Meta+RequestServer: Remove local download of ca-certificates

We haven't required a local copy of the ca-certificates since switching to OpenSSL as the backend for TLS. Remove the script to download the PEM file, and update the tests to use the system's CA certificates.
Author: https://github.com/ADKaster Commit: ffd600a7f5 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5326 Reviewed-by: https://github.com/alimpfard Reviewed-by: https://github.com/gmta ✅
2025-07-31 13:19:05 +00:00 · 2025-07-06 09:11:28 -06:00 · 2025-07-06 09:11:28 -06:00 · ffd600a7f5 · 2025-07-07 07:11:32 +00:00
commit ffd600a7f5
parent 12dd5f0804
12 changed files with 7 additions and 134 deletions
--- a/Meta/CMake/ca_certificates_data.cmake
+++ b/Meta/CMake/ca_certificates_data.cmake
@ -1,28 +0,0 @@
-include(${CMAKE_CURRENT_LIST_DIR}/utils.cmake)
-
-set(CACERT_VERSION "2025-05-20")
-set(CACERT_SHA256 "ab3ee3651977a4178a702b0b828a4ee7b2bbb9127235b0ab740e2e15974bf5db")
-
-set(CACERT_PATH "${LADYBIRD_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
-set(CACERT_VERSION_FILE "${CACERT_PATH}/version.txt")
-
-set(CACERT_FILE cacert-${CACERT_VERSION}.pem)
-set(CACERT_URL https://curl.se/ca/${CACERT_FILE})
-set(CACERT_INSTALL_FILE cacert.pem)
-
-if (ENABLE_CACERT_DOWNLOAD)
-    remove_path_if_version_changed("${CACERT_VERSION}" "${CACERT_VERSION_FILE}" "${CACERT_PATH}")
-
-    if (ENABLE_NETWORK_DOWNLOADS)
-        download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}" SHA256 "${CACERT_SHA256}")
-    else()
-        message(STATUS "Skipping download of ${CACERT_URL}, expecting it to have been downloaded to ${CACERT_PATH}")
-    endif()
-
-    if (NOT "${CMAKE_STAGING_PREFIX}" STREQUAL "")
-        set(CACERT_INSTALL_PATH ${CMAKE_STAGING_PREFIX}/etc/${CACERT_INSTALL_FILE})
-    else()
-        set(CACERT_INSTALL_PATH ${CMAKE_CURRENT_BINARY_DIR}/${CACERT_INSTALL_FILE})
-    endif()
-    configure_file(${CACERT_PATH}/${CACERT_FILE} ${CACERT_INSTALL_PATH} COPYONLY)
-endif()
--- a/Meta/CMake/common_options.cmake
+++ b/Meta/CMake/common_options.cmake
@ -25,8 +25,6 @@ ladybird_option(ENABLE_ALL_DEBUG_FACILITIES OFF CACHE BOOL "Enable all noisy deb
 ladybird_option(ENABLE_COMPILETIME_HEADER_CHECK OFF CACHE BOOL "Enable compiletime check that each library header compiles stand-alone")

 ladybird_option(INCLUDE_WASM_SPEC_TESTS OFF CACHE BOOL "Download and include the WebAssembly spec testsuite")
-ladybird_option(INCLUDE_FLAC_SPEC_TESTS OFF CACHE BOOL "Download and include the FLAC spec testsuite")
-ladybird_option(ENABLE_CACERT_DOWNLOAD ON CACHE BOOL "Enable download of cacert.pem at build time")

 ladybird_option(LADYBIRD_CACHE_DIR "${PROJECT_BINARY_DIR}/../caches" CACHE PATH "Location of shared cache of downloaded files")
 ladybird_option(ENABLE_NETWORK_DOWNLOADS ON CACHE BOOL "Allow downloads of required files. If OFF, required files must already be present in LADYBIRD_CACHE_DIR")
--- a/Meta/Lagom/CMakeLists.txt
+++ b/Meta/Lagom/CMakeLists.txt
@ -78,7 +78,6 @@ if (ENABLE_FUZZERS OR CMAKE_CROSSCOMPILING)
    set(BUILD_LAGOM_TOOLS OFF)
 endif()

