diff options
author | Ludovic Courtès <ludo@gnu.org> | 2015-03-02 23:04:38 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2015-03-02 23:05:13 +0100 |
commit | 993300f6ccfbc9cbe628978690fc98eb63365dbd (patch) | |
tree | a1ffc7478c83e7406fd9221adc1579c681904498 /gnu/system.scm | |
parent | e979e6dd523acaa2a089f1b8f44e34c1e5b7d32d (diff) | |
download | patches-993300f6ccfbc9cbe628978690fc98eb63365dbd.tar patches-993300f6ccfbc9cbe628978690fc98eb63365dbd.tar.gz |
system: Create a single-file certificate bundle in /etc/ssl/certs.
Suggested by Mark H Weaver <mhw@netris.org>.
* gnu/system.scm (certificate-bundle): New procedure.
(etc-directory): Use it.
[profile]: Set 'SSL_CERT_DIR', 'SSL_CERT_FILE', and 'GIT_SSL_CAINFO'.
Diffstat (limited to 'gnu/system.scm')
-rw-r--r-- | gnu/system.scm | 49 |
1 files changed, 48 insertions, 1 deletions
diff --git a/gnu/system.scm b/gnu/system.scm index 1c2c986436..7bcd9b160f 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -409,6 +409,47 @@ settings for 'guix.el' to work out-of-the-box." (chdir #$output) (symlink #$file "site-start.el"))))) +(define (certificate-bundle certificates) + "Produce a single-file certificate bundle by concatenating the certificates +found in CERTIFICATES' /etc/ssl/certs sub-directory. Single-file bundles are +required by applications such as Git and Lynx." + ;; See <http://lists.gnu.org/archive/html/guix-devel/2015-02/msg00429.html> + ;; for a discussion. + ;; TODO: Do something similar in user profiles. + + (define build + #~(begin + (use-modules (guix build utils) + (rnrs io ports) + (srfi srfi-26)) + + (define (concatenate-files files result) + "Make RESULT the concatenation of all of FILES." + (define (dump file port) + (display (call-with-input-file file get-string-all) + port) + (newline port)) ;required, see <https://bugs.debian.org/635570> + + (call-with-output-file result + (lambda (port) + (for-each (cut dump <> port) files)))) + + ;; Some file names in the NSS certificates are UTF-8 encoded so + ;; install a UTF-8 locale. + (setenv "LOCPATH" (string-append #$glibc-utf8-locales "/lib/locale")) + (setlocale LC_ALL "en_US.UTF-8") + + (let ((files (find-files #$certificates "\\.pem$")) + (result (string-append #$output "/etc/ssl/certs"))) + (mkdir-p result) + (concatenate-files files + (string-append result + "/ca-certificates.crt"))))) + + (gexp->derivation "certificate-bundle" build + #:modules '((guix build utils)) + #:local-build? #t)) + (define* (etc-directory #:key (locale "C") (timezone "Europe/Paris") (issue "Hello!\n") @@ -432,6 +473,7 @@ settings for 'guix.el' to work out-of-the-box." (issue (text-file "issue" issue)) (nsswitch (text-file "nsswitch.conf" (name-service-switch->string nss))) + (certs (certificate-bundle x509-certificates)) ;; Startup file for POSIX-compliant login shells, which set system-wide ;; environment variables. @@ -458,6 +500,11 @@ export EMACSLOADPATH=:/etc/emacs # when /etc/machine-id is missing. Make sure these warnings are non-fatal. export DBUS_FATAL_WARNINGS=0 +# These variables are honored by OpenSSL (libssl) and Git. +export SSL_CERT_DIR=/etc/ssl/certs +export SSL_CERT_FILE=\"$SSL_CERT_DIR/ca-certificates.crt\" +export GIT_SSL_CAINFO=\"$SSL_CERT_FILE\" + # Allow Aspell to find dictionaries installed in the user profile. export ASPELL_CONF=\"dict-dir $HOME/.guix-profile/lib/aspell\" ")) @@ -466,7 +513,7 @@ export ASPELL_CONF=\"dict-dir $HOME/.guix-profile/lib/aspell\" `(("services" ,#~(string-append #$net-base "/etc/services")) ("protocols" ,#~(string-append #$net-base "/etc/protocols")) ("rpc" ,#~(string-append #$net-base "/etc/rpc")) - ("ssl" ,#~(string-append #$x509-certificates + ("ssl" ,#~(string-append #$certs "/etc/ssl")) ;for OpenSSL & co. ("emacs" ,#~#$emacs) ("pam.d" ,#~#$pam.d) |