Symlinks to certificates in buildtools-tarball at /etc/ssl/certs are installed with absolute paths, making these symlinks point outside of the toolchain to host system locations.
These locations may not contain some certificates (thus the link to the certificate in the toolchain is broken), or the host system certificate may be revoked by CRL or outdated. Since this change seems non-intrusive for the target package, apply the patch for all builds. Cc: XE-Linux <xe-linux-exter...@cisco.com> Signed-off-by: Serhii Popovych <spopo...@cisco.com> --- ...ertificates-Use-relative-paths-when-linki.patch | 38 ++++++++++++++++++++++ .../ca-certificates/ca-certificates_20161130.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch new file mode 100644 index 0000000..8666e30 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch 
@@ -0,0 +1,38 @@ +From 912e7be8e7151bd4a2feed6d34f927d42b12bb7e Mon Sep 17 00:00:00 2001 +From: Serhii Popovych <spopo...@cisco.com> +Date: Wed, 16 Dec 2015 16:48:03 +0200 +Subject: [PATCH] update-ca-certificates: Use relative paths when linking certs + +Creating links in $ETCCERTSDIR (/etc/ssl/certs) with absolute +path could broke paths to the certificates in toolchains by +pointing to the outside of toolchain root directory. These +absolute paths may not exist in the host system or contain +certificates older than provided within toolchain. + +Use absolute pathes when creating symbolic links to the +certificates to ensure we always pointing to the toolchain +provied certificates. + +Upstream-Status: Pending + +Signed-off-by: Serhii Popovych <spopo...@cisco.com> +--- + sbin/update-ca-certificates | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates +index 3a5ffd3..cb3c1f1 100755 +--- a/sbin/update-ca-certificates ++++ b/sbin/update-ca-certificates +@@ -94,7 +94,7 @@ add() { + -e 's/,/_/g').pem" + if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ] + then +- ln -sf "${CERT##$SYSROOT}" "$PEM" ++ ln -sf "$(echo "${ETCCERTSDIR##$SYSROOT}" | sed -e 's/\/[^/]\+/..\//g')${CERT##$SYSROOT/}" "$PEM" + echo "+$PEM" >> "$ADDED" + fi + # Add trailing newline to certificate, if it is missing (#635570) +-- +2.3.0 + diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb b/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb index 42088b9..e6e17de 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb 
@@ -17,6 +17,7 @@ SRCREV = "61b70a1007dc269d56881a0d480fc841daacc77c" SRC_URI = "git://anonscm.debian.org/collab-maint/ca-certificates.git \ file://0002-update-ca-certificates-use-SYSROOT.patch \ + file://0003-update-ca-certificates-Use-relative-paths-when-linki.patch \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ file://update-ca-certificates-support-Toybox.patch \ file://default-sysroot.patch \ -- 2.7.4
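Review bot: In the sbin/update-ca-certificates hunk, the unchanged guard `[ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]` still compares the existing link against the absolute path, while the new `ln -sf` writes a relative target, so for links created by this code the comparison never matches: every run re-creates the link and appends `+$PEM` to `$ADDED`. Compute the relative target once into a variable and use it in both the `readlink` comparison and the `ln -sf` call. The embedded commit message also says "Use absolute pathes when creating symbolic links" where the subject and the code mean relative paths. The sed expression relies on `\+`, which is a GNU extension to basic regular expressions; `[^/][^/]*` is the portable spelling, which matters because the recipe also carries update-ca-certificates-support-Toybox.patch.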