Skip to content

Run update-ca-certificates as root#466

Merged
JamieMagee merged 1 commit intomainfrom
jamiemagee/update-ca-certificates-root
Jun 24, 2025
Merged

Run update-ca-certificates as root#466
JamieMagee merged 1 commit intomainfrom
jamiemagee/update-ca-certificates-root

Conversation

@JamieMagee
Copy link
Member

@JamieMagee JamieMagee commented Jun 24, 2025

As part of dependabot/dependabot-core#9627, I am seeing failures related to updating the CA certificates for Java when running as the dependabot user:

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
/etc/ca-certificates/update.d/jks-keystore: 14: cannot create /var/lib/ca-certificates-java/pending: Permission denied
E: /etc/ca-certificates/update.d/jks-keystore exited with code 2.
done.

Even when granting those permissions, I start to see issue around permissions running dpkg. It looks like the ca-certificates hook that the ca-certificates-java package installs (jks-keystore) is significantly changed between Ubuntu 22.04 and 24.04:

Ubuntu 22.04 
#!/bin/sh

set -e

# use the locale C.UTF-8
unset LC_ALL
LC_CTYPE=C.UTF-8
export LC_CTYPE

storepass='changeit'
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi

arch=`dpkg --print-architecture`
JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar

nsslib_name()
{
    if dpkg --assert-multi-arch 2>/dev/null; then
        echo "libnss3:${arch}"
    else
        echo "libnss3"
    fi
}

echo ""
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then
    echo "updates of cacerts keystore disabled."
    exit 0
fi

if ! mountpoint -q /proc; then
    echo >&2 "the keytool command requires a mounted proc fs (/proc)."
    exit 1
fi

for jvm in java-7-openjdk-$arch java-7-openjdk \
           oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
           java-8-openjdk-$arch java-8-openjdk \
           oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
           java-9-openjdk-$arch java-9-openjdk \
           oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
           java-10-openjdk-$arch java-10-openjdk \
           oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
           java-11-openjdk-$arch java-11-openjdk \
           oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
    if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
        export JAVA_HOME=/usr/lib/jvm/$jvm
        PATH=$JAVA_HOME/bin:$PATH
    	break
    fi
done

if dpkg-query --version >/dev/null; then
    nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
    nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
    nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
        ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
    fi
    softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1)
    if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then
        ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so
    fi
fi

do_cleanup()
{
    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
    then
        rm -f $nssjdk/libnss3.so
    fi
    if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \
       && [ "$softokn3pkg" != "$nssjdk" ]
    then
        rm -f $nssjdk/libsoftokn3.so
    fi
}

if java -Xmx64m -jar $JAR -storepass "$storepass"; then
    do_cleanup
else
    do_cleanup
    exit 1
fi

echo "done."
Ubuntu 24.04 
#!/bin/sh
set -e

if [ -t 0 ]; then
	echo "This hook script expects the list of PEM files to be added/removed" >&2
	echo "prefixed with '+'/'-' to be piped into stdin." >&2
	exit 1
fi

# record the pending certificate updates for later execution by the
# triggers in ca-certificates-java

mkdir -p /var/lib/ca-certificates-java
cat - >> /var/lib/ca-certificates-java/pending

case "$1" in
	*)
		dpkg-trigger --no-await update-ca-certificates-java
		;;
esac

# if the hook was activated by a manual run of update-ca-certificates
# (and not from a maintainer script), ensure the triggers get processed

if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
	dpkg --triggers-only --pending
fi

I'm not sure that it's possible to run dpkg as a non-superuser. So this change runs update-ca-certificates as root separately to running the rest of the Dependabot commands.

@JamieMagee JamieMagee requested review from a team as code owners June 24, 2025 16:29
jakecoffman
jakecoffman approved these changes Jun 24, 2025
View reviewed changes
Copy link
Member

@jakecoffman jakecoffman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good. We can do some cleanup to the Dockerfiles since we won't need the dependabot user to have write access anymore.

Also before merging the Ubuntu bump we'll need to make this same change in dependabot-action.

@JamieMagee JamieMagee added this pull request to the merge queue Jun 24, 2025
Merged via the queue into main with commit 14750ba Jun 24, 2025
78 checks passed
@JamieMagee JamieMagee deleted the jamiemagee/update-ca-certificates-root branch June 24, 2025 17:28
@JamieMagee JamieMagee mentioned this pull request Jun 24, 2025
Merged
@ByAgenT ByAgenT mentioned this pull request Sep 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakecoffman jakecoffman jakecoffman approved these changes

@ByAgenT ByAgenT ByAgenT approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JamieMagee @jakecoffman @ByAgenT