The problem motivating this patch may be the same that motivated a hack of
mine which I never
cleaned up for submit: at least in some early warrior versions curl was
attempting to use cacerts
from the host.
This is a hand-edited copypaste and may not apply cleanly, but you should
get the idea: make it
so curl-native uses its own certs and not the host ones.
commit fde6fcfaae0021d33e917cae81581dbfdb6618de
Author: Yann Dirson <y...@blade-group.com>
Date: Mon Jun 24 18:18:06 2019 +0200
curl-native: use a wrapper script to locate cacert
diff --git a/meta-blade/recipes-support/curl/curl_%.bbappend
b/meta-blade/recipes-support/curl/curl_%.bbappend
index 01b203e..650a764 100644
--- a/meta-blade/recipes-support/curl/curl_%.bbappend
+++ b/meta-blade/recipes-support/curl/curl_%.bbappend
@@ -1,3 +1,20 @@
+# install a wrapper script to locate cacert
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "file://curl.in"
+
+do_install_append_class-native () {
+ mv ${D}${bindir}/curl ${D}${bindir}/curl.real
+ sed s:@STAGING@:${STAGING_DIR_NATIVE}: < ${WORKDIR}/curl.in >
${D}${bindir}/curl
+ chmod 755 ${D}${bindir}/curl
+}
+
+FILES_${BPN}-native += "${bindir}/curl.real"
diff --git a/meta-blade/recipes-support/curl/files/curl.in
b/meta-blade/recipes-support/curl/files/curl.in
new file mode 100644
index 0000000..cfb4456
--- /dev/null
+++ b/meta-blade/recipes-support/curl/files/curl.in
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec $0.real --cacert @STAGING@/etc/ssl/certs/ca-certificates.crt "$@"
Le lun. 6 avr. 2020 à 22:36, Jim Broadus <jbroa...@xevo.com> a écrit :
> On 4/6/20 5:00 AM, Richard Purdie wrote:
> > On Sun, 2020-04-05 at 23:00 -0700, Jim Broadus wrote:
> >> Add a CA_BUNDLE variable to set the built-in CA bundle location. By
> default,
> >> don't set anything for curl-native since that target's sysconfdir is a
> >> location in the recipe's native sysroot directory.
> >>
> >> Signed-off-by: Jim Broadus <jbroa...@xevo.com>
> >
> > That is a huge change in behaviour with potentially quite serious side
> > effects. As far as I remember we deliberately make our native utils
> > self contained rather than relying on the host system (which may or may
> > not have cert files).
> >
> > We point at sysconfdir in the native case since we install ca-
> > certificates there if I remember correctly?
> >
> > Cheers,
> >
> > Richard
> >
>
> Hi Richard. Currently, I don't see the certs installed in the native
> sysroot, so maybe this was broken recently. If that was the intended
> behavior, I can look for a fix for that instead.
>
> Thanks,
> Jim
>
>
>
--
Yann Dirson <y...@blade-group.com>
Blade / Shadow -- http://shadow.tech
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#137085):
https://lists.openembedded.org/g/openembedded-core/message/137085
Mute This Topic: https://lists.openembedded.org/mt/72806047/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
