From 0d78d0f09c10f5c7a25ac2ab4da4197913cd3321 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 18 Nov 2019 10:32:26 +0100 Subject: download: Load *.crt certificate bundles when *.pem files are missing. Fixes . * guix/build/download.scm (make-credendials-with-ca-trust-files): Look for *.crt files under DIRECTORY when *.pem files cannot be found. --- guix/build/download.scm | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'guix') diff --git a/guix/build/download.scm b/guix/build/download.scm index a4c91550a6..141ef409d6 100644 --- a/guix/build/download.scm +++ b/guix/build/download.scm @@ -187,10 +187,13 @@ name decoding bug described at DIRECTORY. Those authority certificates are checked when 'peer-certificate-status' is later called." (let ((cred (make-certificate-credentials)) - (files (or (scandir directory - (lambda (file) - (string-suffix? ".pem" file))) - '()))) + (files (match (scandir directory (cut string-suffix? ".pem" <>)) + ((or #f ()) + ;; Some distros provide nothing but bundles (*.crt) under + ;; /etc/ssl/certs, so look for them. + (or (scandir directory (cut string-suffix? ".crt" <>)) + '())) + (pem pem)))) (for-each (lambda (file) (let ((file (string-append directory "/" file))) ;; Protect against dangling symlinks. @@ -198,7 +201,7 @@ DIRECTORY. Those authority certificates are checked when (set-certificate-credentials-x509-trust-file!* cred file x509-certificate-format/pem)))) - (or files '())) + files) cred)) (define (peer-certificate session) -- cgit v1.2.3
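Review bot: The `*.crt` fallback in the first hunk hands every matching file to `set-certificate-credentials-x509-trust-file!*` with `x509-certificate-format/pem`, but the `.crt` suffix is also commonly used for DER-encoded certificates, which would not load as trust anchors in that format. Whether such a file raises an error during the download or is skipped silently depends on that helper, which is defined outside the hunk, so this is worth confirming. I would state the assumption beside the new comment, for example `;; *.crt files are assumed to be PEM bundles; DER-encoded ones are not handled.`, and extend the docstring (its beginning is outside the hunk) to say that `*.crt` files are consulted only when DIRECTORY has no `*.pem` entry at all. One consequence of that rule is that a directory whose `*.pem` entries are all dangling symlinks still skips the fallback and ends up with no trust anchors. That fails closed in the later `peer-certificate-status` check, but a one-line comment would spare the next reader the surprise.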