
Conversation

@jepio jepio (Member) commented Feb 14, 2025

app-misc/ca-certificates: Account for certs missing newlines

Concatenating certificates missing newlines naively with cat results in a broken bundle. Fix the issue by using a sed expression that appends a trailing newline after the last line if it is missing.

Issue: flatcar/Flatcar#1601

How to use

Add certificates to /etc/ssl/certs, including one without a trailing newline and then run update-ca-certificates.

Testing done

Tested this in a shell:

#!/bin/bash
set -e

CERTSDIR=certs/
TEMPBUNDLE=temp.pem

# Build the bundle file by file; '$a\' makes sed emit the newline that
# the last line of a file may be missing, so entries never run together.
f() {
    for f in "${CERTSDIR}"/*.[0-9]; do
        sed '$a\' "${f}"
    done > "${TEMPBUNDLE}"
}

# Constructed inputs: a.0 and c.0 are written without a trailing newline.
mkdir -p "${CERTSDIR}"
pushd "${CERTSDIR}"
echo -n cert1 >a.0
echo    cert2 >b.0
echo -n cert3 >c.0
popd

echo "Before:"
echo '---'
cat "${CERTSDIR}"/*.[0-9]
echo '---'

echo "After:"
echo '---'
f
cat "${TEMPBUNDLE}"
echo '---'

Output:

~/certs ~
~
Before:
---
cert1cert2
cert3---
After:
---
cert1
cert2
cert3
---
  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@chewi chewi (Contributor) left a comment

I think you can avoid the for loop if you use sed's --separate option.
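Added example, not code from this PR or from the Flatcar repository: a script that reproduces the broken bundle described in the PR and then builds it the way chewi suggests, with GNU sed's -s (--separate) option, so that '$a\' is applied to the last line of each input file without a for loop. The working directory, file names and the placeholder PEM contents are constructed for the demonstration and are not real certificates.

```shell
#!/bin/bash
# Added example (not the PR's or Flatcar's code): assemble a CA bundle from
# hashed certificate files, tolerating files without a trailing newline.
set -eu

# Constructed scratch directory standing in for /etc/ssl/certs.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERTSDIR="$WORK/certs"
mkdir -p "$CERTSDIR"

# Constructed stand-ins for PEM files; c.0 deliberately lacks a trailing newline.
printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$CERTSDIR/a.0"
printf -- '-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n' > "$CERTSDIR/b.0"
printf -- '-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----' > "$CERTSDIR/c.0"
printf -- '-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----\n' > "$CERTSDIR/d.0"

# Naive concatenation: c.0's END marker and d.0's BEGIN marker end up on one line,
# which a PEM parser will not recognise as a certificate boundary.
bundle_naive() {
    cat "$CERTSDIR"/*.[0-9] > "$1"
}

# Fixed concatenation: with -s (--separate) GNU sed treats each file as its own
# stream, so '$' is the last line of every file and '$a\' appends the missing
# newline there (and only there); files that already end in a newline are unchanged.
bundle_fixed() {
    sed -s '$a\' "$CERTSDIR"/*.[0-9] > "$1"
}

# Sanity check for a bundle: count lines that are exactly the END marker.
# A healthy bundle has one per input file.
count_end_markers() {
    grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

bundle_naive "$WORK/naive.pem"
bundle_fixed "$WORK/fixed.pem"
echo "naive bundle: $(count_end_markers "$WORK/naive.pem") intact END markers"
echo "fixed bundle: $(count_end_markers "$WORK/fixed.pem") intact END markers"
```

The check at the end is the one worth keeping around after any change to bundle assembly: the number of intact END markers in ca-certificates.crt must equal the number of input files, otherwise at least one trust anchor has silently dropped out of the bundle.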

github-actions bot commented Feb 14, 2025

Concatenating certificates missing newlines naively with cat results in a broken
bundle. Fix the issue by using a sed expression that appends a trailing newline
after the last line if it is missing.

Issue: flatcar/Flatcar#1601
Signed-off-by: Jeremi Piotrowski <[email protected]>
@jepio jepio (Member, Author) commented Feb 24, 2025

@chewi applied your suggestion.

Tested this using a certificate file with missing newline:

$ sudo bash <<EOF
pushd /etc/ssl/certs
rm Entrust*
wget --no-check-certificate -O entrust_2048_ca.pem https://files.entrust.com/root-certificates/entrust_2048_ca.cer
cat entrust_2048_ca.pem
echo "<<<"
update-ca-certificates | grep entrust
grep -A2 nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE= /etc/ssl/certs/ca-certificates.crt
EOF
/etc/ssl/certs /home/core
--2025-02-24 11:55:18--  https://files.entrust.com/root-certificates/entrust_2048_ca.cer
Resolving files.entrust.com... 18.239.36.102, 18.239.36.24, 18.239.36.11, ...
Connecting to files.entrust.com|18.239.36.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1500 (1.5K) [application/x-x509-ca-cert]
Saving to: 'entrust_2048_ca.pem'

entrust_2048_ca.pem         100%[===========================================>]   1.46K  --.-KB/s    in 0s

2025-02-24 11:55:18 (811 MB/s) - 'entrust_2048_ca.pem' saved [1500/1500]

-----BEGIN CERTIFICATE-----[certificate body elided]-----END CERTIFICATE-----<<<
entrust_2048_ca.pem => aee5f10d.0
nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

@jepio jepio merged commit d3c8c8f into main Feb 24, 2025
7 checks passed
jepio added a commit that referenced this pull request Feb 24, 2025
app-misc/ca-certificates: Account for certs missing newlines

Signed-off-by: Jeremi Piotrowski <[email protected]>
@jepio jepio deleted the ca-certs-missing-newline-fix branch February 24, 2025 16:09