FS#50076 - [archboot] Missing ca-certificates bundle

Attached to Project: Arch Linux
Opened by Alif (alive4ever) - Sunday, 17 July 2016, 09:59 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 26 August 2016, 19:49 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: Tobias Powalowski (tpowa)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:
The archboot ISO includes the links web browser to browse the web in text mode.

However, this is insecure, because the browser doesn't know a set of trusted ca-certificates, so it always asks for approval when visiting https websites.

There should be an additional initcpio hook to install a ca-bundle so that links will have a set of trusted root certificates. The CA bundle should be placed at /etc/ssl/cert.pem. It may be necessary to add ca-certificates as an archboot dependency.


Additional info:
* package version(s): archboot 2016-05
* config and/or log files etc.


Steps to reproduce:
Download archboot iso (or build your own archboot iso using default config)
Boot the iso.
When the iso boots, press enter and exit the installer.
In the command line prompt, type 'links' to launch the browser.
Open any https website (shortcut g), for example https://wiki.archlinux.org
An annoying untrusted certificate prompt will be displayed because archboot lacks a trusted CA bundle.

Closed by: Tobias Powalowski (tpowa)
Friday, 26 August 2016, 19:49 GMT
Reason for closing: Fixed
Additional comments about closing: on trunk in arch_base
Comment by Alif (alive4ever) - Sunday, 17 July 2016, 10:44 GMT
This is a simple ca-certificate hook to symlink /etc/ssl/cert.pem to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
Comment by Alif (alive4ever) - Sunday, 17 July 2016, 10:50 GMT
Lacking a trusted CA bundle also causes downloader apps such as curl, wget, and pacman to throw an error when interacting with an https server.
Comment by Alif (alive4ever) - Sunday, 17 July 2016, 13:34 GMT
The above initcpio patch isn't complete. Here is a revised patch to also symlink /etc/ca-certificates/extracted/tls-ca-bundle.pem to /etc/ssl/certs/ca-certificates.crt so that curl won't complain about a missing certificate.
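
The following check is an added example, not part of this report or of the attached patches: it verifies that the three bundle paths named above resolve to a PEM file with at least one certificate inside an unpacked image root. The function names and the idea of checking an unpacked root are assumptions; absolute symlink targets are re-rooted so the host's own bundle is never mistaken for the image's.

```shell
#!/bin/sh
# Added example (not archboot code). Paths are the ones named in this report;
# function names are hypothetical.
CA_PATHS="etc/ca-certificates/extracted/tls-ca-bundle.pem
etc/ssl/cert.pem
etc/ssl/certs/ca-certificates.crt"

# count_certs FILE: print the number of PEM certificate blocks (0 if unreadable)
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# resolve_in_root ROOT RELPATH: follow symlinks while keeping absolute
# targets inside ROOT instead of letting them escape to the host filesystem
resolve_in_root() {
    root=$1; p=$2; hops=0
    while [ -L "$root/$p" ] && [ "$hops" -lt 8 ]; do
        t=$(readlink "$root/$p")
        case $t in
            /*) p=${t#/} ;;                 # absolute: re-root under ROOT
            *)  p=$(dirname "$p")/$t ;;     # relative: resolve from link dir
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# check_ca_bundle ROOT: return 0 only if every expected path yields certificates
check_ca_bundle() {
    root=${1%/}; rc=0
    for rel in $CA_PATHS; do
        real=$(resolve_in_root "$root" "$rel")
        n=$(count_certs "$root/$real")
        if [ "$n" -gt 0 ]; then
            echo "ok: /$rel -> /$real ($n certificates)"
        else
            echo "MISSING: /$rel has no usable CA bundle"
            rc=1
        fi
    done
    return $rc
}
# Usage: check_ca_bundle /path/to/unpacked/image   (or "" for the running system)
```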
