GNU bug report logs -
#26948
'guix publish' file name decoding is locale-dependent
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple examples of how things break:
>
> * guix lint
>
> guix lint emacs
> Backtrace:macs <at> 25.2 [cve]...
> 9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8&")
> In guix/ui.scm:
> 1257:8 8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
> 640:9 7 (for-each #<procedure 183c060 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
> 982:4 6 (run-checkers _ _)
> In srfi/srfi-1.scm:
> 640:9 5 (for-each #<procedure 1f252a0 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
> 805:4 4 (check-vulnerabilities _)
> 800:9 3 (_ _)
> In unknown file:
> 2 (force #<promise #<procedure 7f1db4d41f88 at guix/scrip&>)
> In guix/scripts/lint.scm:
> 789:24 1 (_)
> In ice-9/boot-9.scm:
> 837:9 0 (catch srfi-34 #<procedure 7f1db4d4d3a8 at guix/script&> &)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args `(#<gnutls-error-enum Error while reading file.> set-certificate-credentials-x509-trust-file!)'.

So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is
unreadable for some reason. Could you ‘strace’ it to see exactly which
file cannot be opened and why?

However, I cannot reproduce it with current master:

--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs guix lint emacs
gnu/packages/emacs.scm:99:2: emacs <at> 25.2: TLS certificate error: ERROR: X.509 certificate of 'www.gnu.org' could not be verified:
signer-not-found
invalid
guix lint: warning: TLS certificate error: ERROR: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
signer-not-found
invalid
guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---
This is the same story for the other ones.
Essentially, this code from (guix build download):

  (define (make-credendials-with-ca-trust-files directory)
    "Return certificate credentials with X.509 authority certificates read from
  DIRECTORY. Those authority certificates are checked when
  'peer-certificate-status' is later called."
    (let ((cred  (make-certificate-credentials))
          (files (or (scandir directory
                              (lambda (file)
                                (string-suffix? ".pem" file)))
                     '())))
      (for-each (lambda (file)
                  (let ((file (string-append directory "/" file)))
                    ;; Protect against dangling symlinks.
                    (when (file-exists? file)
                      (set-certificate-credentials-x509-trust-file!
                       cred file
                       x509-certificate-format/pem))))
                (or files '()))
      cred))

seems to select a FILE that passes ‘file-exists?’ but that cannot be
read by ‘set-certificate-credentials-x509-trust-file!’. I think that
can happen with unreadable files (EPERM), though I can’t reproduce it.
The ‘strace’ output should help us figure out what’s going on.
Thanks,
Ludo’.
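
Added example, not part of the message above and not Guix code: a Python diagnostic that applies the same selection as the quoted loader (".pem" suffix, then an existence check) and then actually tries to read each entry, so files that exist but cannot be read are reported by name. The function names and the sample directory are constructed for illustration.

```python
import errno
import os
import tempfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def classify_trust_files(directory):
    """Map each '*.pem' entry of DIRECTORY to a status string."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pem"):        # same filter as the scandir predicate
            continue
        path = os.path.join(directory, name)
        if not os.path.exists(path):         # follows symlinks, like file-exists?
            results[name] = "skipped: dangling symlink"
            continue
        try:
            # The existence check passed; now test what it does not cover.
            with open(path, "rb") as handle:
                data = handle.read()
        except OSError as exc:               # EACCES, EISDIR, EIO, ...
            code = errno.errorcode.get(exc.errno, str(exc.errno))
            results[name] = "exists but unreadable: " + code
            continue
        if PEM_MARKER in data:
            results[name] = "ok"
        else:
            results[name] = "readable, no PEM certificate block"
    return results

def demo():
    """Build a constructed sample directory and classify its entries."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "good.pem"), "wb") as handle:
            # Constructed placeholder, not a real certificate.
            handle.write(PEM_MARKER + b"\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
        open(os.path.join(root, "empty.pem"), "wb").close()
        os.mkdir(os.path.join(root, "dir.pem"))   # exists, but reading it fails
        os.symlink(os.path.join(root, "missing"),
                   os.path.join(root, "dangling.pem"))
        open(os.path.join(root, "notes.txt"), "wb").close()  # wrong suffix
        return classify_trust_files(root)

if __name__ == "__main__":
    for entry, status in demo().items():
        print(f"{entry}: {status}")
```

Calling classify_trust_files on the directory named by SSL_CERT_DIR, as the same user that runs the failing command, lists the entries that pass the existence check yet fail on read.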
This bug report was last modified 4 years and 190 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.