Open Informatic opened 2 years ago
webOS 3.8 / K3LP:
This works when dropped into /var/lib/webosbrew/init.d and made executable:
https://gist.github.com/Informatic/d7bcdd59eac16ffbffd3a5b5c24b4195
Works for WebAppMgr apps, though may need initctl restart WebAppMgr (or systemd equivalent), since it seems they cache these during startup. Does not work on com.webos.app.browser at all (probably it has its own store hidden somewhere)
Even though these bindmounts/overlays are propagated down to native app jails, RetroArch seems to not like that setup. Seems like I was mistaken, and RetroArch works fine (just all the downloads were marked as experimental...)
Does not work on com.webos.app.browser at all (probably it has its own store hidden somewhere)
Presumably in /media/system/apps/usr/palm/applications/com.webos.app.browser/lib/libnssckbi.so (or any other folder containing libnssckbi.so)
That is indeed the case - certs can be added to read-only nss database via:
certutil -d /etc/pki/nssdb/ -A -t 'C,,' -n CA -i /usr/share/ca-certificates/...
/etc/pki/nssdb needs to be writable (i.e. overlay). WebAppMgr also seems to use that database on webOS 5.x.
Additionally, that directory is missing from native app jail config, and thus, as a quick workaround, it needs to be copied over to a respective jail directory:
cp -r /etc/pki /var/palm/jail/com.webos.app.browser/etc/pki
Some additional info from my own research, in case it's useful: The "sdx" process that runs on the TV gets its CA certificates from /usr/share/ca-certificates/sdp/sdp-ca.pem, not from the NSS DB or ca-certificates.crt.
The case of TLS CA management on webOS is all over the place. Random scripts shared around that mangle our glorious startup.sh, and still don't actually work properly.

The biggest issue is that just bindmounting over rootfs is not enough for these to apply properly for app jails as well - jailer configuration needs to be adjusted as well, preferably early during boot (or we need a daemon to detect new jails and update certs there as well...)
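The thread names several independent trust stores (the sdp-ca.pem file read by sdx, ca-certificates.crt, and the NSS database that must also exist inside each app jail). The script below is an added example, not part of the original issue or the gist: it reports which PEM stores contain a given CA and which jails have no etc/pki/nssdb of their own. The ca-certificates.crt location, the jail name org.example.app and the fake base64 bodies are assumptions; it does not inspect the contents of the NSS database itself.

```shell
# Added example: audit where a custom CA is actually trusted under a rootfs prefix.

# Emit one PEM certificate block whose body lines are the arguments.
pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$@" '-----END CERTIFICATE-----'; }

# Print every certificate in a PEM file as one line of base64 (armor/line breaks removed).
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inb) print body; inb = 0; next }
         inb { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# 0 if the first certificate in $1 is in bundle $2, 1 if not, 2 if unreadable/empty.
pem_in_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$2" | grep -Fxq -e "$want"
}

# List jails under $1/var/palm/jail that have no etc/pki/nssdb of their own.
jails_missing_nssdb() {
    for jail in "$1"/var/palm/jail/*/; do
        [ -d "$jail" ] || continue
        [ -d "${jail}etc/pki/nssdb" ] || basename "$jail"
    done
}

# Report per store. $1 = rootfs prefix ("" for the live system), $2 = CA in PEM form.
audit_ca() {
    # The sdp path is from the thread; the ca-certificates.crt location is an assumption.
    for store in usr/share/ca-certificates/sdp/sdp-ca.pem etc/ssl/certs/ca-certificates.crt; do
        pem_in_bundle "$2" "$1/$store" && rc=0 || rc=$?
        case $rc in 0) state=present;; 1) state=MISSING;; *) state=unreadable;; esac
        echo "$state /$store"
    done
    jails_missing_nssdb "$1" | sed 's/^/no-nssdb jail: /'
}

# Constructed sample tree (fake base64 bodies, not real certificates).
make_sample_tree() {
    mkdir -p "$1/usr/share/ca-certificates/sdp" "$1/etc/ssl/certs" \
        "$1/var/palm/jail/com.webos.app.browser/etc" "$1/var/palm/jail/org.example.app/etc/pki/nssdb"
    pem QUFB QkJC > "$1/my-ca.pem"
    pem WFhY > "$1/usr/share/ca-certificates/sdp/sdp-ca.pem"
    { pem WFhY; pem QUFBQkJC; } > "$1/etc/ssl/certs/ca-certificates.crt"
}

tmp=$(mktemp -d) && make_sample_tree "$tmp" && audit_ca "$tmp" "$tmp/my-ca.pem"
```

On the sample tree the CA is found in ca-certificates.crt even though the bundle wraps its base64 differently, is reported missing from sdp-ca.pem, and the browser jail is flagged as having no NSS database directory.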