From 993300f6ccfbc9cbe628978690fc98eb63365dbd Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Mon, 2 Mar 2015 23:04:38 +0100
Subject: system: Create a single-file certificate bundle in /etc/ssl/certs.
Suggested by Mark H Weaver .
* gnu/system.scm (certificate-bundle): New procedure.
(etc-directory): Use it.
[profile]: Set 'SSL_CERT_DIR', 'SSL_CERT_FILE', and 'GIT_SSL_CAINFO'.
---
gnu/system.scm | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
(limited to 'gnu')
diff --git a/gnu/system.scm b/gnu/system.scm
index 1c2c986436..7bcd9b160f 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -409,6 +409,47 @@ (define (emacs-site-directory)
 (chdir #$output)
 (symlink #$file "site-start.el")))))
 
+(define (certificate-bundle certificates)
+ "Produce a single-file certificate bundle by concatenating the certificates
+found in CERTIFICATES' /etc/ssl/certs sub-directory. Single-file bundles are
+required by applications such as Git and Lynx."
+ ;; See
+ ;; for a discussion.
+ ;; TODO: Do something similar in user profiles.
+
+ (define build
+ #~(begin
+ (use-modules (guix build utils)
+ (rnrs io ports)
+ (srfi srfi-26))
+
+ (define (concatenate-files files result)
+ "Make RESULT the concatenation of all of FILES."
+ (define (dump file port)
+ (display (call-with-input-file file get-string-all)
+ port)
+ (newline port)) ;required, see
+
+ (call-with-output-file result
+ (lambda (port)
+ (for-each (cut dump <> port) files))))
+
+ ;; Some file names in the NSS certificates are UTF-8 encoded so
+ ;; install a UTF-8 locale.
+ (setenv "LOCPATH" (string-append #$glibc-utf8-locales "/lib/locale"))
+ (setlocale LC_ALL "en_US.UTF-8")
+
+ (let ((files (find-files #$certificates "\\.pem$"))
+ (result (string-append #$output "/etc/ssl/certs")))
+ (mkdir-p result)
+ (concatenate-files files
+ (string-append result
+ "/ca-certificates.crt")))))
+
+ (gexp->derivation "certificate-bundle" build
+ #:modules '((guix build utils))
+ #:local-build? #t))
+
 (define* (etc-directory #:key
 (locale "C") (timezone "Europe/Paris")
 (issue "Hello!\n")
@@ -432,6 +473,7 @@ (define* (etc-directory #:key
 (issue (text-file "issue" issue))
 (nsswitch (text-file "nsswitch.conf"
 (name-service-switch->string nss)))
+ (certs (certificate-bundle x509-certificates))
 
 ;; Startup file for POSIX-compliant login shells, which set system-wide
 ;; environment variables.
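Review bot: `(find-files #$certificates "\\.pem$")` in the `let` near the end of certificate-bundle searches the whole CERTIFICATES output, whereas the docstring says the bundle is built from its /etc/ssl/certs sub-directory; narrowing it to `(find-files (string-append #$certificates "/etc/ssl/certs") "\\.pem$")` makes the code match its stated contract and keeps any .pem file that happens to live elsewhere in the package out of the trust bundle. An input with no matching files is also accepted silently: `concatenate-files` then writes an empty ca-certificates.crt and every TLS connection that relies on it fails at use time rather than at build time, so a guard such as `(when (null? files) (error "no .pem certificates found under" #$certificates))` before `(mkdir-p result)` would surface the misconfiguration where it is cheap to fix. Bundle order is whatever `find-files` returns; that is fine as long as it is stable across builds, which I have not checked here. `etc-directory`, whose header closes this hunk, continues past it.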
@@ -458,6 +500,11 @@ (define* (etc-directory #:key
 # when /etc/machine-id is missing. Make sure these warnings are non-fatal.
 export DBUS_FATAL_WARNINGS=0
 
+# These variables are honored by OpenSSL (libssl) and Git.
+export SSL_CERT_DIR=/etc/ssl/certs
+export SSL_CERT_FILE=\"$SSL_CERT_DIR/ca-certificates.crt\"
+export GIT_SSL_CAINFO=\"$SSL_CERT_FILE\"
+
 # Allow Aspell to find dictionaries installed in the user profile.
 export ASPELL_CONF=\"dict-dir $HOME/.guix-profile/lib/aspell\"
 "))
@@ -466,7 +513,7 @@ (define* (etc-directory #:key
 `(("services" ,#~(string-append #$net-base "/etc/services"))
 ("protocols" ,#~(string-append #$net-base "/etc/protocols"))
 ("rpc" ,#~(string-append #$net-base "/etc/rpc"))
- ("ssl" ,#~(string-append #$x509-certificates
+ ("ssl" ,#~(string-append #$certs
 "/etc/ssl")) ;for OpenSSL & co.
 ("emacs" ,#~#$emacs)
 ("pam.d" ,#~#$pam.d)
-- cgit v1.2.3
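Review bot: The three `export` lines go into the startup file that the earlier context describes as the one for POSIX-compliant login shells, so `SSL_CERT_FILE` and `GIT_SSL_CAINFO` only reach processes descending from such a shell; system services and anything launched outside a login shell keep relying on the `/etc/ssl` symlink and their libraries' built-in default paths. That scope, and the fact that the variables are OpenSSL- and Git-specific (GnuTLS-based programs, for instance, do not consult `SSL_CERT_FILE`), is worth recording next to `# These variables are honored by OpenSSL (libssl) and Git.`, e.g. `# Only login shells and their children see these; other programs rely on /etc/ssl directly.` The enclosing `etc-directory` starts before this hunk.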
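Review bot: Pointing `"ssl"` at `#$certs "/etc/ssl"` makes `/etc/ssl` resolve to the certificate-bundle output, which according to the first hunk contains nothing but `certs/ca-certificates.crt`; whatever `#$x509-certificates` previously exposed under `/etc/ssl` (presumably the individual certificate files) is no longer reachable through `/etc/ssl/certs`, and the newly exported `SSL_CERT_DIR` names a directory holding a single file. Programs that look for per-certificate entries in that directory rather than reading the bundle (OpenSSL's directory lookup uses hash-named entries, and `-CApath`-style use does the same) would then find no trust anchors, while bundle users are unaffected. Either have `certificate-bundle` copy or link the source `/etc/ssl/certs` entries into RESULT alongside the bundle, or keep this entry on `#$x509-certificates` and add only the bundle file there. `etc-directory`, which encloses this alist, starts and ends outside the hunk.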