upg ca-certificates

This commit is contained in:
joborun linux 2022-09-06 10:55:40 +03:00
parent 8a8cabe695
commit 667d91e6f8
11 changed files with 171 additions and 26 deletions

View file

@ -1,22 +1,23 @@
#!/usr/bin/bash
# JOBoRun : Jwm OpenBox Obarun RUNit
# Maintainer : Joe Bo Run <joborun@disroot.org>
# Maintainer : Joe Bo Run <joborun@disroot.org>
# PkgSource : url="https://gittea.disroot.org/joborun-pkg/jobcore/$pkgname"
# Website : https://pozol.eu
#-----------------------------------------| DESCRIPTION |---------------------------------------
pkgbase=ca-certificates
pkgname=(ca-certificates-utils ca-certificates)
pkgver=20210603
pkgver=20220905
pkgrel=01
pkgdesc="Common CA certificates"
url="https://src.fedoraproject.org/rpms/ca-certificates"
arch=(any)
makedepends=(asciidoc p11-kit)
source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook)
source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
README.{etc,etcssl,extr,java,src,usr})
build() {
asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
a2x -v -f manpage update-ca-trust.8.txt
}
package_ca-certificates-utils() {
@ -32,18 +33,26 @@ package_ca-certificates-utils() {
install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
# Trust source directories
# Upstream also adds "blocklist" but that's useless without support in p11-kit
install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
# Directories used by update-ca-trust (aka "trust extract-compat")
install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
# Compatibility link for OpenSSL using /etc/ssl as CAdir
# Used in preference to the individual links in /etc/ssl/certs
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
# Compatiblity link for legacy bundle
# Compatibility link for legacy bundle (Debian)
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
# Compatibility link for legacy bundle (RHEL/Fedora)
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
}
package_ca-certificates() {
@ -55,8 +64,15 @@ package_ca-certificates() {
#---- license gpg-key sha256sums ----
license=(GPL2)
license=(GPL)
sha256sums=(ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3 # update-ca-trust
acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751 # update-ca-trust.8.txt
3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748) # 40-update-ca-trust.hook
7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763 # update-ca-trust.8.txt
3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748 # 40-update-ca-trust.hook
e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a # README.etc
c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10 # README.etcssl
badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78 # README.extr
5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d # README.java
eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f # README.src
3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc) # README.usr

View file

@ -3,21 +3,27 @@
pkgbase=ca-certificates
pkgname=(ca-certificates-utils ca-certificates)
pkgver=20210603
pkgver=20220905
pkgrel=1
pkgdesc="Common CA certificates"
url="https://src.fedoraproject.org/rpms/ca-certificates"
arch=(any)
license=(GPL2)
license=(GPL)
makedepends=(asciidoc p11-kit)
source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook)
source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
README.{etc,etcssl,extr,java,src,usr})
sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
'acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751'
'3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748')
'7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
'3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
'5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
'3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
build() {
asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
a2x -v -f manpage update-ca-trust.8.txt
}
package_ca-certificates-utils() {
@ -33,18 +39,25 @@ package_ca-certificates-utils() {
install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
# Trust source directories
# Upstream also adds "blocklist" but that's useless without support in p11-kit
install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
# Directories used by update-ca-trust (aka "trust extract-compat")
install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
# Compatibility link for OpenSSL using /etc/ssl as CAdir
# Used in preference to the individual links in /etc/ssl/certs
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
# Compatiblity link for legacy bundle
# Compatibility link for legacy bundle (Debian)
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
# Compatibility link for legacy bundle (RHEL/Fedora)
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
}
package_ca-certificates() {
@ -54,4 +67,4 @@ package_ca-certificates() {
replaces=("${conflicts[@]}")
}
# vim:set et sw=2:
# vim:set sw=2 sts=-1 et:

View file

@ -0,0 +1,4 @@
This directory /etc/ca-certificates/ is used by a system of consolidated
CA certificates.
Please refer to the update-ca-trust(8) manual page for additional information.

