FS#65284 : Flatpak apps cannot use system certificates

FS#65284 - Flatpak apps cannot use system certificates

Attached to Project: Arch Linux
Opened by Georgi Mitsov (Elemag) - Monday, 27 January 2020, 09:06 GMT
Last edited by Antonio Rojas (arojas) - Thursday, 30 January 2020, 13:25 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Medium
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	14 whoami (whoami) (2020-01-31) Oliver Lantwin (olantwin) (2020-01-29) Joshua Rubin (joshuarubin) (2020-01-28) Kiril Vladimiroff (Vladimiroff) (2020-01-28) Peter Petrov (onestone) (2020-01-28) Krzysztof Warzecha (hiciu) (2020-01-28) Stephan Gross (sgross) (2020-01-28) Ronaldo Vieira Lobato (ronaldolobato) (2020-01-28) John Ledbetter (ledbettj) (2020-01-27) tinywrkb (tinywrkb) (2020-01-27) Kevin (prurigro) (2020-01-27) Josef Schabasser (Mr_nUUb) (2020-01-27) Delete this account please. (JMGuisadoG) (2020-01-27) Julien Girardin (Zempashi) (2020-01-27)
Private	No

Details

Description:
After the upgrade of nss & p11-kit, flatpak applications cannot use the system certificates, resulting in no connectivity to any HTTPS service.

Downgrading the following packages works around the problem:
p11-kit (0.23.19-1 => 0.23.18.1-2)
ca-certificates-utils (20181109-3 => 20181109-2)
ca-certificates-mozilla (3.49.2-1 => 3.49.1-1)
nss (3.49.2-1 => 3.49.1-1)

Flatpak certs are linked from /usr/share/ca-certifcates/mozilla
while the system certs are from /etc/ca-certificates/extracted/cadir

Downgrading only ca-certificates-utils and ca-certificates-mozilla does not fix the problem.

Additional info:
* package version(s)
core/ca-certificates-mozilla 3.49.2-1
core/ca-certificates-utils 20181109-3
core/nss 3.49.2-1
core/p11-kit 0.23.19-1

* config and/or log files etc.
flatpak run --deve --comand=bash com.skype.Client # executes bash in the sandbox
gnutls-cli google.com # results in certificate error

* link to upstream bug report, if any
Should be a packaging bug

Steps to reproduce:
Try to use the flatpak version of Slack, Skype or Spotify. Any other flatpak app that relies on systemwide certificates would fail as well

This task depends upon

Closed by Antonio Rojas (arojas)
Thursday, 30 January 2020, 13:25 GMT
Reason for closing: Fixed

Comment by Georgi Mitsov (Elemag) - Monday, 27 January 2020, 21:55 GMT

After all, looks like it's an upstream issue in flatpak caused by libnss:
https://github.com/flathub/com.valvesoftware.Steam/issues/526,
https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/2247

as discussed in the Arch forums here: https://bbs.archlinux.org/viewtopic.php?id=252390

Comment by Kevin (prurigro) - Tuesday, 28 January 2020, 19:37 GMT

Looks like the PR was merged https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/2255

Comment by Ronaldo Vieira Lobato (ronaldolobato) - Wednesday, 29 January 2020, 22:16 GMT

p11-kit 0.23.20-2 in testing solves the issue

Comment by tinywrkb (tinywrkb) - Wednesday, 29 January 2020, 23:40 GMT

Same here, I confirm that p11-kit 0.23.20-2 solves this for me.

Comment by Kevin (prurigro) - Thursday, 30 January 2020, 06:39 GMT

I can also confirm this-- I think this issue can be closed

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#65284 - Flatpak apps cannot use system certificates

Details

Loading...