From 06fe052876ddd26f25899f550dc228e2bf3d8258 Mon Sep 17 00:00:00 2001
From: Britney Fransen <brfransen@gmail.com>
Date: Sat, 2 Feb 2019 20:59:22 +0000
Subject: ca-certificates: update to 20181109

---
 abs/core/ca-certificates/PKGBUILD                  | 65 ++++++++++---------
 .../ca-certificates/ca-certificates-utils.install  | 44 -------------
 abs/core/ca-certificates/update-ca-trust           | 37 +++++++----
 abs/core/ca-certificates/update-ca-trust.8.txt     | 75 ++++++++++++++--------
 abs/core/ca-certificates/update-ca-trust.hook      | 11 ++++
 5 files changed, 120 insertions(+), 112 deletions(-)
 delete mode 100644 abs/core/ca-certificates/ca-certificates-utils.install
 create mode 100644 abs/core/ca-certificates/update-ca-trust.hook

diff --git a/abs/core/ca-certificates/PKGBUILD b/abs/core/ca-certificates/PKGBUILD
index f377a79..1a7b291 100644
--- a/abs/core/ca-certificates/PKGBUILD
+++ b/abs/core/ca-certificates/PKGBUILD
@@ -1,50 +1,55 @@
-# $Id$
 # Maintainer: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
 # Contributor: Pierre Schmitz <pierre@archlinux.de>
 
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20150402
+pkgver=20181109
 pkgrel=1
-pkgdesc='Common CA certificates'
-arch=('any')
-url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
-license=('GPL2')
-makedepends=('asciidoc' 'p11-kit')
-source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('746d2cce8ec107fa3b7aaa246d69a7e238c3d2ac5cd82c5aeed996fe9cb0a874'
-            '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929')
+pkgdesc="Common CA certificates"
+url="https://src.fedoraproject.org/rpms/ca-certificates"
+arch=(any)
+license=(GPL2)
+makedepends=(asciidoc p11-kit)
+source=(update-ca-trust update-ca-trust.8.txt update-ca-trust.hook)
+sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
+            'acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751'
+            '15eb04e757b7c61c8ee1540fd697771b8ae8e31f92cfb39c260b423101e21af8')
 
 build() {
-	asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
-	xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
+  asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
+  xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
 }
 
 package_ca-certificates-utils() {
-	pkgdesc+=" (utilities)"
-	depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
-	install=ca-certificates-utils.install
-	provides=(ca-certificates ca-certificates-java)
-	conflicts=(ca-certificates-java)
-	replaces=(ca-certificates-java)
+  pkgdesc+=" (utilities)"
+  depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
+  provides=(ca-certificates ca-certificates-java)
+  conflicts=(ca-certificates-java)
+  replaces=(ca-certificates-java)
 
-	install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
-	install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
+  install -D update-ca-trust "$pkgdir/usr/bin/update-ca-trust"
+  install -Dm644 update-ca-trust.8 "$pkgdir/usr/share/man/man8/update-ca-trust.8"
+  install -Dm644 update-ca-trust.hook "$pkgdir/usr/share/libalpm/hooks/update-ca-trust.hook"
 
-	# Trust source directories
-	install -d "${pkgdir}"/{etc,usr/share}/${pkgbase}/trust-source/{anchors,blacklist}
+  # Trust source directories
+  install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blacklist}
 
-	# Directories used by update-ca-trust (aka "trust extract-compat")
-	install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
+  # Directories used by update-ca-trust (aka "trust extract-compat")
+  install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
 
-	# Compatibility link for OpenSSL using /etc/ssl as CAdir
-	# Used in preference to the individual links in /etc/ssl/certs
-	ln -s ../${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}/etc/ssl/cert.pem"
+  # Compatibility link for OpenSSL using /etc/ssl as CAdir
+  # Used in preference to the individual links in /etc/ssl/certs
+  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
+
+  # Compatiblity link for legacy bundle
+  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
 }
 
 package_ca-certificates() {
-	pkgdesc+=" (default providers)"
-	depends=(ca-certificates-{mozilla,cacert})
+  pkgdesc+=" (default providers)"
+  depends=(ca-certificates-mozilla)
+  replaces=('ca-certificates-cacert<=20140824-4')
+  conflicts=('ca-certificates-cacert<=20140824-4')
 }
 
