GNU bug report logs - #49957
[PATCH] gnu: p11-kit: Fix certificate errors from flatpak apps

Previous Next

Package: guix-patches;

Reported by: Andrew Whatson <whatson <at> gmail.com>

Date: Mon, 9 Aug 2021 14:15:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 49957 in the body.
You can then email your comments to 49957 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to guix-patches <at> gnu.org:
bug#49957; Package guix-patches. (Mon, 09 Aug 2021 14:15:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrew Whatson <whatson <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 09 Aug 2021 14:15:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Andrew Whatson <whatson <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: Andrew Whatson <whatson <at> gmail.com>
Subject: [PATCH] gnu: p11-kit: Fix certificate errors from flatpak apps
Date: Tue, 10 Aug 2021 00:14:31 +1000
Flatpak has a soft dependency on p11-kit, which was configured without
knowledge of the system-wide CA certificate store.  This caused some
flatpak apps to fail with ERR_CERT_AUTHORITY_INVALID errors.

* gnu/packages/tls.scm (p11-kit): Configure with
/etc/ssl/certs/ca-certificates.crt as a trusted path.
---
 gnu/packages/tls.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index d98a724b5f..4af95e2798 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -143,7 +143,7 @@ in intelligent transportation networks.")
      `(("libffi" ,libffi)
        ("libtasn1" ,libtasn1)))
     (arguments
-     `(#:configure-flags '("--without-trust-paths")
+     `(#:configure-flags '("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt")
        #:phases (modify-phases %standard-phases
                   (add-before 'check 'prepare-tests
                     (lambda _
-- 
2.32.0





Information forwarded to guix-patches <at> gnu.org:
bug#49957; Package guix-patches. (Tue, 28 Sep 2021 02:27:02 GMT) Full text and rfc822 format available.

Message #8 received at 49957 <at> debbugs.gnu.org (full text, mbox):

From: John Kehayias <john.kehayias <at> protonmail.com>
To: "49957 <at> debbugs.gnu.org" <49957 <at> debbugs.gnu.org>
Subject: [PATCH] gnu: p11-kit: Fix certificate errors from flatpak apps
Date: Tue, 28 Sep 2021 02:26:22 +0000
Interestingly, I just hit this issue after moving to core-updates-frozen. Not sure what caused it now, p11-kit nor flatpak has changed, but must be something between them.

Unfortunately, this would cause a huge rebuild from what I can tell, so I tried --with-graft and it didn't seem to make a difference. Also, p11-kit is now out of date, with the latest version being 0.24.0.

So, perhaps this could make its way into core-updates-frozen with the upcoming world rebuild coming? https://bugs.gnu.org/50860 Also wanted to note that this change would match what nix does with p11-kit for the same reason.

Open to other suggestions, hoping to not break flatpak in core-updates-frozen.




Information forwarded to guix-patches <at> gnu.org:
bug#49957; Package guix-patches. (Tue, 28 Sep 2021 05:09:02 GMT) Full text and rfc822 format available.

Message #11 received at 49957 <at> debbugs.gnu.org (full text, mbox):

From: John Kehayias <john.kehayias <at> protonmail.com>
To: "49957 <at> debbugs.gnu.org" <49957 <at> debbugs.gnu.org>
Cc: Andrew Whatson <whatson <at> gmail.com>
Subject: Re: [PATCH] gnu: p11-kit: Fix certificate errors from flatpak apps
Date: Tue, 28 Sep 2021 05:07:54 +0000
For the record, I'm using the beta of Flatpak (installs fine with --with-source transformation), version 1.11.3.

Also, I found a workaround by manually killing the p11-kit server and running a new one that I built with this patch and updated to the latest version. In case this helps anyone, I ran with the parameters Flatpak tries to launch:

p11-kit server --sh -n /run/user/1000/.flatpak-helper/pkcs11-flatpak-#### --provider p11-kit-trust.so "pkcs11:model=p11-kit-trust?write-protected=yes"

where the -n argument #### came from trying to run a Flatpak app and seeing it fail not finding the p11-kit server at that socket. Probably you can do this more easily by forcing Flatpak when it first runs to use the fixed p11-kit version (through a patch in Flatpak or some environment setting? or what the system starts?). But with p11-kit server already running for me, this did the trick for testing.




Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Mon, 25 Oct 2021 19:14:02 GMT) Full text and rfc822 format available.

Notification sent to Andrew Whatson <whatson <at> gmail.com>:
bug acknowledged by developer. (Mon, 25 Oct 2021 19:14:02 GMT) Full text and rfc822 format available.

Message #16 received at 49957-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Andrew Whatson <whatson <at> gmail.com>
Cc: John Kehayias <john.kehayias <at> protonmail.com>, 49957-done <at> debbugs.gnu.org
Subject: Re: bug#49957: [PATCH] gnu: p11-kit: Fix certificate errors from
 flatpak apps
Date: Mon, 25 Oct 2021 21:13:42 +0200
Hi,

Andrew Whatson <whatson <at> gmail.com> skribis:

> Flatpak has a soft dependency on p11-kit, which was configured without
> knowledge of the system-wide CA certificate store.  This caused some
> flatpak apps to fail with ERR_CERT_AUTHORITY_INVALID errors.
>
> * gnu/packages/tls.scm (p11-kit): Configure with
> /etc/ssl/certs/ca-certificates.crt as a trusted path.

