(Apologies if you get this twice - I wasn't subscribed to wine-devel on this account, and apparently it didn't get moderated through.)
Folks, I'm hoping for feedback on how to get CA certificates into Wine's registry. We'll need them in order to verify signatures on things. A number of apps depend on this [1].
We have a few choices: 1. Include them in a .inf file and install them with wine. There are two problems with this that I see: Signatures are opaque (asn.1 encoded) and thus hard to verify, and there's a potential maintenance hassle. It's by far the simplest though.
2. We search for certificates installed locally and import them into the registry. The trouble with this is that different distros, and even different versions of the same distro, install them in different locations. There are also usually several potential sources on the same machine, installed by different apps, and it's not clear which certs are meant to be trusted and which are not. (For example, there are several "example" certs installed on my system, and I can identify them as such, but a tool would not be able to tell the difference.) We could write a script that checks in several likely locations, but that seems dangerous: one of those locations might inadvertently be world-writable, so an attacker could possibly put untrustworthy certificates there. 2.a. We write a tool to import local certs, but make you specify the path. Ugly, but punts the problem to the user.
3. We do what the distros do: get the certificates from Mozilla's CVS, and munge them into the right format. (Google for mkcabundle.pl) This is similar to what we do for the unicode tables, but it does introduce a dependency on CVS (or perhaps wget from a web CVS front end.)
I suppose I should mention there's another option: 4. We don't load certs in Wine at all, and don't implement certificate chain verification, but dynamically load openssl or gnutls and ask them to do it for us. I don't think this is simpler than the alternatives, as I've already put a fair amount of work into crypt32, but if none of the other options is acceptable I can look into it.
I'd very much appreciate feedback on which option seems the best, or, most likely to get committed ;) Thanks, --Juan
[1] Here's a partial list - there are more: Bug 5423, AOL AIM won't install, http://bugs.winehq.org/show_bug.cgi?id=5423 Bug 7892, iTunes startup, http://bugs.winehq.org/show_bug.cgi?id=7892 Bug 8870, Outlook can't open signed messages, http://bugs.winehq.org/show_bug.cgi?id=8870