-# vim:set noet ts=8 sw=8 sts=0:
+# vim:set et sw=2:
diff --git a/abs/core/ca-certificates/ca-certificates-utils.install b/abs/core/ca-certificates/ca-certificates-utils.install
deleted file mode 100644
index 8120878..0000000
--- a/abs/core/ca-certificates/ca-certificates-utils.install
+++ /dev/null
@@ -1,44 +0,0 @@
-export LC_ALL=C
-
-post_install() {
-	usr/bin/update-ca-trust
-
-	# This should be a normally packaged file, but that would
-	# require user intervention at upgrade
-	ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
-		etc/ssl/certs/ca-certificates.crt
-}
-
-post_upgrade() {
-	usr/bin/update-ca-trust
-
-	if (( $(vercmp $2 20140923-7.1) < 0 )); then
-		cat <<MSG
-  The way local CA certificates are handled has changed.
-  If you have added any certificates manually:
-
-  1. Move certificates from /usr/local/share/ca-certificates/
-     to /etc/ca-certificates/trust-source/anchors/
-  2. Do the same with root certificates added to /etc/ssl/certs/
-  3. Instead of \`update-ca-certificates\`, run \`trust extract-compat\`
-
-  Also see \`man 8 update-ca-trust\` and \`trust --help\`.
-MSG
-	fi
-
-	if (( $(vercmp $2 20150402) < 0 )); then
-		ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
-			etc/ssl/certs/ca-certificates.crt
-
-		# Moved to etc/ca-certificates/extracted
-		rm -f etc/ssl/certs/ca-bundle.trust.crt
-	fi
-}
-
-pre_remove() {
-	usr/bin/update-ca-trust
-
-	rm -f etc/ssl/certs/{ca-certificates.crt,java/cacerts}
-}
-
-# vim:set noet ts=8 sw=8 sts=0:
diff --git a/abs/core/ca-certificates/update-ca-trust b/abs/core/ca-certificates/update-ca-trust
index 9a97e34..53441b3 100644
--- a/abs/core/ca-certificates/update-ca-trust
+++ b/abs/core/ca-certificates/update-ca-trust
@@ -1,27 +1,42 @@
 #!/bin/bash
 
 # At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
-# support the syntax "update-ca-trust extract" trigger the generation of output 
+# However, for backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
 # files in $DEST.
 
 DEST=/etc/ca-certificates/extracted
 
+# Prevent p11-kit from reading user configuration files.
+export P11_KIT_NO_USER_CONFIG=1
+
+extract() {
+  trust extract --overwrite "$@"
+}
+
+## Simple PEM bundles
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth  $DEST/tls-ca-bundle.pem
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email        $DEST/email-ca-bundle.pem
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem
+
+## OpenSSL PEM bundle that includes trust flags
+extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
+
+## TianoCore EDK II bundle
+extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin
+
+## Java bundle
+extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts
+
+## OpenSSL-style directory with individual PEM files and hash links
 # The directory-format extractors remove all files in the target directory, but not directories or files therein
-trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth  $DEST/cadir
-trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose server-auth  $DEST/tls-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose email        $DEST/email-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
-trust extract --overwrite --format=openssl-bundle     --filter=certificates                      $DEST/ca-bundle.trust.crt
+extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir
 
 # We don't want to have to remove everything from the certs directory but neither
-# do we want to leave stale certs around, so symlink it all from somewhere else
+# do we want to leave stale certs around, so only place symlinks in the real cadir
 for f in $DEST/cadir/*; do
   ln -fsr -t /etc/ssl/certs "$f"
 done
 
 # Now find and remove all broken symlinks
 find -L /etc/ssl/certs -maxdepth 1 -type l -delete
-
-# Java bundle
-trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts
diff --git a/abs/core/ca-certificates/update-ca-trust.8.txt b/abs/core/ca-certificates/update-ca-trust.8.txt
index 67e2ba3..ba9c830 100644
--- a/abs/core/ca-certificates/update-ca-trust.8.txt
+++ b/abs/core/ca-certificates/update-ca-trust.8.txt
@@ -74,11 +74,11 @@ will be scanned for any number of source files. *It is important to select
 the correct subdirectory for adding files, as the subdirectory defines how 
 contained certificates will be trusted or distrusted, and which file formats are read.*
 
-Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and 
+Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and 
 trust settings in the PEM file format. The trust settings found here will be
 interpreted with a *low priority*.
 
-Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and 
+Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and 
 trust settings in the PEM file format. The trust settings found here will be
 interpreted with a *high priority*.
 
@@ -144,7 +144,7 @@ BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
 
 Applications that rely on a static file for a list of trusted CAs
 may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
-directory. After modifying any file in the
+directories. After modifying any file in the
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories or in any of their subdirectories, or after adding a file, 
 it is necessary to run the 'update-ca-trust extract' command,
@@ -161,7 +161,7 @@ the dynamically merged set of certificates and trust information stored in the
 [[extractconf]]
 EXTRACTED CONFIGURATION
 -----------------------
-The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate 
+The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate 
 bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> 
 by running the 'update-ca-trust extract' command.
 
@@ -189,8 +189,13 @@ and distrusted certificates are missing from these files.
 File cacerts contains CA certificates trusted for TLS server authentication.
 
 The directory /etc/ca-certificates/extracted contains 
+a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
+as described in the x509(1) manual page.
+File ca-bundle.trust.crt contains the full set of all trusted
+or distrusted certificates, including the associated trust flags.
+It also contains
 CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
-as decribed in the x509(1) manual page.
+as described in the x509(1) manual page.
 Distrust information cannot be represented in this file format,
 and distrusted certificates are missing from these files.
 File tls-ca-bundle.pem contains CA certificates 
@@ -199,10 +204,14 @@ File email-ca-bundle.pem contains CA certificates
 trusted for E-Mail protection.
 File objsign-ca-bundle.pem contains CA certificates 
 trusted for code signing.
-File ca-bundle.trust.crt contains certificates in the extended
-BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page.
-This bundle contains the full set of all trusted
-and distrusted certificates, including the associated trust flags.
+It also contains a CA
+certificate bundle ("edk2-cacerts.bin") in the "sequence of
+EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
+sections "31.4.1 Signature Database" and
+"EFI_CERT_X509_GUID". Distrust information cannot be represented in
+this file format, and distrusted certificates are missing from these
+files. File "edk2-cacerts.bin" contains CA certificates trusted for TLS
+server authentication.
 
 
 COMMANDS
@@ -215,11 +224,27 @@ COMMANDS
 *extract*::
     Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
     updated versions of the consolidated configuration files stored below
-    the /etc/ssl/certs and /etc/ca-certificates/extracted directory 
-    hierarchies.
+    the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies.
 
 FILES
 -----
+/etc/ssl/certs::
+	Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	Also includes the necessary hash symlinks expected by OpenSSL.
+	These files are symbolic links that are maintained by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/cert.pem::
+	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/java/cacerts::
+	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
+
 /usr/share/ca-certificates/trust-source::
 	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
 
@@ -232,32 +257,28 @@ FILES
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
 /etc/ca-certificates/extracted/tls-ca-bundle.pem::
-	Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
 
 /etc/ca-certificates/extracted/email-ca-bundle.pem::
-	Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	File contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
 
 /etc/ca-certificates/extracted/objsign-ca-bundle.pem::
-	Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
 
 /etc/ca-certificates/extracted/ca-bundle.trust.crt::
-	Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+	File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+	This file is consolidated output created by the update-ca-trust command.
 
 /etc/ca-certificates/extracted/cadir::
 	Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-        Also includes the necessary hash symlinks expected by OpenSSL.
-
-/etc/ssl/certs::
-	Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command.
+	Also includes the necessary hash symlinks expected by OpenSSL.
+	These files are maintained by the update-ca-trust command.
 
-/etc/ssl/certs/ca-certificates.crt::
-	Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
-
-/etc/ssl/cert.pem::
-	Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
-
-/etc/ssl/java/cacerts::
-	Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+/etc/ca-certificates/extracted/edk2-cacerts.bin::
+	File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.
 
 AUTHOR
diff --git a/abs/core/ca-certificates/update-ca-trust.hook b/abs/core/ca-certificates/update-ca-trust.hook
new file mode 100644
index 0000000..ace8ea8
--- /dev/null
+++ b/abs/core/ca-certificates/update-ca-trust.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = usr/share/ca-certificates/trust-source/*
+
+[Action]
+Description = Rebuilding certificate stores...
+When = PostTransaction
+Exec = /usr/bin/update-ca-trust
-- 
cgit v0.12