From 5122f7f6c97361b3e3a9193cdef23fd4f292c8da Mon Sep 17 00:00:00 2001 From: Christopher Thorn Date: Fri, 9 Aug 2024 11:38:58 -0700 Subject: [PATCH] (PA-6886) Add Digicert to Solaris images The DigiCertGlobalRootG2 is now used by Artifactory and the VMs we're using for Solaris don't contain that cert by default. We for sure update our images to include that, but until that is done we need to make sure to use it. Also, in our case the OpenSSL used on our Solaris VMs is ancient and doesn't support openssl-rehash, so we have to create the sim link ourself. Once we update our images this commit can be reverted. --- CHANGELOG.md | 3 ++ .../platform/defaults/solaris-11-i386.rb | 34 +++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cfeafe5..13efd6c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ This changelog adheres to [Keep a CHANGELOG](https://keepachangelog.com). ## [Unreleased] +### Added +- Add DigiCertGlobalRootG2 cert as part of Solaris default + ## [0.52.0] - 2024-06-03 ### Added - Add Amazon 2 (ARM) platform definition to vanagon diff --git a/lib/vanagon/platform/defaults/solaris-11-i386.rb b/lib/vanagon/platform/defaults/solaris-11-i386.rb index b6f0e6ff..73dcb87b 100644 --- a/lib/vanagon/platform/defaults/solaris-11-i386.rb +++ b/lib/vanagon/platform/defaults/solaris-11-i386.rb 
@@ -1,9 +1,43 @@ platform "solaris-11-i386" do |plat| + +# Source: https://www.digicert.com/kb/digicert-root-certificates.htm +# Valid until: 15/Jan/2038 +# Serial #: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5 +# SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F +# https://perforce.atlassian.net/browse/RE-16540 for long term fix for this +DigiCertGlobalRootG2 = <<-STRING +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH +MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI +2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx +1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ +q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz +tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ +vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV +5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY +1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 +NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG +Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 +8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe +pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl +MrY= +-----END CERTIFICATE----- +STRING plat.servicedir "/lib/svc/manifest" plat.defaultdir "/lib/svc/method" plat.servicetype "smf" plat.vmpooler_template "solaris-11-x86_64" + plat.provision_with "echo '#{DigiCertGlobalRootG2}'>> 
/etc/openssl/certs/DigiCertGlobalRootG2.pem" + plat.provision_with 'chmod a+r /etc/openssl/certs/DigiCertGlobalRootG2.pem' + plat.provision_with 'ln -s /etc/openssl/certs/DigiCertGlobalRootG2.pem /etc/openssl/certs/607986c7.0' + plat.provision_with '/usr/sbin/svcadm restart /system/ca-certificates' plat.add_build_repository "http://solaris-11-reposync.delivery.puppetlabs.net:81", "puppetlabs.com" plat.install_build_dependencies_with "pkg install ", " || [[ $? -eq 4 ]]" end
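Review bot: The `echo '#{DigiCertGlobalRootG2}'>>` line appends to `/etc/openssl/certs/DigiCertGlobalRootG2.pem`, so on an image where that path already exists the file keeps whatever it held before (or gains a second copy of the certificate) and is then linked into the trust directory; writing with `>` makes the trusted file hold exactly the PEM reviewed here. `ln -s` also fails when `607986c7.0` is already present, so `ln -sf` would let provisioning run again cleanly. The link name is hard-coded even though the commit message says the VM's OpenSSL is old, and OpenSSL releases before 1.0.0 compute a different subject hash, so it would be more robust to derive the name on the host: `ln -sf /etc/openssl/certs/DigiCertGlobalRootG2.pem /etc/openssl/certs/$(openssl x509 -noout -hash -in /etc/openssl/certs/DigiCertGlobalRootG2.pem).0`. Nothing checks the SHA256 fingerprint in the comment at provision time, so the embedded PEM should be compared by hand against the value DigiCert publishes before this trust anchor is approved.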