Locally extending trusted certificates

Loïc Minier loic.minier at ubuntu.com
Fri Jan 6 17:17:26 UTC 2017


This question came up in the context of Docker registries with self-signed
this could be addressed in ways specific to the Docker snap, but I believe
this touches a larger question: support for extending the list of
system-trusted certificates.

Our Ubuntu Core images ship with a set of trusted certificates. These are
inherited from the .deb world where there is a mechanism to locally extend
the list of trusted certificates (update-ca-certificates). This mechanism
doesn't work with core images due to read-only directories (and perhaps
other issues as well).

Here are some possible options to address this:
1) fix the update-ca-certificates system to also work on core images; this
might just be a matter of making some directories bind-mounts to the
writable space

2) implement some kind of snapd keystore feature/configs/APIs (much like
system keystores on mobile OSes); this is likely significant work, but
opens interesting perspectives in providing new management APIs and a more
secure implementation. For instance, one could design this to store secrets
in hw-specific secure stores, or offer mechanisms to roll out new
certificates/keys via assertions, or to disable some specific CAs

3) keep the list of system certificates as static and not locally
configurable; this will likely result in some snaps developing alternate

I'm sure there are other options and I'd like to hear how people think this
should best be addressed in the snap/snapd world.

- Loïc Minier
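
Option 1 in the message above depends on which paths a local CA addition has to write to. The following preflight check is an added example, not part of the original message or of snapd; the two paths are the Debian/Ubuntu ca-certificates package defaults, which is an assumption since the e-mail does not name them.

```shell
#!/bin/sh
# Added example: report whether the paths a local CA addition depends on are
# writable under a given root. Paths are the ca-certificates package defaults
# on Debian/Ubuntu (an assumption; the e-mail does not name them).

# Drop-in directory for local CA files, and the output directory that
# update-ca-certificates rewrites (hash symlinks and ca-certificates.crt).
CA_PATHS="usr/local/share/ca-certificates etc/ssl/certs"

# path_state ROOT RELPATH -> prints "writable", "read-only" or "missing"
path_state() {
    p="${1%/}/$2"
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -w "$p" ]; then
        echo writable
    else
        echo read-only
    fi
}

# ca_store_report ROOT -> one "state<TAB>path" line per path;
# returns 0 only when every path is writable.
ca_store_report() {
    root="${1:-/}"
    rc=0
    for rel in $CA_PATHS; do
        state=$(path_state "$root" "$rel")
        printf '%s\t%s\n' "$state" "${root%/}/$rel"
        [ "$state" = writable ] || rc=1
    done
    return "$rc"
}

# Stand-alone run: inspect the root given as $1 (default: the live system).
if ca_store_report "${1:-/}"; then
    echo "local CA additions can be written here"
else
    echo "at least one path would need a writable bind mount (option 1)"
fi
```

Run it against `/` on the device, or pass the mount point of an unpacked image as the first argument.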