Page MenuHomeFreeBSD
Differential D51774

caroot: Generate both trusted and untrusted
ClosedPublic
Actions

Authored by des on Aug 6 2025, 9:48 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Sep 5, 4:53 PM
Unknown Object (File)
Fri, Sep 5, 4:25 PM
Unknown Object (File)
Wed, Sep 3, 7:24 PM
Unknown Object (File)
Tue, Sep 2, 2:30 PM
Unknown Object (File)
Sun, Aug 31, 4:06 PM
Unknown Object (File)
Sun, Aug 31, 11:31 AM
Unknown Object (File)
Sun, Aug 31, 10:12 AM
Unknown Object (File)
Sun, Aug 31, 10:12 AM
View All 26 Files
Subscribers
imp
markj

Details

Reviewers
mandree
allanjude
markj
Group Reviewers
security
Commits
rGb88b0bb784c7: caroot: Generate both trusted and untrusted
Summary

Until now, the untrusted directory has been maintained manually. Modify
the script used to maintain the trusted directory so it can handle both.
While here, clean it up a bit.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 66043
Build 62926: arc lint + arc unit

Event Timeline

des created this revision.Aug 6 2025, 9:48 PM
Herald added a subscriber: imp. · View Herald TranscriptAug 6 2025, 9:48 PM
des requested review of this revision.Aug 6 2025, 9:48 PM
Harbormaster completed remote builds in B66041: Diff 159920.Aug 6 2025, 9:48 PM
des added a child revision: D51775: caroot: Rename script and normalize license.Aug 6 2025, 9:49 PM
des updated this revision to Diff 159924.Aug 6 2025, 10:11 PM

fix find commands

Harbormaster completed remote builds in B66043: Diff 159924.Aug 6 2025, 10:12 PM
markj added a subscriber: markj.Mon, Aug 25, 3:19 PM
markj added inline comments.
secure/caroot/MAca-bundle.pl
96

This appears to be unused.

secure/caroot/untrusted/Makefile
8

Why not cd ${.CURDIR} here as you did in trusted/Makefile?

des updated this revision to Diff 160944.Mon, Aug 25, 3:29 PM

review feedback

Harbormaster completed remote builds in B66508: Diff 160944.Mon, Aug 25, 3:29 PM
des marked 2 inline comments as done.Mon, Aug 25, 3:30 PM
markj added inline comments.Mon, Aug 25, 3:33 PM
secure/caroot/MAca-bundle.pl
141

Isn't the key supposed to be $cka_label."\0".$serial?

des added inline comments.Mon, Aug 25, 7:19 PM
secure/caroot/MAca-bundle.pl
141

It is. I don't know how it got turned around. Than you for catching that.

des updated this revision to Diff 160956.Mon, Aug 25, 7:21 PM

fix label

Harbormaster completed remote builds in B66517: Diff 160956.Mon, Aug 25, 7:21 PM
des marked an inline comment as done.Mon, Aug 25, 7:21 PM
des updated this revision to Diff 160957.Mon, Aug 25, 7:25 PM

avoid using find -printf, which is not backward compatible

Harbormaster completed remote builds in B66518: Diff 160957.Mon, Aug 25, 7:25 PM
des added inline comments.Mon, Aug 25, 7:26 PM
secure/caroot/MAca-bundle.pl
141

this in fact explains why untrusted certs were getting dropped...

des updated this revision to Diff 160958.Mon, Aug 25, 7:35 PM

restore @generated tag

Harbormaster completed remote builds in B66519: Diff 160958.Mon, Aug 25, 7:35 PM
markj accepted this revision.Mon, Aug 25, 7:45 PM
This revision is now accepted and ready to land.Mon, Aug 25, 7:45 PM
mandree requested changes to this revision.Mon, Aug 25, 8:49 PM
mandree added inline comments.
secure/caroot/MAca-bundle.pl
62–64

This seems to lose the "outputdir" option. I understand the semantic change, but it breaks compatibility.
We need to make sure this is documented well, and give the (valid) reason to resolve ambiguity.

250–251

I had added this safety catch after some format change caused us to end up without trusted certs. Do we really want to kill this feature?

This revision now requires changes to proceed.Mon, Aug 25, 8:49 PM
des added inline comments.Mon, Aug 25, 9:11 PM
secure/caroot/MAca-bundle.pl
62–64

This is explained in the commit message. The original script produced only trusted certificates, and the untrusted certificates were maintained manually. This version produces both trusted and untrusted certificates, so the outputdir option is split in two.

250–251

I don't see the point. Remember that this is not user-facing or even part of the build. Immediately after running make updatecerts, I'm going to run git status and then either git add if I'm happy with what I see or git checkout if I'm not.

mandree accepted this revision.Mon, Aug 25, 9:15 PM
This revision is now accepted and ready to land.Mon, Aug 25, 9:15 PM
Closed by commit rGb88b0bb784c7: caroot: Generate both trusted and untrusted (authored by des). · Explain WhyMon, Aug 25, 9:42 PM
This revision was automatically updated to reflect the committed changes.
des added a commit: rGb88b0bb784c7: caroot: Generate both trusted and untrusted.

Revision Contents
Changeset List

PathSize
secure/
caroot/
140 lines
3 lines
trusted/
6 lines
untrusted/
5 lines

Diff 159924

View Options

secure/caroot/MAca-bundle.pl

Loading...
View Options

secure/caroot/Makefile

Loading...
View Options

secure/caroot/trusted/Makefile

Loading...
View Options

secure/caroot/untrusted/Makefile

Loading...