Opened 11 years ago

Closed 11 years ago

#39091 closed defect (fixed)

certsync @1.0.1: Does not remove cert.pem when deactivated

Reported by: larryv (Lawrence Velázquez) Owned by: landonf (Landon Fuller)
Priority: Normal Milestone:
Component: ports Version: 2.1.3
Keywords: Cc: mf2k (Frank Schima), cooljeanius (Eric Gallager), ryandesign (Ryan Carsten Schmidt), ci42
Port: certsync

Description

I'm not sure whether this is intended behavior, or I would have tried fixing it myself. It’s causing issues on the buildbots, though; subsequent attempts to install curl-ca-bundle fail (e.g., https://build.macports.org/builders/buildports-mtln-x86_64/builds/4697/steps/compile/logs/stdio).

Change History (9)

comment:1 Changed 11 years ago by landonf (Landon Fuller)

Interesting. It is intended behavior, in that the cert.pem file is essentially user-managed data that certsync happens to be willing to update. I'm not sure what the right handling behavior is for this, though. Arguably the problem is that curl-ca-bundle itself ships a cert.pem (since it breaks user's ability to install custom CA certs).

Thoughts on the right solution?

comment:2 Changed 11 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:3 Changed 11 years ago by larryv (Lawrence Velázquez)

Cc: ryandesign@… added

comment:4 Changed 11 years ago by mf2k (Frank Schima)

How about installing it properly somewhere like in ${prefix}etc/certsync/cert.pem and add a notes field suggesting the user copy it manually to ${prefix}etc/openssl/cert.pem? Having files installed outside of the registry definitely breaks the buildbots. I just saw an error trying to build a totally different port:

http://build.macports.org/builders/buildports-mtln-x86_64/builds/4697 

Error: org.macports.activate for port curl-ca-bundle returned: Image error: /opt/local/etc/openssl/cert.pem already exists and does not belong to a registered port.  Unable to activate port curl-ca-bundle. Use 'port -f activate curl-ca-bundle' to force the activation.

comment:5 in reply to:  4 Changed 11 years ago by landonf (Landon Fuller)

Replying to macsforever2000@…:

How about installing it properly somewhere like in ${prefix}etc/certsync/cert.pem and add a notes field suggesting the user copy it manually to ${prefix}etc/openssl/cert.pem? Having files installed outside of the registry definitely breaks the buildbots.

The problem is that it's not static data; it's generated based on the certificates actually installed in the OS X keychain(s), which includes both the standard CA certificates Apple ships (and updates), along with any custom local CAs added by the user (eg, internal CAs used for their corporate deployed services).

comment:6 Changed 11 years ago by ci42

Cc: ciserlohn@… added

Cc Me!

comment:7 in reply to:  1 ; Changed 11 years ago by larryv (Lawrence Velázquez)

Replying to landonf@…:

Thoughts on the right solution?

It’s safe to say that—as of right now, at least—the certsync port should clear out cert.pem when it’s deactivated, if only out of politeness. I’ve made this change in r106025.

comment:8 in reply to:  7 Changed 11 years ago by landonf (Landon Fuller)

Replying to larryv@…:

It’s safe to say that—as of right now, at least—the certsync port should clear out cert.pem when it’s deactivated, if only out of politeness. I’ve made this change in r106025.

Works for me. Thanks!

comment:9 Changed 11 years ago by landonf (Landon Fuller)

Resolution: fixed
Status: newclosed

Upon reflection, this seems like a reasonable permanent fix. certsync lays claim to cert.pem as long as it is installed.

Note: See TracTickets for help on using tickets.