Bug#949976: p11-kit 0.23.19 breaks p11 certificate trust in Flatpak runtimes that have 0.23.18 or older

Simon McVittie smcv at debian.org
Wed Jan 29 12:36:32 GMT 2020

Control: retitle -1 p11-kit 0.23.19 breaks p11 certificate trust in Flatpak runtimes that have 0.23.18 or older

On Mon, 27 Jan 2020 at 22:09:34 +0100, Vincent Bernat wrote:
> Upgrading p11-kit to 0.23.19 breaks many Flatpaks, including Steam and
> Spotify. It seems Flatpak is using p11-kit-remote and the on-wire
> format was updated, but the details are a bit fuzzy. This can be
> solved by downgrading to in testing.

More specifically, it breaks certificate trust in libraries and
applications inside the runtime if they are linked to p11-kit older
than 0.23.19. In particular this affects anything that uses GNUTLS,
notably the GNOME stack.

The maintainers of the freedesktop-sdk (org.freedesktop.Platform) base
Flatpak runtime seem to be addressing this by upgrading the version
inside the runtime to p11-kit 0.23.19, which means this will not be
reproducible with newer versions of that runtime, or runtimes like
org.gnome.Platform that are based on it. However, it would (I think)
continue to be a problem for Flatpak runtimes based on other sources of
packages, for example based on Debian 10.

For context, if you don't know Flatpak: it's an app containerization
framework, which runs a user-facing app like Steam or Spotify in a
container. The container's /usr is a "runtime" chosen to match the app,
which can be any distribution, but is usually based on a reference runtime
called "org.freedesktop.Platform" provided by the freedesktop-sdk project.
To make the app work, various things from the host system, like the X11,
Wayland, D-Bus and PulseAudio sockets, are made available inside the
container, either unrestricted or via a filtering proxy. One of the aspects
of the host system that is injected into the container is p11-kit's idea
of the certificates that ought to be trusted.

The structure of what's going on is:

- Outside the container, Flatpak runs the equivalent of:

    p11-kit server --sh -n SOME_PATH --provider p11-kit-trust.so "pkcs11:model=p11-kit-trust?write-protected=yes"

- Flatpak makes the socket SOME_PATH available inside the container it creates

- Inside the container, Flatpak writes out
  /etc/pkcs11/modules/p11-kit-trust.module containing:

    # This overrides the runtime p11-kit-trusted module with a client one talking to the trust module on the host
    module: p11-kit-client.so

- The result should be that the p11-kit-client.so module provided by the
  container runtime talks to the server provided by the host system.

- However, in fact p11-kit-client.so 0.23.18 or older fails to communicate
  with "p11-kit server" 0.23.19 or newer.

Short-term reproducer:

- Have Flathub as a Flatpak remote, for example:

    flatpak --user remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

- Have a Flatpak runtime that does not have p11-kit >= 0.23.19,
  for example at the time of writing this one doesn't:

    flatpak --user install flathub org.freedesktop.Platform//18.08

  (In the version I tested, `/etc/os-release` inside the runtime says
  it's version 18.08.39.)

- Get an interactive prompt in a container with networking enabled:

    flatpak run --command=bash --share=network org.freedesktop.Platform//18.08

- In the container, curl https://example.com

- In the container, gnutls-cli -p 443 example.com

Expected result:

- curl successfully validates example.com's cert
- gnutls-cli successfully validates example.com's cert

Actual result:

- curl successfully validates example.com's cert
- gnutls-cli *does not* successfully validate example.com's cert:
   "Status: The certificate is NOT trusted. The certificate issuer is unknown."

I hope this explanation helps. Please report a flatpak bug (upstream or
in Debian) if there is something that Flatpak needs to do differently to
make this work better.
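
A triage aid for the failure described in this message, added here as an example and not part of the original mail, Flatpak or p11-kit: the shell functions below decide whether a host/runtime p11-kit version pair falls in the range the report names, and whether captured curl and gnutls-cli results match the reported symptom. The function names and the idea of passing Debian-style version strings are assumptions; `sort -V` requires GNU coreutils.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires sort -V (GNU coreutils).

# upstream_ver VERSION: drop a Debian epoch and revision ("0.23.19-1" -> "0.23.19").
upstream_ver() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# ver_lt A B: succeeds if version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# pairing_affected HOST_VER RUNTIME_VER
# Succeeds for the combination in the report: "p11-kit server" on the host is
# 0.23.19 or newer while p11-kit-client.so in the runtime is 0.23.18 or older.
pairing_affected() {
    host_v=$(upstream_ver "$1")
    runtime_v=$(upstream_ver "$2")
    ! ver_lt "$host_v" 0.23.19 && ver_lt "$runtime_v" 0.23.19
}

# classify CURL_EXIT GNUTLS_CLI_OUTPUT
# Labels the outcome of the two reproducer commands run inside the container.
# The reported symptom is: curl validates the cert, gnutls-cli reports an
# unknown issuer.
classify() {
    if printf '%s\n' "$2" | grep -q 'The certificate issuer is unknown'; then
        if [ "$1" -eq 0 ]; then
            echo p11-trust-mismatch-symptom
        else
            echo both-failed
        fi
    elif [ "$1" -eq 0 ]; then
        echo ok
    else
        echo curl-failed-only
    fi
}
```

Inside the container, `classify` would be fed the exit status of `curl https://example.com` and the captured output of `gnutls-cli -p 443 example.com`.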
