Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

2023-06-14 Thread Sam Morris
On Fri, Mar 03, 2023 at 02:43:48PM +, Sam Morris wrote:
> FYI, the file paths in the original bug report are no longer accurate
> for Debian 12 ("bookworm").
> 
>   Old path: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>   New path: /usr/lib/x86_64-linux-gnu/libnssckbi.so
> 
> Commands to divert the original file and replace it with a symlink:
> 
>   # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
>   # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so
> 
> Commands to clean up the old diversion:
> 
>   # dpkg-divert --rename --remove /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>   # dpkg -S /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> ... output should show that this is no longer owned by any package
>   # rm /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

A convenient way to test that the above works (instead of having to
restart your browser) is to use the following tool from the
libnss3-tools package:

$ vfyserv server.example.com
Connecting to host server.example.com (addr 198.51.100.99) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher AES-256-GCM, 256 secret key bits, 256 key bits, status: 1
   subject DN:
 CN=server.example.com,O=Example private certificate authority
   issuer  DN:
 CN=Certificate Authority,O=Example private certificate authority
   0 cache hits; 0 cache misses, 0 cache not reusable
* Connection 1 read 488 bytes total.

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9



Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

2023-06-27 Thread Sam Morris
On Fri, Mar 03, 2023 at 02:43:48PM +, Sam Morris wrote:
> Commands to divert the original file and replace it with a symlink:
> 
>   # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
>   # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so

Unfortunately this no longer works reliably. Since libnssckbi.so is now
found in /usr/lib/x86_64-linux-gnu, as soon as any library package is
installed or upgraded, ldconfig will be run, which will replace
the symlink.

(This is noted in the dpkg-divert man page).

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9



Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

2023-06-28 Thread Sam Morris
On Tue, Jun 27, 2023 at 04:33:06PM +0100, Sam Morris wrote:
> On Fri, Mar 03, 2023 at 02:43:48PM +, Sam Morris wrote:
> > Commands to divert the original file and replace it with a symlink:
> > 
> >   # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
> >   # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so
> 
> Unfortunately this no longer works reliably. Since libnssckbi.so is now
> found in /usr/lib/x86_64-linux-gnu, as soon as any library package is
> installed or upgraded, ldconfig will be run, which will replace
> the symlink.

Workaround: divert libnssckbi.so to a location outside of
/usr/lib/x86_64-linux-gnu, like so:

# dpkg-divert --local --rename \
    --divert /usr/lib.x86_64-linux-gnu.libnssckbi.so.diverted \
    --add /usr/lib/x86_64-linux-gnu/libnssckbi.so
Adding 'local diversion of /usr/lib/x86_64-linux-gnu/libnssckbi.so to /usr/lib.x86_64-linux-gnu.libnssckbi.so.diverted'

Ugly, but now ldconfig will not find the original file and create a
symlink to it based on its SONAME.

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
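The three 2023 messages above describe one procedure and its failure mode: divert libnssckbi.so, symlink it to p11-kit-trust.so, and keep the diverted copy out of any directory ldconfig scans so that ldconfig cannot recreate the SONAME link to the original. The script below is an added example for this thread, not code from the bug reporter, Debian or the p11-kit project. It takes the divert target from the 2023-06-28 message, checks that target against an approximation of ldconfig's search list (the two trusted directories plus /etc/ld.so.conf.d/*.conf; nested "include" directives are not followed), and reports whether the link is currently intact, original, or clobbered. The script name, the function names, the x86_64-linux-gnu fallback triplet and the optional ROOT argument (so the check can run against a staging tree) are all assumptions of this example.

```shell
#!/bin/sh
# nssckbi-trust.sh: divert NSS's libnssckbi.so and point it at p11-kit-trust.so,
# keeping the diverted copy OUTSIDE every ldconfig-searched directory so that
# ldconfig cannot recreate a SONAME link to the original module.
# Added example for Debian bug #704180; not part of p11-kit or Debian. Assumed:
# the function names, the x86_64-linux-gnu fallback triplet and the divert
# target path, which follows the 2023-06-28 message in the thread.
set -eu

# Multiarch triplet of the running system; fall back when dpkg-architecture is absent.
TRIPLET=$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null || echo x86_64-linux-gnu)
LIBDIR=/usr/lib/$TRIPLET
NSSCKBI=$LIBDIR/libnssckbi.so                        # location on Debian 12 (bookworm)
TRUST=$LIBDIR/pkcs11/p11-kit-trust.so
DIVERTED=/usr/lib.$TRIPLET.libnssckbi.so.diverted    # dirname is /usr, not $LIBDIR

# Approximation of the directories ldconfig scans: the two trusted directories
# plus every entry in /etc/ld.so.conf.d (comments stripped; nested "include"
# directives are not followed). Prints one directory per line.
ldconfig_dirs() {
    echo /lib
    echo /usr/lib
    for _conf in /etc/ld.so.conf.d/*.conf; do
        [ -r "$_conf" ] || continue
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$_conf"
    done
}

# divert_target_is_safe TARGET DIR...: succeed iff TARGET's directory is none of
# DIR... . A diverted copy inside a scanned directory (dpkg-divert's default
# libnssckbi.so.distrib, or the .orig name from the original report) still
# carries SONAME libnssckbi.so, so ldconfig would repoint the link at it.
divert_target_is_safe() {
    _dir=$(dirname "$1"); shift
    for _d in "$@"; do
        [ "$_dir" = "${_d%/}" ] && return 1
    done
    return 0
}

# nssckbi_status [ROOT]: what currently sits at $ROOT$NSSCKBI.
#   trust     -> symlink to p11-kit-trust.so (the desired state)
#   original  -> a regular file, i.e. NSS's own built-in root store
#   clobbered -> a symlink elsewhere, typically ldconfig's SONAME link to the
#                diverted copy (the failure mode described in the thread)
#   missing   -> nothing there
nssckbi_status() {
    _f="${1:-}$NSSCKBI"
    if [ -L "$_f" ]; then
        case "$(readlink "$_f")" in
            p11-kit-trust.so|*/p11-kit-trust.so) echo trust ;;
            *) echo clobbered ;;
        esac
    elif [ -e "$_f" ]; then
        echo original
    else
        echo missing
    fi
}

main() {
    case "$1" in
        status) nssckbi_status ;;
        apply)
            # ldconfig_dirs output is word-split on purpose: one directory per word.
            if ! divert_target_is_safe "$DIVERTED" $(ldconfig_dirs); then
                echo "refusing: $DIVERTED lies in an ldconfig-searched directory" >&2
                exit 1
            fi
            dpkg-divert --local --rename --divert "$DIVERTED" --add "$NSSCKBI"
            ln -sr "$TRUST" "$NSSCKBI"
            nssckbi_status ;;
        revert)
            # Remove the symlink first: dpkg-divert will not rename over an existing file.
            [ -L "$NSSCKBI" ] && rm "$NSSCKBI"
            dpkg-divert --rename --remove "$NSSCKBI"
            nssckbi_status ;;
        *) echo "usage: $0 status|apply|revert" >&2; exit 2 ;;
    esac
}

# Dispatch only when given a subcommand, so the file can also be sourced.
[ $# -eq 0 ] || main "$1"
```

`apply` and `revert` need root and a Debian system with dpkg-divert; `status` needs neither and is the part worth running after every upgrade that pulls in a library package, since that is exactly when ldconfig runs. Had the 2023-06-14 commands been kept, the diverted copy would be `libnssckbi.so.distrib` in the same directory, and `apply` would refuse it for the reason the 2023-06-27 message gives.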



Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

2017-03-03 Thread Laurent Bigonville
On Thu, 28 Mar 2013 20:57:01 -0400 Daniel Kahn Gillmor wrote:

> as of 0.17.4, it looks like i can replace
> /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
> /usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
> libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
> trusted root store as the canonical list of trusted authorities,
> rather than using their own built-in.
>
> I did this with something like:
>
> dpkg-divert --divert /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
> mv /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig
> ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
>
> It would be great to have this available to a system administrator
> without having to do this work manually.
>
> Two ways to go about it:
>
> a) the p11-kit binary package could have a postinst script, and based on a
> debconf prompt, could decide to make this diversion.
>
> b) we could introduce a new binary package that Depends: on p11-kit
> and unconditionally does this diversion in its postinst script.
>
> I prefer (b), because i think it's simpler to say "if you want this
> behavior, install p11-kit-nssckbi" than to ask admins to
> dpkg-reconfigure or preseed their debconf selections.
>
> If this seems reasonable, i could write a patch to implement it.
> please let me know (and let me know if you have preferences for
> strategy a or b also).
>
> thanks for keeping p11-kit up-to-date in debian -- this is a big step
> forward toward using a well-administered trust store!
>
> Regards,
>
> --dkg

Note that there is also #741005 opened against the NSS package.



Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

2013-03-28 Thread Daniel Kahn Gillmor
Package: p11-kit
Version: 0.17.4-1
Severity: wishlist

as of 0.17.4, it looks like i can replace
/usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
/usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
trusted root store as the canonical list of trusted authorities,
rather than using their own built-in.

I did this with something like:

dpkg-divert --divert /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
mv /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig
ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so

It would be great to have this available to a system administrator
without having to do this work manually.

Two ways to go about it:

 a) the p11-kit binary package could have a postinst script, and based on a
debconf prompt, could decide to make this diversion.

 b) we could introduce a new binary package that Depends: on p11-kit
and unconditionally does this diversion in its postinst script.

I prefer (b), because i think it's simpler to say "if you want this
behavior, install p11-kit-nssckbi" than to ask admins to
dpkg-reconfigure or preseed their debconf selections.

If this seems reasonable, i could write a patch to implement it.
please let me know (and let me know if you have preferences for
strategy a or b also).

thanks for keeping p11-kit up-to-date in debian -- this is a big step
forward toward using a well-administered trust store!

Regards,

--dkg

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages p11-kit depends on:
ii  libc6        2.13-38
ii  libp11-kit0  0.17.4-1
ii  libtasn1-6   3.2-1

p11-kit recommends no packages.

p11-kit suggests no packages.

-- debconf-show failed

