On 14 Aug 2025, at 0:25, Dag-Erling Smørgrav wrote:
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=81d8827ad8752e35411204541f1f09df1481e417

commit 81d8827ad8752e35411204541f1f09df1481e417
Author:     Dag-Erling Smørgrav <d...@freebsd.org>
AuthorDate: 2025-08-13 22:25:27 +0000
Commit:     Dag-Erling Smørgrav <d...@freebsd.org>
CommitDate: 2025-08-13 22:25:27 +0000

    certctl: Reimplement in C

    Notable changes include:

    * We no longer forget manually untrusted certificates when rehashing.

    * Rehash will now scan the existing directory and progressively
      replace its contents with those of the new trust store. The trust
      store as a whole is not replaced atomically, but each file within
      it is.

    * We no longer attempt to link to the original files, but we don't
      copy them either. Instead, we write each certificate out in its
      minimal form.

    * We now generate a trust bundle in addition to the hashed directory.
      This also contains only the minimal DER form of each certificate.

    * The C version is approximately two orders of magnitude faster than
      the sh version, with rehash taking ~100 ms vs ~5-25 s depending on
      whether ca_root_nss is installed.

    * The DISTBASE concept has been dropped; the same effect can be
      achieved by adjusting DESTDIR.

    * We now also have rudimentary tests.

    Reviewed by:    kevans
    Differential Revision:  https://reviews.freebsd.org/D42320

I’m seeing errors like this during bricoler test runs now:

/usr/home/kp/bricoler/freebsd-src-regression-suite-vm-image/image.amd64.amd64-METALOG.mtree:38358: error: word too long to fit buffer (max 10 characters)

Those are all lines with absolute paths (e.g. /etc/ssl/cert.pem rather than ./etc/ssl/cert.pem). This hack seems to fix things for me, but I’m nowhere near familiar enough with the relevant build bits to say for sure if that’s right or not:

        diff --git a/usr.sbin/certctl/certctl.c b/usr.sbin/certctl/certctl.c
        index 365870167aeb..336a49830a3d 100644
        --- a/usr.sbin/certctl/certctl.c
        +++ b/usr.sbin/certctl/certctl.c
@@ -490,7 +490,7 @@ write_certs(const char *dir, struct cert_tree *tree)
                        }
                        /* emit metalog */
                        if (mlf != NULL) {
        -                       fprintf(mlf, "%s/%s type=file "
        +                       fprintf(mlf, "./%s/%s type=file "
                                    "uname=%s gname=%s mode=%#o size=%ld\n",
                                    unexpand_path(dir), path,
                                    uname, gname, mode, ftell(f));
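Review bot: the "./%s/%s" prefix in the fprintf(mlf, ...) call in write_certs only yields a clean "./etc/ssl/..." path if unexpand_path(dir) returns a path without a leading slash; the error quoted above shows the entries currently come out as "/etc/ssl/cert.pem", so if unexpand_path(dir) hands back "/etc/ssl/certs" the hack produces ".//etc/ssl/certs/<file>" with a doubled slash. Either use ".%s/%s" when the returned path is absolute, or make unexpand_path() itself return the METALOG-relative "./..." form so that the format string does not have to guess; the latter keeps every metalog emitter consistent and also covers the DESTDIR-stripping case without a second special case here.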
@@ -561,7 +561,7 @@ write_bundle(const char *dir, const char *file, struct cert_tree *tree)
                }
                if (ret == 0 && mlf != NULL) {
                        fprintf(mlf,
- "%s/%s type=file uname=%s gname=%s mode=%#o size=%ld\n", + "./%s/%s type=file uname=%s gname=%s mode=%#o size=%ld\n", unexpand_path(dir), file, uname, gname, mode, ftell(f));
                }
                fclose(f);
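Review bot: the metalog line format in write_bundle is now a second copy of the one in write_certs, including the same "./%s/%s" prefix and the same dependence on what unexpand_path(dir) returns, so the two entries can drift apart (and the doubled-slash concern from the write_certs hunk applies here too). Factor the "%s/%s type=file uname=%s gname=%s mode=%#o size=%ld\n" emission into one small helper that takes dir, file, uname, gname, mode and size and builds the path once, and have both call sites use it. The hunk has also been run together onto one line in the mail, which makes the -/+ pair hard to review; a resend as an attachment or a Phabricator diff would help.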

—
Kristof

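The metalog path normalization the hack is reaching for, as an added illustration for this thread and not certctl's code: mtree METALOG entries are relative to DESTDIR and spelled "./etc/ssl/cert.pem", and the helper below produces that form whether the directory it is given is "/etc/ssl", "etc/ssl", "./etc/ssl" or "/etc/ssl/", collapsing duplicate slashes instead of relying on a fixed "./" prefix. The function names metalog_path() and metalog_entry(), the 1024-byte path buffer and the uname/gname/mode/size sample values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Build the path field of an mtree METALOG entry from an install
 * directory and a file name.  Illustration only (not certctl code):
 * accepts dir as "/etc/ssl", "etc/ssl", "./etc/ssl" or "/etc/ssl/" and
 * always yields "./etc/ssl/<file>" with single slashes.
 * Returns the length written, or -1 if out is too small.
 */
static int
metalog_path(char *out, size_t outlen, const char *dir, const char *file)
{
	const char *parts[2] = { dir, file };
	size_t n = 0;
	int i;

	if (outlen < 2)
		return (-1);
	out[n++] = '.';
	for (i = 0; i < 2; i++) {
		const char *p = parts[i];

		/* a leading "./" is already implied by the "." we wrote */
		if (p[0] == '.' && p[1] == '/')
			p += 2;
		if (*p == '\0')
			continue;
		/* exactly one '/' between components, never two */
		if (out[n - 1] != '/') {
			if (n + 1 >= outlen)
				return (-1);
			out[n++] = '/';
		}
		for (; *p != '\0'; p++) {
			if (*p == '/' && out[n - 1] == '/')
				continue;	/* collapse "//" */
			if (n + 1 >= outlen)
				return (-1);
			out[n++] = *p;
		}
	}
	/* drop a trailing '/' left by "dir/" with an empty file name */
	if (n > 1 && out[n - 1] == '/')
		n--;
	out[n] = '\0';
	return ((int)n);
}

/*
 * Format one full METALOG line in the shape certctl emits (type=file,
 * uname, gname, octal mode, size).  Returns the length, or -1 on error.
 */
static int
metalog_entry(char *out, size_t outlen, const char *dir, const char *file,
    const char *uname, const char *gname, unsigned mode, long size)
{
	char path[1024];	/* assumed sufficient for any install path */
	int n;

	if (metalog_path(path, sizeof(path), dir, file) < 0)
		return (-1);
	n = snprintf(out, outlen,
	    "%s type=file uname=%s gname=%s mode=%#o size=%ld\n",
	    path, uname, gname, mode, size);
	if (n < 0 || (size_t)n >= outlen)
		return (-1);
	return (n);
}

/* Small checkers so results can be asserted on rather than printed. */
static int
check_path(const char *dir, const char *file, const char *want)
{
	char buf[64];

	if (metalog_path(buf, sizeof(buf), dir, file) < 0)
		return (0);
	return (strcmp(buf, want) == 0);
}

static int
check_entry(const char *dir, const char *file, const char *want)
{
	char buf[256];

	/* constructed sample values: root:wheel, mode 0444, 123 bytes */
	if (metalog_entry(buf, sizeof(buf), dir, file, "root", "wheel",
	    0444, 123L) < 0)
		return (0);
	return (strcmp(buf, want) == 0);
}

int
main(void)
{
	char buf[256];

	if (metalog_entry(buf, sizeof(buf), "/etc/ssl", "cert.pem",
	    "root", "wheel", 0444, 123L) > 0)
		fputs(buf, stdout);
	return (0);
}
```

Run stand-alone it prints the single METALOG line for /etc/ssl/cert.pem; the point of normalizing inside one helper rather than in each fprintf format string is that both the per-certificate and the bundle emitters cannot disagree about the prefix.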