Bug 923756 - app-misc/ca-certificates ebuild can't apply patch to blacklist some certs from mozilla
Summary: app-misc/ca-certificates ebuild can't apply patch to blacklist some certs fro...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2024-02-04 07:49 UTC by Benstone Zhang
Modified: 2024-04-06 16:26 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
patch src_prepare to allow user patch from work folder (file_923756.txt,727 bytes, patch)
2024-02-04 07:49 UTC, Benstone Zhang

Description Benstone Zhang 2024-02-04 07:49:03 UTC
Created attachment 884162
patch src_prepare to allow user patch from work folder

To blacklist some certs from mozilla, we need to patch the file ca-certificates/mozilla/blacklist.txt. Below is a sample patch file.

-----------------------------------
/etc/portage/patches/app-misc/ca-certificates/block_cn_certs.patch 
--- a/ca-certificates/mozilla/blacklist.txt     2023-03-11 16:37:33.000000000 +0800
+++ b/ca-certificates/mozilla/blacklist.txt     2023-12-09 17:40:21.130596943 +0800
@@ -2,5 +2,15 @@
 
 # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
 "Explicitly Distrust DigiNotar Root CA"
+"CFCA EV ROOT"
+"GDCA TrustAUTH R5 ROOT"
+"UCA Global G2 Root"
+"UCA Extended Validation Root"
+"vTrus ECC Root CA"
+"vTrus Root CA"
+"BJCA Global Root CA1"
+"BJCA Global Root CA2"
+"TrustAsia Global Root CA G3"
+"TrustAsia Global Root CA G4"
 
 # Expired CAs
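Review bot: the context line kept in this hunk says the file exists to "blacklist explicitly distrusted certificates ... and prevent build errors", but the ten labels added after "Explicitly Distrust DigiNotar Root CA" are a local policy decision (the patch is named block_cn_certs.patch), not upstream distrusts, so the file's own header no longer describes its contents. Add a comment line above the new entries stating that they are a local distrust and why, so whoever reads blacklist.txt later does not mistake them for Mozilla distrusts, and keep in mind when reviewing that every TLS peer chaining to one of these roots will fail verification on this host once the patch is in effect.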
-----------------------------------

But the current ebuild prevents any patch from applying to the work folder, because the `default` call happens after `cd "image/${EPREFIX}"`. At that time, the working folder is work/image/${EPREFIX}, which effectively prevents any patch from applying to ca-certificates/mozilla. Below is the code causing this issue (with my comments marked with ###benstone):

src_prepare() {
    ###benstone The default call should happen here

    cd "image/${EPREFIX}" || die

    if ! ${PRECOMPILED} ; then
        mkdir -p usr/sbin || die
        cp -p "${S}"/${PN}/sbin/update-ca-certificates \
            usr/sbin/ || die

        if use cacert ; then
            pushd "${S}"/nss-${NSS_VER} >/dev/null || die
            eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
            popd >/dev/null || die
        fi
    fi

    ###benstone It's too late to apply the patch, because the current folder is not work
    default
    eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch

    pushd "${S}/${PN}" >/dev/null || die
    # We patch out the dep on cryptography as it's not particularly useful
    # for us. Please see the discussion in bug #821706. Not to be removed lightly!
    eapply "${FILESDIR}"/${PN}-20230311.3.89-no-cryptography.patch
    popd >/dev/null || die

    local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
    sed -i \
        -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
        -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
        usr/sbin/update-ca-certificates || die
}
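As an added example that is not part of the bug report or of the ca-certificates ebuild, the script below rebuilds the directory layout described in the report in a temporary directory and checks, the way `patch -p1` resolves its `+++` headers, whether the user patch's target file is reachable from `image/${EPREFIX}` (where the current ebuild calls `default`, and therefore `eapply_user`) and from the work folder (where the report proposes calling it). The tree, the blacklist.txt contents, the patch and the label "Example Locally Distrusted Root" are constructed; `patch_targets_exist` is a hypothetical helper that only mimics the path lookup, not full patch application.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the ebuild: reproduce
# the report's layout in a temp dir and test, per candidate working
# directory, whether a user patch's target file resolves the way patch -pN
# (and so eapply_user) looks it up. All contents below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for ${WORKDIR}: the unpacked source tree plus the
# image/ staging dir that src_prepare cds into before calling `default`.
mkdir -p "$WORK/ca-certificates/mozilla" "$WORK/image/usr/sbin"
cat > "$WORK/ca-certificates/mozilla/blacklist.txt" <<'EOF'
# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
"Explicitly Distrust DigiNotar Root CA"

# Expired CAs
EOF

# Constructed user patch with the same target path as the one in the report
# (the label is a placeholder; only the path lookup matters here).
PATCH="$WORK/block_certs.patch"
cat > "$PATCH" <<'EOF'
--- a/ca-certificates/mozilla/blacklist.txt
+++ b/ca-certificates/mozilla/blacklist.txt
@@ -1,4 +1,5 @@
 # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
 "Explicitly Distrust DigiNotar Root CA"
+"Example Locally Distrusted Root"
 
 # Expired CAs
EOF

# patch_targets_exist DIR PATCHFILE STRIP
# For every '+++ ' header in PATCHFILE, drop STRIP leading path components
# (what -pSTRIP does) and test that the file exists under DIR.
# Prints each resolved path; returns 0 only if every target is present.
patch_targets_exist() {
    dir=$1; pf=$2; strip=$3; missing=0
    for target in $(sed -n '/^+++ /{s/^+++ //;s/[[:space:]].*//;p;}' "$pf"); do
        rel=$(printf '%s\n' "$target" | cut -d/ -f"$((strip + 1))-")
        if [ -f "$dir/$rel" ]; then
            printf 'found   %s\n' "$dir/$rel"
        else
            printf 'missing %s\n' "$dir/$rel"; missing=1
        fi
    done
    return "$missing"
}

echo "== current ebuild: default runs after cd \"image/\${EPREFIX}\" =="
patch_targets_exist "$WORK/image" "$PATCH" 1 \
    || echo "   -> eapply_user cannot find the target; the user patch fails"

echo "== proposed order: default runs in the work folder =="
patch_targets_exist "$WORK" "$PATCH" 1 \
    && echo "   -> target found; the user patch applies"

# Real dry run with patch(1) when it is installed, to confirm the lookup model.
if command -v patch >/dev/null 2>&1; then
    (cd "$WORK" && patch -p1 --dry-run -s < "$PATCH") \
        && echo "patch -p1 --dry-run from the work folder: ok"
fi
```

The helper deliberately models only what `patch -pN` does with the `+++` path (strip N components, look the file up relative to the current directory), because that lookup is exactly what the `cd "image/${EPREFIX}"` breaks; the same helper can be pointed at a real unpacked ${WORKDIR} and a patch from /etc/portage/patches to confirm which directory `default` must run from before touching the ebuild.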