Date:      Wed, 3 Aug 2022 16:28:55 +0200
From:      FreeBSD User <freebsd@walstatt-de.de>
To:        Michael Gmelin <grembo@freebsd.org>
Cc:        FreeBSD Ports <freebsd-ports@freebsd.org>
Subject:   Re: poudriere overlay: passing down git ENV variables (problem: self signed certificates)
Message-ID:  <20220803162922.396e8f25@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <20220803142704.4745d118.grembo@freebsd.org>
References:  <20220803123853.760e9543@thor.intern.walstatt.dynvpn.de> <20220803142704.4745d118.grembo@freebsd.org>

On Wed, 3 Aug 2022 14:27:04 +0200
Michael Gmelin <grembo@freebsd.org> wrote:

> On Wed, 3 Aug 2022 12:38:26 +0200
> FreeBSD User <freebsd@walstatt-de.de> wrote:
> 
> > Hello,
> > 
> > I try to accomplish tasks in maintaining ports via poudriere-devel's
> > OVERLAY option. First of all:
> > 
> > it is a pain in the a... not having ANY suitable hint how to perform
> > this, a single line like that I found after a couple of hours
> > searching here: https://github.com/decke/ports would have been of
> > help, really.
> > 
> > So, I'm facing the all-time-present problem of having my own git
> > server based on HTTPS with self signed certificate. git rejects
> > connecting to those servers in the default configuration setting.
> > Usually, I've to set via git config http.sslVerify false
> > to not verify the certificate. 
> > Following the instructions given at https://github.com/decke/ports
> > with my existing poudriere setup incorporating a ports folder,
> > adjusting the URI with the one appropriate for my case, like:
> > 
> > env GIT_NO_SSL_VERIFY=true poudriere ports -c -U
> > https://myname@my.server.de/git/ports.git -m "git+https" -B master -p
> > ov-freebsd 
> > 
> > fails with the well known "... problem: self signed certificate".
> > 
> > Obviously poudriere is spawning its own environment within which git
> > operates (so it seems to me) and is not passing the given environment
> > variable GIT_NO_SSL_VERIFY=true down to git.
> > 
> > Now, I'm stuck here. I tried, anticipating that the "overlay port's
> > folder" will be located at the same root as my "head" folder for the
> > port's collection will be rooted at, creating a folder "ov-freebsd"
> > and creating the .git folder and config file with git init --bare
> > ov-freebsd and then manually config this according to the
> > specifications given by the initial poudriere command as seen above -
> > does NOT WORK. It seems git is called too early or never accesses the
> > given preexisting folder - or I'm wrong in the assumption of the
> > location of the overlay folder.
> > 
> > Also, checking out the "personal" git repo at the anticipated correct
> > location and configuring "http.sslVerify false" does not succeed as
> > expected.
> > 
> > I guess this problem must be very common amongst those having their
> > own git repository servers backed via a webserver secured via SSL
> > self signed certificates, so I wonder whether there is a solution or
> > not.
> > 
> > Can someone enlighten me? How can I pass the specified env variable
> > down poudriere to git to achieve the desired task? Assuming this
> > procedure is correct. If not, what is the proper way to achieve that
> > task?
> >   
> 
> If you read /usr/local/bin/poudriere you see that it filters the
> environment. So neither GIT_NO_SSL_VERIFY will come through, nor HOME
> (which also means that git can't read $HOME/.gitconfig).
> 
> The pragmatic solution would be to create a git wrapper script and tell
> poudriere to use it:
> 
> cat >/tmp/git_wrap <<'EOF'
> #!/bin/sh
> GIT_NO_SSL_VERIFY=true git "$@"
> EOF
> chmod 755 /tmp/git_wrap
> echo GIT_CMD=/tmp/git_wrap >>/usr/local/etc/poudriere.conf
> 
> Cheers
> Michael
> 

Thank you very much for the quick answer.

Well, the approach is a bit "hacky", but it works, but I had to replace the part
"[env] GIT_NO_SSL_VERIFY=true" (which is obviously ineffective and not working) with

git -c http.sslVerify=false "$@"

That written, brings up the question:

Is there an official way to pass down options to git as with "-c"? That would solve the hacky
wrapper script.

Many thanks,

Oliver

-- 
O. Hartmann
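
Added example, not part of the original thread: a variant of the GIT_CMD wrapper discussed above that leaves certificate verification on and tells git to trust the self-signed certificate for that one server through http.<url>.sslCAInfo. The function names, the certificate and wrapper paths, and /usr/local/bin/git as the default git binary are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and all paths are
# assumptions. Usage (as root, wrapper kept in a root-owned directory), with
# the server URL from the thread:
#   write_git_wrapper /usr/local/libexec/git_wrap https://my.server.de/ \
#       /usr/local/etc/ssl/my-server.pem
#   set_git_cmd /usr/local/etc/poudriere.conf /usr/local/libexec/git_wrap

# write_git_wrapper WRAPPER URL_PREFIX CERT_PEM [GIT_BIN]
# Generates a wrapper that trusts CERT_PEM only for URLs under URL_PREFIX;
# every other remote is still checked against the default CA bundle.
write_git_wrapper() {
    wrapper=$1 url=$2 cert=$3 git_bin=${4:-/usr/local/bin/git}
    # Refuse anything that is not a PEM certificate.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "not a PEM certificate: $cert" >&2
        return 1
    }
    # Unquoted delimiter: the paths expand now, \$@ stays literal so the
    # wrapper forwards its own arguments when poudriere calls it.
    cat >"$wrapper" <<EOF
#!/bin/sh
exec "$git_bin" -c "http.$url.sslCAInfo=$cert" "\$@"
EOF
    chmod 755 "$wrapper"
}

# set_git_cmd CONF WRAPPER
# Sets GIT_CMD in poudriere.conf, replacing an earlier GIT_CMD line so that
# repeated runs do not pile up entries.
set_git_cmd() {
    conf=$1 wrapper=$2
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    grep -v '^GIT_CMD=' "$conf" >"$tmp" 2>/dev/null || true
    echo "GIT_CMD=$wrapper" >>"$tmp"
    cat "$tmp" >"$conf"   # overwrite in place: keeps owner and mode of CONF
    rm -f "$tmp"
}
```

For reference, the environment variable git itself reads for skipping verification is GIT_SSL_NO_VERIFY, and GIT_SSL_CAINFO is the environment counterpart of http.sslCAInfo.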


