mirror of https://github.com/docker/cli.git
58 lines
2.1 KiB
Plaintext
58 lines
2.1 KiB
Plaintext
## OSX Builds Now Use GClient ##
|
|
|
|
We recommend that you use GClient to build on OSX. Please follow the
|
|
instructions in the [main readme](README.md) file.
|
|
|
|
## Trusted root certificates ##
|
|
|
|
The CT code requires a set of trusted root certificates in order to:
|
|
1. Validate outbound HTTPS connections
|
|
2. (In the case of the log-server) decide whether to accept a certificate
|
|
chain for inclusion.
|
|
|
|
On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains
|
|
Apple-provided patches which intercept failed chain validations and re-attempts
|
|
them using roots obtained from the system keychain. Since we use a much more
|
|
recent (and unpatched) version of OpenSSL this behaviour is unsupported and so
|
|
a PEM file containing the trusted root certs must be used.
|
|
|
|
## Specifying root certificates to be used
|
|
|
|
To use a certificate PEM bundle file with the CT C++ code, the following
|
|
methods may be used:
|
|
|
|
### For verifying outbound HTTPS connections:
|
|
|
|
Either set the
|
|
`--trusted_roots_certs' flag, or the `SSL_CERT_FILE` environment variable, to
|
|
point to the location of the PEM file containing the root certificates to be
|
|
used to verify the outbound HTTPS connection.
|
|
|
|
### Incoming inclusion requests (ct-server only)
|
|
|
|
Set the `--trusted_cert_file` flag to point to the location of the PEM file
|
|
containing the set of root certificates whose chains should be accepted for
|
|
inclusion into the log.
|
|
|
|
## Sources of trusted roots
|
|
|
|
Obviously the choice of root certificates to trust for outbound HTTPS
|
|
connections and incoming inclusion requests are a matter of operating policy,
|
|
but it is often useful to have a set of common roots for testing and
|
|
development at the very least.
|
|
|
|
While OSX ships with a set of common trusted roots, they are not directly
|
|
available to OpenSSL and must be exported from the keychain first. This can be
|
|
achieved with the following command:
|
|
|
|
```bash
|
|
security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
|
|
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem
|
|
```
|
|
|
|
## Deprecated Build Process ##
|
|
|
|
This may be out of date and is not guaranteed to work.
|
|
|
|
gtest: install from source.
|