View file

@ -0,0 +1,21 @@
This directory (/etc/ssl) is provided as a courtesy attempt to provide
compatibility with software which assumes its existence. It is not a
supported or canonical location. Software which assumes and relies on
the existence and layout of this directory is making a wrong assumption
(this directory is not any kind of 'standard', it is a configuration
detail of Debian and its derivatives) and should be improved. No
software packaged in this distribution should use this directory.
An attempt is made to make the layout of /etc/ssl/certs match that
provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
of individual certificate files, and also contains a certificate bundle
file named ca-certificates.crt, as Debian does. It also contains a
bundle named ca-bundle.crt, as RHEL and Fedora have long provided
such a file, and it is possible some software has come to expect its
existence. Similarly, a bundle named cert.pem is placed in /etc/ssl, as
this was the historical bundle used by Arch Linux.
The certificates files and the bundle files are in fact symlinks to
some of the output of the 'update-ca-trust' script which forms a part
of a system of consolidated CA certificates. Please refer to the
update-ca-trust(8) manual page for additional information.

View file

@ -0,0 +1,33 @@
This directory /etc/ca-certificates/extracted/ contains CA certificate bundle
files which are automatically created based on the information found in the
/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
directories.
The files are as follows:
- ca-bundle.trust.crt:
This file is in the BEGIN/END TRUSTED CERTIFICATE file format,
as described in the x509(1) manual page.
- edk2-cacerts.bin:
This file is in the EDK2 (EFI Development Kit II) file format.
- email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
All files are in the BEGIN/END CERTIFICATE file format,
as described in the x509(1) manual page.
Distrust information cannot be represented in this file format,
and distrusted certificates are missing from these files.
If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
then you can use these files in your application to load a list of global
root CA certificates.
Please never manually edit the files stored in this directory,
because your changes will be lost and the files automatically overwritten,
each time the update-ca-trust command gets executed.
Please refer to the update-ca-trust(8) manual page for additional information.

View file

@ -0,0 +1,16 @@
This directory /etc/ssl/certs/java/ contains CA certificate bundle
files which are automatically created based on the information found in the
/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
directories.
All files are in the java keystore file format.
If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
then you can use these files in your application to load a list of global
root CA certificates.
Please never manually edit the files stored in this directory,
because your changes will be lost and the files automatically overwritten,
each time the update-ca-trust command gets executed.
Please refer to the update-ca-trust(8) manual page for additional information.

View file

@ -0,0 +1,20 @@
This directory /etc/ca-certificates/trust-source/ contains CA certificates
and trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in
/usr/share/ca-certificates/trust-source/ .
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Copy it to the
/etc/ca-certificates/trust-source/anchors/
subdirectory, and run the
update-ca-trust
command.
If your certificate is in the extended BEGIN TRUSTED file format,
then place it into the main trust-source/ directory instead.
=============================================================================
Please refer to the update-ca-trust(8) manual page for additional information.

View file

@ -0,0 +1,20 @@
This directory /usr/share/ca-certificates/trust-source/ contains CA certificates
and trust settings in the PEM file format. The trust settings found here will be
interpreted with a low priority - lower than the ones found in
/etc/ca-certificates/trust-source/ .
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Copy it to the
/usr/share/ca-certificates/trust-source/anchors/
subdirectory, and run the
update-ca-trust
command.
If your certificate is in the extended BEGIN TRUSTED file format,
then place it into the main trust-source/ directory instead.
=============================================================================
Please refer to the update-ca-trust(8) manual page for additional information.

View file

@ -20,4 +20,4 @@ MSG
fi
}
# vim:set ts=2 sw=2 et:
# vim:set sw=2 sts=-1 et:

View file

@ -1 +1,3 @@
asciidoc

View file

@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
* run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/ca-certificates/trust-source/
* run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
* simple blocklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
In the blocklist subdirectories /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.