tuf: resolve https repo source TLS paths against import base#466
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
Fixes TLS certificate/key file resolution for AkHttpsRepoSource so relative tls_*_path values from the [import] block are resolved against config.import.base_path (instead of the process CWD), matching how other [import] consumers behave and preventing libcurl/OpenSSL failures when the files can’t be found.
Changes:
- Update the local TLS file-reading helper to resolve
utils::BasedPathagainst an explicit base directory. - Pass
config.import.base_pathwhen readingtls_cacert_path,tls_clientcert_path, andtls_pkey_path(both PKCS#11-enabled and non-PKCS#11 builds).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
detsch
approved these changes
May 25, 2026
The local readFileIfExists helper in AkHttpsRepoSource called
based_path.get("") which discards the import base path, so
relative tls_cacert_path / tls_clientcert_path / tls_pkey_path
values from the [import] block resolve to bare filenames in the
process CWD. The files are not found, an empty string is written
to libcurl's temp cert file, and TLS fails with curl error 58
"Problem with the local SSL certificate" and OpenSSL
"PEM routines::no start line".
Pass config.import.base_path through to the helper so paths
resolve the same way every other consumer of [import] handles
them.
While in this block, also fix the tls_pkey selection in the
BUILD_P11 branch: it was gated on config.tls.cert_source but
should be on config.tls.pkey_source. Mixed configurations (cert
from file with key from PKCS#11, or vice versa) would otherwise
pick the wrong source and pass an empty key/id downstream.
No change for users who already supply absolute paths and run
with cert_source == pkey_source.
Signed-off-by: Tyler Baker <tyler.baker@oss.qualcomm.com>
detsch
force-pushed
the
fix-https-import-base-path
branch
from
9531ccd to
fd395b4
Compare
Member
|
Merge was blocked due to missing GPG signature. Added mine on Tyler's commit. Will merge once tests pass. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The local readFileIfExists helper in AkHttpsRepoSource called based_path.get("") which discards the import base path, so relative tls_cacert_path / tls_clientcert_path / tls_pkey_path values from the [import] block resolve to bare filenames in the process CWD. The files are not found, an empty string is written to libcurl's temp cert file, and TLS fails with curl error 58 "Problem with the local SSL certificate" and OpenSSL "PEM routines::no start line".
Pass config.import.base_path through to the helper so paths resolve the same way every other consumer of [import] handles them.
No change for users who already supply absolute paths.
Re-filed from #463 with the source branch moved into this repository so CI runs (per the reviewer comment on #463).