Draft: Make Firefox, Thunderbird and Chromium trust system root certificate store
This works by making libnssckbi.so consumers like the mentioned applications use p11-kit.
The change consists of two parts:
1. A workaround for #704180: p11-kit unfortunately still does not provide a package that replaces/diverts libnssckbi.so. This can be reverted and replaced with a dependency on such a package as soon as that becomes available.
2. The removal of the pre-population of ~/.pki/nssdb/ in different places, as well as policies for Firefox and Thunderbird with the same effect.
Due to the diversion in 1.) the package becomes architecture-dependent.
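As an added check (not part of this merge request or of debian-edu-config), the following POSIX shell script reports which trust module an NSS consumer actually gets through libnssckbi.so after the diversion described above: whether the multiarch path is a symlink that ends at p11-kit-trust.so, libnss3's original built-in module (Mozilla's own CA list), or missing. The `dpkg-divert --list` call shows whether libnss3's copy was renamed away. The fallback triplet `x86_64-linux-gnu` is an assumption used only when `dpkg-architecture` is not installed.

```shell
#!/bin/sh
# Added example, not code from the merge request: report which trust store
# backend an NSS consumer will load through libnssckbi.so.

# nss_trust_backend PATH
#   Prints "p11-kit-trust" when PATH is a symlink whose final target is
#   p11-kit-trust.so (the layout this MR creates with dpkg-divert plus a
#   symlink), "nss-builtin" when it is a regular file (the module shipped by
#   libnss3), "other:<target>" for any other symlink, or "missing".
nss_trust_backend() {
    path=$1
    if [ -L "$path" ]; then
        target=$(readlink -f "$path" 2>/dev/null || readlink "$path")
        case "$(basename "$target")" in
            p11-kit-trust.so) echo p11-kit-trust ;;
            *) echo "other:$target" ;;
        esac
    elif [ -f "$path" ]; then
        echo nss-builtin
    else
        echo missing
    fi
}

# system_nssckbi_path: the multiarch location the MR diverts.
# Assumption: falls back to x86_64-linux-gnu when dpkg-architecture is not
# available (non-Debian host); the real triplet is queried where it exists.
system_nssckbi_path() {
    triplet=$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null || echo x86_64-linux-gnu)
    echo "/usr/lib/$triplet/libnssckbi.so"
}

# report: what to run after installing the package to confirm that Firefox,
# Thunderbird and Chromium will now go through the system trust store.
report() {
    p=$(system_nssckbi_path)
    echo "$p -> $(nss_trust_backend "$p")"
    # dpkg-divert --list shows whether libnss3's copy was moved aside.
    if command -v dpkg-divert >/dev/null 2>&1; then
        dpkg-divert --list "$p" 2>/dev/null || true
    fi
}

report
```

A result of `p11-kit-trust` together with a listed diversion means the diversion from this MR is in effect; `nss-builtin` means the applications are still using Mozilla's bundled CA list and will not see certificates added under /usr/local/share/ca-certificates.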
assigned to @sunweaver
54 55 net-tools, 55 56 ng-utils, 56 57 openssl, 58 p11-kit-modules,
I'd rather add a separate bin:pkg to src:debian-edu-config (e.g. debian-edu-config-libnssckb-provider) and move all p11-kit-modules related logic into there.
However, this will also be a hacky work-around.
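Review bot: the new `p11-kit-modules` entry in Depends (line 58) does not order the install the way the preinst diversion needs: preinst runs before Depends are guaranteed to be unpacked, and the `libnssckbi.so` symlink this package installs points at `usr/lib/${DEB_HOST_MULTIARCH}/pkcs11/p11-kit-trust.so`, which only exists once p11-kit-modules is unpacked. Any NSS consumer started in that window would fail to load its trust module. If that matters, use `Pre-Depends: p11-kit-modules`, otherwise document the ordering assumption in a comment next to the dependency. The diverted file belongs to libnss3, so stating that relationship here too (at least in a comment) would help the next maintainer understand why the package is now architecture-dependent.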
It would be a subpackage that actually belongs in p11-kit. There is a branch available with it since 2019 linked from #704180, it just needs to be updated and merged.
How about a much simpler approach, see: https://code.it-zukunft-schule.de/cgit/itzks-systems/tree/etc/skel/.mozilla/firefox/debian-edu.default/pkcs11.txt
IMHO it is better to have this configured in one place, system-wide for all consumers of libnssckbi.so, but I agree that this is a workaround and it would be better if it were a subpackage of p11-kit and even installed on Debian by default, not only DebianEdu (it has been e.g. in Fedora/RHEL since 2013). But it is your call how you want to go about this. Anyway, can we get progress on #704180 and #741005?
62 62 fi 63 63 esac 64 64 65 # remove diversion of libnssckbi.so, workaround until #704180 is resolved 66 remove_libnssckbi_diversion () { 67 dpkg-divert --package debian-edu-config --remove --rename \ 68 --divert /usr/lib/@DEB_HOST_MULTIARCH@_libnssckbi.so_libnss3 \ 69 /usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so changed this line in version 3 of the diff
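Review bot: `remove_libnssckbi_diversion` (lines 66-69) must also run on the `abort-install` and `abort-upgrade` paths, not only on `remove`/`purge`; the preinst adds the diversion before unpack, so a failed unpack would otherwise leave libnss3's module renamed to `/usr/lib/@DEB_HOST_MULTIARCH@_libnssckbi.so_libnss3` with nothing at the real path. The hunk only shows the definition, so please confirm the case statement covers those actions. Note too that `dpkg-divert --remove --rename` refuses to overwrite: it only succeeds when this package's own symlink at `/usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so` is already gone, which is true on `remove` (files are deleted before postrm) but not necessarily on an aborted upgrade, so guard the call with a check that the path is not a symlink, or remove the symlink first.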
59 59 fi 60 60 fi 61 61 62 63 # add diversion for libnssckbi.so and replaces with p11-kit-trust.so, 64 # workaround until # #704180 is resolved 65 if dpkg --compare-versions "$2" le "2.12.36"; then 66 dpkg-divert --package debian-edu-config --add --rename \ 67 --divert /usr/lib/@DEB_HOST_MULTIARCH@_libnssckbi.so_libnss3 \ 68 /usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so changed this line in version 3 of the diff
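Review bot: the guard `dpkg --compare-versions "$2" le "2.12.36"` (line 65) receives an empty `$2` on a fresh `install`; dpkg treats an empty version as older than anything, so the diversion is added, but it prints a "version string is empty" warning on every new installation. Prefer `if [ -z "$2" ] || dpkg --compare-versions "$2" le "2.12.36"; then`. The comment on line 64 has a stray `#` (`until # #704180`) and "replaces with" should read "replace it with".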
1 1 #!/usr/bin/make -f 2 2 3 3 DESTDIR=`pwd`/debian/debian-edu-config 4 SUBSTFILES = \ 5 debian/debian-edu-config.preinst \ 6 debian/debian-edu-config.postrm 7 8 debian/%: debian/%.in 9 sed 's/@DEB_HOST_MULTIARCH@/$(DEB_HOST_MULTIARCH)/g' <$< >$@ 1 1 usr/share/debian-edu-config/tools/ldapdump.sh etc/slbackup/pre.d/ldapdump.sh 2 2 etc/debian-edu/www/index.html.nb-no etc/debian-edu/www/index.html.no 3 usr/lib/${DEB_HOST_MULTIARCH}/pkcs11/p11-kit-trust.so usr/lib/${DEB_HOST_MULTIARCH}/libnssckbi.so changed this line in version 3 of the diff
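Review bot: `DEB_HOST_MULTIARCH` is used in the sed substitution (line 9) and in the links file, but nothing in this rules hunk sets it; unless `include /usr/share/dpkg/architecture.mk` (or `DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)`) is present elsewhere in debian/rules, `$(DEB_HOST_MULTIARCH)` expands to empty and the maintainer scripts divert `/usr/lib//libnssckbi.so`. `SUBSTFILES` is defined on lines 4-6 but no target depending on it is visible, so please confirm the generated `debian/debian-edu-config.preinst` and `.postrm` are built before `dh_installdeb` runs and removed again in `clean` (and ignored in git). The `${DEB_HOST_MULTIARCH}` form in the links file relies on debhelper's config-file substitution, which requires compat level 13 or later; worth checking `debian/control` or `debian/compat` matches.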
added 15 commits
- 124070c6...01e201ca - 13 commits from branch master
- dda7b262 - Make libnssckbi.so consumers trust system root certificate store
- 4b63838a - Stop adding the DebianEdu root CA to NSS shared database

added 35 commits
- 4b63838a...1373cfcc - 33 commits from branch master
- 608af78c - Make libnssckbi.so consumers trust system root certificate store
- 909c45c1 - Stop adding the DebianEdu root CA to NSS shared database