flathub / com.valvesoftware.Steam

https://flathub.org/apps/details/com.valvesoftware.Steam

Certain games failing to fully launch (Elder Scrolls Online and Origin/Mass Effect:Andromeda) #719

Open kratosok opened 3 years ago

kratosok commented 3 years ago

Game information: Elder Scrolls Online and Origin/Mass Effect: Andromeda

Distribution name and version where applicable: Fedora 33, Fedora Silverblue, Parrot OS

Flatpak info: Flatpak 1.10.1; flatpak --gl-drivers output: default, host

Problem description: Certain games failing to fully launch (Elder Scrolls Online and Origin/Mass Effect: Andromeda). This seems to be related to Thawte SSL certs failing auditing and being removed from distros as trusted certs:

https://bugs.gentoo.org/727262
https://www.reddit.com/r/debian/comments/hwdht8/how_to_add_3_missing_certificate_to_debian/
https://www.thawte.com/roots/

Because this is actually at the host level and flatpak has its own filesystem layers, it seems like this might be fixable in the flatpak in an easier fashion. I found, as a test, that if I copied the certificates.crt from Manjaro, I was able to launch (see attached ca-certificates.crt.txt). But ideally I wouldn't want the untrusted certs usable by the rest of the host system.

Does this issue reproduce with native Steam: Yes

nanonyme commented 3 years ago

Okay, so this is about code-signing certificates, not server trust certificates. I can't immediately think of how to work around this in flatpak. We can't really manipulate /etc that much.

kratosok commented 3 years ago

Yea, I don't know on the signing what to do other than approach it from the certificate store angle: "If you still need specific now-removed certificates for Steam games, you should add those certificates to /usr/local/share/ca-certificates and then run update-ca-certificates."

Is there a workaround that might function in adding those Thawte certs back in at the flatpak or Steam layers?

I've thought about changing the ca-certificates.crt in the Steam and flatpak directories, but I'm concerned about breaking things:

/vol/SteamLibrary/steamapps/common/SteamLinuxRuntime/scout_0.20201022.1/files/etc/ssl/certs/ca-certificates.crt
/vol/SteamLibrary/steamapps/common/SteamLinuxRuntime_soldier/soldier_0.20210126.1/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/19.08/beb2c76da871c6d3b2a2e696869239392d7b5a05e7650c9fe7693cd3fade50fc/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/20.08/bba8b9e2367b0521f9e052298c9e3a9f6f95ba03488453a41534d49d79ee5d14/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.freedesktop.Platform.Compat.i386/x86_64/20.08/ac7446adcfe623bfb3d63b8a01eab4d57eaeca5a03e8dc36d4042fb940a5ffb6/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.gnome.Platform/x86_64/3.36/bb49070cecd109e9195efb0368a44e87c4edb52f665702521b1022be1d68434c/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.gnome.Platform/x86_64/3.38/5b3751eb9186cc8fe8d904602ce66304cf7389d6f764e9f714312b08076923fe/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.gnome.Platform.Compat.i386/x86_64/3.38/6dc899e046d41a7978b7cf0ad418766523d63847620f27007819d82258032afa/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.gnome.Sdk/x86_64/3.38/3065f12f893f5e7c755f1f98c9b676baa140b2e3a948681ff3a02da346ddcfd1/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.gnome.Sdk.Debug/x86_64/3.38/785bced95ec7dc6c63f39aac4719175f248b1f919f89354abeda2d4c29cb6ddb/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.kde.Platform/x86_64/5.14/36fc25152954e8954a1a7411f849e7270c8655b00b1af01032c70af482419d34/files/etc/ssl/certs/ca-certificates.crt
/lib/flatpak/runtime/org.kde.Platform/x86_64/5.15/35f0da737e7ccce5a0fc9b4b0800cee2915dba066ddc0eae5d77ee30e49a780a/files/etc/ssl/certs/ca-certificates.crt
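Before replacing any of the ca-certificates.crt files listed above with a bundle copied from another distro, the two bundles can be compared by certificate fingerprint to see exactly which roots the copy would add or drop. The following is an added example, not part of the original thread or of the project's code; the function names are hypothetical and the sample bundles are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def bundle_fingerprints(pem_text):
    """Map SHA-256 fingerprint (hex) -> first position in a PEM bundle."""
    found = {}
    for index, match in enumerate(PEM_RE.finditer(pem_text)):
        # The base64 body may be wrapped with LF or CRLF; drop all whitespace.
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)
        # Hash of the DER bytes; duplicates in the bundle collapse to one entry.
        found.setdefault(hashlib.sha256(der).hexdigest(), index)
    return found

def diff_bundles(reference_pem, candidate_pem):
    """Return (added, missing): fingerprints only in candidate / only in reference."""
    ref = bundle_fingerprints(reference_pem)
    cand = bundle_fingerprints(candidate_pem)
    return sorted(set(cand) - set(ref)), sorted(set(ref) - set(cand))

def to_pem(der):
    """Wrap raw bytes as a PEM certificate block (used to build sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes standing in for DER certificates.
ROOT_A = b"constructed-root-A" * 8
ROOT_B = b"constructed-root-B" * 8
REMOVED_ROOT = b"constructed-removed-root" * 8

# Stand-in for a runtime's bundle after the root was dropped.
RUNTIME_BUNDLE = to_pem(ROOT_A) + to_pem(ROOT_B)
# Stand-in for a bundle copied from elsewhere: one extra root (CRLF-wrapped),
# a comment line, and a duplicate entry.
COPIED_BUNDLE = (to_pem(ROOT_A) + "# label line\n"
                 + to_pem(REMOVED_ROOT).replace("\n", "\r\n")
                 + to_pem(ROOT_B) + to_pem(ROOT_A))

if __name__ == "__main__":
    added, missing = diff_bundles(RUNTIME_BUNDLE, COPIED_BUNDLE)
    print("only in copied bundle:", added)
    print("only in runtime bundle:", missing)
```

To compare real files, pass the text of two ca-certificates.crt files to `diff_bundles`; each fingerprint in `added` is a root the copied bundle would newly trust.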

nanonyme commented 3 years ago

Basically a specific file here is cryptographically signed. Trust is based on installed root CA. Now that it's gone, that file's signature is invalid and your game will no longer function. I don't really know a good solution.