app-misc/ca-certificates: Account for certs missing newlines #2667
Merged
chewi reviewed Feb 14, 2025
I think you can avoid the for loop if you use sed's --separate option.
Build action triggered: https://github.com/flatcar/scripts/actions/runs/13497438933
Concatenating certificates missing newlines naively with cat results in broken bundle. Fix the issue by using a sed expression that appends a trailing newline after the last line if it is missing.

Issue: flatcar/Flatcar#1601

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
372407b to 37cf10e
@chewi applied your suggestion. Tested this using a certificate file with missing newline:

```
$ sudo bash <<EOF
pushd /etc/ssl/certs
rm Entrust*
wget --no-check-certificate -O entrust_2048_ca.pem https://files.entrust.com/root-certificates/entrust_2048_ca.cer
cat entrust_2048_ca.pem
echo "<<<"
update-ca-certificates | grep entrust
grep -A2 nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE= /etc/ssl/certs/ca-certificates.crt
EOF
/etc/ssl/certs /home/core
--2025-02-24 11:55:18-- https://files.entrust.com/root-certificates/entrust_2048_ca.cer
Resolving files.entrust.com... 18.239.36.102, 18.239.36.24, 18.239.36.11, ...
Connecting to files.entrust.com|18.239.36.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1500 (1.5K) [application/x-x509-ca-cert]
Saving to: 'entrust_2048_ca.pem'
entrust_2048_ca.pem 100%[===========================================>] 1.46K --.-KB/s in 0s
2025-02-24 11:55:18 (811 MB/s) - 'entrust_2048_ca.pem' saved [1500/1500]
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----<<<
entrust_2048_ca.pem => aee5f10d.0
nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
```
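The failure and the fix discussed in this pull request, reproduced offline as an added example (not the project's own code). The `sed --separate '$a\'` expression is an assumption: it is one GNU sed idiom with the effect the commit message describes, and the page does not show the expression that was merged. File names and certificate bodies are constructed placeholders.

```bash
# Added example, not the project's update-ca-certificates script. Assumes GNU sed.
# The .pem files and their bodies are constructed placeholders, not real certificates.

MARK='-----(BEGIN|END) CERTIFICATE-----'

# Write two PEM-shaped files; a.pem deliberately lacks the final newline.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' > "$1/a.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' '-----END CERTIFICATE-----' > "$1/b.pem"
}

# Naive concatenation: the END marker of a.pem and the BEGIN marker of b.pem
# land on one line, which is the broken bundle the commit message describes.
bundle_naive() { cat "$1"/*.pem; }

# --separate makes "$" match the last line of every input file; "a\" with empty
# text makes GNU sed emit only the missing newline, and nothing if one is present.
bundle_fixed() { sed --separate '$a\' "$1"/*.pem; }

# Count lines that contain a PEM marker but are not exactly one marker.
# Useful as a sanity check on an existing bundle.
count_glued() {
    grep -E -e "$MARK" "$1" | grep -cvxE -e "$MARK" || true
}

# Count BEGIN markers that sit on a line of their own.
count_certs() { grep -cxF -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

demo() {
    local d
    d=$(mktemp -d)
    make_samples "$d"
    bundle_naive "$d" > "$d/naive.crt"
    bundle_fixed "$d" > "$d/fixed.crt"
    echo "naive: glued=$(count_glued "$d/naive.crt") certs=$(count_certs "$d/naive.crt")"
    echo "fixed: glued=$(count_glued "$d/fixed.crt") certs=$(count_certs "$d/fixed.crt")"
    rm -rf "$d"
}
demo
```

`count_glued` can also be pointed at a generated bundle such as `/etc/ssl/certs/ca-certificates.crt` to check for glued marker lines after an update.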
chewi approved these changes Feb 24, 2025
jepio added a commit that referenced this pull request Feb 24, 2025

app-misc/ca-certificates: Account for certs missing newlines

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
app-misc/ca-certificates: Account for certs missing newlines
Concatenating certificates missing newlines naively with cat results in broken bundle. Fix the issue by using a sed expression that appends a trailing newline after the last line if it is missing.
Issue: flatcar/Flatcar#1601
How to use
Add certificates to /etc/ssl/certs, including one without a trailing newline and then run update-ca-certificates.
Testing done
Tested this in a shell:
Output: