No standard TLS CA roots available when p11-kit-server is not running
With an up-to-date org.gnome.Platform//3.34 runtime from Flathub, no TLS certificate authority root certificates seem to be available:
mjog@blanchefort:~/Projects/GNOME/geary-flathub$ flatpak run --share=network org.gnome.Sdk//3.34
[📦 org.gnome.Sdk ~]$ gnutls-cli imap.gmail.com:imaps
Processed 0 CA certificate(s).
Resolving 'imap.gmail.com:imaps'...
Connecting to '2404:6800:4003:c00::6d:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=imap.gmail.com,O=Google LLC,L=Mountain View,ST=California,C=US', issuer `CN=GTS CA 1O1,O=Google Trust Services,C=US', serial 0x00ddb3cfba1c7912fc0800000000131691, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-09-05 20:13:16 UTC', expires `2019-11-28 20:13:16 UTC', pin-sha256="latkoeUfFtOrPY3TEhGGRZE2Q+NjQXpgWP+u+ruBje0="
Public Key ID:
sha1:df9a8bb5b284386db55195d216d053ff581d25ac
sha256:95ab64a1e51f16d3ab3d8dd312118645913643e363417a6058ffaefabb818ded
Public Key PIN:
pin-sha256:latkoeUfFtOrPY3TEhGGRZE2Q+NjQXpgWP+u+ruBje0=
- Certificate[1] info:
- subject `CN=GTS CA 1O1,O=Google Trust Services,C=US', issuer `CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2', serial 0x01e3b49aa18d8aa981256950b8, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-15 00:00:42 UTC', expires `2021-12-15 00:00:42 UTC', pin-sha256="YZPgTZ+woNCCCIW3LH2CxQeLzB/1m42QcCTBSdgayjs="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
This is a regression from 3.32; I didn't notice it with the nightly runtimes either.
Edited by Michael Catanzaro