Opened 11 years ago
Closed 11 years ago
#39091 closed defect (fixed)
certsync @1.0.1: Does not remove cert.pem when deactivated
Reported by: | larryv (Lawrence Velázquez) | Owned by: | landonf (Landon Fuller) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.1.3 |
Keywords: | | Cc: | mf2k (Frank Schima), cooljeanius (Eric Gallager), ryandesign (Ryan Carsten Schmidt), ci42 |
Port: | certsync | | |
Description
I'm not sure whether this is intended behavior, or I would have tried fixing it myself. It’s causing issues on the buildbots, though; subsequent attempts to install curl-ca-bundle fail (e.g., https://build.macports.org/builders/buildports-mtln-x86_64/builds/4697/steps/compile/logs/stdio).
Change History (9)
comment:1 follow-up: 7 Changed 11 years ago by landonf (Landon Fuller)
comment:3 Changed 11 years ago by larryv (Lawrence Velázquez)
Cc: | ryandesign@… added |
---|
comment:4 follow-up: 5 Changed 11 years ago by mf2k (Frank Schima)
How about installing it properly somewhere like in ${prefix}etc/certsync/cert.pem and add a notes field suggesting the user copy it manually to ${prefix}etc/openssl/cert.pem? Having files installed outside of the registry definitely breaks the buildbots. I just saw an error trying to build a totally different port:
http://build.macports.org/builders/buildports-mtln-x86_64/builds/4697
Error: org.macports.activate for port curl-ca-bundle returned: Image error: /opt/local/etc/openssl/cert.pem already exists and does not belong to a registered port. Unable to activate port curl-ca-bundle. Use 'port -f activate curl-ca-bundle' to force the activation.
comment:5 Changed 11 years ago by landonf (Landon Fuller)
Replying to macsforever2000@…:
> How about installing it properly somewhere like in ${prefix}etc/certsync/cert.pem and add a notes field suggesting the user copy it manually to ${prefix}etc/openssl/cert.pem? Having files installed outside of the registry definitely breaks the buildbots.
The problem is that it's not static data; it's generated based on the certificates actually installed in the OS X keychain(s), which includes both the standard CA certificates Apple ships (and updates), along with any custom local CAs added by the user (e.g., internal CAs used for their corporate deployed services).
comment:7 follow-up: 8 Changed 11 years ago by larryv (Lawrence Velázquez)
comment:8 Changed 11 years ago by landonf (Landon Fuller)
comment:9 Changed 11 years ago by landonf (Landon Fuller)
Resolution: | → fixed |
---|---|
Status: | new → closed |
Upon reflection, this seems like a reasonable permanent fix. certsync lays claim to cert.pem as long as it is installed.
Interesting. It is intended behavior, in that the cert.pem file is essentially user-managed data that certsync happens to be willing to update. I'm not sure what the right handling behavior is for this, though. Arguably the problem is that curl-ca-bundle itself ships a cert.pem (since it breaks users' ability to install custom CA certs).
Thoughts on the right solution?