-include(ca_certificates_data)
 include(lagom_compile_options)

 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
--- a/Meta/WPT.sh
+++ b/Meta/WPT.sh
@ -77,7 +77,6 @@ TEST_WEB_BINARY=${TEST_WEB_BINARY:-"${BUILD_DIR}/bin/test-web"}
 WPT_PROCESSES=${WPT_PROCESSES:-$(get_number_of_processing_units)}
 WPT_CERTIFICATES=(
    "tools/certs/cacert.pem"
-    "${BUILD_DIR}/Lagom/cacert.pem"
 )
 WPT_ARGS=(
    "--binary=${LADYBIRD_BINARY}"
--- a/Meta/gn/secondary/Ladybird/BUILD.gn
+++ b/Meta/gn/secondary/Ladybird/BUILD.gn
@ -154,7 +154,6 @@ executable("ladybird_executable") {
  } else {
    data_deps += [
      ":ladybird_copy_about_pages",
-      ":ladybird_copy_cacert",
      ":ladybird_copy_config_resources",
      ":ladybird_copy_fonts",
      ":ladybird_copy_icons_128x128",
@ -280,8 +279,6 @@ web_templates = [
  "//Base/res/ladybird/templates/version.html",
 ]

-cacert = [ "$root_build_dir/cacert.pem" ]
-
 config_resources = [
  "//Base/res/ladybird/default-config/BrowserContentFilters.txt",
  "//Base/res/ladybird/default-config/bookmarks.json",
@ -341,12 +338,6 @@ if (current_os != "mac") {
        [ "$root_out_dir/share/Lagom/ladybird/templates/{{source_file_part}}" ]
  }

-  copy("ladybird_copy_cacert") {
-    public_deps = [ "//Userland/Libraries/LibTLS:ca_certificates_download" ]
-    sources = cacert
-    outputs = [ "$root_out_dir/share/Lagom/ladybird/{{source_file_part}}" ]
-  }
-
  copy("ladybird_copy_config_resources") {
    sources = config_resources
    outputs = [
@ -495,12 +486,6 @@ if (current_os != "mac") {
        [ "{{bundle_resources_dir}}/ladybird/templates/{{source_file_part}}" ]
  }

-  bundle_data("ladybird_cacert") {
-    public_deps = [ "//Userland/Libraries/LibTLS:ca_certificates_download" ]
-    sources = cacert
-    outputs = [ "{{bundle_resources_dir}}/ladybird/{{source_file_part}}" ]
-  }
-
  bundle_data("ladybird_config_resources") {
    sources = config_resources
    outputs = [
@ -553,7 +538,6 @@ if (current_os != "mac") {
      ":ladybird_bundle_executables",
      ":ladybird_bundle_info_plist",
      ":ladybird_bundle_libs",
-      ":ladybird_cacert",
      ":ladybird_config_resources",
      ":ladybird_fonts",
      ":ladybird_icon",
--- a/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
+++ b/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
@ -1,26 +1,3 @@
-import("//Meta/gn/build/download_cache.gni")
-import("//Meta/gn/build/download_file.gni")
-
-declare_args() {
-  # If true, Download root CA certificate bundle from curl.se
-  # Data will be downloaded to $cache_path/CACERT and used by LibTLS
-  enable_cacert_download = true
-}
-
-cacert_cache = cache_path + "CACERT/"
-
-cacert_version = "2025-05-20"
-
-if (enable_cacert_download) {
-  download_file("ca_certificates_download") {
-    version = cacert_version
-    url = "https://curl.se/ca/cacert-$version.pem"
-    output = "$root_build_dir/cacert.pem"
-    version_file = cacert_cache + "version.txt"
-    sha256 = "ab3ee3651977a4178a702b0b828a4ee7b2bbb9127235b0ab740e2e15974bf5db"
-  }
-}
-
 shared_library("LibTLS") {
  output_name = "tls"
  include_dirs = [ "//Userland/Libraries" ]
@ -36,7 +13,6 @@ shared_library("LibTLS") {
    "TLSv12.cpp",
  ]
  deps = [
-    ":ca_certificates_download",
    "//AK",
    "//Userland/Libraries/LibCore",
    "//Userland/Libraries/LibCrypto",
--- a/Services/RequestServer/main.cpp
+++ b/Services/RequestServer/main.cpp
@ -28,14 +28,6 @@ extern ByteString g_default_certificate_path;

