msys2 / MSYS2-packages

Package scripts for MSYS2.
https://packages.msys2.org
BSD 3-Clause "New" or "Revised" License

Pacman does not work properly with our corporate certificate #4523

Open JaFojtik opened 2 months ago

JaFojtik commented 2 months ago

I have followed all recommendations for using corporate certificates. Unfortunately I cannot make pacman work properly.

I have asked our IT department and they gave me this certificate: zsc.zip; it also does not work. PEMs from Firefox: PEM.zip

One guy from our IT told me that pacman needs the corporate certificate to be root signed. This corporate certificate is only self-signed; it comes from the external company Zscaler and we cannot do anything with it.

$ pacman -Fy widl.exe
error: mingw32: missing required signature
error: mingw64: missing required signature
error: ucrt64: missing required signature
error: clang32: missing required signature
error: clang64: missing required signature
error: msys: missing required signature
:: Synchronizing package databases...
error: failed to synchronize all databases (unable to lock database)

error: database 'clangarm64' is not valid (invalid or corrupted database (PGP signature))
error: database 'mingw32' is not valid (invalid or corrupted database (PGP signature))
error: database 'mingw64' is not valid (invalid or corrupted database (PGP signature))
error: database 'ucrt64' is not valid (invalid or corrupted database (PGP signature))
error: database 'clang32' is not valid (invalid or corrupted database (PGP signature))
error: database 'clang64' is not valid (invalid or corrupted database (PGP signature))
error: database 'msys' is not valid (invalid or corrupted database (PGP signature))

Is it possible to completely turn off SSL verification?

Biswa96 commented 2 months ago

Does the workaround mentioned here work?

JaFojtik commented 2 months ago

No. Our guy from IT told me that the problem is probably that pacman rejects the corporate self-signed certificate. There is no line about corporate self-signed and root-signed necessity. I get no debug info that a certificate is not accepted.

I have tried both the certificates extracted from Firefox and the certificate from our IT.

Lubixxx commented 2 months ago

Hello,

I do not understand the problem. As I understand it, a ROOT certificate is always self-signed. Is this problem solvable with this SSL inspection in the way?

Thank you.

Here is part of error messages:

$ pacman -Sy
:: Synchronizing package databases...
 clangarm64.db failed to download
 mingw32.db failed to download
 mingw64.db failed to download
 ucrt64.db failed to download
 clang32.db failed to download
error: failed retrieving file 'mingw32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from mirror.msys2.org, skipping for the remainder of this transaction
error: failed retrieving file 'clangarm64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'ucrt64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from repo.msys2.org, skipping for the remainder of this transaction


And here is the certificate chain as listed by openssl s_client:

$ openssl s_client -proxy=127.0.0.1:9001 -connect repo.msys2.org:443 -showcerts
Connecting to 127.0.0.1
CONNECTED(00000004)
depth=3 C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
verify return:1
depth=2 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
verify return:1
depth=1 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
verify return:1
depth=0 CN=repo.msys2.org
verify return:1

Certificate chain
 0 s:CN=repo.msys2.org
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
[PEM certificate omitted]
 1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
[PEM certificate omitted]
 2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
   i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 5 05:33:19 2020 GMT; NotAfter: Jun 23 05:33:19 2041 GMT
[PEM certificate omitted]

Server certificate
subject=CN=repo.msys2.org
issuer=C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits

SSL handshake has read 3740 bytes and written 412 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CFEE67F2BEB534A5B21FD8AC39CBFB2F7C68C592022F10E29E293489A599DDF3
    Session-ID-ctx:
    Master-Key: 0E0C57C351E64C24DDA5471555890FFB5AFB3A870139E140AD663879D7F09278BF534C2FA1B0D930F0CE70C47E0B0C47
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1713184041
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
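As an added example (not code from this issue or from MSYS2), the Python below parses the `Certificate chain` block that `openssl s_client -showcerts` prints and predicts which OpenSSL verify result a client gets for it, depending on whether the chain's anchor is present in that client's CA store. The transcript is constructed from the chain shown in this thread; the variant with the root appended, and its dates, are invented.

```python
import re
from datetime import datetime
# Constructed transcript modelled on the `Certificate chain` block in this issue.
# PEM bodies are omitted; the parser ignores them anyway.
ZS_ROOT = "C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com"
ZS_INT = "C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com"
ZS_INT_T = "C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)"
SAMPLE = f"""Certificate chain
 0 s:CN=repo.msys2.org
   i:{ZS_INT_T}
   v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
 1 s:{ZS_INT_T}
   i:{ZS_INT}
   v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
 2 s:{ZS_INT}
   i:{ZS_ROOT}
   v:NotBefore: Jun  5 05:33:19 2020 GMT; NotAfter: Jun 23 05:33:19 2041 GMT
"""
# Constructed variant: the proxy also sends its self-signed root (dates invented).
SAMPLE_WITH_ROOT = SAMPLE + f" 3 s:{ZS_ROOT}\n   i:{ZS_ROOT}\n   v:NotBefore: Jun  5 05:33:19 2020 GMT; NotAfter: Jun 23 05:33:19 2041 GMT\n"
DATE = "%b %d %H:%M:%S %Y GMT"  # s_client validity format, e.g. "Apr 14 03:49:13 2024 GMT"

def parse_chain(text):
    """Return [{subject, issuer, not_before, not_after}, ...] in server-sent order."""
    chain = []
    for raw in text.splitlines():
        s = raw.strip()
        if re.match(r"^\d+ s:", s):                      # " 0 s:CN=..." starts a cert
            chain.append({"subject": s.split("s:", 1)[1].strip()})
        elif chain and s.startswith("i:"):
            chain[-1]["issuer"] = s[2:].strip()
        elif chain and s.startswith("v:"):
            nb, na = re.findall(r"Not(?:Before|After): ([^;]+)", s)
            chain[-1]["not_before"] = datetime.strptime(" ".join(nb.split()), DATE)
            chain[-1]["not_after"] = datetime.strptime(" ".join(na.split()), DATE)
    return chain

def cn(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else dn

def diagnose(chain, trusted_subjects):
    """Predict OpenSSL's verify result given the subject DNs in the client's CA store."""
    anchor = chain[-1]["issuer"]                 # the CA the store must contain
    if anchor in trusted_subjects:
        code, msg = 0, "ok"
    elif chain[-1]["subject"] == anchor:         # untrusted self-signed root was sent
        code, msg = 19, "self-signed certificate in certificate chain"
    else:                                        # issuer neither sent nor in the store
        code, msg = 20, "unable to get local issuer certificate"
    return {"anchor": cn(anchor), "code": code, "message": msg,
            "leaf_days": (chain[0]["not_after"] - chain[0]["not_before"]).days}
```

`diagnose(parse_chain(SAMPLE), set())` reports anchor `Zscaler Root CA` missing (code 20) and a 14-day leaf lifetime, a strong hint that a proxy re-signed the certificate, while a chain that also carries the self-signed root gives code 19, the `self-signed certificate in certificate chain` message pacman printed. Adding the anchor's subject to the trusted set turns both into `ok`, which is the trust-store fix as opposed to disabling verification; curl/pacman and the openssl CLI may consult different stores, which is how one can report OK while the other fails.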