l...@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver <m...@netris.org> writes:
>
>> No, it's not worse than it was before.  Sorry if I gave that impression.
>> The only issue is that we might need to generate a single-file
>> certificate bundle for now, because I haven't found a way to get 'git'
>> to check certificates on GuixSD without a single-file cert bundle, at
>> least not when curl is built with GnuTLS.
>
> It seems like adding this single-file bundle would be the simplest
> short-term option.  How would we create that file exactly?

The single-file bundle is just a concatenation of all the individual PEM
data, starting with "-----BEGIN CERTIFICATE-----" and ending with
"-----END CERTIFICATE-----", including those delimiters.

The only caveat is that the individual PEM files are not required to
have a newline after the "-----END CERTIFICATE-----", but in the
single-file cert bundle, we must ensure that the newline is present.
See <https://bugs.debian.org/635570>.

> Would it be OK to keep it in the nss-certs package?

In order to support multiple packages containing CA certs, it would be
good to handle creation of the single-file cert bundle in the profile
generation code, analogous to our handling of info "dir" files.  This
would allow us to create additional cert packages (e.g. one for
CAcert.org).

I think it belongs in the profile generation code for the benefit of
users running Guix packages on top of another distro, where they might
not have root access.  They can simply set GIT_SSL_CAINFO and
SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt

What do you think?

     Mark
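
The concatenation described in the message above, as an added shell example that is not part of the original e-mail and is not Guix's profile-generation code. `make_ca_bundle` and `check_ca_bundle` are hypothetical helper names, and the sample PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# make_ca_bundle DIR OUT: concatenate every certificate found in DIR/*.pem
# into OUT. (Hypothetical helper name, assumed for this example.)
make_ca_bundle() {
    tmp="$2.tmp.$$"
    : > "$tmp" || return 1
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        # Copy only the BEGIN..END blocks, delimiters included. awk's print
        # ends every line with a newline, which supplies the one a PEM file
        # is allowed to omit after its END line.
        awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
             inside                           { print }
             /^-----END CERTIFICATE-----$/   { inside = 0 }' "$pem" >> "$tmp" ||
            { rm -f "$tmp"; return 1; }
    done
    mv "$tmp" "$2"
}

# check_ca_bundle FILE: print the number of certificates, or fail if a
# delimiter shares its line with other text or BEGIN/END counts differ.
check_ca_bundle() {
    awk '/-----(BEGIN|END) CERTIFICATE-----/ &&
         !/^-----(BEGIN|END) CERTIFICATE-----$/ { bad = 1 }
         /^-----BEGIN CERTIFICATE-----$/ { b++ }
         /^-----END CERTIFICATE-----$/   { e++ }
         END { if (bad || b != e || b == 0) exit 1; print b }' "$1"
}

# Constructed sample input (bodies are placeholders, not real certificates);
# a.pem deliberately has no newline after its END line.
demo=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
    '-----END CERTIFICATE-----' > "$demo/a.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' \
    '-----END CERTIFICATE-----' > "$demo/b.pem"

# Plain cat fuses a.pem's END line with b.pem's BEGIN line.
cat "$demo"/*.pem > "$demo/naive.crt"
check_ca_bundle "$demo/naive.crt" || echo "naive concatenation: malformed"

make_ca_bundle "$demo" "$demo/ca-certificates.crt"
echo "bundle certificates: $(check_ca_bundle "$demo/ca-certificates.crt")"
rm -rf "$demo"
```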