Request for ca-certificates
andyj:
Going down yet another rabbit hole, I added -xv to the scripts and updated tce-setup to trace it. In update-ca-certificates this happens:
--- Code: ---
cleanup() {
rm -f "$TEMPBUNDLE"
rm -f "$ADDED"
rm -f "$REMOVED"
}
trap cleanup 0
+ trap cleanup 0
# Helper files. (Some of them are not simple arrays because we spawn
# subshells later on.)
TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
+ TEMPBUNDLE=/usr/local/etc/ssl/certs/ca-certificates.crt.new
ADDED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+ mktemp -p /tmp ca-certificates.tmp.XXXXXX
+ ADDED=/tmp/ca-certificates.tmp.aaaaaa
REMOVED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+ mktemp -p /tmp ca-certificates.tmp.XXXXXX
mktemp: File exists
+ REMOVED=
+ cleanup
+ rm -f /usr/local/etc/ssl/certs/ca-certificates.crt.new
+ rm -f /tmp/ca-certificates.tmp.aaaaaa
+ rm -f
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert.pem
+ ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert.pem
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/ca-bundle.crt
+ ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/ca-bundle.crt
--- End code ---
I see the last two links from the tce.installed/ca-certificates script, but they are red and broken. The script exits because mktemp throws a "file exists" error. Why does this not work from tce-setup, but it does from the CLI?
Rich:
Hi andyj
--- Code: ---
+ mktemp -p /tmp ca-certificates.tmp.XXXXXX
+ ADDED=/tmp/ca-certificates.tmp.aaaaaa
--- End code ---
Isn't .XXXXXX supposed to be replaced with a random sequence?
It looks like it's being replaced with .aaaaaa which doesn't look random.
I'm guessing the second time it's being called it's returning .aaaaaa again.
No entropy?
andyj:
Apparently my system doesn't have entropy when it starts which is why the script fails, but it does later which is why it works. This brings up a lot of questions, like why isn't there any entropy initially, and why does it have some later.
Rich:
Hi andyj
I noticed something. The 32 bit version of haveged does not have
a tce.installed file. That means it's not started until called after all
extensions have completed loading (bootsync, bootlocal?).
Meanwhile, ca-certificates and openssl do have tce.installed files,
which get executed in the order they were loaded after extensions
have finished loading. So update-ca-certificates gets run before
haveged has even been started.
The 64 bit version of haveged has this for tce.installed:
--- Code: ---
#!/bin/sh
haveged 1>/dev/null 2>&1 &
--- End code ---
GNUser:
--- Quote from: andyj on December 09, 2025, 06:40:30 AM ---Apparently my system doesn't have entropy when it starts which is why the script fails, but it does later which is why it works. This brings up a lot of questions, like why isn't there any entropy initially, and why does it have some later.
--- End quote ---
Hi andyj. Since version 5.4 the Linux kernel has a haveged-like mechanism for generating entropy, but it does so only after the kernel's random number generator (CRNG) is fully initialized. Maybe your setup needs entropy before the CRNG is initialized?
Take a look here: https://github.com/jirka-h/haveged/blob/master/README.md
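
One way to guard a boot-time script against the failure traced in this thread, as an added example that is not part of the original posts or of the ca-certificates extension: it waits for the kernel's entropy estimate before creating temp files and checks every mktemp result instead of continuing with an empty variable. The function names, the threshold and the retry count are assumptions; /proc/sys/kernel/random/entropy_avail is the standard Linux interface, and what value counts as "enough" depends on the kernel version.

```shell
#!/bin/sh
# Added example (not from the thread): guard temp-file creation at early boot.
# Function names, threshold and retry count are illustrative assumptions.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# wait_for_entropy MIN TRIES [DELAY]
# Returns 0 once the kernel's entropy estimate is >= MIN, 1 if it never is.
wait_for_entropy() {
    min="$1"; tries="$2"; delay="${3:-1}"
    while [ "$tries" -gt 0 ]; do
        avail="$(cat "$ENTROPY_FILE" 2>/dev/null)"
        case "$avail" in
            ''|*[!0-9]*) avail=0 ;;   # unreadable or non-numeric: treat as none
        esac
        [ "$avail" -ge "$min" ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep "$delay"
    done
    return 1
}

# safe_mktemp TEMPLATE
# Prints the new file's path. Fails with no output if mktemp fails or
# yields an empty or missing path, so a caller never receives "".
safe_mktemp() {
    path="$(mktemp -p "${TMPDIR:-/tmp}" "$1")" || return 1
    [ -n "$path" ] && [ -f "$path" ] || return 1
    printf '%s\n' "$path"
}

# make_helper_files
# Sets ADDED and REMOVED as in the traced script, or removes what was
# created and fails, so cleanup never runs "rm -f" on an empty name.
make_helper_files() {
    ADDED="$(safe_mktemp ca-certificates.tmp.XXXXXX)" || return 1
    REMOVED="$(safe_mktemp ca-certificates.tmp.XXXXXX)" || {
        rm -f "$ADDED"; ADDED=""; return 1
    }
    [ "$ADDED" != "$REMOVED" ]
}
```

A boot script would call `wait_for_entropy 128 30 && make_helper_files` before the certificate update and log the failure when either step returns non-zero.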