So investigating the steam flatpak
So investigating the steam flatpak xplane plane activation issues I'm running into, and I think I have a TLS/Handshake style bug. Or something in the realm of certs. If I recall correctly, flatpak gets its certs from system, correct? Do we potentially not have all of the root certs?
we have all the same certs as Silverblue proper...
I'm sorry I haven't tracked any earlier messages about this topic.
Is the problem present on Silverblue as well as Universal Blue based images?
I don't know, haven't really checked into that aspect. Last time I tried rebasing straight across to silverblue was unpleasant.
Comparing between bazzite-arch and bluefin, though, I do notice we're missing some .. like
which for one of the planes I'm trying in xplane is where the authentication server is at xcrafts.b-cdn.net
Or rather the cert for it.
interesting... which image is missing the cert?
bluefin-dx-nvidia
can you see which RPM package owns that file?
I can't see any that own it. It's not in ca-certificates
Seems to have been added in here *Wed Oct 04 2023 Robert Relyea <[email protected]> 2023.2.62_v7.0.401-2
fedora 39 seems to be on version .60 of the file
i'm missing something... the pem file is present but not owned by an RPM?
The PEM file is not present in fedora 39
It's present in FC 40, though arch has had it forever
bazzite-arch OCI has it present
ah! i missed "bazzite-arch" and just saw bazzite
It's in ca-certificates 2023.2.62 but not ca-certificates 2023.2.60 which is what FC39 is on
that's pretty interesting
Sadly overlaying is unhappy
So I guess what I'm curious about is if there's a way to add certs so that flatpak picks them up
i see what you mean here: https://packages.fedoraproject.org/pkgs/ca-certificates/ca-certificates/fedora-rawhide.html
I think there may be a way with update-ca-trust and moving the certs to /etc/pki/ca-trust/source/anchors
Though this may be an incorrect rabbit hole anyway. All I have found for sure is when I turn off networking when trying to fly a DRM'd plane that has already been authorized, the plane works, and that when I leave networking on, something in the call home messes things up with a bad get_ssl_peer
And with a different plane, it seems to have TLS / handshake errors