← Back to team overview

openjdk team mailing list archive

[Bug 1406483] Re: Possible to install (and trigger postinstall) of ca-certificates-java before Java has been installed

 

The fix synced from Debian checks for JDK (or JRE) directories under
/usr/lib/jvm and updates PATH with first found JRE. But it only checks
hardcoded paths with java version up to Java 9. On Impish, ca-
certificates-java package version is 20190909 and it is checks up to
java version 11. So when installing first JDK/JRE newer than 11 the bug
can be reproduced. Could you please reopen this bug?

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1406483

Title:
  Possible to install (and trigger postinstall) of ca-certificates-java
  before Java has been installed

Status in One Hundred Papercuts:
  Fix Released
Status in ca-certificates-java package in Ubuntu:
  Fix Released

Bug description:
  1. Steps to reproduce:
  Depending on which packages you select for installation, it is possible the postinstall and trigger for ca-certificates-java run before Java has been installed. This may be possible to trigger with more combinations, but I've found
  $ sudo apt install maven openjdk-8-jdk
  where the issue is reproducible. Running this on an out-of-the-box system, for instance a VM will trigger the issue.

  See installation.txt for the full output of running this command, but the important section is this one:
  Setting up ca-certificates-java (20140324) ...
  /var/lib/dpkg/info/ca-certificates-java.postinst: line 53: java: command not found
  /var/lib/dpkg/info/ca-certificates-java.postinst: line 66: java: command not found
  done.
  (...)
  Processing triggers for ca-certificates (20141019) ...
  Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d....
  /etc/ca-certificates/update.d/jks-keystore: 82: /etc/ca-certificates/update.d/jks-keystore: java: not found
  E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
  done.
  Setting up openjdk-8-jre-headless:amd64 (8u40~b09-1) ...
  update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
  update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode

  2. Expected behaviour:
  Packages are installed in the correct order so that they can assume their dependencies are present when for instance attempting to run postinstall. (So I don't really know whether this issue is truly caused by ca-certificates-java or by the priority/order of packages assigned by apt or something else.)

  3. Actual behaviour:
  As we see both the postinstall and trigger is attempted run before java has been installed, which results in /etc/ssl/certs/java being an empty directory. Effectively this means Java doesn't know any certificates so for instance creating a connection to an HTTPS-url will fail.

  4. Attempted workaround:
  As a workaround, I figured I could reinstall ca-certificates-java and maybe that would work.
  $ sudo apt install ca-certificates --reinstall
  (...)
  Processing triggers for ca-certificates (20141019) ...
  Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d....
  done.

  While this gives me the cacerts file at /etc/ssl/certs/java/cacerts we can see that it contains no certificates:
  $ keytool -list -keystore /etc/ssl/certs/java/cacerts
  Enter keystore password:

  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 0 entries

  (The default keystore password is of course "changeit")

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: ca-certificates-java 20140324
  ProcVersionSignature: Ubuntu 3.16.0-28.38-generic 3.16.7-ckt1
  Uname: Linux 3.16.0-28-generic x86_64
  ApportVersion: 2.15.1-0ubuntu1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Tue Dec 30 10:18:52 2014
  InstallationDate: Installed on 2014-12-19 (10 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20141211)
  PackageArchitecture: all
  SourcePackage: ca-certificates-java
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.default.cacerts: [inaccessible: [Errno 13] Permission denied: '/etc/default/cacerts']

To manage notifications about this bug go to:
https://bugs.launchpad.net/hundredpapercuts/+bug/1406483/+subscriptions



References