Fix flatpak TLS without touching the system CA store

gerrod3 · gerrod3 · commit 89dd0826aa2c · 2026-04-24T14:01:13.000-04:00
Revert the update-ca-trust approach, which regenerated the system CA
bundle and stripped the Pulp cert (p11-kit rejects non-CA certs),
breaking all Python bindings tests.

Instead, configure the OSTree remote's tls-ca-path directly after
flatpak remote-add. This scopes the TLS trust change to the flatpak
remote only, leaving the system CA store and certifi untouched.

Made-with: Cursor
diff --git a/.github/workflows/scripts/post_before_script.sh b/.github/workflows/scripts/post_before_script.sh
@@ -2,10 +2,4 @@ SCENARIOS=("pulp" "performance" "azure" "gcp" "s3" "generate-bindings" "lowerbou
 if [[ " ${SCENARIOS[*]} " =~ " ${TEST} " ]]; then
   # Needed by pulp_container/tests/functional/api/test_flatpak.py:
   cmd_prefix dnf install -yq dbus-daemon flatpak
-
-  # Add the Pulp CA cert to the system trust store inside the container so that
-  # flatpak/OSTree (which uses GLib/GIO) trusts the Pulp registry's TLS certificate.
-  # Using cp + update-ca-trust extract (the standard RHEL9 approach) rather than
-  # "trust anchor", which behaved unexpectedly when given the full CA bundle path.
-  cmd_prefix bash -c "cp /etc/pulp/certs/pulp_webserver.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract"
 fi
diff --git a/pulp_container/tests/functional/api/test_flatpak.py b/pulp_container/tests/functional/api/test_flatpak.py
@@ -1,7 +1,9 @@
 """Tests that verify Flatpak support"""
 
+import os
 import pytest
 import subprocess
+from urllib.parse import urlparse
 
 from pulp_container.tests.functional.constants import REGISTRY_V2
 
@@ -17,6 +19,45 @@ def run_flatpak_commands(host):
             "oci+" + host,
         ]
     )
+
+    # OSTree (used by flatpak) verifies TLS against the system CA store, not certifi.
+    # For CI environments using a self-signed cert, configure the remote to trust
+    # the Pulp CA directly rather than relying on system-wide CA trust, which would
+    # interfere with the Python bindings trust setup in script.sh.
+    if urlparse(host).scheme == "https":
+        flatpak_user_repo = os.path.expanduser("~/.local/share/flatpak/repo")
+        ca_cert = "/etc/pulp/certs/pulp_webserver.crt"
+        if os.path.exists(ca_cert):
+            subprocess.run(
+                [
+                    "ostree",
+                    "config",
+                    "--repo",
+                    flatpak_user_repo,
+                    "--group",
+                    'remote "pulptest"',
+                    "set",
+                    "tls-ca-path",
+                    ca_cert,
+                ],
+                check=False,
+            )
+        else:
+            subprocess.run(
+                [
+                    "ostree",
+                    "config",
+                    "--repo",
+                    flatpak_user_repo,
+                    "--group",
+                    'remote "pulptest"',
+                    "set",
+                    "tls-permissive",
+                    "true",
+                ],
+                check=False,
+            )
+
     # See <https://pagure.io/fedora-lorax-templates/c/cc1155372046baa58f9d2cc27a9e5473bf05a3fb>
     # "lorax-embed-flatpaks.tmpl: Run the flatpak-install under dbus-run-session" for the need for
     # dbus-run-session to avoid "error: Cannot autolaunch D-Bus without X11 $DISPLAY":
