ca-certificates: fix python3-cryptography woes in certdata2pem.py
authorChristian Lamparter <chunkeey@gmail.com>
Wed, 1 Dec 2021 14:01:23 +0000 (15:01 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Sat, 4 Mar 2023 12:09:12 +0000 (13:09 +0100)
commit23c86d44bcfa00255c32196458b0a47dfa6732d5
treea04104e1f354ac21c6c04fd02bbb73c4a36aa7f1
parentf67f60b809b433c42bc86dad60fbdef0fb866a0a
ca-certificates: fix python3-cryptography woes in certdata2pem.py

This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.

|Traceback (most recent call last):
|  File "certdata2pem.py", line 125, in <module>
|    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
|  File "/certdata2pem.py", line 31, in <module>
|    from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 25bc66eb40ea2c062940778fba601032b2579734)
package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch [new file with mode: 0644]