Locally extending trusted certificates

Manik Taneja manik at canonical.com
Thu Jan 19 01:00:50 UTC 2017


hi there,

just wanted to follow up on this query and see if we have a solution to
this problem?

/manik

On Fri, Jan 6, 2017 at 9:17 AM, Loïc Minier <loic.minier at ubuntu.com> wrote:

> Hi,
>
> This question came up in the context of Docker registries with self-signed
> certificates:
> http://askubuntu.com/questions/868268/add-self-signed-certificate-in-ubuntu-core-16-04
> this could be addressed in ways specific to the Docker snap, but I believe
> this touches a larger question: support for extending the list of
> system-trusted certificates.
>
> Our Ubuntu Core images ship with a set of trusted certificates. These are
> inherited from the .deb world where there is a mechanism to locally extend
> the list of trusted certificates (update-ca-certificates). This mechanism
> doesn't work with core images due to read-only directories (and perhaps
> other issues as well).
>
> Here are some possible options to address this:
> 1) fix the update-ca-certificates system to also work on core images; this
> might just be a matter of making some directories bind-mounts to the
> writable space
>
> 2) implement some kind of snapd keystore feature/configs/APIs (much like
> system keystores on mobile OSes); this is likely significant work, but
> opens interesting perspectives in providing new management APIs and a more
> secure implementation. For instance, one could design this to store secrets
> in hw-specific secure stores, or offer mechanisms to roll out new
> certificates/keys via assertions, or to disable some specific CAs
>
> 3) keep the list of system certificates as static and not locally
> configurable; this will likely result in some snaps developing alternate
> keystores
>
> I'm sure there are other options and I'd like to hear how people think this
> should best be addressed in the snap/snapd world.
>
> Cheers,
> - Loïc Minier
>
> --
> Snapcraft mailing list
> Snapcraft at lists.snapcraft.io
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
>
>
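As an added example (not part of the thread, and not snapd's, Ubuntu's or the ca-certificates package's own code), the POSIX shell script below emulates the update-ca-certificates mechanism that Loïc's option 1 relies on: every *.crt dropped into the local directory is concatenated into a ca-certificates.crt bundle, and a certificate is then verified against that bundle with openssl. It runs in a scratch directory rather than the real /usr/local/share/ca-certificates and /etc/ssl/certs, so no root is needed; the function names, the example CA name and the scratch paths are assumptions. The writability check in rebuild_bundle is the step that fails on a read-only core image, which is what a bind-mount to writable space would fix. The real tool does more than this (it also maintains hash-named symlinks in /etc/ssl/certs and honours /etc/ca-certificates.conf), so treat this as an illustration of the flow, not a replacement.

```shell
#!/bin/sh
# Added example: emulates the update-ca-certificates flow in a scratch dir.
# Real paths would be /usr/local/share/ca-certificates (local CAs, input)
# and /etc/ssl/certs (bundle, output). Requires the openssl CLI.
set -eu

# Generate a self-signed "local CA" into directory $1 (constructed test data,
# e.g. the CA that signed a private Docker registry's certificate).
make_local_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-local-ca" \
    -keyout "$dir/local-ca.key" -out "$dir/local-ca.crt" >/dev/null 2>&1
}

# Rebuild $2/ca-certificates.crt from every *.crt in $1.
# Refuses to proceed when the destination is not writable, which is the
# situation on a read-only core image; returns 2 in that case.
rebuild_bundle() {
  local_dir=$1
  certs_dir=$2
  if [ ! -d "$certs_dir" ] || [ ! -w "$certs_dir" ]; then
    echo "refusing: $certs_dir is not writable (read-only image?)" >&2
    return 2
  fi
  tmp="$certs_dir/ca-certificates.crt.tmp"
  : > "$tmp"
  for f in "$local_dir"/*.crt; do
    [ -e "$f" ] || continue        # glob matched nothing
    cat "$f" >> "$tmp"
  done
  mv "$tmp" "$certs_dir/ca-certificates.crt"   # atomic swap of the bundle
}

# Count how many PEM certificates a bundle $1 contains.
bundle_count() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Return 0 if certificate $1 chains to something in bundle $2, 1 otherwise.
# This is the check a TLS client (or docker pulling from a registry) does.
trusted_by_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" = "ca-demo.sh" ]; then
  T=$(mktemp -d)
  mkdir -p "$T/local" "$T/certs"
  make_local_ca "$T/local"
  rebuild_bundle "$T/local" "$T/certs"
  echo "bundle holds $(bundle_count "$T/certs/ca-certificates.crt") cert(s)"
  trusted_by_bundle "$T/local/local-ca.crt" "$T/certs/ca-certificates.crt" \
    && echo "local CA is trusted"
  rm -rf "$T"
fi
```

Before the bundle is rebuilt, trusted_by_bundle fails for the local CA; afterwards it succeeds, which is the behaviour a snap such as Docker would need to observe for a self-signed registry certificate. On a core image the rebuild_bundle step is where things stop, because /etc/ssl/certs is not writable.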