 }

-static ErrorOr<ByteString> find_certificates(StringView serenity_resource_root)
-{
-    auto cert_path = ByteString::formatted("{}/ladybird/cacert.pem", serenity_resource_root);
-    if (!FileSystem::exists(cert_path))
-        return Error::from_string_literal("Don't know how to load certs!");
-    return cert_path;
-}
-
 ErrorOr<int> serenity_main(Main::Arguments arguments)
 {
    AK::set_rich_debug_enabled(true);
@ -55,10 +47,8 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
    if (wait_for_debugger)
        Core::Process::wait_for_debugger_and_break();

-    // Ensure the certificates are read out here.
-    if (certificates.is_empty())
-        certificates.append(TRY(find_certificates(serenity_resource_root)));
-    else
+    // FIXME: Update RequestServer to support multiple custom root certificates.
+    if (!certificates.is_empty())
        RequestServer::g_default_certificate_path = certificates.first();

    Core::EventLoop event_loop;
--- a/Tests/LibDNS/TestDNSResolver.cpp
+++ b/Tests/LibDNS/TestDNSResolver.cpp
@ -6,7 +6,6 @@

 #include <LibCore/Socket.h>
 #include <LibDNS/Resolver.h>
-#include <LibFileSystem/FileSystem.h>
 #include <LibTLS/TLSv12.h>
 #include <LibTest/TestCase.h>

@ -72,19 +71,6 @@ TEST_CASE(test_tcp)
    EXPECT_EQ(0, loop.exec());
 }

-static StringView ca_certs_file = "./cacert.pem"sv;
-static Optional<ByteString> locate_ca_certs_file()
-{
-    if (FileSystem::exists(ca_certs_file)) {
-        return ca_certs_file;
-    }
-    auto on_target_path = ByteString("/etc/cacert.pem");
-    if (FileSystem::exists(on_target_path)) {
-        return on_target_path;
-    }
-    return {};
-}
-
 TEST_CASE(test_tls)
 {
    Core::EventLoop loop;
@ -93,8 +79,7 @@ TEST_CASE(test_tls)
        [&] -> ErrorOr<DNS::Resolver::SocketResult> {
            Core::SocketAddress addr = { IPv4Address::from_string("1.1.1.1"sv).value(), static_cast<u16>(853) };

-            TLS::Options options;
-            options.root_certificates_path = locate_ca_certs_file();
+            TLS::Options options = {};

            return DNS::Resolver::SocketResult {
                MaybeOwned<Core::Socket>(TRY(TLS::TLSv12::connect(addr, "1.1.1.1", move(options)))),
--- a/Tests/LibTLS/TestTLSHandshake.cpp
+++ b/Tests/LibTLS/TestTLSHandshake.cpp
@ -11,11 +11,9 @@
 #include <LibCore/Timer.h>
 #include <LibCrypto/ASN1/ASN1.h>
 #include <LibCrypto/ASN1/PEM.h>
-#include <LibFileSystem/FileSystem.h>
 #include <LibTLS/TLSv12.h>
 #include <LibTest/TestCase.h>

-static StringView ca_certs_file = "./cacert.pem"sv;
 static int port = 443;

 constexpr auto DEFAULT_SERVER = "www.google.com"sv;
@ -25,24 +23,11 @@ static ByteBuffer operator""_b(char const* string, size_t length)
    return ByteBuffer::copy(string, length).release_value();
 }

-static Optional<ByteString> locate_ca_certs_file()
-{
-    if (FileSystem::exists(ca_certs_file)) {
-        return ca_certs_file;
-    }
-    auto on_target_path = ByteString("/etc/cacert.pem");
-    if (FileSystem::exists(on_target_path)) {
-        return on_target_path;
-    }
-    return {};
-}
-
 TEST_CASE(test_TLS_hello_handshake)
 {
    Core::EventLoop loop;

