Git 2.29.0 is braking the use of /usr/bin/update-ca-trust #2874

Closed
oergrd opened this issue Oct 27, 2020 · 4 comments

oergrd commented Oct 27, 2020

  • [x] I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
$ git --version --build-options

git version 2.29.0.windows.1
cpu: x86_64
built from commit: add3cebdf89e93784955b34e1c1ffcba308b89cc
sizeof-long: 4
sizeof-size_t: 8
shell-path: /bin/sh
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
$ cmd.exe /c ver

Microsoft Windows [Version 10.0.18363.1139]
  • What options did you set as part of the installation? Or did you choose the
    defaults?
# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Editor Option: VIM
Custom Editor Path:
Default Branch Option:
Path Option: Cmd
SSH Option: OpenSSH
Tortoise Option: false
CURL Option: OpenSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Git Pull Behavior Option: Merge
Use Credential Manager: Core
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled
Enable Pseudo Console Support: Disabled

Details

  • Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Git Bash

Provided a pem file in /etc/pki/ca-trust/source/anchors/, I'm running
/usr/bin/update-ca-trust

Debugging the issue, I also ran the following:
/usr/bin/p11-kit extract --verbose --format=openssl-bundle --filter=certificates --overwrite --comment /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --verbose --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --verbose --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --verbose --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --verbose --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/pki/ca-trust/extracted/java/cacerts
/usr/bin/p11-kit extract --verbose --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth /etc/pki/ca-trust/extracted/edk2/cacerts.bin

For further debugging I did:
/usr/bin/p11-kit.exe list-modules

  • What did you expect to occur after running these commands?

Similar to what occurs in Git for Windows 2.28.n:
From /usr/bin/update-ca-trust I would expect /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt to be populated with the content of my pem file.

I would expect /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt to be populated from relevant /usr/bin/p11-kit extract commands.

From /usr/bin/p11-kit.exe list-modules I would expect to see p11-kit-trust like in Git for Windows 2.28.n:

$ /usr/bin/p11-kit.exe list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
  • What actually happened instead?

/usr/bin/update-ca-trust creates an empty /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt.

All of /usr/bin/p11-kit extract commands return p11-kit: no modules containing trust policy are registered

There is no output from $ /usr/bin/p11-kit.exe list-modules

Kind regards

@oergrd oergrd changed the title Git 2.29.0 is braking the us of /usr/bin/update-ca-trust Git 2.29.0 is braking the use of /usr/bin/update-ca-trust Oct 27, 2020
Member

dscho commented Oct 27, 2020

Could you look through the snapshots (the Portable Git edition should be enough to verify this) to see whether you can pinpoint the revision that broke this? And once you found that, could you try to figure out whether there are any missing files that, once copied over from a working version, fix the problem?

I could imagine that git-for-windows/build-extra@45912cf is the commit that broke it; I do not want to revert it wholesale, I want to apply just the minimal change to fix the problem you reported.

Author

oergrd commented Oct 27, 2020

git version 2.28.0.windows.1.56.ge782f50662.20201002162954 (commit e782f50) is working well but git version 2.29.0.rc0.windows.1 (commit 58a43b4) is broken.

Copying over /usr/lib/pkcs11/*.* (p11-kit-client.dll and p11-kit-trust.dll) made it work for me. The same applies to git version 2.29.1.windows.1

Member

dscho commented Oct 27, 2020

Thank you!

> Copying over /usr/lib/pkcs11/*.* (p11-kit-client.dll and p11-kit-trust.dll) made it work for me.

Are both needed? I ask because they weigh 923kB and 189kB, respectively, and I would love to save space if possible.

Author

oergrd commented Oct 28, 2020

Honestly I don't know much about p11-kit and these files in particular. In my case, adding just /usr/lib/pkcs11/p11-kit-trust.dll made it work.

dscho added a commit to git-for-windows/build-extra that referenced this issue Oct 30, 2020
A [regression preventing `/usr/bin/update-ca-trust` from
working](git-for-windows/git#2874) was fixed.

Signed-off-by: Johannes Schindelin <[email protected]>
@dscho dscho added this to the Next release milestone Oct 30, 2020
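
The manual checks from this thread, collected into one script as an added example (not code from the issue or from Git for Windows): it looks for /usr/lib/pkcs11/p11-kit-trust.dll, rejects an empty ca-bundle.trust.crt, and confirms that each anchor reappears in pem/tls-ca-bundle.pem. The function names, the return codes and the assumption that anchors are PEM files trusted for server-auth are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue thread. ROOT is the Git for Windows root as
# seen from Git Bash ("/" for the live install). Return codes are this script's
# own convention: 0 ok, 1 trust module missing, 2 bundle empty, 3 anchor missing.

# Base64 body of the first certificate in a PEM file, joined onto one line.
first_cert_b64() {
    awk '/-----BEGIN /{on=1; next} /-----END /{exit}
         on{gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# Base64 body of every certificate in a bundle, one certificate per line.
bundle_b64() {
    awk '/-----BEGIN /{on=1; next} /-----END /{on=0; print ""; next}
         on{gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

check_ca_trust() {
    root=${1%/}
    module="$root/usr/lib/pkcs11/p11-kit-trust.dll"
    anchors="$root/etc/pki/ca-trust/source/anchors"
    extracted="$root/etc/pki/ca-trust/extracted"
    if [ ! -f "$module" ]; then
        echo "FAIL: $module is missing; p11-kit has no trust module to load"
        return 1
    fi
    # -s is false for a missing file and for the zero-byte file seen in the report.
    if [ ! -s "$extracted/openssl/ca-bundle.trust.crt" ]; then
        echo "FAIL: extracted/openssl/ca-bundle.trust.crt is empty or missing"
        return 2
    fi
    # Assumption: anchors are PEM and trusted for server-auth, so each one
    # should reappear unchanged in the server-auth PEM bundle.
    for pem in "$anchors"/*; do
        [ -f "$pem" ] || continue
        want=$(first_cert_b64 "$pem")
        [ -n "$want" ] || continue
        if ! bundle_b64 "$extracted/pem/tls-ca-bundle.pem" 2>/dev/null |
                grep -qxF -- "$want"; then
            echo "FAIL: $pem was not extracted into pem/tls-ca-bundle.pem"
            return 3
        fi
    done
    echo "OK: trust module present and all anchors extracted"
}

# Run against a given root when called with an argument, e.g.: sh check.sh /
if [ "$#" -gt 0 ]; then check_ca_trust "$1"; fi
```

A silent empty bundle is worth catching early, because the usual workaround for the resulting TLS errors is to switch certificate verification off.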