Codebase list golang-github-google-certificate-transparency / lintian-fixes/main README.MacOS
lintian-fixes/main

Tree @lintian-fixes/main (Download .tar.gz)

README.MacOS @lintian-fixes/mainraw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
## OSX Builds Now Use GClient ##

We recommend that you use GClient to build on OSX. Please follow the 
instructions in the [main readme](README.md) file.

## Trusted root certificates ##

The CT code requires a set of trusted root certificates in order to:
   1. Validate outbound HTTPS connections
   2. (In the case of the log-server) decide whether to accept a certificate
      chain for inclusion.

On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains
Apple-provided patches which intercept failed chain validations and re-attempts
them using roots obtained from the system keychain. Since we use a much more
recent (and unpatched) version of OpenSSL this behaviour is unsupported and so
a PEM file containing the trusted root certs must be used.

## Specifying root certificates to be used

To use a certificate PEM bundle file with the CT C++ code, the following
methods may be used:

### For verifying outbound HTTPS connections:

Either set the
`--trusted_roots_certs' flag, or the `SSL_CERT_FILE` environment variable, to
point to the location of the PEM file containing the root certificates to be
used to verify the outbound HTTPS connection.

### Incoming inclusion requests (ct-server only)

Set the `--trusted_cert_file` flag to point to the location of the PEM file
containing the set of root certificates whose chains should be accepted for
inclusion into the log.

## Sources of trusted roots

Obviously the choice of root certificates to trust for outbound HTTPS
connections and incoming inclusion requests are a matter of operating policy,
but it is often useful to have a set of common roots for testing and
development at the very least.

While OSX ships with a set of common trusted roots, they are not directly
available to OpenSSL and must be exported from the keychain first.  This can be
achieved with the following command:

```bash
security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem
```

## Deprecated Build Process ##

This may be out of date and is not guaranteed to work.

gtest: install from source.