-    TLS::Options options;
-    options.root_certificates_path = locate_ca_certs_file();
+    TLS::Options options = {};

    auto tls = TRY_OR_FAIL(Core::BufferedSocket<TLS::TLSv12>::create(TRY_OR_FAIL(TLS::TLSv12::connect(DEFAULT_SERVER, port, move(options)))));

--- a/UI/cmake/AndroidExtras.cmake
+++ b/UI/cmake/AndroidExtras.cmake
@ -22,12 +22,6 @@ copy_res_folder(fonts)
 copy_res_folder(icons)
 copy_res_folder(emoji)
 copy_res_folder(themes)
-add_custom_target(copy-certs
-    COMMAND ${CMAKE_COMMAND} -E copy_if_different
-        "${Lagom_BINARY_DIR}/cacert.pem"
-        "asset-bundle/res/ladybird/cacert.pem"
-)
-add_dependencies(archive-assets copy-certs)
 add_custom_target(copy-assets COMMAND ${CMAKE_COMMAND} -E copy_if_different ladybird-assets.tar "${CMAKE_SOURCE_DIR}/UI/Android/src/main/assets/")
 add_dependencies(copy-assets archive-assets)
 add_dependencies(ladybird copy-assets)
--- a/UI/cmake/ResourceFiles.cmake
+++ b/UI/cmake/ResourceFiles.cmake
@ -103,11 +103,6 @@ set(CONFIG_RESOURCES
 )
 list(TRANSFORM CONFIG_RESOURCES PREPEND "${LADYBIRD_SOURCE_DIR}/Base/res/ladybird/default-config/")

-set(DOWNLOADED_RESOURCES
-    cacert.pem
-)
-list(TRANSFORM DOWNLOADED_RESOURCES PREPEND "${Lagom_BINARY_DIR}/")
-
 function(copy_resource_set subdir)
    cmake_parse_arguments(PARSE_ARGV 1 "COPY" "" "TARGET;DESTINATION" "RESOURCES")
    set(inputs ${COPY_RESOURCES})
@ -192,10 +187,6 @@ function(copy_resources_to_build base_directory bundle_target)
        DESTINATION ${base_directory} TARGET ${bundle_target}
    )

-    copy_resource_set(ladybird RESOURCES ${DOWNLOADED_RESOURCES}
-        DESTINATION ${base_directory} TARGET ${bundle_target}
-    )
-
    add_dependencies(${bundle_target} "${bundle_target}_build_resource_files")
 endfunction()

@ -209,5 +200,4 @@ function(install_ladybird_resources destination component)
    install(FILES ${ABOUT_PAGES} DESTINATION "${destination}/ladybird/about-pages" COMPONENT ${component})
    install(FILES ${WEB_TEMPLATES} DESTINATION "${destination}/ladybird/templates" COMPONENT ${component})
    install(FILES ${CONFIG_RESOURCES} DESTINATION "${destination}/ladybird/default-config" COMPONENT ${component})
-    install(FILES ${DOWNLOADED_RESOURCES} DESTINATION "${destination}/ladybird" COMPONENT ${component})
 endfunction()
--- a/Utilities/dns.cpp
+++ b/Utilities/dns.cpp
@ -25,7 +25,7 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
    bool dnssec = false;

    Core::ArgsParser args_parser;
-    args_parser.add_option(cert_path, "Path to the CA certificate file", "ca-certs", 'C', "file");
+    args_parser.add_option(cert_path, "Path to a root CA certificate file", "ca-certs", 'C', "file");
    args_parser.add_option(server_address, "The address of the DNS server to query", "server", 's', "addr");
    args_parser.add_option(use_tls, "Use TLS to connect to the server", "tls", 0);
    args_parser.add_option(dnssec, "Validate DNSSEC records locally", "dnssec", 0);
@ -78,7 +78,8 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
            auto make_resolver = [&](Core::SocketAddress const& address) -> ErrorOr<DNS::Resolver::SocketResult> {
                if (use_tls) {
                    TLS::Options options;
-                    options.root_certificates_path = cert_path;
+                    if (!cert_path.is_empty())
+                        options.root_certificates_path = cert_path;

                    auto tls = TRY(TLS::TLSv12::connect(address, server_address, move(options)));
                    return DNS::Resolver::SocketResult { move(tls), DNS::Resolver::ConnectionMode::TCP };