diff --git a/ca-certificates/PKGBUILD b/ca-certificates/PKGBUILD
index febfe78..e6238c5 100644
--- a/ca-certificates/PKGBUILD
+++ b/ca-certificates/PKGBUILD
@@ -1,22 +1,23 @@
 #!/usr/bin/bash
 # JOBoRun : Jwm OpenBox Obarun RUNit
-# Maintainer : Joe Bo Run
+# Maintainer : Joe Bo Run
 # PkgSource : url="https://gittea.disroot.org/joborun-pkg/jobcore/$pkgname"
+# Website : https://pozol.eu
 #-----------------------------------------| DESCRIPTION |---------------------------------------
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20210603
+pkgver=20220905
 pkgrel=01
 pkgdesc="Common CA certificates"
 url="https://src.fedoraproject.org/rpms/ca-certificates"
 arch=(any)
 makedepends=(asciidoc p11-kit)
-source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook)
+source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
+ README.{etc,etcssl,extr,java,src,usr})
 build() {
- asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
- xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
+ a2x -v -f manpage update-ca-trust.8.txt
 }
 package_ca-certificates-utils() {
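Review bot: The new `a2x -v -f manpage update-ca-trust.8.txt` line in build() drops the explicit `--nonet` that the removed xsltproc call carried, so whether the man page build can reach the network for stylesheets or DTDs now depends on a2x's defaults. For a package that ships the system trust store I would keep the build offline explicitly, e.g. `a2x -v -f manpage --xsltproc-opts=--nonet update-ca-trust.8.txt`, or confirm that a2x already passes it. a2x also runs xmllint by default unless `--no-xmllint` is given, so it is worth checking that makedepends covers the DocBook tooling it needs. The same line appears in the PKGBUILD-arch hunk.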
@@ -32,18 +33,26 @@ package_ca-certificates-utils() {
 install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
 # Trust source directories
- # Upstream also adds "blocklist" but that's useless without support in p11-kit
+ install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
+ install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
+ install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
 install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
+
 # Directories used by update-ca-trust (aka "trust extract-compat")
- install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
+ install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
+ install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
+ install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
 # Compatibility link for OpenSSL using /etc/ssl as CAdir
 # Used in preference to the individual links in /etc/ssl/certs
 ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
- # Compatiblity link for legacy bundle
+ # Compatibility link for legacy bundle (Debian)
 ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
+
+ # Compatibility link for legacy bundle (RHEL/Fedora)
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
 }
 package_ca-certificates() {
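Review bot: `/etc/ssl/certs/edk2` is no longer created by this hunk: the removed `install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}` made three directories, while the new `install -Dm644 README.*` lines only bring `java` and `extracted` into existence as a side effect of installing a README. The update-ca-trust checksum is unchanged in this commit, so if that script (or the `trust extract-compat` step it wraps) still writes under `/etc/ssl/certs/edk2`, extraction could fail on a fresh install; README.extr suggests the EDK2 bundle now lives in `extracted/edk2-cacerts.bin`, which is worth confirming. I would also keep an explicit `install -d "$pkgdir"/etc/{ssl/certs/java,$pkgbase/extracted}` under the existing comment rather than relying on `-D`, so the directories survive if a README is later dropped. The PKGBUILD-arch hunk carries the same change, and the function body starts outside the hunk.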
@@ -55,8 +64,15 @@ package_ca-certificates() {
 #---- license gpg-key sha256sums ----
-license=(GPL2)
+license=(GPL)
 sha256sums=(ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3 # update-ca-trust
- acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751 # update-ca-trust.8.txt
- 3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748) # 40-update-ca-trust.hook
+ 7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763 # update-ca-trust.8.txt
+ 3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748 # 40-update-ca-trust.hook
+ e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a # README.etc
+ c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10 # README.etcssl
+ badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78 # README.extr
+ 5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d # README.java
+ eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f # README.src
+ 3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc) # README.usr
+
diff --git a/ca-certificates/PKGBUILD-arch b/ca-certificates/PKGBUILD-arch
index e2a4327..bc7186d 100644
--- a/ca-certificates/PKGBUILD-arch
+++ b/ca-certificates/PKGBUILD-arch
@@ -3,21 +3,27 @@
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20210603
+pkgver=20220905
 pkgrel=1
 pkgdesc="Common CA certificates"
 url="https://src.fedoraproject.org/rpms/ca-certificates"
 arch=(any)
-license=(GPL2)
+license=(GPL)
 makedepends=(asciidoc p11-kit)
-source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook)
+source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
+ README.{etc,etcssl,extr,java,src,usr})
 sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
- 'acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751'
- '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748')
+ '7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
+ '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
+ 'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
+ 'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
+ 'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
+ '5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
+ 'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
+ '3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
 build() {
- asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
- xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
+ a2x -v -f manpage update-ca-trust.8.txt
 }
 package_ca-certificates-utils() {
@@ -33,18 +39,25 @@ package_ca-certificates-utils() {
 install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
 # Trust source directories
- # Upstream also adds "blocklist" but that's useless without support in p11-kit
+ install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
+ install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
+ install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
 install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
 # Directories used by update-ca-trust (aka "trust extract-compat")
- install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
+ install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
+ install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
+ install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
 # Compatibility link for OpenSSL using /etc/ssl as CAdir
 # Used in preference to the individual links in /etc/ssl/certs
 ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
- # Compatiblity link for legacy bundle
+ # Compatibility link for legacy bundle (Debian)
 ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
+
+ # Compatibility link for legacy bundle (RHEL/Fedora)
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
 }
 package_ca-certificates() {
@@ -54,4 +67,4 @@ package_ca-certificates() {
 replaces=("${conflicts[@]}")
 }
-# vim:set et sw=2:
+# vim:set sw=2 sts=-1 et:
diff --git a/ca-certificates/README.etc b/ca-certificates/README.etc
new file mode 100644
index 0000000..6bef647
--- /dev/null
+++ b/ca-certificates/README.etc
@@ -0,0 +1,4 @@
+This directory /etc/ca-certificates/ is used by a system of consolidated
+CA certificates.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates/README.etcssl b/ca-certificates/README.etcssl
new file mode 100644
index 0000000..1af338d
--- /dev/null
+++ b/ca-certificates/README.etcssl
@@ -0,0 +1,21 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as RHEL and Fedora have long provided
+such a file, and it is possible some software has come to expect its
+existence. Similarly, a bundle named cert.pem is placed in /etc/ssl, as
+this was the historical bundle used by Arch Linux.
+
+The certificates files and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates/README.extr b/ca-certificates/README.extr
new file mode 100644
index 0000000..3f45b72
--- /dev/null
+++ b/ca-certificates/README.extr
@@ -0,0 +1,33 @@
+This directory /etc/ca-certificates/extracted/ contains CA certificate bundle
+files which are automatically created based on the information found in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
+directories.
+
+The files are as follows:
+
+ - ca-bundle.trust.crt:
+
+ This file is in the BEGIN/END TRUSTED CERTIFICATE file format,
+ as described in the x509(1) manual page.
+
+ - edk2-cacerts.bin:
+
+ This file is in the EDK2 (EFI Development Kit II) file format.
+
+ - email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
+
+ All files are in the BEGIN/END CERTIFICATE file format,
+ as described in the x509(1) manual page.
+
+ Distrust information cannot be represented in this file format,
+ and distrusted certificates are missing from these files.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates/README.java b/ca-certificates/README.java
new file mode 100644
index 0000000..c096824
--- /dev/null
+++ b/ca-certificates/README.java
@@ -0,0 +1,16 @@
+This directory /etc/ssl/certs/java/ contains CA certificate bundle
+files which are automatically created based on the information found in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
+directories.
+
+All files are in the java keystore file format.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates/README.src b/ca-certificates/README.src
new file mode 100644
index 0000000..7d92622
--- /dev/null
+++ b/ca-certificates/README.src
@@ -0,0 +1,20 @@
+This directory /etc/ca-certificates/trust-source/ contains CA certificates
+and trust settings in the PEM file format. The trust settings found here will be
+interpreted with a high priority - higher than the ones found in
+/usr/share/ca-certificates/trust-source/ .
+
+=============================================================================
+QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
+ list of CAs trusted on the system:
+
+ Copy it to the
+ /etc/ca-certificates/trust-source/anchors/
+ subdirectory, and run the
+ update-ca-trust
+ command.
+
+ If your certificate is in the extended BEGIN TRUSTED file format,
+ then place it into the main trust-source/ directory instead.
+=============================================================================
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates/README.usr b/ca-certificates/README.usr
new file mode 100644
index 0000000..4d1d9c3
--- /dev/null
+++ b/ca-certificates/README.usr
@@ -0,0 +1,20 @@
+This directory /usr/share/ca-certificates/trust-source/ contains CA certificates
+and trust settings in the PEM file format. The trust settings found here will be
+interpreted with a low priority - lower than the ones found in
+/etc/ca-certificates/trust-source/ .
+
+=============================================================================
+QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
+ list of CAs trusted on the system:
+
+ Copy it to the
+ /usr/share/ca-certificates/trust-source/anchors/
+ subdirectory, and run the
+ update-ca-trust
+ command.
+
+ If your certificate is in the extended BEGIN TRUSTED file format,
+ then place it into the main trust-source/ directory instead.
+=============================================================================
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates/ca-certificates-utils.install b/ca-certificates/ca-certificates-utils.install
index e781c00..c58edfb 100644
--- a/ca-certificates/ca-certificates-utils.install
+++ b/ca-certificates/ca-certificates-utils.install
@@ -20,4 +20,4 @@ MSG
 fi
 }
-# vim:set ts=2 sw=2 et:
+# vim:set sw=2 sts=-1 et:
diff --git a/ca-certificates/deps b/ca-certificates/deps
index 1cd92d9..74df02b 100644
--- a/ca-certificates/deps
+++ b/ca-certificates/deps
@@ -1 +1,3 @@
 asciidoc
+
+
diff --git a/ca-certificates/update-ca-trust.8.txt b/ca-certificates/update-ca-trust.8.txt
index ba9c830..1237d04 100644
--- a/ca-certificates/update-ca-trust.8.txt
+++ b/ca-certificates/update-ca-trust.8.txt
@@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
 * add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
 * run 'update-ca-trust extract'
-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
 * add it as a new file to directory /etc/ca-certificates/trust-source/
 * run 'update-ca-trust extract'
 .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
 * simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+* simple blocklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
 * extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 .In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
@@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. Each certificate will be treated as *trusted* for all purposes.
-In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+In the blocklist subdirectories /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
 you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. Each certificate will be treated as *distrusted* for all purposes.