Bug 100994

Summary: Implement a "trust print-config" command
Product: p11-glue Reporter: Kai Engert <kaie>
Component: p11-kitAssignee: Stef Walter <stefw>
Status: NEW --- QA Contact:
Severity: normal    
Priority: medium CC: adamw, ueno
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Kai Engert 2017-05-10 20:28:01 UTC 
The dracut project needs to copy the p11-kit-trust.so, plus all trust input to an initramfs for a mimimal environment, such as installers and for kernel boot. At least installers need web access, and the tool to download from the web might be configured to use p11-kit-trust.so

Because dracut is a cross distribution tool, and because distributions may individually choose the directories they use for input to p11-kit-trust.so, it would be helpful to have a dynamic mechanism provided by p11-kit, that prints the directory names that will be dynamically accessed by p11-kit-trust.so

For example, on Fedora, it could work like this, with the following output:

$ trust print-config
/etc/pki/ca-trust/source
/usr/share/pki/ca-trust-source
Comment 1 Kai Engert 2017-06-23 14:42:08 UTC 
Adam, please let us know if you have thoughts about the priority of this.
Comment 2 Adam Williamson 2017-06-23 18:18:44 UTC 
Well, it just depends on how likely it is that the bodge we put in dracut will break:

        for _dir in $libdirs; do
            [[ -e $_dir/libnssckbi.so ]] || continue
            # this looks for directory-ish strings in the file
            for _p11roots in $(grep -o --binary-files=text "/[[:alpha:]][[:print:]]*" $_dir/libnssckbi.so) ; do
                # the string can be a :-separated list of dirs
                for _p11root in $(echo "$_p11roots" | tr ':' '\n') ; do
                    # check if it's actually a directory (there are
                    # several false positives in the results)
                    [[ -d "$_p11root" ]] || continue
                    # check if it has some specific subdirs that all
                    # p11-kit trust dirs have
                    [[ -d "${_p11root}/anchors" ]] || continue
                    [[ -d "${_p11root}/blacklist" ]] || continue
                    # so now we know it's really a p11-kit trust dir;
                    # install everything in it

If anything changes to break that grep command or the expectation that all trust dirs will have /anchors and /blacklist subdirectories, we're in trouble. So long as those things hold true, it's not *urgent*.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.