Unable to locally verify the issuer's authority.
To connect to code.soundsoftware.ac.uk insecurely, use `--no-check-certificate'.
!!! Couldn't download 'sonic-visualiser-4.3.tar.gz'. Aborting.
 * Fetch failed for 'media-sound/sonic-visualiser-4.3', Log file:
 *  '/var/log/portage/media-sound:sonic-visualiser-4.3:20210214-090640.log'

  -------------------------------------------------------------------

  This is an unstable amd64 chroot image at a tinderbox (==build bot)
  name: 17.1_desktop_plasma_systemd-20210204-145218

  -------------------------------------------------------------------

gcc-config -l:
 [1] x86_64-pc-linux-gnu-7.3.1
 [2] x86_64-pc-linux-gnu-10.2.0 *

clang version 11.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/11/bin
/usr/lib/llvm/11
11.0.1
Python 3.8.7
Available Ruby profiles:
  [1] ruby26 (with Rubygems)
  [2] ruby27 (with Rubygems)
  [3] ruby30 (with Rubygems) *
Available Rust versions:
  [1] rust-bin-1.49.0
  [2] rust-1.49.0 *
The following VMs are available for generation-2:
*) AdoptOpenJDK 8.282_p08 [openjdk-bin-8]
Available Java Virtual Machines:
  [1] openjdk-bin-8 system-vm
The Glorious Glasgow Haskell Compilation System, version 8.8.4

timestamp(s) of HEAD at this tinderbox image:
/var/db/repos/gentoo Sun Feb 14 08:37:45 UTC 2021

emerge -qpvO media-sound/sonic-visualiser
[ebuild N ] media-sound/sonic-visualiser-4.3 USE="jack mad ogg portaudio -id3tag -opus -osc -pulseaudio -test"
Created attachment 686640: emerge-info.txt
Created attachment 686643: emerge-history.txt
Created attachment 686646: etc.portage.tar.bz2
Created attachment 686649: media-sound:sonic-visualiser-4.3:20210214-090640.log
i just verified that and it's true that with wget i cannot download it because of the certificate. but i tried to access the website from chrome and chrome trusts this certificate. maybe somebody from the base-system could give some advice? i have no idea what to do about it.
Which ssl provider does wget use? gnutls or openssl? Please also provide the version.
# equery list wget
 * Searching for wget ...
[IP-] [ ] net-misc/wget-1.21.1:0

# lddtree /usr/bin/wget
wget => /usr/bin/wget (interpreter => /lib64/ld-linux-x86-64.so.2)
    libpcre2-8.so.0 => /usr/lib64/libpcre2-8.so.0
    libpthread.so.0 => /lib64/libpthread.so.0
    ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
    libssl.so.1.1 => /usr/lib64/libssl.so.1.1
    libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1
    libdl.so.2 => /lib64/libdl.so.2
    libz.so.1 => /lib64/libz.so.1
    libc.so.6 => /lib64/libc.so.6

# equery list openssl
 * Searching for openssl ...
[IP-] [ ] dev-libs/openssl-1.1.1i:0/1.1
tl;dr: this is a server problem, not ours. report it to soundsoftware.ac.uk to fix.

we get our cacert store from mozilla (nss). we specifically do not customize it because we are not in the business of vetting CA authorities.

check out the top of the ca-certificates ebuild:
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-misc/ca-certificates/ca-certificates-20200601.3.60.ebuild?id=d8cbaa62dbf4abc31cc74d2cc12e3d0c7ac9b70a

using those tips, download the cert:
$ openssl s_client -port 443 -CApath /etc/ssl/certs -host code.soundsoftware.ac.uk </dev/null >server.crt
verify error:num=21:unable to verify the first certificate

then look at the chain from it:
Certificate chain
 0 s:jurisdictionC = GB, businessCategory = Government Entity, serialNumber = 1989-08-02, C = GB, ST = Tower Hamlets, L = Bethnal Green, O = Queen Mary University of London, CN = code.soundsoftware.ac.uk
   i:C = NL, O = QuoVadis Trustlink B.V., CN = QuoVadis Europe EV SSL CA G1
 1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3

nss provides "QuoVadis Root CA 2 G3":
$ openssl x509 -hash -text -noout -in /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt | grep Issuer
        Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3

but the server's cert is signed by "QuoVadis Europe EV SSL CA G1". that's not in our cacert store. which is to be expected -- we don't store intermediates, we only store roots. servers need to provide intermediates themselves.

as QuoVadis documents:
https://knowledge.digicert.com/quovadis/ssl-certificates/ssl-general-topics/quovadis-ssl-general-intermediate-and-root-certificates.html

if you google for "QuoVadis Europe EV SSL CA G1" you can find the intermediate:
https://au.quovadisglobal.com/Repository/DownloadRootsAndCRL.aspx

so try that:
$ wget http://trust.quovadisglobal.com/quovadiseuropeevsslcag1.crt
$ openssl x509 -inform der -in quovadiseuropeevsslcag1.crt -out quovadiseuropeevsslcag1.pem
$ openssl verify -CApath /etc/ssl/certs/ server.crt
jurisdictionC = GB, businessCategory = Government Entity, serialNumber = 1989-08-02, C = GB, ST = Tower Hamlets, L = Bethnal Green, O = Queen Mary University of London, CN = code.soundsoftware.ac.uk
error 20 at 0 depth lookup: unable to get local issuer certificate
error server.crt: verification failed
$ openssl verify -CApath /etc/ssl/certs/ -untrusted quovadiseuropeevsslcag1.pem server.crt
server.crt: OK
if you look at the certificate bundle the server sends, it looks like they tried to do the right thing, but made a mistake and included the wrong intermediate. hard to fault them when QuoVadis has a ton of certs with very similar names. but it is a misconfiguration in their server that we can't really work around :).

the certificate bundle has:
### the server certificate ###
 0 s:jurisdictionC = GB, businessCategory = Government Entity, serialNumber = 1989-08-02, C = GB, ST = Tower Hamlets, L = Bethnal Green, O = Queen Mary University of London, CN = code.soundsoftware.ac.uk
   i:C = NL, O = QuoVadis Trustlink B.V., CN = QuoVadis Europe EV SSL CA G1
### an intermediate cert, but not the one needed ###
 1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3

note that the server certificate is signed by:
  C = NL, O = QuoVadis Trustlink B.V., CN = QuoVadis Europe EV SSL CA G1
but the intermediate certificate is the unrelated:
  C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
when really they wanted the one i linked earlier:
  http://trust.quovadisglobal.com/quovadiseuropeevsslcag1.crt
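The issuer/subject comparison done by eye in the comments above can be scripted. This is an added example, not part of the bug thread or of any Gentoo tooling; the function names `chain_gaps`, `sample_served` and `sample_ok` are hypothetical, and it assumes the `s:`/`i:` chain layout printed by `openssl s_client`.

```shell
#!/bin/sh
# chain_gaps reads the "Certificate chain" part of `openssl s_client` output
# on stdin, prints each broken link, and returns non-zero if it found one.
chain_gaps() {
    awk '
    function norm(s) { gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return s }
    # " N s:<subject>" opens chain entry N; the following " i:<issuer>" completes it
    /^ *[0-9]+ s:/ { n = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj[n] = norm($0); count = n + 1; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = norm($0); next }
    END {
        bad = (count == 0)
        # every cert must name, as its issuer, the subject of the next cert sent
        for (k = 0; k + 1 < count; k++)
            if (iss[k] != subj[k + 1]) {
                printf "GAP after cert %d: issuer is [%s] but next cert is [%s]\n", k, iss[k], subj[k + 1]
                bad = 1
            }
        # the issuer of the last cert is what the local root store must supply
        if (count > 0) printf "ANCHOR needed from local store: [%s]\n", iss[count - 1]
        exit bad
    }'
}

# Chain as quoted in this thread for code.soundsoftware.ac.uk.
sample_served() { cat <<'EOF'
Certificate chain
 0 s:jurisdictionC = GB, businessCategory = Government Entity, serialNumber = 1989-08-02, C = GB, ST = Tower Hamlets, L = Bethnal Green, O = Queen Mary University of London, CN = code.soundsoftware.ac.uk
   i:C = NL, O = QuoVadis Trustlink B.V., CN = QuoVadis Europe EV SSL CA G1
 1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
EOF
}

# Constructed sample of a correctly linked chain (all names are placeholders).
sample_ok() { cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA, CN = Example Issuing CA
 1 s:O = Example CA, CN = Example Issuing CA
   i:O = Example CA, CN = Example Root
EOF
}

sample_served | chain_gaps || true
```

Name matching only locates the break; `openssl verify -untrusted`, as used in the thread, remains the actual signature check.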
for future devs, i've documented this debugging process in the wiki: https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
The homepage https://www.sonicvisualiser.org/download.html lists the following github link for the sources: https://github.com/sonic-visualiser/sonic-visualiser It has the releases https://github.com/sonic-visualiser/sonic-visualiser/releases and 4.3 is among them. Maybe it is better to switch the ebuild to get the release from github?
thank you all! will switch it to github...
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f812d70ce93e87ebcf335658e1fadba4b2f5735c

commit f812d70ce93e87ebcf335658e1fadba4b2f5735c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-02-19 12:26:20 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-02-19 12:26:32 +0000

    media-sound/sonic-visualiser: updated src_uri, added homepage, updated metadata

    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Closes: https://bugs.gentoo.org/770451
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/sonic-visualiser/Manifest                    | 2 +-
 media-sound/sonic-visualiser/metadata.xml                | 3 +++
 media-sound/sonic-visualiser/sonic-visualiser-4.3.ebuild | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)
That alone didn't work. The source archive was downloaded but the prepare phase failed:

>>> Emerging (4 of 4) media-sound/sonic-visualiser-4.3::gentoo
 * sonic-visualiser-4.3.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking sonic-visualiser-4.3.tar.gz to /var/tmp/portage/media-sound/sonic-visualiser-4.3/work
>>> Source unpacked in /var/tmp/portage/media-sound/sonic-visualiser-4.3/work
 * ERROR: media-sound/sonic-visualiser-4.3::gentoo failed (prepare phase):
 *   The source directory '/var/tmp/portage/media-sound/sonic-visualiser-4.3/work/sonic-visualiser-4.3' doesn't exist

The source directory has a non-standard name:
/var/tmp/portage/media-sound/sonic-visualiser-4.3/work/sonic-visualiser-sv_v4.3
yes, just noticed that... but even if i fix the path, it fails later with this during config phase:

Run-time dependency fftw3 found: YES 3.3.9
Run-time dependency fftw3f found: YES 3.3.9
Run-time dependency sndfile found: YES 1.0.31
Run-time dependency samplerate found: YES 0.2.1
Run-time dependency rubberband found: YES 1.8.2
Run-time dependency sord-0 found: YES 0.16.8
Run-time dependency serd-0 found: YES 0.30.10
Run-time dependency capnp found: YES 0.8.0
Run-time dependency lrdf found: YES 0.5.0
Run-time dependency alsa found: YES 1.2.4
Run-time dependency id3tag found: YES 0.15.1b
Run-time dependency jack found: YES 1.9.17
Run-time dependency mad found: YES 0.15.1b
Run-time dependency oggz found: YES 1.1.1
Run-time dependency fishsound found: YES 1.0.0
Run-time dependency opusfile found: YES 0.12
Run-time dependency liblo found: YES 0.31
Run-time dependency portaudio-2.0 found: YES 19
Run-time dependency libpulse found: YES 13.0

meson.build:447:0: ERROR: Include dir bqvec does not exist.

so it seems the sources are not the same as those from the upstream website...
The github version of the sources misses a lot of "vendored" libraries that are present in the SoundSoftware sources and there is no procedure to vendor them during build.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5599953aa2f72a50e60d6c8a5081bd6370896e81

commit 5599953aa2f72a50e60d6c8a5081bd6370896e81
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-02-19 17:24:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-02-19 17:24:51 +0000

    media-sound/sonic-visualiser: reverted back to the original tarball

    i copied the tarball to my devspace to work around the issue

    Bug: https://bugs.gentoo.org/770451
    Closes: https://bugs.gentoo.org/771609
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/sonic-visualiser/Manifest                    | 2 +-
 media-sound/sonic-visualiser/sonic-visualiser-4.3.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)