-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dart pub get on a VM gives TLS error #4448
Comments
Hmm no clue what happens here. Can you try running: https://github.com/dart-lang/pub-dev/blob/master/app/bin/tools/check_domain_access.dart and post the output? That will hopefully give us more information about your network. |
Hi thanks for having a look, here’s the output of running it
|
I guess there is some issue with the setup of the certificates on the machine... @jonasfj can you make sense of this?
|
@sigurdm thanks for having a look, here are the results curl -v -L https://pub.dev/api/packages/retry
curl -v -L https://pub.dev/api/archives/retry-3.1.2.tar.gz
|
Do you have any self signed certificates installed in You could try: Especially, if you're running on a network where the admin has installed custom certificates on your machine. I don't recall exactly how this works. If Dart loads from system certificates or if it just has a built-in list of certificates. You could try |
also try downloading an SDK from: exact it and use it to, see if there it's an issue with your package manager. I would guess that your package manager just downloads the Dart SDK from the prebuilt tarballs, since it's not easy to get the SDK building. |
note: if we find out what the issue is here, it'd be great to add a section to: @samirbilalmemon What kind of network are you on? Are you sitting at home? or on a corporate network that may have all sorts of security software causing issues. |
Thanks for the response. I do not think I have any self signed certificates installed. This is a VM running on the iphone in the UTM SE app made from the arm64 generic image at archlinuxarm.org My network is my home network so I do not have an admin at like a corporate or school setting. I have tested trying to download sdk archives and extracting them instead of the pacman from ArchLinux and they also result in the same. No security software or firewall settings have been messed around with, other than running the necessary pacman-key --init and pacman-key --populate archlinuxarm and pacman -Syu the system is pretty much a fresh install. I will test |
You runnign a VM on your iphone, I'd call that unique environment 🤣 Not sure why or how that would cause certificate issues, but could be that the VM doesn't have raw socket access, so maybe the hypervisor is doing man-in-the-middle on all connections. Which for TLS connections will cause issues, unless a custom certificate is installed. I'm just guessing. |
I just tested the --roots-certs-file argument and it still results in a TLS error trying to find package ... I find it pretty interesting how wget and curl and openssl commands are able to work with TLS connections to pub.dev. Does dart pub get have more strict security rules then curl and wget and openssl commands? |
So it's a different TLS stack. My bet is that it's got to do with certificates, or something else funny that the hypervisor is doing when it's forwarding traffic. |
I see, I would be happy to try out any suggestions you guys might have to get it to work. Currently the only way I got packages to work in my environment was using wget to download them and then extracting them to the cache folder and then pointing to them in my pubspec.yaml but unfortunately given the number of dependencies packages can have it is just not feasible to do the manual labor. |
What does your setup look like? Could you aot-compile the dart binary so that it can run without access to the pub cache? |
When you ask what my setup looks like, what information are you looking for? The image used to install Arch Linux? The commands done after the install? The model of the iPhone? Or like what information? I do not know what aot-compile is and how to do it so I will look it up now and figure out what that means. |
I looked up what aot-compile is and yes I have use dart compile exe command successfully on this environment to compile into standalone binary that does not need dependencies. |
You could try another distro / architecture combination, to see if it's related to the hypervisor. Though this is a bit of a shot in the dark. It could be that BoringSSL uses different instructions that behaves differently when emulated with the hypervisor you have. So trying a different architecture might yield a different result. You can also see if there are other system certificate lists somewhere on the machine. Augment the |
I have tried the unnoficial dart-musl with alpine linux and it also yielded TLS error. How do I augment the I will test running the |
Here’s the result, the output has changed compared to the initial run without dart —root-certs-file=/etc/ssl/certs/ca-certificates.crt check_domain_access.dart
|
So there is the possibility this is some sort of weird certificate thing, specifically that this issue is happening because Dart comes with its own set of built-in certificates (I don't actually remember it does, but I think it does). It's also possible that this is some interaction between the VM special instructions or other thing that causes the certificate verification to fail. Basically, it could be a buggy VM. It might be wise to see if it's possible to reproduce this issue with chrome inside VM? Or if a differnet architecture for the VM has the same issue? Or if the same VM on a differnet machine has the same issue? To be fair: I suspect that running a linux VM on iOS is an edge case, and it certainly at-least plausible that such VM has bugs. |
Hmm, this is weird the original stack trace says:
Just wondering if it could be something like: utmapp/UTM#4924 Though I'm not sure how a bug in the VM would cause TLS errors. |
The above tests happened on QEMU 7.2. It seems an update to the app was released 4 days ago. I went ahead and updated it and tested changing the CPU to the older 6.2 and the latest 9.1 and neither of them fix the TLS error. I am not sure if I should keep testing the different QEMU cpu available in the app or not. |
Can reproduce this in another setting, what are the minimal reproduction instructions. Say we start from an empty VM image. For the record, it might also be worth searching for similar issues in the Dart SDK. THis isn't really a pub specific issue. |
I usually prefer manually installing the image on archlinux arm website but to do it quickly right now I downloaded a fresh arch lnux prebuilt VM from UTM gallery and then used |
Environment
dart --version
): 3.5.3 from pacman -Sy dartArch Linux ARM64
Linux 6.12.1-1-aarch64-ARCH
Problem
Running dart pub get results in a TLS error. However running openssl and curl commands with detailed output result in no TLS errors. Able to download as well using wget without error. It’s a mystery why dart pub get doesn’t work even though all other commands do.
I have provided the outputs to curl -v, openssl s_client -connect and dart pub get below. If needed I can attach output of working wget to download a package too.
curl -v https://pub.dev
openssl s_client -connect pub.dev:443
pub_log.txt
The text was updated successfully, but these errors were encountered: