I am trying to build a snapcraft package (core20), but I am encountering errors due to corporate network SSL certificate substitution.

My host machine is configured properly and has company certificates added to all the necessary places, such as /etc/ssl/certs. But when trying to build a snap I am facing issues.

As far as I see it, snapcraft starts a VM and pulls dependencies, which causes a verification error because it doesn't use the host certificates. This happens before any environment variables are set from the snapcraft.yaml file, so I can't override it by setting:

  • CURL_CA_BUNDLE=""
  • GIT_SSL_NO_VERIFY=true

It also doesn't pull my host ENV, so it doesn't help if I run GIT_SSL_NO_VERIFY=true before snapcraft.

Copying a .pem or .crt inside snapcraft.yaml also doesn't help:

    organize:
      /etc/ssl/certs/company.pem: /etc/ssl/certs/company.pem

Execution:

    $ snapcraft build --verbose debug --debug
    Starting Snapcraft 7.4.3
    Launching a VM.
    Launched: snap-name
    ---| pulling packages, non important |---
    snapd 2.59.5 from Canonical✓ installed
    "snapd" switched to the "latest/stable" channel

    core20 20230613 from Canonical✓ installed
    "core20" switched to the "latest/stable" channel

    snapcraft 7.4.3 from Canonical✓ installed
    "snapcraft" switched to the "latest/stable" channel

    Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
    Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
    Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
    Reading package lists... Done
    Installing build dependencies: dirmngr gnupg
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      gnupg-l10n gnupg-utils gpg-wks-client gpg-wks-server gpgsm libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkrb5-26-heimdal libksba8 libldap-2.4-2 libldap-common libroken18-heimdal libsasl2-2
      libsasl2-modules-db libwind0-heimdal
    Suggested packages:
      pinentry-gnome3 tor parcimonie xloadimage
    Recommended packages:
      libsasl2-modules
    The following NEW packages will be installed:
      dirmngr gnupg gnupg-l10n gnupg-utils gpg-wks-client gpg-wks-server gpgsm libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkrb5-26-heimdal libksba8 libldap-2.4-2 libldap-common libroken18-heimdal
      libsasl2-2 libsasl2-modules-db libwind0-heimdal
    0 upgraded, 21 newly installed, 0 to remove and 0 not upgraded.
    Need to get 2,671 kB of archives.
    After this operation, 8,645 kB of additional disk space will be used.
    Get:1 http://security.ubuntu.com/ubuntu focal-security/main amd64 libksba8 amd64 1.3.5-2ubuntu0.20.04.2 [95.2 kB]
    ---| 20 more successful gets |---
    Selecting previously unselected package libksba8:amd64.
    (Reading database ... 20382 files and directories currently installed.)
    Preparing to unpack .../00-libksba8_1.3.5-2ubuntu0.20.04.2_amd64.deb ...
    Unpacking libksba8:amd64 (1.3.5-2ubuntu0.20.04.2) ...
    ---| 20 more successful unpackings |---
    Setting up libksba8:amd64 (1.3.5-2ubuntu0.20.04.2) ...
    ---| More successful setting-up |---
    Processing triggers for libc-bin (2.31-0ubuntu9.9) ...
    dirmngr set to automatically installed.
    gnupg set to automatically installed.
    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)

Because this is only needed for an internal build, I am perfectly OK with disabling SSL verification, but unfortunately I can't find any information in the snapcraft docs about such a flag. Thank you in advance for any advice.

vict
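An added example, not part of the original post and not snapcraft's own code: it reproduces the failure in the log above ("self signed certificate in certificate chain" is OpenSSL verify error 19) with a constructed chain, and shows that the same chain validates once the signing CA is in the trust store the client reads, with verification left on. It assumes OpenSSL 1.1.0 or newer; the CA name, host name and file paths are made up.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway root CA stands in for the corporate
# TLS-inspection CA. All names and paths below are made up for illustration.
set -u

make_chain() {  # $1 = work dir; writes root.pem (inspection CA) and leaf.pem
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
    '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/openssl.cnf"
  openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Corp Inspection CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  openssl req -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=repo.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  # The proxy re-signs the upstream site's certificate with its own CA.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

verify_code() {  # args: openssl verify options; prints 0 or the X509 error number
  local out
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

work=$(mktemp -d)
make_chain "$work" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
# Build VM's view: the proxy sends its root in the chain, but no store trusts it.
echo "CA not trusted: error $(verify_code -no-CAfile -no-CApath -untrusted "$work/root.pem" "$work/leaf.pem")"
# Same chain once the CA is in the trust store the client actually reads.
echo "CA trusted:     error $(verify_code -CAfile "$work/root.pem" "$work/leaf.pem")"
rm -rf "$work"
```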

0 Answers