author | Harmen Stoppels <harmenstoppels@gmail.com> | 2021-09-29 18:05:58 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-29 09:05:58 -0700 |
commit | 7fdb879308247c060654a95a9eedfbc628533f01 (patch) | |
tree | de26ab1ae7acb292c3344563f2b92f6654a9b501 | |
parent | 24263c9e9229be85c1a5047a412c16191de7fa73 (diff) | |
ca-certificates-mozilla for openssl & curl (#26263)
1. Changes the variant of openssl to `certs=mozilla/system/none` so that
users can pick whether they want Spack or system certs, or if they
don't want certs at all.
2. Keeps the default behavior of openssl to use certs=system.
3. Changes the curl configuration to not guess the ca path during
config, but rather fall back to whatever the tls provider is
configured with. If we don't do this, curl will still pick up system
certs if it finds them.
As a minor fix, it also adds the build dep `pkgconfig` to curl, since
that's being used during the configure phase to get openssl compilation
flags.
3 files changed, 31 insertions, 4 deletions
diff --git a/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py b/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py index b49ef03cf7..d828d4c5a8 100644 --- a/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py +++ b/var/spack/repos/builtin/packages/ca-certificates-mozilla/package.py @@ -31,9 +31,13 @@ class CaCertificatesMozilla(Package): def url_for_version(self, version): return "https://curl.se/ca/cacert-{0}.pem".format(version) + def setup_dependent_package(self, module, dep_spec): + """Returns the absolute path to the bundled certificates""" + self.spec.pem_path = join_path(self.prefix.share, 'cacert.pem') + # Install the the pem file as share/cacert.pem def install(self, spec, prefix): - share = join_path(self.prefix, 'share') + share = join_path(prefix, 'share') mkdir(share) install("cacert-{0}.pem".format(spec.version), join_path(share, "cacert.pem")) diff --git a/var/spack/repos/builtin/packages/curl/package.py b/var/spack/repos/builtin/packages/curl/package.py index 1db1b0de3e..7b04455e28 100644 --- a/var/spack/repos/builtin/packages/curl/package.py +++ b/var/spack/repos/builtin/packages/curl/package.py @@ -97,6 +97,9 @@ class Curl(AutotoolsPackage): depends_on('libssh', when='+libssh') depends_on('krb5', when='+gssapi') + # curl queries pkgconfig for openssl compilation flags + depends_on('pkgconfig', type='build') + def configure_args(self): spec = self.spec @@ -108,6 +111,9 @@ class Curl(AutotoolsPackage): '--without-libgsasl', '--without-libpsl', '--without-zstd', + '--without-ca-bundle', + '--without-ca-path', + '--with-ca-fallback', ] # https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ diff --git a/var/spack/repos/builtin/packages/openssl/package.py b/var/spack/repos/builtin/packages/openssl/package.py index ef8055f453..f82c2c95b3 100644 --- a/var/spack/repos/builtin/packages/openssl/package.py +++ b/var/spack/repos/builtin/packages/openssl/package.py 
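Review bot: The docstring on `setup_dependent_package` in ca-certificates-mozilla/package.py says the method returns the bundle path, but the visible body returns nothing and instead sets `self.spec.pem_path` as a side effect. I would reword it to `"""Expose the installed CA bundle to dependents as spec.pem_path."""`. Since the attribute is assigned only inside this hook, a consumer that reads `pem_path` before the hook has run would presumably hit an AttributeError, and a one-line comment stating that ordering assumption would help the next maintainer. The class body continues outside the hunk.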
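Review bot: The three CA flags added to the list in `configure_args` of curl/package.py carry no comment, so the reason curl's trust store is deliberately left unset at configure time lives only in the commit message. I would add above them `# Do not let configure guess a system CA bundle or path; defer to the TLS library's own trust store.` The flags are appended unconditionally in the visible lines, and as far as I know curl's configure accepts `--with-ca-fallback` only with its OpenSSL or GnuTLS backends, so if this package can be built against another TLS provider the flag likely needs a guard; the TLS selection is outside the hunk. It is also worth documenting that with an openssl built as `certs=none` this curl has no trust anchors, so certificate verification fails closed unless the caller supplies a bundle.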
@@ -78,12 +78,15 @@ class Openssl(Package): # Uses Fake Autotools, should subclass Package version('1.0.1h', sha256='9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093', deprecated=True) version('1.0.1e', sha256='f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3', deprecated=True) - variant('systemcerts', default=True, description='Use system certificates') + variant('certs', default='system', + values=('mozilla', 'system', 'none'), multi=False, + description=('Use certificates from the ca-certificates-mozilla ' + 'package, symlink system certificates, or none')) variant('docs', default=False, description='Install docs and manpages') depends_on('zlib') - depends_on('perl@5.14.0:', type=('build', 'test')) + depends_on('ca-certificates-mozilla', type=('build', 'run'), when='certs=mozilla') @classmethod def determine_version(cls, exe): @@ -148,7 +151,7 @@ class Openssl(Package): # Uses Fake Autotools, should subclass Package @run_after('install') def link_system_certs(self): - if '+systemcerts' not in self.spec: + if self.spec.variants['certs'].value != 'system': return system_dirs = [ @@ -188,6 +191,20 @@ class Openssl(Package): # Uses Fake Autotools, should subclass Package os.rmdir(pkg_certs) os.symlink(sys_certs, pkg_certs) + @run_after('install') + def link_mozilla_certs(self): + if self.spec.variants['certs'].value != 'mozilla': + return + + pkg_dir = join_path(self.prefix, 'etc', 'openssl') + mkdirp(pkg_dir) + + mozilla_pem = self.spec['ca-certificates-mozilla'].pem_path + pkg_cert = join_path(pkg_dir, 'cert.pem') + + if not os.path.exists(pkg_cert): + os.symlink(mozilla_pem, pkg_cert) + def patch(self): if self.spec.satisfies('%nvhpc'): # Remove incompatible preprocessor flags |
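Review bot: In `link_mozilla_certs`, `os.path.exists(pkg_cert)` follows symlinks, so a dangling `cert.pem` link makes the check false and `os.symlink` then raises, while a real `cert.pem` that is already present causes the Mozilla bundle to be skipped silently, leaving a `certs=mozilla` install with a trust store the user did not ask for. I would replace the guard with `if os.path.lexists(pkg_cert): os.remove(pkg_cert)` followed by an unconditional `os.symlink(mozilla_pem, pkg_cert)`, or raise an error instead of skipping. The link target comes from `self.spec['ca-certificates-mozilla'].pem_path`, which appears to be set only by that package's `setup_dependent_package` hook, so it is worth confirming the hook has run by the time this `run_after('install')` step executes.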