Currently openjdk installs certs into openjdk from /usr/share/ca-certificates, but this cert store does not include locally installed certs. /etc/ssl/certs holds the sum of all certs used on the system, so best use that.
Made my own openjdk-8.212_p02 and replaced the cert path with "${EPREFIX}"/etc/ssl/certs/*.pem; seems to work fine.
I'll see what I can do here. Ideally I'd get rid of this conversion script completely if it's possible.
Why did you add new openjdk ebuilds with the old cert path? Could you at least use "${EPREFIX}"/etc/ssl/certs/*.pem until you have figured out something better?
Because one will have to re-emerge openjdk or update the keystore manually if the cert configuration changes, if I point it to /etc. Currently you are free to update the keystore manually; you can create a portage hook that generates certs according to your preference. Unsuspecting users should have Java that just works.

I'm thinking of installing a hook into /etc/ca-certificates/update.d, which will re-generate the keystore each time update-ca-certificates is run. That way:
1) users will get a custom set of ca-certs in the keystore on installation if we point the script to /etc
2) if users update the ca cert config, the keystore will be updated.
Win-win.
(In reply to Georgy Yakovlev from comment #4)
> because one will have to re-emerge openjdk or update keystore manually if
> cert configuration changes if I point it to /etc.

How so? Or how is this different from today's use of /usr/share/ca-certificates?

> currently you are free to update keystore manually, you can create a portage
> hook that generates certs according to your preference.
>
> unsuspecting users should have java that just works.

Exactly, and by using /etc instead you get a few more certs: not only the ones in /usr/share/ca-certificates but the locally installed ones too.

> I'm thinking on installing a hook into /etc/ca-certificates/update.d, which
> will re-generate keystore each time update-ca-certificates is run.

While we wait for that, using /etc is better than /usr/share/ca-certificates. That is really my point.

> that way:
> 1) users will get custom set of ca-certs in keystore on installation if we
> point the script to /etc
> 2) if users update ca cert config, keystore will be updated.
> win-win
Here's the initial implementation: https://github.com/gyakovlev/java-dev-overlay

If you want to help with testing, please install baselayout-java and the new openjdk:8 from the overlay.

On first installation baselayout-java will generate /etc/ssl/certs/java/cacerts if it does not exist. Later, every time ca-certificates are updated, the ebuild will run update-ca-certificates and /etc/ssl/certs/java/cacerts will be re-populated. Also, every time the user runs update-ca-certificates, the hook should generate a new keystore with all the certs in the system trust.

openjdk will just use a symlink /usr/lib/jvm/openjdk-8/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts

openjdk:11 comes with its own bundle in the source. This will be controlled by a useflag, something like system-cacerts.

The same will happen to openjdk-bin; those come with bundled certs from adoptopenjdk. I'll remove the certs on installation and symlink to /etc/ssl/certs/java/cacerts.

How does that sound?
What I really need tested is how

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts

handles custom-installed certs. With my limited testing it handles it just fine, but I'd appreciate it if you give it more testing.

The trust binary comes from app-crypt/p11-kit and is used by several distros to generate the java cacert file.
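One way to do the testing asked for above, as an added example that is not code from this thread or from the Gentoo ebuilds: a standard-library-only Python check that parses the JKS file `trust extract --format=java-cacerts` writes and lists every certificate in a PEM bundle (such as the concatenation of /etc/ssl/certs/*.pem) that is missing from it. The `build_jks` writer, the two DER stand-ins and the aliases are constructed here for the demonstration; on a real system you would pass the bytes of /etc/ssl/certs/java/cacerts and the contents of the PEM files instead.

```python
import base64, hashlib, re, struct

JKS_MAGIC, JKS_VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _utf(s: str) -> bytes:  # Java DataOutput.writeUTF: 2-byte big-endian length + bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def build_jks(certs: dict, password: str = "changeit") -> bytes:
    """Serialise {alias: der} as a JKS v2 keystore of trusted-cert entries (what keytool reads)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in certs.items():  # tag, alias, 8-byte creation time, cert type, length, DER
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">Q", 0)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    # Trailing integrity digest: SHA-1 over password (UTF-16BE) + "Mighty Aphrodite" + body.
    return body + hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def jks_trusted_certs(data: bytes) -> dict:
    """Return {sha256(der): alias} for every trusted-cert entry in a JKS blob."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    pos, found = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        if tag != TRUSTED_CERT:
            raise ValueError("cacerts should contain trusted-cert entries only")
        (alen,) = struct.unpack_from(">H", data, pos + 4)
        alias = data[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8  # past tag, alias and creation timestamp
        (tlen,) = struct.unpack_from(">H", data, pos)
        pos += 2 + tlen  # past the cert type string ("X.509")
        (clen,) = struct.unpack_from(">I", data, pos)
        found[hashlib.sha256(data[pos + 4:pos + 4 + clen]).hexdigest()] = alias
        pos += 4 + clen
    return found

def missing_anchors(keystore: bytes, pem_text: str) -> list:
    """SHA-256 fingerprints of PEM certs (e.g. cat /etc/ssl/certs/*.pem) absent from the keystore."""
    present = jks_trusted_certs(keystore)
    fps = [hashlib.sha256(base64.b64decode(m.group(1))).hexdigest() for m in PEM_BLOCK.finditer(pem_text)]
    return [fp for fp in fps if fp not in present]

# Constructed stand-ins for DER certificates (not real X.509; only the bytes matter to the check).
SYSTEM_CA, LOCAL_CA = b"\x30\x05\x02\x01\x01\x05\x00", b"\x30\x05\x02\x01\x02\x05\x00"
PEM_DIR = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                  % base64.b64encode(d).decode() for d in (SYSTEM_CA, LOCAL_CA))
OLD_KEYSTORE = build_jks({"system-ca": SYSTEM_CA})  # keystore built from /usr/share only
NEW_KEYSTORE = build_jks({"system-ca": SYSTEM_CA, "local-ca": LOCAL_CA})  # from /etc/ssl/certs
```

The parser ignores the keystore's trailing SHA-1 integrity digest, which keytool verifies; an empty list from `missing_anchors` means every anchor in the bundle was carried into the keystore.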
(In reply to Georgy Yakovlev from comment #7)
> what I really need testing is how
> trust extract --overwrite --format=java-cacerts --filter=ca-anchors
> --purpose server-auth /etc/ssl/certs/java/cacerts
>
> handles custom-installed certs.
> with my limited testing it handles it just fine, but I'll appreciate if you
> give it more testing.
>
> trust binary comes from app-crypt/p11-kit and is used by several distros to
> generate java cacert file.

This looks really great! Thanks.

A bit short of time ATM, but I have added /etc/ssl/certs/java/cacerts and created symlinks from openjdk-8 and openjdk-11 in our internal gentoo img.

If something breaks I will hear about it, but it will take some time (a few weeks).
(In reply to Georgy Yakovlev from comment #7)
> what I really need testing is how
> trust extract --overwrite --format=java-cacerts --filter=ca-anchors
> --purpose server-auth /etc/ssl/certs/java/cacerts

I see the --purpose server-auth and wonder if this could trip up java clients/webstart?
(In reply to Joakim Tjernlund from comment #8)
> (In reply to Georgy Yakovlev from comment #7)
> > what I really need testing is how
> > trust extract --overwrite --format=java-cacerts --filter=ca-anchors
> > --purpose server-auth /etc/ssl/certs/java/cacerts
> >
> > handles custom-installed certs.
> > with my limited testing it handles it just fine, but I'll appreciate if you
> > give it more testing.
> >
> > trust binary comes from app-crypt/p11-kit and is used by several distros to
> > generate java cacert file.
>
> This look really great ! Thanks.
>
> A bit short for time ATM but I have added /etc/ssl/certs/java/cacerts
> and created symlinks from openjdk-8 and openjdk-11 in our internal gentoo
> img.
>
> If something breaks I will hear about it but it will take some time(few
> weeks)

Got no complaints from our site, so I think this is ready to go into Gentoo proper.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5639d638e79f48967589eaef945193eac8607d28

commit 5639d638e79f48967589eaef945193eac8607d28
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 23:01:27 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:57 +0000

    dev-java/openjdk-jre-bin: revbump :11, use system-wide ca-certificates

    Closes: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-jre-bin-11.0.3_p7-r1.ebuild | 97 ++++++++++++++++++++++
 1 file changed, 97 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f38305d6ac41278ef15f3dc7fe73fd9712fc0a4

commit 4f38305d6ac41278ef15f3dc7fe73fd9712fc0a4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 22:59:18 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:56 +0000

    dev-java/openjdk-jre-bin: revbump :8, use system-wide ca-certificates

    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-jre-bin-8.212_p03-r1.ebuild | 99 ++++++++++++++++++++++
 1 file changed, 99 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058aae49c68c2e4c30961da6c15fa4b95b0b1cde

commit 058aae49c68c2e4c30961da6c15fa4b95b0b1cde
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 21:43:21 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:55 +0000

    dev-java/openjdk-bin: revbump :11, use system-wide ca-certificates

    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-bin/openjdk-bin-11.0.3_p7-r1.ebuild | 108 +++++++++++++++++++++
 dev-java/openjdk-bin/openjdk-bin-11.0.3_p7.ebuild |   6 +-
 2 files changed, 113 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a3bb754abefe828d3266c293035377f2552cc4d

commit 7a3bb754abefe828d3266c293035377f2552cc4d
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 21:40:48 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:54 +0000

    dev-java/openjdk-bin: revbump :8, use system-wide ca-certificates

    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-bin/openjdk-bin-8.212_p03-r2.ebuild | 107 +++++++++++++++++++++
 1 file changed, 107 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe8eba2c445f8c2c0b6d1a618c578b5285dfa17d

commit fe8eba2c445f8c2c0b6d1a618c578b5285dfa17d
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 21:24:59 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:54 +0000

    dev-java/openjdk: revbump :11, use system-wide ca-certificates

    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/openjdk-11.0.3_p7-r1.ebuild | 222 +++++++++++++++++++++++++++
 1 file changed, 222 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b901cc7b71e0b6745cb8ee783ba3bcbe45c1b90

commit 8b901cc7b71e0b6745cb8ee783ba3bcbe45c1b90
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 20:58:16 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:53 +0000

    dev-java/openjdk: revbump :8, use system-wide ca-certificates

    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/openjdk-8.212_p03-r1.ebuild | 241 +++++++++++++++++++++++++++
 1 file changed, 241 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdae1196b3a9e3ee1f597449fc0098fce0229306

commit fdae1196b3a9e3ee1f597449fc0098fce0229306
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 20:51:30 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:52 +0000

    sys-apps/baselayout-java: generate system-wide java keystore

    keystore is created in etc/ssl/certs/java/cacerts
    ebuild now installs ca-certificates/update.d snippet which will regenerate
    certs on every ca-certificates run/update allowing us to have all system
    certs in java keystore.

    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../baselayout-java-0.1.0-r1.ebuild | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)
After updating to dev-java/openjdk-8.212_p03-r1 I got:

cat /etc/ca-certificates/update.d/java-cacerts
#!/bin/sh
exec trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth ""/etc/ssl/certs/java/cacerts

Notice the extra "" in there; was this intentional?
Yeah, intentional. It's there for possible spaces in the prefix path: it will end up quoted. It does not affect unprefixed users.