlibffi=enabled \
 		-Dnls=false \
 		-Dtrust_module=enabled \
-		-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt
+		-Dtrust_paths=${DATADIR}/certs
 
 OPTIONS_DEFINE=		DOCS MANPAGES TEST
 OPTIONS_SUB=		yes
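Review bot: `-Dtrust_paths=${DATADIR}/certs` needs a comment, because that directory contains nothing but the two symlinks created in `post-install`, and a reader of `MESON_ARGS` cannot tell where the certificates actually come from. A short comment above `MESON_ARGS` naming `/etc/ssl/certs` and `/etc/ssl/untrusted` as the real sources would be enough.
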
@@ -46,5 +44,8 @@ post-install:
 	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	${MV} ${STAGEDIR}${PREFIX}/etc/pkcs11/pkcs11.conf.example ${STAGEDIR}${EXAMPLESDIR}
 	${RMDIR} ${STAGEDIR}${PREFIX}/etc/pkcs11
+	${MKDIR} ${STAGEDIR}${DATADIR}/certs
+	${LN} -s /etc/ssl/certs ${STAGEDIR}${DATADIR}/certs/anchors
+	${LN} -s /etc/ssl/untrusted ${STAGEDIR}${DATADIR}/certs/blocklist
 
 .include <bsd.port.mk>
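Review bot: both `${LN} -s` lines hard-code absolute targets under `/etc/ssl`, so on a host where `/etc/ssl/certs` or `/etc/ssl/untrusted` does not exist the package installs dangling links and the corresponding part of the store is silently empty. That matters most for `blocklist`, where a missing target means no distrust entries are applied. Either document that both directories must exist or handle their absence explicitly, and consider putting the two target paths in a Makefile variable so they are defined in one place.
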
diff --git a/security/p11-kit/pkg-plist b/security/p11-kit/pkg-plist
index 7341c822cc7f..dac887134044 100644
--- a/security/p11-kit/pkg-plist
+++ b/security/p11-kit/pkg-plist
@@ -61,5 +61,7 @@ share/bash-completion/completions/trust
 %%DOCS%%share/gtk-doc/html/p11-kit/trust.html
 %%DOCS%%share/gtk-doc/html/p11-kit/up-insensitive.png
 %%DOCS%%share/gtk-doc/html/p11-kit/up.png
+%%DATADIR%%/certs/anchors
+%%DATADIR%%/certs/blocklist
 %%DATADIR%%/modules/p11-kit-trust.module
 %%EXAMPLESDIR%%/pkcs11.conf.example
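
Review bot: a `PORTREVISION` bump is missing: the two added `%%DATADIR%%/certs/` entries change the package contents and the Makefile hunks change its dependencies and `trust_paths`, yet no hunk in this patch touches `PORTREVISION`. Add the bump so that existing installations are rebuilt and pick up the new trust paths.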




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20220815094351.733016bd>