Symlinks to certificates in buildtools-tarball at /etc/ssl/certs
are installed with absolute paths, making these symlinks point
outside of the toolchain to host system locations.

These locations may not contain some certificates (thus the link to
the certificate in the toolchain is broken), or the host system
certificate may be revoked by CRL or outdated.

Since this change seems non-intrusive for the target package, apply
the patch for all builds.

Cc: XE-Linux <xe-linux-exter...@cisco.com>
Signed-off-by: Serhii Popovych <spopo...@cisco.com>
---
 ...ertificates-Use-relative-paths-when-linki.patch | 38 ++++++++++++++++++++++
 .../ca-certificates/ca-certificates_20161130.bb    |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 
meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch

diff --git 
a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch
 
b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch
new file mode 100644
index 0000000..8666e30
--- /dev/null
+++ 
b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-Use-relative-paths-when-linki.patch
@@ -0,0 +1,38 @@
+From 912e7be8e7151bd4a2feed6d34f927d42b12bb7e Mon Sep 17 00:00:00 2001
+From: Serhii Popovych <spopo...@cisco.com>
+Date: Wed, 16 Dec 2015 16:48:03 +0200
+Subject: [PATCH] update-ca-certificates: Use relative paths when linking certs
+
+Creating links in $ETCCERTSDIR (/etc/ssl/certs) with absolute
+path could broke paths to the certificates in toolchains by
+pointing to the outside of toolchain root directory. These
+absolute paths may not exist in the host system or contain
+certificates older than provided within toolchain.
+
+Use absolute pathes when creating symbolic links to the
+certificates to ensure we always pointing to the toolchain
+provied certificates.
+
+Upstream-Status: Pending
+
+Signed-off-by: Serhii Popovych <spopo...@cisco.com>
+---
+ sbin/update-ca-certificates | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
+index 3a5ffd3..cb3c1f1 100755
+--- a/sbin/update-ca-certificates
++++ b/sbin/update-ca-certificates
+@@ -94,7 +94,7 @@ add() {
+                                                   -e 's/,/_/g').pem"
+   if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
+   then
+-    ln -sf "${CERT##$SYSROOT}" "$PEM"
++    ln -sf "$(echo "${ETCCERTSDIR##$SYSROOT}" | sed -e 
's/\/[^/]\+/..\//g')${CERT##$SYSROOT/}" "$PEM"
+     echo "+$PEM" >> "$ADDED"
+   fi
+   # Add trailing newline to certificate, if it is missing (#635570)
+-- 
+2.3.0
+
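Review bot: the guard just above the changed `ln -sf` line in add() still compares `$(readlink "$PEM")` against the absolute `${CERT##$SYSROOT}`, so once the link target is relative the comparison never matches and every run re-creates the link and appends `+$PEM` to `$ADDED`. Compute the relative target once into a variable and use that variable in both the `readlink` test and the `ln -sf` call. The `sed` expression also relies on `\+`, a GNU extension in basic regular expressions; `'s/\/[^/][^/]*/..\//g'` does the same with portable syntax. Finally, the embedded commit message says "Use absolute pathes" where the subject line and the code make the links relative; the wording should match.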
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb 
b/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb
index 42088b9..e6e17de 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20161130.bb
@@ -17,6 +17,7 @@ SRCREV = "61b70a1007dc269d56881a0d480fc841daacc77c"
 
 SRC_URI = "git://anonscm.debian.org/collab-maint/ca-certificates.git \
            file://0002-update-ca-certificates-use-SYSROOT.patch \
+           
file://0003-update-ca-certificates-Use-relative-paths-when-linki.patch \
            
file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
            file://update-ca-certificates-support-Toybox.patch \
            file://default-sysroot.patch \
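Review bot: the new `0003-...` entry is placed ahead of `0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch` in SRC_URI, so the numeric prefixes no longer match the order of the list, and `update-ca-certificates-support-Toybox.patch` and `default-sysroot.patch` follow it. Either append 0003 at the end of the list or confirm that the later patches still apply cleanly on top of the rewritten `ln -sf` line in sbin/update-ca-certificates.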
-- 
2.7.4
