Add support for Chromium Snap cert trust (#57257)

github-actions[bot] · amcasey · web-flow · commit 16374e2c46b0 · 2024-08-12T10:11:55.000-07:00
I thought this already worked, but it turns out it behaves differently depending on how you launch it.  When it is launched as a snap (vs from the command line), it can only access things in its own folder, so it looks in a different NSS DB for trusted certs.  Fixing this is as simple as adding one more well-known location to the list.

Co-authored-by: Andrew Casey &lt;amcasey@users.noreply.github.com&gt;
diff --git a/src/Shared/CertificateGeneration/UnixCertificateManager.cs b/src/Shared/CertificateGeneration/UnixCertificateManager.cs
@@ -476,6 +476,11 @@ private static string GetChromiumNssDb(string homeDirectory)
         return Path.Combine(homeDirectory, ".pki", "nssdb");
     }
 
+    private static string GetChromiumSnapNssDb(string homeDirectory)
+    {
+        return Path.Combine(homeDirectory, "snap", "chromium", "current", ".pki", "nssdb");
+    }
+
     private static string GetFirefoxDirectory(string homeDirectory)
     {
         return Path.Combine(homeDirectory, ".mozilla", "firefox");
@@ -732,13 +737,21 @@ private static List<NssDb> GetNssDbs(string homeDirectory)
             return nssDbs;
         }
 
-        // Chrome, Chromium, Edge, and their respective snaps all use this directory
+        // Chrome, Chromium, and Edge all use this directory
         var chromiumNssDb = GetChromiumNssDb(homeDirectory);
         if (Directory.Exists(chromiumNssDb))
         {
             nssDbs.Add(new NssDb(chromiumNssDb, isFirefox: false));
         }
 
+        // Chromium Snap, when launched under snap confinement, uses this directory
+        // (On Ubuntu, the GUI launcher uses confinement, but the terminal does not)
+        var chromiumSnapNssDb = GetChromiumSnapNssDb(homeDirectory);
+        if (Directory.Exists(chromiumSnapNssDb))
+        {
+            nssDbs.Add(new NssDb(chromiumSnapNssDb, isFirefox: false));
+        }
+
         var firefoxDir = GetFirefoxDirectory(homeDirectory);
         if (Directory.Exists(firefoxDir))
         {

Original file line number	Diff line number	Diff line change
`@@ -476,6 +476,11 @@ private static string GetChromiumNssDb(string homeDirectory)`
`476`	`476`	`return Path.Combine(homeDirectory, ".pki", "nssdb");`
`477`	`477`	`}`
`478`	`478`
	`479`	`+ private static string GetChromiumSnapNssDb(string homeDirectory)`
	`480`	`+ {`
	`481`	`+ return Path.Combine(homeDirectory, "snap", "chromium", "current", ".pki", "nssdb");`
	`482`	`+ }`
	`483`	`+`
`479`	`484`	`private static string GetFirefoxDirectory(string homeDirectory)`
`480`	`485`	`{`
`481`	`486`	`return Path.Combine(homeDirectory, ".mozilla", "firefox");`
`@@ -732,13 +737,21 @@ private static List<NssDb> GetNssDbs(string homeDirectory)`
`732`	`737`	`return nssDbs;`
`733`	`738`	`}`
`734`	`739`
`735`		`- // Chrome, Chromium, Edge, and their respective snaps all use this directory`
	`740`	`+ // Chrome, Chromium, and Edge all use this directory`
`736`	`741`	`var chromiumNssDb = GetChromiumNssDb(homeDirectory);`
`737`	`742`	`if (Directory.Exists(chromiumNssDb))`
`738`	`743`	`{`
`739`	`744`	`nssDbs.Add(new NssDb(chromiumNssDb, isFirefox: false));`
`740`	`745`	`}`
`741`	`746`
	`747`	`+ // Chromium Snap, when launched under snap confinement, uses this directory`
	`748`	`+ // (On Ubuntu, the GUI launcher uses confinement, but the terminal does not)`
	`749`	`+ var chromiumSnapNssDb = GetChromiumSnapNssDb(homeDirectory);`
	`750`	`+ if (Directory.Exists(chromiumSnapNssDb))`
	`751`	`+ {`
	`752`	`+ nssDbs.Add(new NssDb(chromiumSnapNssDb, isFirefox: false));`
	`753`	`+ }`
	`754`	`+`
`742`	`755`	`var firefoxDir = GetFirefoxDirectory(homeDirectory);`
`743`	`756`	`if (Directory.Exists(firefoxDir))`
`744`	`757`	`{`