buildtools-tarball: Make buildtools respects host CA certificates
To adapt to the user's network environment, buildtools should first try to use the user-configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these envs are not set, then use the auto-detected ca file and ca path, and finally use the CA certificates in buildtools. nativesdk-openssl sets OPENSSLDIR as "/not/builtin", and needs SSL_CERT_FILE/SSL_CERT_DIR set to work. nativesdk-curl doesn't set a default ca file, and needs SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work. nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also work. nativesdk-python3-requests will use cacert.pem under the python module certifi by default, and needs REQUESTS_CA_BUNDLE to be set. (From OE-Core rev: 8a7ec52e9b35654bee48cd948c6c34c63db3e265) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
parent
f4d8e84fd9
commit
8dcd0f73eb
@ -1,9 +1,24 @@
|
||||
export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
|
||||
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
|
||||
export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
|
||||
fi
|
||||
export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
|
||||
export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
|
||||
|
||||
# Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
|
||||
# CAFILE/CAPATH is auto-deteced when source buildtools
|
||||
if [ -z "$SSL_CERT_FILE" ]; then
|
||||
if [ -n "$CAFILE" ];then
|
||||
export SSL_CERT_FILE="$CAFILE"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$SSL_CERT_DIR" ]; then
|
||||
if [ -n "$CAPATH" ];then
|
||||
export SSL_CERT_DIR="$CAPATH"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
|
||||
fi
|
||||
fi
|
||||
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
|
||||
|
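Review bot: The two fallbacks are decided independently, so a user who exports only `SSL_CERT_FILE` still gets `SSL_CERT_DIR` filled in from the host `CAPATH` or the buildtools directory. OpenSSL consults both the file and the directory, so the effective trust store becomes the user's bundle plus those extra roots, which is presumably not what someone pinning a single bundle expects. Wrapping both fallback blocks in one guard, `if [ -z "$SSL_CERT_FILE" ] && [ -z "$SSL_CERT_DIR" ]; then`, would leave a partially configured environment untouched. The git and curl envfiles pair their file and path variables the same way.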
@ -80,14 +80,35 @@ create_sdk_files:append () {
|
||||
toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
|
||||
|
||||
cat >> $script <<EOF
|
||||
# Detect host ca file/path, export for envfile to use
|
||||
# /etc/ssl/certs/ca-certificates.crt Debian systems
|
||||
# /etc/pki/tls/certs/ca-bundle.crt Fedora systems
|
||||
# /etc/ssl/ca-bundle.pem Suse systems
|
||||
export CAFILE
|
||||
export CAPATH
|
||||
for a in /etc/ssl/certs/ca-certificates.crt \
|
||||
/etc/pki/tls/certs/ca-bundle.crt \
|
||||
/etc/ssl/ca-bundle.pem ; do
|
||||
if test -f "\$a"; then
|
||||
CAFILE="\$a"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
a="/etc/ssl/certs"
|
||||
if test -d "\$a" && ls "\$a"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].0 >/dev/null 2>/dev/null; then
|
||||
CAPATH="\$a"
|
||||
fi
|
||||
|
||||
if [ -d "\$OECORE_NATIVE_SYSROOT/environment-setup.d" ]; then
|
||||
for envfile in \$OECORE_NATIVE_SYSROOT/environment-setup.d/*.sh; do
|
||||
. \$envfile
|
||||
done
|
||||
fi
|
||||
|
||||
# We have to unset this else it can confuse oe-selftest and other tools
|
||||
# which may also use the overlapping namespace.
|
||||
unset OECORE_NATIVE_SYSROOT
|
||||
unset OECORE_NATIVE_SYSROOT CAFILE CAPATH
|
||||
EOF
|
||||
|
||||
if [ "${SDKMACHINE}" = "i686" ]; then
|
||||
|
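Review bot: `export CAFILE` and `export CAPATH` at the top of the generated detection block never clear the variables, so a value already present in the caller's environment survives when none of the three bundle paths, or no hashed entry under `/etc/ssl/certs`, is found, and the envfiles then export that inherited value as the trust store. Initialising them before the `for` loop, `CAFILE=""` and `CAPATH=""`, keeps the result tied to what was actually detected on the host. Since the comments say this script is sourced, the final `unset OECORE_NATIVE_SYSROOT CAFILE CAPATH` also removes any `CAFILE`/`CAPATH` the user had set for their own purposes; a less generic variable prefix would avoid that collision. create_sdk_files:append continues outside the hunk.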
@ -1,4 +1,19 @@
|
||||
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO"
|
||||
# Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools
|
||||
# CAFILE/CAPATH is auto-deteced when source buildtools
|
||||
if [ -z "$GIT_SSL_CAINFO" ]; then
|
||||
if [ -n "$CAFILE" ];then
|
||||
export GIT_SSL_CAINFO="$CAFILE"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$GIT_SSL_CAPATH" ]; then
|
||||
if [ -n "$CAPATH" ];then
|
||||
export GIT_SSL_CAPATH="$CAPATH"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
|
||||
fi
|
||||
fi
|
||||
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO GIT_SSL_CAPATH"
|
||||
|
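Review bot: The new tests expand `$GIT_SSL_CAINFO`, `$GIT_SSL_CAPATH`, `$CAFILE` and `$CAPATH` bare, while the export line in the same file still uses `${BB_ENV_PASSTHROUGH_ADDITIONS:-}`; if this file is sourced from a shell running with `set -u`, the first unset variable aborts the sourcing. `export CAFILE` in the buildtools script assigns no value, so `CAFILE` can be unset here even on that path. Writing the guards as `[ -z "${GIT_SSL_CAINFO:-}" ]` and `[ -n "${CAFILE:-}" ]` keeps them consistent with the existing line. The openssl, requests and curl envfiles use the same bare expansions.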
@ -1,4 +1,11 @@
|
||||
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
|
||||
# Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools
|
||||
# CAFILE/CAPATH is auto-deteced when source buildtools
|
||||
if [ -z "$REQUESTS_CA_BUNDLE" ]; then
|
||||
if [ -n "$CAFILE" ];then
|
||||
export REQUESTS_CA_BUNDLE="$CAFILE"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
|
||||
fi
|
||||
fi
|
||||
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
|
||||
|
@ -1,4 +1,19 @@
|
||||
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} CURL_CA_BUNDLE"
|
||||
# Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools
|
||||
# CAFILE/CAPATH is auto-deteced when source buildtools
|
||||
if [ -z "$CURL_CA_PATH" ]; then
|
||||
if [ -n "$CAFILE" ];then
|
||||
export CURL_CA_BUNDLE="$CAFILE"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$CURL_CA_PATH" ]; then
|
||||
if [ -n "$CAPATH" ];then
|
||||
export CURL_CA_PATH="$CAPATH"
|
||||
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
|
||||
export CURL_CA_PATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
|
||||
fi
|
||||
fi
|
||||
|
||||
export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} CURL_CA_BUNDLE CURL_CA_PATH"
|
||||
|
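Review bot: The first guard tests the wrong variable: `if [ -z "$CURL_CA_PATH" ]; then` wraps the block that exports `CURL_CA_BUNDLE`, so a `CURL_CA_BUNDLE` the user already set is overwritten with the host or buildtools bundle whenever `CURL_CA_PATH` is unset, and is never filled in when only `CURL_CA_PATH` is set. That contradicts the comment above it about respecting the host `CURL_CA_BUNDLE` first and silently swaps the trust store the user chose. The first test should read `if [ -z "$CURL_CA_BUNDLE" ]; then`; the second block, which guards `CURL_CA_PATH`, is correct as written.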