=== chris14_ is now known as chris14
[10:43] hi people !
[10:44] sarnold: hi
=== crazybyte2 is now known as crazybyte
=== cpaelzer_ is now known as cpaelzer
[17:07] hi. I'm wondering if there is an advisable way to solve a problem i'm seeing.
[17:09] i have a supplied p7b file that represents a list of to-be-trusted certificate authorities.
[17:09] that is intended to be the entire set.
[17:10] i can't really avoid ca-certificates getting installed, as it is a dependency (Depends, not just Recommends) of many packages.
[17:11] is there a recommended path for achieving this? I want to only trust "my" list.
[17:12] the thing i'm missing is how i can avoid having an 'apt-get install' or 'upgrade' command adding the Ubuntu certs to the search list.
[17:14] smoser: I guess that depends on what software you'd like to use your "custom CA root set"? I know postfix for example can be told to use any directory for that
[17:16] ideally "all software". basically anything using openssl.
[17:16] and, yeah, for things that have other "custom" locations, i understand i would have to address those separately.
[17:27] smoser: so maybe add your custom CA root set to `/usr/local/share/ca-certificates/`, then run `update-ca-certificates` to distrust the official roots and only keep yours
[17:29] smoser: maybe you can be creative and use a hook script (`/etc/ca-certificates/update.d`) to do that when updates are pushed?
[17:37] yeah, i'd thought about the update.d dir.
[17:38] what did you mean "to distrust the official roots" ?
[17:38] i thought it unioned /usr/share/ca-certificates/ and /usr/local/share/ca-certificates/
[17:41] i'd also thought of just dpkg-divert'ing update-ca-certificates, and replacing it with my own.
=== crazybyte2 is now known as crazybyte
[18:40] smoser: `dpkg-reconfigure ca-certificates` can ask you for each of the root CAs to trust, by default they are all trusted but you can remove them all if you wish
[18:44] smoser: I just went on and removed them all and the debconf equivalent seems to be:
[18:44] root@j:~# debconf-show ca-certificates
[18:44] * ca-certificates/enable_crts:
[18:45] ca-certificates/new_crts:
[18:45] * ca-certificates/trust_new_crts: ask
[18:45] ca-certificates/title:
[18:45] prior to removing them all from the trusted list, they all appeared in `ca-certificates/enable_crts`
[19:08] that just edits /etc/ca-certificates.conf, right?
[19:08] so what would you think about
[19:08] 1. install package
[19:08] 2. sed -i '/^[^#!]/s/^/!/' /etc/ca-certificates.conf
[19:08] 3. printf "%s\t%s\t%s\t%s\n" ca-certificates ca-certificates/enable_crts select no | debconf-set-selections --checkonly
[19:08] 4. dpkg-reconfigure ca-certificates --frontend=noninteractive
[19:09] ooops. drop the '--checkonly' from set-selections of course.
[19:14] bah. '3' should have been:
[19:14] printf "%s\t%s\t%s\t%s\n" ca-certificates ca-certificates/trust_new_crts select no | debconf-set-selections
[19:26] smoser: ah I didn't know it was simply editing `/etc/ca-certificates.conf` so yeah that looks good except that apparently removing all certs doesn't create an empty `/etc/ssl/certs/ca-certificates.crt`, it remains unaltered with the full CA list
=== hank_ is now known as hank