6

The usual method of adding your own CA certificate to Ubuntu is:

cp cert.pem /usr/local/share/ca-certificates
update-ca-certificates

I'd like to distribute my CA certificate using a Debian package, but /usr/local/ is off-limits to packages (and lintian complains, and the Software Centre denounces my package as a low-quality one). So what's the standard method for doing so using Debian packaging? I tried peeking at ca-certificates-java, but I couldn't make much sense of what it is doing.

muru
  • What if you install the cert into the application's dir, and then move it to its destined location in the postinst script, in which you also update the certs? – s3lph Nov 16 '14 at 17:13
  • @the_Seppi Possible. But it's like adhering to the letter of the law and not the spirit. And I think there's a trigger for update-ca-certificate, because I have seen apt run it on occasion, which makes me think there's some standard way of adding certificates. – muru Nov 16 '14 at 17:15
  • What are you trying to do exactly? Distribute a self-signed certificate for https? – Panther Nov 16 '14 at 17:16
  • @bodhi.zazen yes. It's also used for other things, such as for STARTTLS in LDAP (but that doesn't need it to be in the global store). – muru Nov 16 '14 at 17:17
  • see if this helps - http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu – Panther Nov 16 '14 at 17:18
  • You can try putting your cert in /tmp , write a post-inst script to copy it to /usr/local/share/ca-certificates , then update-ca-certs and delete the /tmp file. I suggest you ask on irc (motu) or on a debian mailing list. – Panther Nov 16 '14 at 17:20
  • @bodhi.zazen Nope (to the SU question). Considering how small this package is, I'd like to keep postinst to the minimum (ideally not using a postinst at all). Your suggestion is the same as the_Seppi's. – muru Nov 16 '14 at 17:22
  • You can always use your .deb as is, even though lintian complains. If you are seriously packaging to be included in the official debian repositories you should contact the debian packaging maintainers as such a package has security implications. – Panther Nov 16 '14 at 17:23
  • @bodhi.zazen No, I am not packaging it for a distro repo. But I'd like to distribute it to students, and ideally they shouldn't be shown a warning like "This package is of low quality." Or have to use dpkg -i. – muru Nov 16 '14 at 17:25
  • If you are simply adding a cert for local use, probably just as easy to write a script and skip packaging. It is basically 3 commands - wget ca-cert , cp ca-cert /usr/local ... ; update-ca-certs – Panther Nov 16 '14 at 17:25
  • Neither dpkg nor apt-get will show a warning about low-quality packaging; that is what lintian is for. – Panther Nov 16 '14 at 17:26
  • @bodhi.zazen I'd prefer that instructions to students be as simple as possible. (With a package, it's: Download this, double-click, install.) Ubuntu Software Centre will warn about low-quality packages. – muru Nov 16 '14 at 17:29
  • you can (mkdir) and then use /usr/share/ca-certificates/extra/ to clear those errors. – Panther Nov 16 '14 at 17:43
  • @bodhi.zazen by the way, what would be appropriate place for asking this? ubuntu-devel, debian-devel and debian-mentors are all for adding things to the respective distros. Can I ask for help there for something like this? – muru Nov 16 '14 at 17:46
  • I would ask d-mentors, u-devel, and d-devel, in that order. Many users will be in some or all of those channels. – Panther Nov 16 '14 at 17:52

1 Answer

5

It seems the_Seppi and bodhi.zazen are correct: the only clean way to do this is using a maintainer script to do the deed. From /usr/share/doc/ca-certificates/README.Debian:

How to install local CA certificates
------------------------------------------------------------------

                              ...  If you want to prepare a local
package of your certificates, you should depend on ca-certificates,
install the PEM files into /usr/local/share/ca-certificates/ as above
and call 'update-ca-certificates' in the package's postinst, and should
call 'update-ca-certificates --fresh' in the package's postrm.

An example source package for building a local CA certificate package,
using ca-certificates (>= 20130119) (since it uses triggers) can be
found in /usr/share/doc/ca-certificates/examples/ca-certificates-local/.
The README file in the above directory has step-by-step instructions for
building a local CA certificate package.

The example package has a Makefile which directly installs the file to /usr/local/share/ca-certificates.

However, the Debian policy on installing files in /usr/local is to not do so at all (see section 1.2, chapter 9), either directly or using a maintainer script.

The compromise that I find acceptable is to use the scripts, and place links instead of copying them. This way an end user can still trace where the stuff in /usr/local/ is coming from.

Instead of calling update-ca-certificates with varying arguments, one should add update-ca-certificates-fresh to the triggers list (as noted in the last paragraph quoted above), allowing the certificates to be processed along with any other pending certificate updates:

echo 'activate update-ca-certificates-fresh' >> debian/package-name.triggers
muru
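The maintainer-script logic the answer describes (links into /usr/local/share/ca-certificates instead of copies, with the store rebuild left to the update-ca-certificates-fresh trigger), written out as an added example; it is not the example package shipped by ca-certificates and not code from the answer. The package name example-org-ca, the install path /usr/share/example-org-ca/ and the debian/example-org-ca.triggers file are assumptions. Two details worth keeping in mind: update-ca-certificates only picks up files in the local directory whose name ends in .crt, so the package should install its PEM certificate under that extension rather than as cert.pem; and by the time postrm runs, dpkg has already deleted the package's own files, so the removal step has to find the links by where they point, not by listing the package directory.

```shell
#!/bin/sh
# Added example: maintainer-script functions for a local CA package.
# Assumed layout (hypothetical):
#   debian/example-org-ca.triggers      contains: activate update-ca-certificates-fresh
#   /usr/share/example-org-ca/*.crt     the certificate(s) the package installs
#   /usr/local/share/ca-certificates/   where update-ca-certificates looks for local *.crt
# Paths are parameters so the functions can be exercised against scratch directories.
set -e

# postinst "configure": link every packaged *.crt into the local store.
# No update-ca-certificates call here: the triggers file activates
# update-ca-certificates-fresh whenever this package's state changes.
link_local_certs() {
    pkg_dir="$1"
    local_dir="$2"
    mkdir -p "$local_dir"
    for crt in "$pkg_dir"/*.crt; do
        [ -e "$crt" ] || continue              # glob matched nothing: no certs shipped
        ln -sf "$crt" "$local_dir/$(basename "$crt")"
    done
}

# postrm "remove"/"purge": remove only symlinks that point into the package
# directory. The targets are usually already gone (dangling links), so the
# check is on the link itself; anything the admin placed there is left alone.
unlink_local_certs() {
    pkg_dir="$1"
    local_dir="$2"
    [ -d "$local_dir" ] || return 0
    for link in "$local_dir"/*.crt; do
        [ -L "$link" ] || continue             # regular file or unmatched glob: skip
        case "$(readlink "$link")" in
            "$pkg_dir"/*) rm -f "$link" ;;
        esac
    done
}

# Dispatcher shared by debian/postinst and debian/postrm:
#   postinst:  run_maintainer_action "$1" /usr/share/example-org-ca /usr/local/share/ca-certificates
#   postrm:    same call; dpkg passes "remove"/"purge" as $1.
run_maintainer_action() {
    action="$1"
    pkg_dir="$2"
    local_dir="$3"
    case "$action" in
        configure)      link_local_certs "$pkg_dir" "$local_dir" ;;
        remove|purge)   unlink_local_certs "$pkg_dir" "$local_dir" ;;
        *)              ;;                     # upgrade, abort-*, etc.: nothing to do
    esac
}
```

Because the rebuild is driven by the trigger rather than by an explicit update-ca-certificates call, installing or removing this package alongside other certificate updates results in a single `update-ca-certificates --fresh` run once dpkg processes pending triggers.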