From 06fe052876ddd26f25899f550dc228e2bf3d8258 Mon Sep 17 00:00:00 2001
From: Britney Fransen
Date: Sat, 2 Feb 2019 20:59:22 +0000
Subject: ca-certificates: update to 20181109

---
 abs/core/ca-certificates/PKGBUILD | 65 ++++++++++---------
 .../ca-certificates/ca-certificates-utils.install | 44 -------------
 abs/core/ca-certificates/update-ca-trust | 37 +++++++----
 abs/core/ca-certificates/update-ca-trust.8.txt | 75 ++++++++++++++--------
 abs/core/ca-certificates/update-ca-trust.hook | 11 ++++
 5 files changed, 120 insertions(+), 112 deletions(-)
 delete mode 100644 abs/core/ca-certificates/ca-certificates-utils.install
 create mode 100644 abs/core/ca-certificates/update-ca-trust.hook

diff --git a/abs/core/ca-certificates/PKGBUILD b/abs/core/ca-certificates/PKGBUILD
index f377a79..1a7b291 100644
--- a/abs/core/ca-certificates/PKGBUILD
+++ b/abs/core/ca-certificates/PKGBUILD
@@ -1,50 +1,55 @@
-# $Id$
 # Maintainer: Jan Alexander Steffens (heftig)
 # Contributor: Pierre Schmitz
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20150402
+pkgver=20181109
 pkgrel=1
-pkgdesc='Common CA certificates'
-arch=('any')
-url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
-license=('GPL2')
-makedepends=('asciidoc' 'p11-kit')
-source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('746d2cce8ec107fa3b7aaa246d69a7e238c3d2ac5cd82c5aeed996fe9cb0a874'
- '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929')
+pkgdesc="Common CA certificates"
+url="https://src.fedoraproject.org/rpms/ca-certificates"
+arch=(any)
+license=(GPL2)
+makedepends=(asciidoc p11-kit)
+source=(update-ca-trust update-ca-trust.8.txt update-ca-trust.hook)
+sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
+ 'acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751'
+ '15eb04e757b7c61c8ee1540fd697771b8ae8e31f92cfb39c260b423101e21af8')
 build() {
- asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
- xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
+ asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
+ xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
 }
 package_ca-certificates-utils() {
- pkgdesc+=" (utilities)"
- depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
- install=ca-certificates-utils.install
- provides=(ca-certificates ca-certificates-java)
- conflicts=(ca-certificates-java)
- replaces=(ca-certificates-java)
+ pkgdesc+=" (utilities)"
+ depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
+ provides=(ca-certificates ca-certificates-java)
+ conflicts=(ca-certificates-java)
+ replaces=(ca-certificates-java)
- install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
- install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
+ install -D update-ca-trust "$pkgdir/usr/bin/update-ca-trust"
+ install -Dm644 update-ca-trust.8 "$pkgdir/usr/share/man/man8/update-ca-trust.8"
+ install -Dm644 update-ca-trust.hook "$pkgdir/usr/share/libalpm/hooks/update-ca-trust.hook"
- # Trust source directories
- install -d "${pkgdir}"/{etc,usr/share}/${pkgbase}/trust-source/{anchors,blacklist}
+ # Trust source directories
+ install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blacklist}
- # Directories used by update-ca-trust (aka "trust extract-compat")
- install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
+ # Directories used by update-ca-trust (aka "trust extract-compat")
+ install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
- # Compatibility link for OpenSSL using /etc/ssl as CAdir
- # Used in preference to the individual links in /etc/ssl/certs
- ln -s ../${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}/etc/ssl/cert.pem"
+ # Compatibility link for OpenSSL using /etc/ssl as CAdir
+ # Used in preference to the individual links in /etc/ssl/certs
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
+
+ # Compatiblity link for legacy bundle
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
 }
 package_ca-certificates() {
- pkgdesc+=" (default providers)"
- depends=(ca-certificates-{mozilla,cacert})
+ pkgdesc+=" (default providers)"
+ depends=(ca-certificates-mozilla)
+ replaces=('ca-certificates-cacert<=20140824-4')
+ conflicts=('ca-certificates-cacert<=20140824-4')
 }
-# vim:set noet ts=8 sw=8 sts=0:
+# vim:set et sw=2:
diff --git a/abs/core/ca-certificates/ca-certificates-utils.install b/abs/core/ca-certificates/ca-certificates-utils.install
deleted file mode 100644
index 8120878..0000000
--- a/abs/core/ca-certificates/ca-certificates-utils.install
+++ /dev/null
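Review bot: Shipping `/etc/ssl/certs/ca-certificates.crt` inside the package (the second `ln -sr` in `package_ca-certificates-utils()`) collides with the unowned link that the removed `.install` created with `ln -srf` in `post_install`, so on every system upgraded from an earlier release pacman will most likely reject the 20181109 upgrade with a file-conflict error; as far as I can tell that check runs before `pre_upgrade`, so no scriptlet can clear the stale link first, which is exactly the "would require user intervention at upgrade" caveat the deleted file carried. Since that link is the CA bundle OpenSSL-based clients resolve, the commit description should state the upgrade path explicitly (download the packages first, then remove the unowned link, then upgrade) rather than leaving users to discover it from a failed transaction, or the link should stay out of the package. The comment above it also has a typo: `# Compatibility link for legacy bundle`.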
@@ -1,44 +0,0 @@ -export LC_ALL=C - -post_install() { - usr/bin/update-ca-trust - - # This should be a normally packaged file, but that would - # require user intervention at upgrade - ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \ - etc/ssl/certs/ca-certificates.crt -} - -post_upgrade() { - usr/bin/update-ca-trust - - if (( $(vercmp $2 20140923-7.1) < 0 )); then - cat <> by running the 'update-ca-trust extract' command. @@ -189,8 +189,13 @@ and distrusted certificates are missing from these files. File cacerts contains CA certificates trusted for TLS server authentication. The directory /etc/ca-certificates/extracted contains +a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, +as described in the x509(1) manual page. +File ca-bundle.trust.crt contains the full set of all trusted +or distrusted certificates, including the associated trust flags. +It also contains CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, -as decribed in the x509(1) manual page. +as described in the x509(1) manual page. Distrust information cannot be represented in this file format, and distrusted certificates are missing from these files. File tls-ca-bundle.pem contains CA certificates 
@@ -199,10 +204,14 @@ File email-ca-bundle.pem contains CA certificates trusted for E-Mail protection. File objsign-ca-bundle.pem contains CA certificates trusted for code signing. -File ca-bundle.trust.crt contains certificates in the extended -BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page. -This bundle contains the full set of all trusted -and distrusted certificates, including the associated trust flags. +It also contains a CA +certificate bundle ("edk2-cacerts.bin") in the "sequence of +EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification, +sections "31.4.1 Signature Database" and +"EFI_CERT_X509_GUID". Distrust information cannot be represented in +this file format, and distrusted certificates are missing from these +files. File "edk2-cacerts.bin" contains CA certificates trusted for TLS +server authentication. COMMANDS 
@@ -215,11 +224,27 @@ COMMANDS *extract*:: Instruct update-ca-trust to scan the <> and produce updated versions of the consolidated configuration files stored below - the /etc/ssl/certs and /etc/ca-certificates/extracted directory - hierarchies. + the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies. FILES ----- +/etc/ssl/certs:: + Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + Also includes the necessary hash symlinks expected by OpenSSL. + These files are symbolic links that are maintained by the update-ca-trust command. + +/etc/ssl/certs/ca-certificates.crt:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/cert.pem:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/java/cacerts:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. + /usr/share/ca-certificates/trust-source:: Contains multiple, low priority source configuration files as explained in section <>. Please pay attention to the specific meanings of the respective subdirectories. 
@@ -232,32 +257,28 @@ FILES
 See section <> for additional details.
 /etc/ca-certificates/extracted/tls-ca-bundle.pem::
- Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
 /etc/ca-certificates/extracted/email-ca-bundle.pem::
- Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ File contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
 /etc/ca-certificates/extracted/objsign-ca-bundle.pem::
- Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
 /etc/ca-certificates/extracted/ca-bundle.trust.crt::
- Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+ File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+ This file is consolidated output created by the update-ca-trust command.
/etc/ca-certificates/extracted/cadir::
 Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
- Also includes the necessary hash symlinks expected by OpenSSL.
-
-/etc/ssl/certs::
- Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command.
+ Also includes the necessary hash symlinks expected by OpenSSL.
+ These files are maintained by the update-ca-trust command.
-/etc/ssl/certs/ca-certificates.crt::
- Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
-
-/etc/ssl/cert.pem::
- Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
-
-/etc/ssl/java/cacerts::
- Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+/etc/ca-certificates/extracted/edk2-cacerts.bin::
+ File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
 This file is consolidated output created by the update-ca-trust command.
 AUTHOR
diff --git a/abs/core/ca-certificates/update-ca-trust.hook b/abs/core/ca-certificates/update-ca-trust.hook
new file mode 100644
index 0000000..ace8ea8
--- /dev/null
+++ b/abs/core/ca-certificates/update-ca-trust.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = usr/share/ca-certificates/trust-source/*
+
+[Action]
+Description = Rebuilding certificate stores...
+When = PostTransaction
+Exec = /usr/bin/update-ca-trust
--
cgit v0.12
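Review bot: The `[Trigger]` matches only `usr/share/ca-certificates/trust-source/*`, so `update-ca-trust` no longer runs when the extraction tooling itself changes: an upgrade of ca-certificates-utils (this release adds the `edk2` output directory under `/etc/ssl/certs` in the PKGBUILD hunk) or, presumably, of p11-kit, whose `trust extract-compat` the PKGBUILD comment names as the real extractor, leaves `/etc/ca-certificates/extracted` and the `/etc/ssl/certs` links untouched until some trust-source file next changes, whereas the removed `.install` ran `usr/bin/update-ca-trust` unconditionally from `post_install` and `post_upgrade`. Adding `Target = usr/bin/update-ca-trust` to the trigger restores the rebuild on the package's own install and upgrade; with `Operation = Remove` in the same trigger the `Exec` would then fire after the binary is gone, so the Remove case would need its own hook or that target left out of it. Whether a p11-kit upgrade should also trigger a rebuild is worth deciding explicitly, since the extracted formats depend on it. The hook file is complete within the hunk.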