pkgsrc-Users archive


Re: mozilla-rootcerts assumes /etc/ssl/certs

On 03/30, Greg Troxel wrote:
> writes:
> > It is currently useful and intended for people who use non-pkgsrc
> > (builtin) SSL libraries and want to get a set of well-managed CAs.
> >
> > It could probably be smarter, or pkgsrc openssl can be taught to look
> > at system-wide CAs too, if it doesn't.
> > (I feel like for root CA choices, people will likely prefer system-wide
> > settings to be respected by default).
> Good points.
> But I wonder if the right thing is for mozilla-rootcerts to modify
> pkgsrc openssl, if that was depended on at build time, vs system
> openssl, if that was depended on.   More or less, to operate on the
> openssl used by pkgsrc.

Right, and it seems that the security/mozilla-rootcerts Makefile tries
to do something like that already:

  CHECK_BUILTIN.openssl=  yes
  .include "../../security/openssl/"
  CHECK_BUILTIN.openssl=  no
  .if !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
  SSLDIR=         /etc/openssl/certs
  .else
  SSLDIR=         ${PKG_SYSCONFDIR}/openssl/certs
  .endif

SSLDIR will get substituted (by the pkgsrc SUBST framework as configured
in Makefile) in files/ (which is installed as
mozilla-rootcerts) as the SSLDIR variable, and, for the install
subcommand, will extract the individual certificate
files to $destdir$SSLDIR.  That makes sense to me.

But what I don't understand is that also has:


Those don't get substituted with the SUBST framework.  SSLDIR and
others are substituted, but certdir and conffile are *not* substituted,
and that's what I'm asking about.  For's install
subcommand, it writes to $destdir$certdir/ca-certificates.crt.
Since certdir is not substituted, it will *always* write to
/etc/ssl/certs/ca-certificates.crt.  Is that right, and if so, could
someone explain why?

For my setup on macOS Sierra, USE_BUILTIN.openssl=no and
PKG_SYSCONFDIR=/opt/pkg/etc, so I get SSLDIR=/opt/pkg/etc/openssl/certs.
When I run "mozilla-rootcerts install" as suggested in MESSAGE, I get
the .pem files extracted to /opt/pkg/etc/openssl/certs (which makes
sense to me), but (this is the part I don't understand) I also get the
concatenation of those .pem files written to ca-certificates.crt in

I would have expected to see something like this in
instead (with an appropriate SUBST framework substitution for
@PKG_SYSCONFDIR@ configured in the Makefile):


What am I missing about how all this works?
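
The substitution gap described in the message above, as an added sketch that is not code from pkgsrc or from the poster. The template text and the function names are constructed for illustration; only the variable names SSLDIR and certdir and the paths quoted in the message come from the thread.

```shell
#!/bin/sh
# Constructed stand-in for the installed script's variable block (NOT the
# real pkgsrc file): SSLDIR carries a placeholder that gets substituted,
# certdir is a literal path, as the message describes.
template() {
cat <<'EOF'
SSLDIR=@SSLDIR@
certdir=/etc/ssl/certs
EOF
}

# SUBST-style replacement of @SSLDIR@ with the value chosen in the Makefile.
render() {  # $1 = value for SSLDIR
    template | sed -e "s|@SSLDIR@|$1|g"
}

# Read a rendered script on stdin and list every variable that holds an
# absolute path outside the given sysconfdir, i.e. a path that no
# substitution has redirected.
unsubstituted_paths() {  # $1 = sysconfdir, e.g. /opt/pkg/etc
    awk -F= -v p="$1" '
        /^[A-Za-z_][A-Za-z0-9_]*=\// {
            if (index($2, p "/") != 1) print $1 "=" $2
        }'
}

# The two locations the install subcommand is described as writing to:
# the individual .pem files and the concatenated bundle.
install_targets() {  # $1 = SSLDIR value, $2 = destdir (may be empty)
    (
        eval "$(render "$1")"
        printf '%s\n' "$2$SSLDIR" "$2$certdir/ca-certificates.crt"
    )
}

# Poster's setup: USE_BUILTIN.openssl=no, PKG_SYSCONFDIR=/opt/pkg/etc
render /opt/pkg/etc/openssl/certs | unsubstituted_paths /opt/pkg/etc
install_targets /opt/pkg/etc/openssl/certs ""
```

With the builtin-openssl value /etc/openssl/certs and sysconfdir /etc, the same check reports nothing, so the split is only visible when PKG_SYSCONFDIR differs from /etc.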


