diff --git a/package/debian/build-deb.sh b/package/debian/build-deb.sh
index 5c8e8d304f..01f40c2bf4 100755
--- a/package/debian/build-deb.sh
+++ b/package/debian/build-deb.sh
@@ -105,12 +105,17 @@ export PYTHONPATH="${KINDRED_CREATE_HOME}/lib/python3.11:${KINDRED_CREATE_HOME}/
 export XDG_DATA_DIRS="${KINDRED_CREATE_HOME}/share:${XDG_DATA_DIRS:-/usr/share}"
 export GI_TYPELIB_PATH="${KINDRED_CREATE_HOME}/lib/girepository-1.0:${GI_TYPELIB_PATH:-}"
 
-# XKB keyboard configuration - use bundled data to avoid hardcoded CI paths in libxkbcommon
-export XKB_CONFIG_ROOT="${KINDRED_CREATE_HOME}/share/X11/xkb"
-
-# Fontconfig - use bundled configuration
-export FONTCONFIG_FILE="${KINDRED_CREATE_HOME}/etc/fonts/fonts.conf"
-export FONTCONFIG_PATH="${KINDRED_CREATE_HOME}/etc/fonts"
+# Use system CA certificates so bundled Python trusts internal CAs (e.g. FreeIPA)
+# The bundled openssl has a hardcoded cafile from the build environment which
+# does not exist on the target system.
+if [ -z "${SSL_CERT_FILE:-}" ]; then
+ for ca in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
+ if [ -f "$ca" ]; then
+ export SSL_CERT_FILE="$ca"
+ break
+ fi
+ done
+fi
 
 # Try different binary names (FreeCAD or freecad depending on build)
 if [ -x "${KINDRED_CREATE_HOME}/bin/FreeCAD" ]; then
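Review bot: When neither candidate bundle exists, the added block leaves SSL_CERT_FILE unset without any diagnostic, so the bundled OpenSSL presumably falls back to the build-environment cafile that the comment says is absent on the target, and HTTPS verification then fails with no hint as to why. A line after `done` such as `[ -n "${SSL_CERT_FILE:-}" ] || echo "no system CA bundle found; TLS certificate verification will likely fail" >&2` would make that visible, and testing `-r "$ca"` rather than `-f "$ca"` avoids exporting a bundle the invoking user cannot read. The comment could also state that SSL_CERT_FILE only reaches code that uses OpenSSL's default verify paths; a bundled library that ships its own CA store (requests with certifi, if it is in site-packages) would likely still not trust an internal CA. The same block is repeated in the second hunk, and the wrapper text begins before and continues past these lines, so this is judged from the visible lines only.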
@@ -131,6 +136,16 @@ export LD_LIBRARY_PATH="${KINDRED_CREATE_HOME}/lib:${LD_LIBRARY_PATH:-}"
 export PYTHONHOME="${KINDRED_CREATE_HOME}"
 export PYTHONPATH="${KINDRED_CREATE_HOME}/lib/python3.11:${KINDRED_CREATE_HOME}/lib/python3.11/site-packages:${PYTHONPATH:-}"
 
+# Use system CA certificates (see kindred-create wrapper for details)
+if [ -z "${SSL_CERT_FILE:-}" ]; then
+ for ca in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
+ if [ -f "$ca" ]; then
+ export SSL_CERT_FILE="$ca"
+ break
+ fi
+ done
+fi
+
 # Try different binary names (FreeCADCmd or freecadcmd depending on build)
 if [ -x "${KINDRED_CREATE_HOME}/bin/FreeCADCmd" ]; then
 exec "${KINDRED_CREATE_HOME}/bin/FreeCADCmd" "$@"
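Review bot: This second copy of the CA-bundle lookup carries only a pointer comment, so any later change to the candidate list or the fallback has to be made in two places and the two wrappers can drift apart in what they trust. Since both copies live in build-deb.sh, the block could be defined once there and emitted into each wrapper; how the wrappers are written out is not visible in this hunk, so the exact mechanism is left open. If the copy stays, the comment should state the trust decision itself rather than refer elsewhere, e.g. `# Prefer the system CA bundle: the bundled OpenSSL's built-in cafile path does not exist on target systems`.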