Update README

README.md

@@ -4,13 +4,33 @@ This repository contains a small setup to automate the delivery of our root cert
 
 ### Files
 * `kto.crt` is our current only root certificate
+* `advancedsettings.xml` is a Kodi user configuration file
 #### Installation
-* `install.sh` copies the certificates to the right location and then reloads the system's certificates
+* `install.sh` copies the certificates to the right location and then reloads the system's certificates (Linux only)
 
 ### Firefox
-* On Mint, had to use the following so that Firefox uses system CAs:
-```
-sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
-sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
-```
-* Stil unclear: Will this be overwritten at Firefox update?
+On Debian-based distros, the following is required so that Firefox uses system CAs:
+* go to Firefox Settings -> Privacy & Security -> Security -> Security Devices
+* then click "Load" to add a new device pointing to `/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`
+
+### Manually import in Kodi
+In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy `advancedsettings.xml` and
+`kto.crt` (renamed to `cacert.pem`) to `$HOME_OF_KODI_USER/.kodi/userdata/`.
+
+This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in
+`cacert.pem` KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).
+
+#### Android (TV)
+1. find Kodi app user data directory (usually `/sdcard/Android/data/org.xbmc.kodi`)
+2. copy `advancedsettings.xml` and `kto.crt` (renamed to `cacert.pem`) to `$KODI/files/.kodi/userdata/`
+
+### Import in Windows
+1. Download the CA
+2. Double-click on it
+3. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard
+4. On the Welcome page, click Next
+5. On the Certificate Store page, select Place all certificates in the following store and click Browse
+6. In the Select Certificate Store dialog box, select Show Physical Stores
+7. Double-click Trusted Root Certification Authorities, select Local Computer, and then click OK
+8. On the Certificate Store page, click Next
+9. On the summary page, review the details and click Finish

advancedsettings.xml

@@ -0,0 +1,5 @@
+<advancedsettings version="1.0">
+  <network>
+    <catrustfile>special://masterprofile/cacert.pem</catrustfile>
+  </network>
+</advancedsettings>

install.sh

@@ -14,18 +14,24 @@ else
   sudo=""
 fi
 
-if command -v update-ca-trust > /dev/null; then
-  $sudo cp $run_directory/*.crt /etc/ca-certificates/trust-source/anchors/
-  $sudo update-ca-trust
-elif command -v update-ca-certificates > /dev/null; then
-  $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
-  $sudo update-ca-certificates
-elif [ -f /usr/sbin/update-ca-certificates ]; then # Debian...
-  $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
-  $sudo update-ca-certificates
-else
-  echo "No update-ca binary found. Exiting with error!"
-  exit 1
+if [ $(echo $(lsb_release) | cut -d ' ' -f 1) = "LibreELEC" ]; then
+  cp /usr/share/kodi/system/certs/cacert.pem /storage/.kodi/userdata/cacert.pem
+  cat $run_directory/kto.crt >> /storage/.kodi/userdata/cacert.pem
+  cp $run_directory/advancedsettings.xml /storage/.kodi/userdata/
+else # More classic Linux expected
+  if command -v update-ca-trust > /dev/null; then
+    $sudo cp $run_directory/*.crt /etc/ca-certificates/trust-source/anchors/
+    $sudo update-ca-trust
+  elif command -v update-ca-certificates > /dev/null; then
+    $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
+    $sudo update-ca-certificates
+  elif [ -f /usr/sbin/update-ca-certificates ]; then # Debian...
+    $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
+    $sudo update-ca-certificates
+  else
+    echo "No update-ca binary found. Exiting with error!"
+    exit 1
+  fi
 fi
 
 echo "Finished install. Exiting..."