I pushed a similar fix on ‘master’ based on John’s patch as
b4d29851e412c6f4fea5b2d98160258b9768dee3.

We might as well update the default p11-kit though?  (Somehow I was
assuming it had many dependents, but it only has 80+.)

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#49957; Package guix-patches. (Mon, 25 Oct 2021 19:34:02 GMT) Full text and rfc822 format available.

Message #19 received at 49957-done <at> debbugs.gnu.org (full text, mbox):

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Andrew Whatson <whatson <at> gmail.com>, 49957-done <at> debbugs.gnu.org
Subject: Re: bug#49957: [PATCH] gnu: p11-kit: Fix certificate errors from
 flatpak apps
Date: Mon, 25 Oct 2021 19:33:49 +0000
Hi Ludo’ and Andrew,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Monday, October 25th, 2021 at 3:13 PM, Ludovic Courtès <ludo <at> gnu.org> wrote:

> Hi,
>
> Andrew Whatson whatson <at> gmail.com skribis:
>
> > Flatpak has a soft dependency on p11-kit, which was configured without
> > knowledge of the system-wide CA certificate store. This caused some
> > flatpak apps to fail with ERR_CERT_AUTHORITY_INVALID errors.
> >
> > -   gnu/packages/tls.scm (p11-kit): Configure with
> >     /etc/ssl/certs/ca-certificates.crt as a trusted path.
>
> I pushed a similar fix on ‘master’ based on John’s patch as
> b4d29851e412c6f4fea5b2d98160258b9768dee3.
>
> We might as well update the default p11-kit though? (Somehow I was
> assuming it had many dependents, but it only has 80+.)
>

Flatpak's dependency doesn't show up on a guix refresh --list-dependents p11-kit, as it comes through some other package somehow (I never looked how exactly). But I guess that is more "using" than needing to build against? Wondering if there are some hidden runtime cases to look out for. (Probably more relevant when thinking of changing that configure flag?)

For this bug, the fixes that I wrote did need a cleaning out of previous Flatpaks (checking how you launch Flatpak apps as our previous version put the full store path in .desktop files) as p11-kit gets started in some indirect way. I think via D-Bus and its portal, but the system p11-kit could be used instead of the fixed version. I made sure to remove previous Flatpak installs from my profile and did a restart to be sure. Noting here for completeness.

John




Information forwarded to guix-patches <at> gnu.org:
bug#49957; Package guix-patches. (Wed, 27 Oct 2021 14:28:02 GMT) Full text and rfc822 format available.

Message #22 received at 49957-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: John Kehayias <john.kehayias <at> protonmail.com>
Cc: Andrew Whatson <whatson <at> gmail.com>, 49957-done <at> debbugs.gnu.org
Subject: Re: bug#49957: [PATCH] gnu: p11-kit: Fix certificate errors from
 flatpak apps
Date: Wed, 27 Oct 2021 16:27:43 +0200
Hi,

John Kehayias <john.kehayias <at> protonmail.com> skribis:

> Flatpak's dependency doesn't show up on a guix refresh
> --list-dependents p11-kit, as it comes through some other package
> somehow (I never looked how exactly). But I guess that is more "using"
> than needing to build against? Wondering if there are some hidden
> runtime cases to look out for. (Probably more relevant when thinking
> of changing that configure flag?)

‘guix refresh -l’ doesn’t list all the dependents, only the “contour”:

--8<---------------cut here---------------start------------->8---
$ guix refresh -l p11-kit <at> 0.23
Building the following 40 packages would ensure 81 dependent packages are rebuilt: inxi <at> 3.3.07-1 autofs <at> 5.1.8 network-manager-openvpn <at> 1.8.12 network-manager-vpnc <at> 1.2.6 eolie <at> 0.9.101 gramps <at> 5.1.4 glimpse <at> 0.2.0 openttd <at> 1.11.2 gimp-fourier <at> 0.4.3-2 gimp-resynthesizer <at> 2.0.3 gmic-qt-gimp <at> 2.9.7 rapid-photo-downloader <at> 0.9.18 entangle <at> 3.0 gnome-todo <at> 3.28.1 geary <at> 3.34.1 chatty <at> 0.1.17 shotwell <at> 0.30.12 rhythmbox <at> 3.4.4 gnome-photos <at> 3.34.2 claws-mail <at> 4.0.0 seahorse <at> 3.36.2 network-manager-openconnect <at> 1.2.6 evolution <at> 3.34.2 gnome-music <at> 3.34.5 gnome-tweaks <at> 3.34.1 lxde <at> 0.99.2 caja-extensions <at> 1.24.1 spacefm <at> 1.0.6 xfce <at> 4.16.0 vinagre <at> 3.22.0 liferea <at> 1.13.4 remmina <at> 1.4.20 arc-theme <at> 20201013 gnome-shell-extension-gsconnect <at> 33 numix-gtk-theme <at> 2.6.7 gnome <at> 3.34.5 mate <at> 1.24.1 surf <at> 2.1 midori <at> 9.0 eid-mw <at> 5.0.28
--8<---------------cut here---------------end--------------->8---

To see them all, try this:

  guix graph -t reverse-package p11-kit <at> 0.23 | xdot -

HTH,
Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 25 Nov 2021 12:24:09 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 124 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.