[yocto] [mono][msbuild][nuget] Building c# application for mono

Tue Oct 2 02:11:03 PDT 2018

On 10/01/2018 04:50 PM, Alberto Spin wrote:
> I’m trying to build my c# application for mono with yocto, by using 
> nuget and msbuild.
> 
> I encountered several problems:
> 
> MsBuild:
> 
>   * During the build of msbuild the cibuild.sh script is invoked. This
>     script uses the tool ‘curl‘ to download the msbuild.zip form
>     Microsoft. This action failes with a certificate error because there
>     are no certificates present. I fixed this issue with a bbappend
>     script for msbuild which contains:
> 
> DEPENDS += "ca-certificates"

I submitted a similar patch last week:

https://lists.yoctoproject.org/pipermail/yocto/2018-September/042661.html

Note that adding the ca-certificates dependency wasn't enough for me. 
The curl recipe builds curl with:

--with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt

For curl-native that expands to something like:

$HOME/yocto/build/tmp/work/x86_64-linux/curl-native/7.58.0-r0/recipe-sysroot-native/etc/ssl/certs/ca-certificates.crt

But if "rm_work" is enabled, this directory is gone by the time you're 
building msbuild, and it still fails. It should point to the msbuild 
native sysroot instead. I did that with the CURL_CA_BUNDLE env variable.

> Nuget:
> 
>   * When trying to restore the packages for my c# application, the
>     execution of Nuget fails because it has no certificates.
>   * Apparently NuGet is using the mono certificate store, because it
>     fails to detect the certificates present in:
>       /recipe-sysroot-native/etc/ssl/certs
>   * I also verified that the mono certificate store is empty by issuing
>     the command: certmgr -list -c Trust
> 
> I tried to extend the recipe that builds my c# application with a 
> do_configure task, in which I’m trying to synchronize the mono 
> certificate store with the ca-certifates.crt.
> 
>                  cert-sync ${sysconfdir}/ssl/certs/ca-certificates.crt
> 
> But the cert-sync tool somehow wants to use a path outside my build 
> environment /usr/share/.mono, which fails with an access denied error.
> 
> Can anybody help me to get past this problem?

I encountered the same problem. I did workaround it with the --user 
parameter:

cert-sync --user ${sysconfdir}/ssl/certs/ca-certificates.crt

As you can see from my commit message, it works, but it's not perfect:

"Install the CA certificates for mono

Mono uses its own CA certificate store. By default it is empty, which 
causes nuget to fail when trying do download packages over https.

This is a very ugly hack. Ideally the CA certificates should be packaged 
separately and installed system-wide. But unfortunately the cert-sync 
tool (or the other mono tools) use hardcoded directory paths and thus 
don't support cross environments. Even with the --user option, the 
certificates are installed on the host system, and not the yocto native 
sysroot. Not really great, but at least it works."

If you find a better solution, I'm interested to hear about that!

Jef