Pacman does not work properly with our corporate certificate #4523

Open
JaFojtik opened this issue Apr 11, 2024 · 3 comments

Comments

JaFojtik commented Apr 11, 2024

I have followed all recommendations for using corporate certificates. Unfortunately I cannot make pacman work properly.

I have asked our IT department and they gave me this certificate: zsc.zip. It also does not work.
PEMs from Firefox: PEM.zip

One guy from our IT told me that pacman needs the corporate certificate to be root-signed. This corporate certificate is only self-signed; it comes from the external company Zscaler and we cannot do anything with it.

$ pacman -Fy widl.exe
error: mingw32: missing required signature
error: mingw64: missing required signature
error: ucrt64: missing required signature
error: clang32: missing required signature
error: clang64: missing required signature
error: msys: missing required signature
:: Synchronizing package databases...
error: failed to synchronize all databases (unable to lock database)

error: database 'clangarm64' is not valid (invalid or corrupted database (PGP signature))
error: database 'mingw32' is not valid (invalid or corrupted database (PGP signature))
error: database 'mingw64' is not valid (invalid or corrupted database (PGP signature))
error: database 'ucrt64' is not valid (invalid or corrupted database (PGP signature))
error: database 'clang32' is not valid (invalid or corrupted database (PGP signature))
error: database 'clang64' is not valid (invalid or corrupted database (PGP signature))
error: database 'msys' is not valid (invalid or corrupted database (PGP signature))

Is it possible to completely turn off SSL verification?

Biswa96 (Member) commented Apr 11, 2024

Does the workaround mentioned here work?

JaFojtik (Author) commented Apr 11, 2024

No. Our guy from IT told me that the problem is probably that pacman rejects the corporate self-signed certificate. There is no line about corporate self-signed and root-signed necessity. I get no debug info that a certificate is not accepted.

I have tried both the certificates extracted from Firefox and the certificate from our IT.

Lubixxx commented Apr 15, 2024

Hello,

I do not understand the problem. As far as I know, a ROOT certificate is always self-signed.
Is this problem solvable with SSL inspection in the way?

Thank you.

Here is part of the error messages:

$ pacman -Sy
:: Synchronizing package databases...
clangarm64.db failed to download
mingw32.db failed to download
mingw64.db failed to download
ucrt64.db failed to download
clang32.db failed to download
error: failed retrieving file 'mingw32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from mirror.msys2.org, skipping for the remainder of this transaction
error: failed retrieving file 'clangarm64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'ucrt64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from repo.msys2.org, skipping for the remainder of this transaction

And here is the certificate chain listed by openssl s_client:

$ openssl s_client -proxy=127.0.0.1:9001 -connect repo.msys2.org:443 -showcerts
Connecting to 127.0.0.1
CONNECTED(00000004)
depth=3 C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
verify return:1
depth=2 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
verify return:1
depth=1 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
verify return:1
depth=0 CN=repo.msys2.org
verify return:1

Certificate chain
0 s:CN=repo.msys2.org
i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 5 05:33:19 2020 GMT; NotAfter: Jun 23 05:33:19 2041 GMT

Server certificate
subject=CN=repo.msys2.org
issuer=C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits

SSL handshake has read 3740 bytes and written 412 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: CFEE67F2BEB534A5B21FD8AC39CBFB2F7C68C592022F10E29E293489A599DDF3
Session-ID-ctx:
Master-Key: 0E0C57C351E64C24DDA5471555890FFB5AFB3A870139E140AD663879D7F09278BF534C2FA1B0D930F0CE70C47E0B0C47
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1713184041
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

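The chain in the transcript above answers the thread's question: the anchor that verified is Zscaler's own root, which pacman's trust store does not know, so the "self-signed certificate in certificate chain" error is the client correctly refusing an inspecting proxy it has not been told to trust. As an added example, not code from the issue or from the MSYS2 project, this POSIX shell snippet reads the depth= lines and the PEM blocks that `openssl s_client -showcerts` prints, names the anchor CN so interception is identified rather than guessed at, and pulls out the last PEM block, which is that root; the DIRECT chain and the PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue: find the CN of the deepest cert in
# the "depth=" lines that `openssl s_client` prints, so an inspecting proxy
# root (Zscaler's, above) is identified rather than guessed at, and extract
# the last PEM block of -showcerts output, which is that root.
# Constructed sample: the depth lines from the transcript in this thread
# ("verify return" lines may be interleaved; they are ignored).
INTERCEPTED='depth=3 C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
depth=2 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=support@zscaler.com
depth=1 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
depth=0 CN=repo.msys2.org'

# Constructed sample of a direct connection (invented CA names).
DIRECT='depth=2 C=US, O=Example Public Trust, CN=Example Public Root CA
depth=1 C=US, O=Example Public Trust, CN=Example Public Issuing CA
depth=0 CN=repo.msys2.org'

# Constructed stand-in for -showcerts output; the bodies are not real.
SHOWCERTS='-----BEGIN CERTIFICATE-----
LEAFBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTBODY
-----END CERTIFICATE-----'

# chain_root_cn: CN of the deepest certificate, the anchor that verified.
chain_root_cn() {
    printf '%s\n' "$1" |
    awk '/^depth=/ { d = substr($1, 7) + 0; if (d >= m) { m = d; l = $0 } }
         END { print l }' |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chain_verdict: "direct" if the anchor CN matches an expected extended
# regex, otherwise "intercepted:<anchor CN>" for the operator to review.
chain_verdict() {
    root=$(chain_root_cn "$1")
    if printf '%s\n' "$root" | grep -Eq "$2"; then
        printf 'direct\n'
    else
        printf 'intercepted:%s\n' "$root"
    fi
}

# last_pem_block: final PEM block; openssl lists the leaf first, root last.
last_pem_block() {
    printf '%s\n' "$1" |
    awk '/-----BEGIN CERTIFICATE-----/ { b = "" } { b = b $0 "\n" }
         /-----END CERTIFICATE-----/ { last = b } END { printf "%s", last }'
}
```

When the verdict is intercepted, the extracted root is what belongs in the client's trust store rather than disabling verification; on MSYS2 that store is assumed here to be /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust, which should be checked against the local install.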