
Bug 923756

Summary: app-misc/ca-certificates ebuild can't apply patch to blacklist some certs from mozilla
Product: Gentoo Linux
Reporter: Benstone Zhang <benstonezhang>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED
Severity: normal
CC: gentoo, jstein
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Runtime testing required: ---
Attachments: patch src_prepare to allow user patch from work folder

Description Benstone Zhang 2024-02-04 07:49:03 UTC
Created attachment 884162
patch src_prepare to allow user patch from work folder

To blacklist some certs from mozilla, we need to patch the file ca-certificates/mozilla/blacklist.txt. Below is a sample patch file.

-----------------------------------
/etc/portage/patches/app-misc/ca-certificates/block_cn_certs.patch 
--- a/ca-certificates/mozilla/blacklist.txt     2023-03-11 16:37:33.000000000 +0800
+++ b/ca-certificates/mozilla/blacklist.txt     2023-12-09 17:40:21.130596943 +0800
@@ -2,5 +2,15 @@
 
 # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
 "Explicitly Distrust DigiNotar Root CA"
+"CFCA EV ROOT"
+"GDCA TrustAUTH R5 ROOT"
+"UCA Global G2 Root"
+"UCA Extended Validation Root"
+"vTrus ECC Root CA"
+"vTrus Root CA"
+"BJCA Global Root CA1"
+"BJCA Global Root CA2"
+"TrustAsia Global Root CA G3"
+"TrustAsia Global Root CA G4"
 
 # Expired CAs
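Review bot: the ten labels added after the DigiNotar line are matched as literal strings against the certificate labels in certdata.txt, so an entry that differs in case, spacing or punctuation from the label in that file excludes nothing; each added name is worth checking against the certdata.txt shipped with the version being built before relying on the result. Since the file already groups entries under comment headings ("# Blacklist explicitly distrusted certificates ...", "# Expired CAs"), a one-line comment above the new block stating why these roots are excluded would keep that convention and make the intent obvious to whoever maintains the patch later.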
-----------------------------------

But the current ebuild prevents any patch from applying to the work folder, because the `default` call happens after `cd "image/${EPREFIX}"`. At that time, the working folder is work/image/${EPREFIX}, which effectively prevents any patch from applying to ca-certificates/mozilla. Below is the code causing this issue (with my comments marked with ###benstone):

src_prepare() {
    ###benstone The default call should happen here

    cd "image/${EPREFIX}" || die

    if ! ${PRECOMPILED} ; then
        mkdir -p usr/sbin || die
        cp -p "${S}"/${PN}/sbin/update-ca-certificates \
            usr/sbin/ || die

        if use cacert ; then
            pushd "${S}"/nss-${NSS_VER} >/dev/null || die
            eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
            popd >/dev/null || die
        fi
    fi

    ###benstone It's too late to apply patch, because the current folder is not work
    default
    eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch

    pushd "${S}/${PN}" >/dev/null || die
    # We patch out the dep on cryptography as it's not particularly useful
    # for us. Please see the discussion in bug #821706. Not to be removed lightly!
    eapply "${FILESDIR}"/${PN}-20230311.3.89-no-cryptography.patch
    popd >/dev/null || die

    local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
    sed -i \
        -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
        -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
        usr/sbin/update-ca-certificates || die
}
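The working-directory dependence described in the report above, as an added example that is not part of the bug report, of the attachment, or of the ebuild: a POSIX shell script that models only the part of GNU patch -p1 (the options eapply passes) that matters here, namely stripping one path component from the `+++` line and then looking the file up relative to the current directory. It builds a constructed work tree shaped like ${WORKDIR} and shows that the same user patch resolves from the work root but not from work/image. The tree layout, the patch text, and the function names are assumptions chosen for the demonstration; the real eapply also applies the hunks, which this model does not.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild). Models how
# "patch -p1" resolves a unified diff's target: strip the first path
# component from the "+++ b/..." line, then look the rest up relative to
# the CURRENT directory. Only the lookup is modelled, not hunk application.

# Print the target path of a unified diff after stripping STRIP leading
# path components, as "patch -pSTRIP" would (default 1, like eapply).
patch_target_path() {
    _file=$1
    _strip=${2:-1}
    _target=$(sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$_file" | head -n 1)
    [ -n "$_target" ] || return 1
    while [ "$_strip" -gt 0 ]; do
        case $_target in
            */*) _target=${_target#*/} ;;
            *) return 1 ;;   # fewer components than -p asks to strip
        esac
        _strip=$((_strip - 1))
    done
    printf '%s\n' "$_target"
}

# Return 0 if the patch's target exists relative to DIR, i.e. if
# "cd DIR && patch -pSTRIP < FILE" could locate the file at all.
patch_resolves_from() {
    _dir=$1
    _file=$2
    _strip=${3:-1}
    _rel=$(patch_target_path "$_file" "$_strip") || return 1
    [ -f "$_dir/$_rel" ]
}

# Constructed work tree shaped like the ebuild's ${WORKDIR}: the unpacked
# sources under ca-certificates/ and the staging area under image/.
setup_worktree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/ca-certificates/mozilla" "$_root/image/etc"
    printf '%s\n' '# Expired CAs' > "$_root/ca-certificates/mozilla/blacklist.txt"
    cat > "$_root/user.patch" <<'EOF'
--- a/ca-certificates/mozilla/blacklist.txt
+++ b/ca-certificates/mozilla/blacklist.txt
@@ -1 +1,2 @@
+"Example Distrusted Root CA"
 # Expired CAs
EOF
    printf '%s\n' "$_root"
}

# The ordering problem: the patch resolves from the work root (where the
# report says "default" should run) but not from work/image.
demo() {
    _work=$(setup_worktree)
    if patch_resolves_from "$_work" "$_work/user.patch" 1; then
        echo "from work root:  target found"
    else
        echo "from work root:  target NOT found"
    fi
    if patch_resolves_from "$_work/image" "$_work/user.patch" 1; then
        echo "from work/image: target found"
    else
        echo "from work/image: target NOT found"
    fi
    rm -rf "$_work"
}

demo
```

On a real build, the equivalent check is to run the prepare phase alone (`ebuild /path/to/ca-certificates-<version>.ebuild prepare`) and then inspect ca-certificates/mozilla/blacklist.txt under the package's work directory: if the user patch landed, the added labels are present there before the bundle is generated.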