[release/8.0] Add support for Chromium Snap cert trust #57257
Merged
Backport of #57256 to release/8.0
/cc @amcasey
Add support for Chromium Snap cert trust
This adds one more well-known browser trust store location.
Description
This is a follow-up to #57108. That change didn't properly cover the Snap version of Chromium. When I was testing locally, I was launching Chromium from the command line so I could use strace to see how it was querying trust. It turns out that running the same exe via the command line is not equivalent to launching it via the GUI - the GUI wraps it in some sort of "confinement" that forces it to use a snap-specific trust database, rather than the one shared by regular Chromium-based browsers.
Customer Impact
If you install Chrome or Edge via .deb/.rpm, the dev cert works as expected but, if you install it via snap, it will report localhost as untrusted.
The mitigation is
export DOTNET_DEV_CERTS_NSSDB_PATHS=$HOME/snap/chromium/current/.pki/nssdb
Regression?
This functionality hasn't shipped yet.
Risk
We already have a list of well-known folders - this is just one more.
Verification
CTI caught it in manual validation and I validated the fix myself. I'll let them know about the update.
Packaging changes reviewed?