Bug#823590: ca-certificates: Having changed the keystore password (for server's security reasons), update crashes

Luca Capello luca.capello at unige.ch
Thu Apr 2 14:27:25 BST 2020


tags 823590 - important + wishlist
found 823590 20190405
thanks

Hi there,

On Fri, 04 May 2018 22:58:16 +0200, Emmanuel Bourg wrote:
> Why are you changing the password of a keystore holding the public keys
> of the certification authorities? There is nothing secret inside.

Not speaking for Guillaume, but the Debian package explicitly supports
this configuration, for more than 10 years now:
```
root at harlock:~# zless /usr/share/doc/ca-certificates-java/changelog.gz 
[...]
ca-certificates-java (20081022) unstable; urgency=low

  * debian/jks-keystore.hook:
    - Don't stop after first error during the update. LP: #244412.
      Closes: #489748.
    - Call keytool with -noprompt.
  * On initial install, add locally added certificates. LP: #244410.
    Closes: #489748.
  * Install /etc/default/cacerts to set options:
    - storepass, holding the password for the keystore.
    - updates, to enable/disable updates of the keystore.
  * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587.

 -- Matthias Klose <doko at ubuntu.com>  Wed, 22 Oct 2008 20:51:24 +0200
[...]
root at harlock:~# ls -ld /etc/default/cacerts 
-rw------- 1 root root 384 Apr  2 14:03 /etc/default/cacerts
root at harlock:~# cat /etc/default/cacerts 
# defaults for ca-certificates-java

# The password which is used to protect the integrity of the keystore.
# storepass must be at least 6 characters long. It must be provided to
# all commands that access the keystore contents.
# Only change this if adding private certificates.
#storepass=''

# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
cacerts_updates=yes
root at harlock:~# 
```

Never mind: what Guillaume experienced is the expected behavior; the
fact that Guillaume would have liked a prompt for the password is a
wishlist feature, bug updated accordingly.

BTW, this is still true on buster as well (bug updated accordingly),
thanks to Pierre Deshayes here at unige.ch for the notice.

Thx, bye,
Luca

-- 
Dr. Luca Capello
Ingénieur HPC
Division du Système et des Technologies de l'Information et de la Communication
Université de Genève | 24 rue Général-Dufour
Tél +41 22 379 72 42 | Bureau 151
https://hpc-community.unige.ch
mailto:luca.capello at unige.ch
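As an added example (not code from the Debian package, the update hook, or this post), the following POSIX shell check reads storepass from /etc/default/cacerts the way a sourcing hook would and verifies that it actually opens /etc/ssl/certs/java/cacerts, which is exactly the mismatch behind the crash reported in this bug: the keystore password was changed with keytool but the defaults file was not. It assumes that an unset or empty storepass falls back to "changeit", Java's conventional cacerts password (an assumption, not stated on the page); the paths are the ones shown in the post, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of ca-certificates-java or the mailing-list post.
# Checks that the storepass configured in /etc/default/cacerts opens the
# Java keystore maintained by ca-certificates-java, so an update hook that
# calls keytool with that password does not fail after an administrator has
# changed the keystore password with `keytool -storepasswd`.

# Assumption (not stated on the page): an unset or empty storepass falls
# back to "changeit", the conventional password of a Java cacerts store.
DEFAULT_STOREPASS=changeit

# Print the effective keystore password for a given defaults file. The file
# is a shell fragment (see the cat output in the post), so it is sourced;
# a missing, commented-out or empty storepass yields the default.
effective_storepass() {
    defaults_file=$1
    storepass=""
    if [ -f "$defaults_file" ]; then
        # shellcheck disable=SC1090
        . "$defaults_file"
    fi
    printf '%s\n' "${storepass:-$DEFAULT_STOREPASS}"
}

# Succeed when keystore updates are enabled (cacerts_updates=yes) in the
# given defaults file; a missing setting counts as enabled.
updates_enabled() {
    defaults_file=$1
    cacerts_updates=yes
    if [ -f "$defaults_file" ]; then
        # shellcheck disable=SC1090
        . "$defaults_file"
    fi
    [ "$cacerts_updates" = yes ]
}

# Verify that the configured password opens the keystore.
# Returns 0 when keytool can list the store, 1 when the password does not
# match (the situation in this bug), 2 when keytool or the store is missing.
check_keystore_password() {
    keystore=${1:-/etc/ssl/certs/java/cacerts}
    defaults_file=${2:-/etc/default/cacerts}
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    [ -f "$keystore" ] || { echo "keystore $keystore not found" >&2; return 2; }
    pass=$(effective_storepass "$defaults_file")
    if keytool -list -keystore "$keystore" -storepass "$pass" >/dev/null 2>&1; then
        echo "ok: storepass from $defaults_file opens $keystore"
        return 0
    fi
    echo "mismatch: storepass from $defaults_file does not open $keystore" >&2
    echo "either set storepass='<current password>' in $defaults_file," >&2
    echo "or reset the store with: keytool -storepasswd -keystore $keystore" >&2
    return 1
}
```

Source the file and run `check_keystore_password` as root before `update-ca-certificates`; a return of 1 means the defaults file and the keystore disagree, which is the state this bug describes, and the remedy is to put the new password in storepass (the file is root-only, mode 0600 as shown above) rather than to leave the hook guessing.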