New source install problem with certs
Rainer Müller
raimue at macports.org
Fri Mar 2 13:25:55 PST 2012
On 2012-03-02 17:25 , Joshua Root wrote:
> Unfortunately this doesn't help /usr/bin/svn. I would say this is
> actually a bug/limitation in Apple's svn (or perhaps their OpenSSL) on
> Lion. I can reproduce the issue on 10.7 but not 10.6.
You are right, I can reproduce the problem with /usr/bin/svn.
Maybe this has something to do with the setting ssl-trust-default-ca in
the subversion/servers config? I am not entirely sure if openssl is
aware of any CAs as they are stored in the system keychain only.
Here are some ideas:
a) We could ship a configuration file in
/opt/local/var/macports/home/.subversion/servers which adds the required
certificate chain to the known trusted CAs.
ssl-authority-files = /opt/local/share/macports/macports-svnkey.pem
b) We create a directory
${prefix}/opt/local/var/macports/home/.subversion/auth/ and allow the
macports user to write there. Then one could accept this certificate
permanently with something like this:
sudo -u macports /usr/bin/svn ls \
https://svn.macosforge.org/repository/macports/trunk/dports
Then answer 'p' (permanently) to the question. Note that this will not
be stored in the home directory unless we give the macports user write
permissions.
>From these two options, with a) this would work out of the box and
automatically recognize this certificate. We would need to issue a new
MacPorts release for every certificate update. However, the current
certificate expires in 2014-05-31, so it's rather a question to think
about this on time than a real management issue.
With option b), some more work is required. I doubt anyone would
actually verify the fingerprint, so it does not add any security either.
> We probably masked the problem previously because it used the config in
> the user's home dir, thus picking up that they had previously chosen to
> trust the server's cert.
Yes, I assume that's it exactly.
Rainer
More information about the macports-dev
mailing list