UB
Universal Blue10mo ago
JeremyGraeme

So investigating the steam flatpak

So investigating the steam flatpak xplane plane activation issues I'm running into, and I think I have a TLS/Handshake style bug. Or something in the realm of certs. If I recall correctly, flatpak gets its certs from system, correct? Do we potentially have not all of the root certs?
14 Replies
bsherman
bsherman10mo ago
we have all the same certs as Silverblue proper... I'm sorry I haven't tracked any earlier messages about this topic. Is the problem present on Silverblue as well as Universal Blue based images?
JeremyGraeme
JeremyGraeme10mo ago
I don't know, havent' really checked into that aspect. Last time I tried rebasing straight across to silverblue was unpleasant. Comparing between bazzite-arch and bluefin, though, I do notice we're missing some .. like 
```
Sectigo_Public_Server_Authentication_Root_E46.pem
Sectigo_Public_Server_Authentication_Root_R46.pem
```
Sectigo_Public_Server_Authentication_Root_E46.pem
Sectigo_Public_Server_Authentication_Root_R46.pem
which for one of the planes I'm trying in xplane is where the authentication server is at xcrafts.b-cdn.net Or rather the cert for it.
bsherman
bsherman10mo ago
interesting... which image is missing the cert?
JeremyGraeme
JeremyGraeme10mo ago
bluefin-dx-nvidia
bsherman
bsherman10mo ago
can you see which RPM package owns that file?
JeremyGraeme
JeremyGraeme10mo ago
I can't see any that own it. It's not in ca-certificates Seems to have been added in here *Wed Oct 04 2023 Robert Relyea <[email protected]> 2023.2.62_v7.0.401-2 fedora 39 seems to be on version .60 of the file
bsherman
bsherman10mo ago
i'm missing something... the pem file is present but not owned by an RPM?
JeremyGraeme
JeremyGraeme10mo ago
The PEM file is not present in fedora 39 It's present in FC 40, though arch has had it forever bazzite-arch OCI has it present
bsherman
bsherman10mo ago
ah! i missed "bazzite-arch" and just saw bazzite
JeremyGraeme
JeremyGraeme10mo ago
It's in ca-certificates 2023.2.62 but not ca-certificates 2023.2.60 which is what FC39 is on
bsherman
bsherman10mo ago
that's pretty interesting
JeremyGraeme
JeremyGraeme10mo ago
Sadly overlaying is unhappy 
error: Could not depsolve transaction; 1 problem detected:
 Problem: cannot install both ca-certificates-2023.2.62_v7.0.401-4.fc40.noarch from @commandline and ca-certificates-2023.2.60_v7.0.306-2.fc39.noarch from @System
  - conflicting requests
error: Could not depsolve transaction; 1 problem detected:
 Problem: cannot install both ca-certificates-2023.2.62_v7.0.401-4.fc40.noarch from @commandline and ca-certificates-2023.2.60_v7.0.306-2.fc39.noarch from @System
  - conflicting requests
So I guess what I'm curious about is if there's a way to add certs so that flatpak picks them up
bsherman
bsherman10mo ago
JeremyGraeme
JeremyGraeme10mo ago
I think there may be a way with update-ca-trust and moving the certs to /etc/pki/ca-trust/source/anchors Though this may be an incorrect rabbithole anyway. All I have found for sure is when I turn off networking when trying to fly a DRM'd plane that has already been authorized, the plane works, and that when I leave networking on, something in the call home messes things up with a bad get_ssl_peer And with a different plane, it seems to have TLS / handshake errors
Want results from more Discord servers?
Add your server