Re: Again on security/gnutls certificate store

From: Tijl Coosemans <tijl_at_FreeBSD.org>
Date: Mon, 15 Aug 2022 08:17:02 UTC
On Mon, 15 Aug 2022 08:18:36 +0900 Tatsuki Makino
<tatsuki_makino@hotmail.com> wrote:
> Tijl Coosemans wrote on 2022/08/13 18:51:
>> Try this patch for p11-kit.  If it works you can file a bug against
>> p11-kit, because I believe ports are supposed to move away from
>> ca_root_nss.
>> 
>> --- a/security/p11-kit/Makefile
>> +++ b/security/p11-kit/Makefile
>> @@ -25,7 +25,7 @@ MESON_ARGS=   -Dbash_completion=enabled \
>>                 -Dlibffi=enabled \
>>                 -Dnls=false \
>>                 -Dtrust_module=enabled \
>> -               -Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt
>> +               -Dtrust_paths=/etc/ssl/certs
>>  
>>  OPTIONS_DEFINE=                DOCS MANPAGES TEST
>>  OPTIONS_SUB=           yes
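Review bot: the replacement value `-Dtrust_paths=/etc/ssl/certs` is a directory, and by the trust-module rule quoted later in this same reply (a file is marked trusted automatically, whereas in a directory only certificates under a subdirectory named `anchors` are), this hunk only yields trusted anchors if the CA certificates actually live under `/etc/ssl/certs/anchors`. Before filing this against p11-kit, verify that layout on a system without ca_root_nss installed, or the ported trust module will load the store without treating any of it as anchors; the commit message for the change should state which base component provides that `anchors` subdirectory.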
> 
> When ./configure
> --with-trust-paths=/usr/local/share/certs/ca-root-nss.crt:/etc/ssl/certs
> is used, TRUST_PATHS is defined as
> "/usr/local/share/certs/ca-root-nss.crt:/etc/ssl/certs" in
> ${WRKSRC}/config.h.
> When meson is used, TRUST_PATHS is defined in ${WRKSRC}/_build/config.h
> as defined by
> MESON_ARGS=-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt:/etc/ssl/certs.
> 
> Since these would be the same value, why not just specify multiple
> paths in meson, separated by a colon?

It would be duplication because /etc/ssl/certs contains the same NSS
certificates.

> Also, is there something wrong with omitting ca-root-nss.crt filename,
> since the directories seem to be handled properly?

It turns out directories and files are treated differently.  Files are
automatically marked as trusted.  With directories the certificates have
to be in a subdirectory named "anchors" to be marked trusted.  See
https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html
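The file-versus-directory rule above is easy to get wrong when writing a trust_paths value, so here is a small POSIX sh check, added as an example for this thread (it is not code from p11-kit or from the FreeBSD port), that classifies each colon-separated entry the way the message describes the trust module treating it: a file is loaded with its certificates marked trusted, a directory yields trusted certificates only from its `anchors` subdirectory. The layout it scans is constructed under a temporary directory and the certificate files are empty stand-ins; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify a p11-kit trust_paths value (colon-separated)
# by the rule stated in the thread: files are trusted automatically,
# directories only mark certificates under an "anchors" subdirectory
# as trusted. Function names here are this example's own.

# classify_trust_path PATH
# prints one of: file-trusted, dir-anchors, dir-no-anchors, missing
classify_trust_path() {
    p=$1
    if [ -f "$p" ]; then
        echo file-trusted
    elif [ -d "$p" ]; then
        if [ -d "$p/anchors" ]; then
            echo dir-anchors
        else
            echo dir-no-anchors
        fi
    else
        echo missing
    fi
}

# check_trust_paths "a:b:c"
# prints "ENTRY CLASS" per entry; returns 1 if any entry is missing or is
# a directory without an anchors/ subdirectory (nothing would be trusted)
check_trust_paths() {
    rc=0
    saved_ifs=$IFS
    IFS=:
    for entry in $1; do
        cls=$(classify_trust_path "$entry")
        printf '%s %s\n' "$entry" "$cls"
        case $cls in
            dir-no-anchors|missing) rc=1 ;;
        esac
    done
    IFS=$saved_ifs
    return $rc
}

# Constructed demo layout (stand-in paths, empty files, not a real store):
#   $demo_root/share/certs/ca-root-nss.crt   -> a bundle file
#   $demo_root/etc/ssl/certs/anchors/ca.pem  -> a directory store with anchors/
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/etc/ssl/certs/anchors" "$demo_root/share/certs"
: > "$demo_root/share/certs/ca-root-nss.crt"
: > "$demo_root/etc/ssl/certs/anchors/ca.pem"

# Note the third entry: pointing at the anchors directory itself makes the
# module look for an anchors/ subdirectory inside it, so nothing is trusted.
if check_trust_paths "$demo_root/share/certs/ca-root-nss.crt:$demo_root/etc/ssl/certs:$demo_root/etc/ssl/certs/anchors"; then
    echo "all entries yield trusted certificates"
else
    echo "at least one entry yields no trusted certificates"
fi
```

On an installed system the authoritative check is p11-kit's own `trust list --filter=ca-anchors`, which prints only the certificates the trust module actually treats as anchors; if the system store shows up empty there after switching trust_paths to a directory, the `anchors` subdirectory is what is missing.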