[TLS] Add support for platform-specific CA bundles. #76836
Thank you for working on this! May I ask to check for "_SYSTEM_CERTS_PATH" in function This would allow to set a path at compile time with higher priority, Is it possible, to get the path Thanks!
@m4gr3d thanks for the speedy review 🥳 ! I updated the PR with your suggestions.
@cunyx done, thanks 🥳 !
@cunyx I am unsure about this, I see the value for package maintainers but I'm not really sure it's a good solution at large, as it would create an export template only working with a specific distro (CC @akien-mga, opinions?).
It's not portable indeed, but might still be worth checking for these use cases:
Personally I don't use the feature in my Fedora and Mageia packages for Godot: https://src.fedoraproject.org/rpms/godot/blob/rawhide/f/godot.spec That being said, the As a reminder,
BTW when it comes to locating the certs bundle, my distro (Mageia) has these symlinks, I wonder if they're a widespread convention on some other distros so we wouldn't need to hardcode all the distro-specific paths they resolve to?
In the long term, would this PR allow for no longer bundling a certificate bundle on most platforms? This would decrease binary size by a non-negligible amount, while also making binaries more future-proof.
The Android section looks good!
Thanks for the feedback!
I would argue, those who want the compiled binary to be portable cross distro, If "_SYSTEM_CERTS_PATH" is set to the default ("\n" i think) the check in this Wouldn't this keep portability except builder explicitly opted out by setting The name of this option seems to somehow imply,
It seems you do not unbundle "certs". This is for example needed to load the asset library. Another use case for checking "_SYSTEM_CERTS_PATH" with highest priority
In (an older) openSUSE I see a link from
@akien-mga @cunyx I added the
@Calinou Yes, I think Windows/macOS/Android could already unbundle them. On linuxbsd it's a bit trickier due to each distro having its own paths so we should probably evaluate if we can cover 99% of the users I guess. The only missing platforms are Web (where we don't need bundling), and iOS/iPadOS/tvOS which as far as I understand does not give developers access to the anchor certificates.
@Faless
As your coding knowledge is much more superior, I can not offer If I understand the code logic correctly, I'm not sure if in this case it might be better to probe the remaining explicitly listed files nevertheless. This will make it perhaps more robust and portable. But this might be more complex and of course I'm fine with your current solution as well. Thanks!
Adds a new OS::get_system_ca_certs method which can be implemented by platforms to retrieve the list of trusted CA certificates using OS specific APIs.
The function should return the certificates in PEM format, and is currently implemented for Windows/macOS/LinuxBSD(*)/Android.
mbedTLS will fall back to bundled certificates when the OS returns no certificates.
(*) LinuxBSD does not have a standardized certificates store location. The current implementation will test for common locations and may return an empty string on some distributions (falling back to the bundled certificates).
Ah, I see, no problem, done :).
Looks great!
Thanks!
Implements godotengine/godot-proposals#2970
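To make the LinuxBSD probing sketched in the PR summary concrete, here is an added C++ example that is not Godot's code and uses none of the engine's APIs: it checks an optional compile-time override path first (modelling the "_SYSTEM_CERTS_PATH" idea raised in the thread), then probes a list of candidate bundle locations (illustrative paths, an assumption), keeps probing past entries that exist but carry no PEM certificate (the robustness point raised above), and returns an empty string so the caller can fall back to the bundled certificates as mbedTLS does in this PR. The `FileReader` injection and all path names are assumptions made for this example.

```cpp
#include <fstream>
#include <functional>
#include <sstream>
#include <string>
#include <vector>
// File reader abstraction: returns contents, or "" if missing/unreadable.
// Injected so the probing logic can be exercised without the real filesystem.
using FileReader = std::function<std::string(const std::string &)>;

std::string read_file(const std::string &path) {
    std::ifstream in(path, std::ios::binary); // follows distro symlinks transparently
    if (!in) return "";
    std::ostringstream ss;
    ss << in.rdbuf();
    return ss.str();
}

// A bundle is only usable if it carries at least one PEM certificate block.
bool looks_like_pem_bundle(const std::string &data) {
    return data.find("-----BEGIN CERTIFICATE-----") != std::string::npos;
}

// Illustrative candidate locations (assumptions, not Godot's list); distros differ.
const std::vector<std::string> kCandidateBundles = {
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
};
// override_path models a compile-time override checked with highest priority.
// Every candidate is probed in turn (a present-but-empty file is skipped), and
// "" is returned when nothing usable is found so the caller falls back to the
// bundled certificates instead of trusting an empty store.
std::string get_system_ca_certs(const std::string &override_path,
                                const std::vector<std::string> &candidates,
                                const FileReader &reader) {
    if (!override_path.empty()) {
        std::string data = reader(override_path);
        if (looks_like_pem_bundle(data)) return data;
    }
    for (const std::string &path : candidates) {
        std::string data = reader(path);
        if (looks_like_pem_bundle(data)) return data;
    }
    return "";
}

int main() {
    // Exit 0 if a system bundle was found, 1 if the caller would fall back.
    return get_system_ca_certs("", kCandidateBundles, read_file).empty() ? 1 : 0;
}
```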