flathub / cc.arduino.IDE2

https://flathub.org/apps/details/cc.arduino.IDE2

Failed to verify certificate: x509 #69

Closed franzos closed 9 months ago

franzos commented 9 months ago

Hi, I installed the IDE from Flathub CLI but it's not working as expected. When I launch it, all I get is a loading? window, with the following logs:

2023-11-20T15:19:13.504Z root ERROR Detected an error response during the gRPC core client initialization: code: 3, message: Error downloading index 'https://downloads.arduino.cc/libraries/library_index.tar.bz2': Get "https://downloads.arduino.cc/libraries/library_index.tar.bz2": tls: failed to verify certificate: x509: certificate signed by unknown authority

I've been able to resolve this by running it like this (guix):

SSL_CERT_DIR=/etc/ssl/certs flatpak run cc.arduino.IDE2

Is this an issue with Arduino? It only seems to affect specific Flatpak apps like torbrowser-launcher and this; other apps that rely on Internet access work smoothly without additional work.

SuperNinja-4965 commented 9 months ago

Is your system up to date? Also would you be able to tell me what distribution you are running?

franzos commented 9 months ago

> Is your system up to date? Also would you be able to tell me what distribution you are running?

I'm on a GuixSD derivative. The system is up to date; it's a rolling dist, so it should have recent packages.

Linux panther 6.5.11 #1 SMP PREEMPT_DYNAMIC 1 x86_64 GNU/Linux

Anything in particular I should be looking for?

SuperNinja-4965 commented 9 months ago

In an attempt to determine if this is a Flatpak-specific issue, an issue with your setup/config or an issue with the app, would you be able to test the app outside of the Flatpak environment? (You can download the zip from Arduino's website.)

franzos commented 9 months ago

That's a good point, thanks!

I started working on this today, but couldn't get it to run yet, so I'll just share what I have till now and will follow up when I've got more time / if anyone else stumbles over this.

guix shell --container --emulate-fhs \
  glib nss nspr atk cups libdrm gtk+ alsa-lib coreutils \
  -e $'(list (@@ (gnu packages gcc) gcc) "lib")' \
  --preserve='^DISPLAY$' --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
  --preserve='^DBUS_' --expose=/var/run/dbus \
  --expose=/sys/dev --expose=/sys/devices --expose=/dev/dri \
  --network

In this env. the app fails with:

./arduino-ide 
Arduino IDE 2.2.1
Checking for frontend application configuration customizations. Module path: /tmp/arduino-ide_2.2.1_Linux_64bit/resources/app/lib/backend/electron-main.js, destination 'package.json': /tmp/arduino-ide_2.2.1_Linux_64bit/resources/app/package.json
Trace/breakpoint trap
[39:0100/000000.033393:ERROR:zygote_linux.cc(622)] Zygote could not fork: process_type gpu-process numfds 3 child_pid -1
[39:0100/000000.033457:ERROR:zygote_linux.cc(654)] write: Broken pipe (32)

Def. related to the env, not Arduino.

SuperNinja-4965 commented 9 months ago

> [39:0100/000000.033393:ERROR:zygote_linux.cc(622)] Zygote could not fork: process_type gpu-process numfds 3 child_pid -1

If I remember correctly, this error is caused by Chromium's sandboxing. Flatpak fixes this by making use of Zypak (https://github.com/refi64/zypak), which is included in the Electron 2 Base App flatpak package. However, if you wish to continue testing this in the sandbox you have created, you can disable Chromium's sandboxing with --no-sandbox, and if it becomes an issue you can also disable GPU sandboxing using --disable-gpu-sandbox. However, disabling the sandboxing isn't advisable and you won't be running the app as natively as possible.

franzos commented 9 months ago

I appreciate your detailed input.

> if you wish to continue testing this in the sandbox you have created

Without would be difficult due to non-standard paths like /gnu/store/znx6vjadh4az7fzxz7x649ki9qzqnjp3-glib-2.72.3/lib, which --emulate-fhs is meant to work around using the sandbox. I will try to figure out if there's a good way to add all the related dependencies to LD_LIBRARY_PATH to run without sandbox.

As for arduino, --no-sandbox doesn't seem to make a difference, but this does away with the gpu related errors, but the application crashes:

$ /arduino-ide --disable-gpu-sandbox          
Arduino IDE 2.2.1
Checking for frontend application configuration customizations. Module path: /tmp/arduino-ide_2.2.1_Linux_64bit/resources/app/lib/backend/electron-main.js, destination 'package.json': /tmp/arduino-ide_2.2.1_Linux_64bit/resources/app/package.json
Trace/breakpoint trap

I tried --log-level=trace but this is all I get; also played with the dependencies but no difference.

Anyway, totally out of scope of this issue :) I will try a few more things tomorrow.

franzos commented 9 months ago

Ran into this again today; interestingly, SSL_CERT_DIR is already set in the env:

env | grep SSL_CERT_DIR
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs

and /run/current-system/profile/etc/ssl/certs and /etc/ssl/certs are basically identical.

SuperNinja-4965 commented 9 months ago

> Ran into this again today; Interestingly SSL_CERT_DIR is already set in the env:
>
> env | grep SSL_CERT_DIR
> SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
>
> and /run/current-system/profile/etc/ssl/certs and /etc/ssl/certs are basically identical.

When you say basically identical, what is your comparison criteria? Remember these are root certificates that do expire and need updating, so could it be the system isn't updating the certs properly?

franzos commented 9 months ago

> When you say basically identical what is your comparison criteria?

These are just symlinks, so they are pointing to the same source files; that's why I'm wondering why it would make a difference.

ls -lh /etc/ssl/certs
total 1.3M
...
lrwxrwxrwx 1 root root 104 Jan  1  1970  ANF_Secure_Server_Root_CA.pem -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ANF_Secure_Server_Root_CA.pem
lrwxrwxrwx 1 root root 100 Jan  1  1970  Atos_TrustedRoot_2011.pem -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/Atos_TrustedRoot_2011.pem
lrwxrwxrwx 1 root root 136 Jan  1  1970  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
...
ls -lh /run/current-system/profile/etc/ssl/certs
total 1.3M
...
lrwxrwxrwx 1 root root 104 Jan  1  1970  ANF_Secure_Server_Root_CA.pem -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ANF_Secure_Server_Root_CA.pem
lrwxrwxrwx 1 root root 100 Jan  1  1970  Atos_TrustedRoot_2011.pem -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/Atos_TrustedRoot_2011.pem
lrwxrwxrwx 1 root root 136 Jan  1  1970  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
...

Also tried this now, without luck:

SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs flatpak run cc.arduino.IDE2

So strange!
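
One way to turn "basically identical" into a concrete comparison criterion, as an added example that is not part of the original thread: the function below compares two certificate directories by the bytes behind each entry rather than by their listings, and reports symlinks whose targets cannot be reached from the current process. The function name and output format are assumptions of this example; it relies on sha256sum and readlink from coreutils.

```shell
#!/bin/sh
# Added example (not from the thread). compare_cert_dirs is a hypothetical helper.
# Prints one line per finding and ends with a summary line:
#   same=N differ=N only_a=N only_b=N dangling=N
compare_cert_dirs() {
    a=$1; b=$2
    same=0; differ=0; only_a=0; only_b=0; dangling=0
    # Pass 1: symlinks that exist but whose target is not reachable here.
    for f in "$a"/* "$b"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling: $f -> $(readlink "$f")"
            dangling=$((dangling + 1))
        fi
    done
    # Pass 2: compare the content behind each readable entry of A with B.
    for f in "$a"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$b/$name" ]; then
            echo "only in $a: $name"; only_a=$((only_a + 1))
        elif [ "$(sha256sum < "$f")" = "$(sha256sum < "$b/$name")" ]; then
            same=$((same + 1))
        else
            echo "content differs: $name"; differ=$((differ + 1))
        fi
    done
    # Pass 3: readable entries that exist only in B.
    for f in "$b"/*; do
        [ -f "$f" ] || continue
        if [ ! -f "$a/${f##*/}" ]; then
            echo "only in $b: ${f##*/}"; only_b=$((only_b + 1))
        fi
    done
    echo "same=$same differ=$differ only_a=$only_a only_b=$only_b dangling=$dangling"
}

# Stand-alone use: sh compare.sh DIR_A DIR_B
if [ "$#" -eq 2 ]; then
    compare_cert_dirs "$1" "$2"
fi
```

A symlink can resolve in one environment and dangle in another, so the result is only meaningful for the process namespace the script runs in; run it from a shell inside the environment where verification fails as well as on the host.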

franzos commented 9 months ago

It looks like the issue has resolved itself with recent updates; I can now run

flatpak run cc.arduino.IDE2

Surely learned a thing or two here. Thanks again!