upg ca-certificates libxml2
parent
9102dc9f00
commit
df70a285e3
7 changed files with 314 additions and 159 deletions
|
@ -7,11 +7,10 @@
|
|||
|
||||
pkgbase=ca-certificates
|
||||
pkgname=(ca-certificates-utils ca-certificates)
|
||||
pkgver=20220905
|
||||
pkgver=20240618
|
||||
pkgrel=01
|
||||
pkgdesc="Common CA certificates"
|
||||
url="https://src.fedoraproject.org/rpms/ca-certificates"
|
||||
arch=(any)
|
||||
makedepends=(asciidoc p11-kit)
|
||||
source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
|
||||
README.{etc,etcssl,extr,java,src,usr})
|
||||
|
@ -22,7 +21,7 @@ build() {
|
|||
|
||||
package_ca-certificates-utils() {
|
||||
pkgdesc+=" (utilities)"
|
||||
depends=(bash coreutils findutils 'p11-kit>=0.24.0')
|
||||
depends=(bash coreutils findutils 'p11-kit')
|
||||
provides=(ca-certificates ca-certificates-java)
|
||||
conflicts=(ca-certificates-java)
|
||||
replaces=(ca-certificates-java)
|
||||
|
@ -32,27 +31,32 @@ package_ca-certificates-utils() {
|
|||
install -Dt "$pkgdir/usr/share/man/man8" -m644 update-ca-trust.8
|
||||
install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
|
||||
|
||||
# Trust source directories
|
||||
install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
|
||||
install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
|
||||
install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
|
||||
install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
|
||||
local etcdir="$pkgdir/etc/$pkgbase"
|
||||
local ssldir="$pkgdir/etc/ssl"
|
||||
local usrdir="$pkgdir/usr/share/$pkgbase"
|
||||
|
||||
# Trust source directories
|
||||
install -Dm644 README.etc "$etcdir/README"
|
||||
install -Dm644 README.src "$etcdir/trust-source/README"
|
||||
install -Dm644 README.usr "$usrdir/trust-source/README"
|
||||
install -d {"$etcdir","$usrdir"}/trust-source/{anchors,blocklist}
|
||||
|
||||
# Directories used by update-ca-trust (aka "trust extract-compat")
|
||||
install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
|
||||
install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
|
||||
install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
|
||||
install -Dm644 README.etcssl "$ssldir/README"
|
||||
install -Dm644 README.java "$ssldir/certs/java/README"
|
||||
install -Dm644 README.extr "$etcdir/extracted/README"
|
||||
|
||||
# Compatibility link for OpenSSL using /etc/ssl as CAdir
|
||||
# Used in preference to the individual links in /etc/ssl/certs
|
||||
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
|
||||
ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/cert.pem"
|
||||
|
||||
# Compatibility link for legacy bundle (Debian)
|
||||
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
|
||||
ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-certificates.crt"
|
||||
|
||||
# Compatibility link for legacy bundle (RHEL/Fedora)
|
||||
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
|
||||
ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-bundle.crt"
|
||||
|
||||
# FIXME: Make "$ssldir/certs/java/cacerts" a packaged symlink, too
|
||||
}
|
||||
|
||||
package_ca-certificates() {
|
||||
|
@ -62,17 +66,35 @@ package_ca-certificates() {
|
|||
replaces=("${conflicts[@]}")
|
||||
}
|
||||
|
||||
#---- license gpg-key sha256sums ----
|
||||
#---- arch license gpg-key & sha256sums ----
|
||||
|
||||
license=(GPL)
|
||||
arch=(x86_64)
|
||||
|
||||
sha256sums=(ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3 # update-ca-trust
|
||||
7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763 # update-ca-trust.8.txt
|
||||
3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748 # 40-update-ca-trust.hook
|
||||
e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a # README.etc
|
||||
c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10 # README.etcssl
|
||||
badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78 # README.extr
|
||||
5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d # README.java
|
||||
eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f # README.src
|
||||
license=(GPL-2.0-or-later)
|
||||
|
||||
b2sums=( 31a8539ffb9fc2cdc840a079f8e5a8d5c0b45b36db33a835a2c5784d4151e33f6b5c36c44ff809932cc8ba130015a768f94e73a26f694a48a91cd82b540a7bbd # update-ca-trust.1
|
||||
08a77b118db14f520a9a3fa8ee257eaa03fded9d7267e29836f1d5eeb65b2c875ec081eddc3e71473dd4ea50a0a43346c5a60a89362b02bab601d0e78331c7f8 # update-ca-trust.8.txt.1
|
||||
82e3d728267d931dd8613f5e4944995fb1909dffdd61bce17c5c8aa0e8d14201d249cb25899ac631e6a44a6d2acc02e62bd17692fd7fd27e3c8fb9a7648c6004 # 40-update-ca-trust.hook
|
||||
0de3d4ce83f00f95ea7b94f497403b4dc7ff5d0de33bdc76abe3bdd02280d6dc494c7ca4334cfdc5b91ab3fb0022c69f6809eca67d12e77048aa7f70252d479c # README.etc
|
||||
a43766c7e451b3053abee99f8c9c526d984e20c1e60f1ef6e685805bbca46afa2725c7768a16ac5464778132fb13b43e59b2145ea89e4d2058f68cd2bf0abb1a # README.etcssl
|
||||
ead530282525ea699fcb814fe9fcfe7f47d44febef40703dd65372fd6e583c347f07135efe5244b1d9c400b235dc43a3f7b27abb4c87ef5faa61da6c6d744ebf # README.extr
|
||||
9fdd34c3f99a01a0d12bb48595114def7685841f81871f5dbf56c433e19bb3acb733e108e6463b48425cd4b74a41ee961c927b24c2dce65f26a37baae5ed9eb9 # README.java
|
||||
1fbefe367f9e59e7bc5886d07b7da8bd918c8b77ab0d2026813dad965294d2bb3fd4698d6b22e728d890044b98c0015e7328c050c5d96d0e7d2a3a1ae3f16362 # README.src
|
||||
57e5f6485cde17139e3d1649bd05e1f1b7e260ec58137d41e91ac938bc728bed8ee72eacd0d03f1ccb8cd9e2a23df0df1b2f5fd46694530e1cb49325b05d68fd) # README.usr
|
||||
|
||||
sha256sums=(10ffd94e93fa02dca0a3da55757a9f2fc0bacda9bc745087b013a4d09764b892 # update-ca-trust
|
||||
b5088b6a4d5bcf59e7518bb903fdedb0366d3c0033560ca2205df74716adc396 # update-ca-trust.8.txt
|
||||
3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748 # 40-update-ca-trust.hook
|
||||
e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a # README.etc
|
||||
c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10 # README.etcssl
|
||||
26b07fa4b58c6f9d6a94b549233cfad48a3dd78b9ce97156d85fd7ef3db12df4 # README.extr
|
||||
5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d # README.java
|
||||
eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f # README.src
|
||||
3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc) # README.usr
|
||||
|
||||
## df5f30d979073d06006b18950603b6e3ea220312b0d4ecaac84e26704b72655b ca-certificates-20240618-01-x86_64.pkg.tar.lz
|
||||
## fd5aa936b8e6b4e08ca69127e838b69ec06e693bf2aad258a25b0097cd9cb1d8 ca-certificates-utils-20240618-01-x86_64.pkg.tar.lz
|
||||
|
||||
|
||||
## 581c4f5c03f144298e2f9fe72d99a9e6d98cdbeea076f20d687559de701fd5c0 # ca-certificates-utils.install
|
||||
581c4f5c03f144298e2f9fe72d99a9e6d98cdbeea076f20d687559de701fd5c0 # ca-certificates-utils.install.1
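Review bot: The last checksum line of this PKGBUILD, the one labelled `# ca-certificates-utils.install.1`, has no leading `#`, unlike the `## 581c… # ca-certificates-utils.install` line just above it. If that line is on the new side (the rendering does not mark it), bash will try to run the digest as a command when the file is sourced. Commenting it out like its neighbours, `## 581c4f5c03f144298e2f9fe72d99a9e6d98cdbeea076f20d687559de701fd5c0 # ca-certificates-utils.install.1`, keeps the recorded value without making it executable text. These trailing `##` digests are also not checked by anything visible here; only the `b2sums` and `sha256sums` arrays line up with `source=`.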
|
||||
|
|
|
@ -2,25 +2,35 @@
|
|||
# Contributor: Pierre Schmitz <pierre@archlinux.de>
|
||||
|
||||
pkgbase=ca-certificates
|
||||
pkgname=(ca-certificates-utils ca-certificates)
|
||||
pkgver=20220905
|
||||
pkgname=(
|
||||
ca-certificates-utils
|
||||
ca-certificates
|
||||
)
|
||||
pkgver=20240618
|
||||
pkgrel=1
|
||||
pkgdesc="Common CA certificates"
|
||||
url="https://src.fedoraproject.org/rpms/ca-certificates"
|
||||
arch=(any)
|
||||
license=(GPL)
|
||||
makedepends=(asciidoc p11-kit)
|
||||
source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
|
||||
README.{etc,etcssl,extr,java,src,usr})
|
||||
sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
|
||||
'7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
|
||||
'3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
|
||||
'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
|
||||
'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
|
||||
'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
|
||||
'5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
|
||||
'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
|
||||
'3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
|
||||
license=(GPL-2.0-or-later)
|
||||
makedepends=(
|
||||
asciidoc
|
||||
p11-kit
|
||||
)
|
||||
source=(
|
||||
40-update-ca-trust.hook
|
||||
README.{etc,etcssl,extr,java,src,usr}
|
||||
update-ca-trust
|
||||
update-ca-trust.8.txt
|
||||
)
|
||||
b2sums=('82e3d728267d931dd8613f5e4944995fb1909dffdd61bce17c5c8aa0e8d14201d249cb25899ac631e6a44a6d2acc02e62bd17692fd7fd27e3c8fb9a7648c6004'
|
||||
'0de3d4ce83f00f95ea7b94f497403b4dc7ff5d0de33bdc76abe3bdd02280d6dc494c7ca4334cfdc5b91ab3fb0022c69f6809eca67d12e77048aa7f70252d479c'
|
||||
'a43766c7e451b3053abee99f8c9c526d984e20c1e60f1ef6e685805bbca46afa2725c7768a16ac5464778132fb13b43e59b2145ea89e4d2058f68cd2bf0abb1a'
|
||||
'ead530282525ea699fcb814fe9fcfe7f47d44febef40703dd65372fd6e583c347f07135efe5244b1d9c400b235dc43a3f7b27abb4c87ef5faa61da6c6d744ebf'
|
||||
'9fdd34c3f99a01a0d12bb48595114def7685841f81871f5dbf56c433e19bb3acb733e108e6463b48425cd4b74a41ee961c927b24c2dce65f26a37baae5ed9eb9'
|
||||
'1fbefe367f9e59e7bc5886d07b7da8bd918c8b77ab0d2026813dad965294d2bb3fd4698d6b22e728d890044b98c0015e7328c050c5d96d0e7d2a3a1ae3f16362'
|
||||
'57e5f6485cde17139e3d1649bd05e1f1b7e260ec58137d41e91ac938bc728bed8ee72eacd0d03f1ccb8cd9e2a23df0df1b2f5fd46694530e1cb49325b05d68fd'
|
||||
'31a8539ffb9fc2cdc840a079f8e5a8d5c0b45b36db33a835a2c5784d4151e33f6b5c36c44ff809932cc8ba130015a768f94e73a26f694a48a91cd82b540a7bbd'
|
||||
'08a77b118db14f520a9a3fa8ee257eaa03fded9d7267e29836f1d5eeb65b2c875ec081eddc3e71473dd4ea50a0a43346c5a60a89362b02bab601d0e78331c7f8')
|
||||
|
||||
build() {
|
||||
a2x -v -f manpage update-ca-trust.8.txt
|
||||
|
@ -28,8 +38,16 @@ build() {
|
|||
|
||||
package_ca-certificates-utils() {
|
||||
pkgdesc+=" (utilities)"
|
||||
depends=(bash coreutils findutils 'p11-kit>=0.24.0')
|
||||
provides=(ca-certificates ca-certificates-java)
|
||||
depends=(
|
||||
bash
|
||||
coreutils
|
||||
findutils
|
||||
p11-kit
|
||||
)
|
||||
provides=(
|
||||
ca-certificates
|
||||
ca-certificates-java
|
||||
)
|
||||
conflicts=(ca-certificates-java)
|
||||
replaces=(ca-certificates-java)
|
||||
install=ca-certificates-utils.install
|
||||
|
@ -38,32 +56,42 @@ package_ca-certificates-utils() {
|
|||
install -Dt "$pkgdir/usr/share/man/man8" -m644 update-ca-trust.8
|
||||
install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
|
||||
|
||||
local etcdir="$pkgdir/etc/$pkgbase"
|
||||
local ssldir="$pkgdir/etc/ssl"
|
||||
local usrdir="$pkgdir/usr/share/$pkgbase"
|
||||
|
||||
# Trust source directories
|
||||
install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
|
||||
install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
|
||||
install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
|
||||
install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
|
||||
install -Dm644 README.etc "$etcdir/README"
|
||||
install -Dm644 README.src "$etcdir/trust-source/README"
|
||||
install -Dm644 README.usr "$usrdir/trust-source/README"
|
||||
install -d {"$etcdir","$usrdir"}/trust-source/{anchors,blocklist}
|
||||
|
||||
# Directories used by update-ca-trust (aka "trust extract-compat")
|
||||
install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
|
||||
install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
|
||||
install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
|
||||
install -Dm644 README.etcssl "$ssldir/README"
|
||||
install -Dm644 README.java "$ssldir/certs/java/README"
|
||||
install -Dm644 README.extr "$etcdir/extracted/README"
|
||||
|
||||
# Compatibility link for OpenSSL using /etc/ssl as CAdir
|
||||
# Used in preference to the individual links in /etc/ssl/certs
|
||||
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
|
||||
ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/cert.pem"
|
||||
|
||||
# Compatibility link for legacy bundle (Debian)
|
||||
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
|
||||
ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-certificates.crt"
|
||||
|
||||
# Compatibility link for legacy bundle (RHEL/Fedora)
|
||||
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
|
||||
ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-bundle.crt"
|
||||
|
||||
# FIXME: Make "$ssldir/certs/java/cacerts" a packaged symlink, too
|
||||
}
|
||||
|
||||
package_ca-certificates() {
|
||||
pkgdesc+=" (default providers)"
|
||||
depends=(ca-certificates-mozilla)
|
||||
conflicts=('ca-certificates-cacert<=20140824-4')
|
||||
pkgdesc+=" - default providers"
|
||||
depends=(
|
||||
ca-certificates-mozilla
|
||||
)
|
||||
conflicts=(
|
||||
'ca-certificates-cacert<=20140824-4'
|
||||
)
|
||||
replaces=("${conflicts[@]}")
|
||||
}
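Review bot: `depends` in `package_ca-certificates-utils()` now lists plain `p11-kit` where it used to require `'p11-kit>=0.24.0'`, while the same function still installs `trust-source/{anchors,blocklist}`. If the floor existed because older p11-kit releases do not read the `blocklist` directory (an inference, the commit does not say), a system holding an older p11-kit would silently ignore distrust entries placed there. Either keep `'p11-kit>=0.24.0'` in the array or record the reason for dropping it in a comment, for example `# version floor dropped: all supported p11-kit releases read trust-source/blocklist`. The first PKGBUILD in this commit drops the same constraint.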
|
||||
|
||||
|
|
|
@ -7,20 +7,42 @@ The files are as follows:
|
|||
|
||||
- ca-bundle.trust.crt:
|
||||
|
||||
This file is in the BEGIN/END TRUSTED CERTIFICATE file format,
|
||||
as described in the x509(1) manual page.
|
||||
Contains CA certificates in the BEGIN/END TRUSTED CERTIFICATE file format.
|
||||
|
||||
This is the only file in a format carrying distrust information.
|
||||
Distrusted certificates are missing from the other files.
|
||||
|
||||
- email-ca-bundle.pem:
|
||||
|
||||
Contains CA certificates trusted for E-Mail protection in the
|
||||
BEGIN/END CERTIFICATE file format.
|
||||
|
||||
- objsign-ca-bundle.pem:
|
||||
|
||||
Contains CA certificates trusted for code signing in the
|
||||
BEGIN/END CERTIFICATE file format.
|
||||
|
||||
- tls-ca-bundle.pem:
|
||||
|
||||
Contains CA certificates trusted for TLS server authentication in the
|
||||
BEGIN/END CERTIFICATE file format.
|
||||
|
||||
- cadir/:
|
||||
|
||||
Directory containing individual certificates trusted for TLS server
|
||||
authentication in the BEGIN/END CERTIFICATE file format.
|
||||
|
||||
Also includes the necessary hash symlinks expected by OpenSSL.
|
||||
|
||||
- edk2-cacerts.bin:
|
||||
|
||||
This file is in the EDK2 (EFI Development Kit II) file format.
|
||||
Contains CA certificates trusted for TLS server authentication in the
|
||||
EDK2 (EFI Development Kit II) file format.
|
||||
|
||||
- email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
|
||||
- java-cacerts.jks:
|
||||
|
||||
All files are in the BEGIN/END CERTIFICATE file format,
|
||||
as described in the x509(1) manual page.
|
||||
|
||||
Distrust information cannot be represented in this file format,
|
||||
and distrusted certificates are missing from these files.
|
||||
Contains CA certificates trusted for TLS server authentication in the
|
||||
Java KeyStore file format.
|
||||
|
||||
If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
|
||||
then you can use these files in your application to load a list of global
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
#!/bin/bash
|
||||
|
||||
# At this time, while this script is trivial, we ignore any parameters given.
|
||||
# However, for backwards compatibility reasons, future versions of this script must
|
||||
set -eu
|
||||
|
||||
# For backwards compatibility reasons, future versions of this script must
|
||||
# support the syntax "update-ca-trust extract" trigger the generation of output
|
||||
# files in $DEST.
|
||||
|
||||
|
@ -10,33 +11,114 @@ DEST=/etc/ca-certificates/extracted
|
|||
# Prevent p11-kit from reading user configuration files.
|
||||
export P11_KIT_NO_USER_CONFIG=1
|
||||
|
||||
extract() {
|
||||
trust extract --overwrite "$@"
|
||||
usage() {
|
||||
fold -s -w 79 >&2 <<EOF
|
||||
Usage: $0 [extract] [-o DIR|--output=DIR]
|
||||
|
||||
Update the system trust store in $DEST.
|
||||
|
||||
COMMANDS
|
||||
(absent/empty command): Same as the extract command described below.
|
||||
|
||||
extract: Instruct update-ca-trust to scan the source configuration in
|
||||
/usr/share/ca-certificates/trust-source and /etc/ca-certificates/trust-source
|
||||
and produce updated versions of the consolidated configuration files stored
|
||||
below the $DEST directory hierarchy.
|
||||
|
||||
EXTRACT OPTIONS
|
||||
-o DIR, --output=DIR: Write the extracted trust store into the given
|
||||
directory instead of updating
|
||||
$DEST.
|
||||
EOF
|
||||
}
|
||||
|
||||
## Simple PEM bundles
|
||||
extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth $DEST/tls-ca-bundle.pem
|
||||
extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email $DEST/email-ca-bundle.pem
|
||||
extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem
|
||||
extract() {
|
||||
local dest="$DEST" f=
|
||||
|
||||
## OpenSSL PEM bundle that includes trust flags
|
||||
extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
|
||||
# can't use getopt here. ca-certificates can't depend on a lot
|
||||
# of other libraries since openssl depends on ca-certificates
|
||||
# just fail when we hand parse
|
||||
|
||||
## TianoCore EDK II bundle
|
||||
extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin
|
||||
while (( $# != 0 )); do
|
||||
case "$1" in
|
||||
"-o"|"--output")
|
||||
dest="$2"
|
||||
shift 2
|
||||
continue
|
||||
;;
|
||||
"--")
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
## Java bundle
|
||||
extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts
|
||||
mkdir -p "$dest"
|
||||
|
||||
## OpenSSL-style directory with individual PEM files and hash links
|
||||
# The directory-format extractors remove all files in the target directory, but not directories or files therein
|
||||
extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir
|
||||
# Simple PEM bundles (BEGIN CERTIFICATE)
|
||||
trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
|
||||
--purpose=server-auth "$dest/tls-ca-bundle.pem"
|
||||
trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
|
||||
--purpose=email "$dest/email-ca-bundle.pem"
|
||||
trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
|
||||
--purpose=code-signing "$dest/objsign-ca-bundle.pem"
|
||||
|
||||
# We don't want to have to remove everything from the certs directory but neither
|
||||
# do we want to leave stale certs around, so only place symlinks in the real cadir
|
||||
for f in $DEST/cadir/*; do
|
||||
ln -fsr -t /etc/ssl/certs "$f"
|
||||
done
|
||||
# OpenSSL PEM bundle that includes trust flags (BEGIN TRUSTED CERTIFICATE)
|
||||
trust extract --overwrite --comment --format=openssl-bundle \
|
||||
--filter=certificates "$dest/ca-bundle.trust.crt"
|
||||
|
||||
# Now find and remove all broken symlinks
|
||||
find -L /etc/ssl/certs -maxdepth 1 -type l -delete
|
||||
# TianoCore EDK II bundle
|
||||
trust extract --overwrite --format=edk2-cacerts --filter=ca-anchors \
|
||||
--purpose=server-auth "$dest/edk2-cacerts.bin"
|
||||
|
||||
# Java KeyStore bundle
|
||||
trust extract --overwrite --format=java-cacerts --filter=ca-anchors \
|
||||
--purpose=server-auth "$dest/java-cacerts.jks"
|
||||
|
||||
# Hashed directory of simple PEM certs
|
||||
# (BEGIN CERTIFICATE, usable as OpenSSL CApath and by GnuTLS)
|
||||
trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors \
|
||||
--purpose=server-auth "$dest/cadir"
|
||||
|
||||
if [[ $dest == $DEST ]]; then
|
||||
# We can't extract directly to /etc/ssl/certs as this would indiscriminately
|
||||
# empty the directory, but it contains packaged symlinks and directories.
|
||||
|
||||
# Symlink all files from the extracted cadir
|
||||
for f in "$dest"/cadir/*; do
|
||||
ln -fsr -t /etc/ssl/certs "$f"
|
||||
done
|
||||
|
||||
# Now find and remove all broken symlinks
|
||||
find -L /etc/ssl/certs -maxdepth 1 -type l -delete
|
||||
|
||||
ln -fsr "$dest/java-cacerts.jks" /etc/ssl/certs/java/cacerts
|
||||
fi
|
||||
}
|
||||
|
||||
if (( $# < 1 )); then
|
||||
set -- extract
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
"extract")
|
||||
shift
|
||||
extract $@
|
||||
;;
|
||||
"--"*|"-"*)
|
||||
# First parameter seems to be an option, assume the command is 'extract'
|
||||
extract $@
|
||||
;;
|
||||
*)
|
||||
echo >&2 "Error: Unknown command: $1"
|
||||
echo >&2
|
||||
usage
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# vim:set sw=2 sts=-1 et:
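Review bot: `usage()` and the man page synopsis advertise `--output=DIR`, but the `case` in `extract()` matches only the separate words `-o` and `--output`, so `--output=/some/dir` falls into `*)` and exits with the usage text. An extra arm such as `--output=*) dest="${1#--output=}"; shift; continue ;;` would make the documented form work. The dispatcher at the bottom calls `extract $@` unquoted in both arms, which word-splits and globs the directory argument before it reaches `dest`; `extract "$@"` avoids that. A bare `-o` with no value currently aborts through `set -u` on `$2` instead of printing the usage text, so a `(( $# >= 2 ))` check in that arm would give a clearer failure.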
|
||||
|
|
|
@ -27,7 +27,7 @@ certificates and associated trust
|
|||
|
||||
SYNOPSIS
|
||||
--------
|
||||
*update-ca-trust* ['COMMAND']
|
||||
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
|
@ -36,7 +36,7 @@ update-ca-trust(8) is used to manage a consolidated and dynamic configuration
|
|||
feature of Certificate Authority (CA) certificates and associated trust.
|
||||
|
||||
The feature is available for new applications that read the
|
||||
consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
|
||||
consolidated configuration files found in the /etc/ca-certificates/extracted directory
|
||||
or that load the PKCS#11 module p11-kit-trust.so
|
||||
|
||||
Parts of the new feature are also provided in a way to make it useful
|
||||
|
@ -52,7 +52,7 @@ for classic configuration files and for the classic NSS trust module named libns
|
|||
|
||||
In order to enable legacy applications, that read the classic files or
|
||||
access the classic module, to make use of the new consolidated and dynamic configuration
|
||||
feature, some classic filenames have been changed to symbolic links.
|
||||
feature, the classic filenames have been changed to symbolic links.
|
||||
The symbolic links refer to dynamically created and consolidated
|
||||
output stored below the /etc/ca-certificates/extracted directory hierarchy.
|
||||
|
||||
|
@ -143,12 +143,12 @@ Please refer to the x509(1) manual page for the documentation of the
|
|||
BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
|
||||
|
||||
Applications that rely on a static file for a list of trusted CAs
|
||||
may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
|
||||
directories. After modifying any file in the
|
||||
may load one of the files found in the /etc/ca-certificates/extracted
|
||||
directory. After modifying any file in the
|
||||
/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
|
||||
directories or in any of their subdirectories, or after adding a file,
|
||||
it is necessary to run the 'update-ca-trust extract' command,
|
||||
in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
|
||||
in order to update the consolidated files in /etc/ca-certificates/extracted/ .
|
||||
|
||||
Applications that load the classic PKCS#11 module using filename libnssckbi.so
|
||||
(which has been converted into a symbolic link pointing to the new module)
|
||||
|
@ -161,7 +161,7 @@ the dynamically merged set of certificates and trust information stored in the
|
|||
[[extractconf]]
|
||||
EXTRACTED CONFIGURATION
|
||||
-----------------------
|
||||
The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate
|
||||
The directory /etc/ca-certificates/extracted/ contains generated CA certificate
|
||||
bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>>
|
||||
by running the 'update-ca-trust extract' command.
|
||||
|
||||
|
@ -169,7 +169,7 @@ If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
|
|||
then you can use these files in your application to load a list of global
|
||||
root CA certificates.
|
||||
|
||||
Please never manually edit the files stored in these directories,
|
||||
Please never manually edit the files stored in this directory,
|
||||
because your changes will be lost and the files automatically overwritten,
|
||||
each time the 'update-ca-trust extract' command gets executed.
|
||||
|
||||
|
@ -178,22 +178,19 @@ please rather install them in the respective subdirectory below the
|
|||
/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
|
||||
directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
|
||||
|
||||
The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
|
||||
Distrust information cannot be represented in this format,
|
||||
and distrusted certificates are missing from these files.
|
||||
|
||||
The directory /etc/ssl/certs/java contains
|
||||
The directory /etc/ca-certificates/extracted/ contains
|
||||
a CA certificate bundle in the java keystore file format.
|
||||
Distrust information cannot be represented in this file format,
|
||||
and distrusted certificates are missing from these files.
|
||||
File cacerts contains CA certificates trusted for TLS server authentication.
|
||||
File java-cacerts.jks contains CA certificates trusted for TLS server authentication.
|
||||
|
||||
The directory /etc/ca-certificates/extracted contains
|
||||
a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format,
|
||||
It also contains
|
||||
CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format,
|
||||
as described in the x509(1) manual page.
|
||||
File ca-bundle.trust.crt contains the full set of all trusted
|
||||
or distrusted certificates, including the associated trust flags.
|
||||
It also contains
|
||||
|
||||
It also contains
|
||||
CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
|
||||
as described in the x509(1) manual page.
|
||||
Distrust information cannot be represented in this file format,
|
||||
|
@ -204,6 +201,7 @@ File email-ca-bundle.pem contains CA certificates
|
|||
trusted for E-Mail protection.
|
||||
File objsign-ca-bundle.pem contains CA certificates
|
||||
trusted for code signing.
|
||||
|
||||
It also contains a CA
|
||||
certificate bundle ("edk2-cacerts.bin") in the "sequence of
|
||||
EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
|
||||
|
@ -216,34 +214,46 @@ server authentication.
|
|||
|
||||
COMMANDS
|
||||
--------
|
||||
(absent/empty command)::
|
||||
Same as the *extract* command described below. (However, the command may
|
||||
print fewer warnings, as this command is being run during package
|
||||
installation, where non-fatal status output is undesired.)
|
||||
(absent/empty command)
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
Same as the *extract* command described below. (However, the command may print
|
||||
fewer warnings, as this command is being run during rpm package installation,
|
||||
where non-fatal status output is undesired.)
|
||||
|
||||
*extract*::
|
||||
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
|
||||
updated versions of the consolidated configuration files stored below
|
||||
the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies.
|
||||
extract
|
||||
~~~~~~~
|
||||
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
|
||||
produce updated versions of the consolidated configuration files stored below
|
||||
the /etc/ca-certificates/extracted directory hierarchy.
|
||||
|
||||
EXTRACT OPTIONS
|
||||
^^^^^^^^^^^^^^^
|
||||
*-o DIR*, *--output=DIR*::
|
||||
Write the extracted trust store into the given directory instead of
|
||||
updating /etc/ca-certificates/extracted.
|
||||
|
||||
FILES
|
||||
-----
|
||||
/etc/ssl/certs::
|
||||
Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
Also includes the necessary hash symlinks expected by OpenSSL.
|
||||
These files are symbolic links that are maintained by the update-ca-trust command.
|
||||
|
||||
/etc/ssl/certs/ca-certificates.crt::
|
||||
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ssl/cert.pem::
|
||||
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ssl/java/cacerts::
|
||||
/etc/ssl/certs/::
|
||||
Classic directory, contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
Also includes the necessary hash symlinks expected by OpenSSL.
|
||||
The files are symbolic links that refer to the output created by the update-ca-trust command.
|
||||
|
||||
/etc/ssl/certs/ca-bundle.crt::
|
||||
Classic filename for compatibility with RHEL/Fedora, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ssl/certs/ca-certificates.crt::
|
||||
Classic filename for compatibility with Debian, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ssl/certs/java/cacerts::
|
||||
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
|
||||
This file is consolidated output created by the update-ca-trust command.
|
||||
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
||||
|
||||
/usr/share/ca-certificates/trust-source::
|
||||
Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
|
||||
|
@ -256,8 +266,8 @@ FILES
|
|||
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
|
||||
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
|
||||
|
||||
/etc/ca-certificates/extracted/tls-ca-bundle.pem::
|
||||
File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
/etc/ca-certificates/extracted/ca-bundle.trust.crt::
|
||||
File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
|
||||
This file is consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ca-certificates/extracted/email-ca-bundle.pem::
|
||||
|
@ -268,11 +278,11 @@ FILES
|
|||
File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
This file is consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ca-certificates/extracted/ca-bundle.trust.crt::
|
||||
File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
|
||||
/etc/ca-certificates/extracted/tls-ca-bundle.pem::
|
||||
File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
This file is consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ca-certificates/extracted/cadir::
|
||||
/etc/ca-certificates/extracted/cadir/::
|
||||
Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
||||
Also includes the necessary hash symlinks expected by OpenSSL.
|
||||
These files are maintained by the update-ca-trust command.
|
||||
|
@ -281,6 +291,10 @@ FILES
|
|||
File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
|
||||
This file is consolidated output created by the update-ca-trust command.
|
||||
|
||||
/etc/ca-certificates/extracted/java-cacerts.jks::
|
||||
File contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
|
||||
This file is consolidated output created by the update-ca-trust command.
|
||||
|
||||
AUTHOR
|
||||
------
|
||||
Written by Kai Engert and Stef Walter.
|
||||
Written by Kai Engert and Stef Walter for Fedora. Modified for Arch Linux by Jan Alexander Steffens (heftig).
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
#pkgname=(libxml2 libxml2-docs)
|
||||
pkgname=libxml2
|
||||
pkgver=2.13.0
|
||||
pkgrel=04
|
||||
pkgrel=05
|
||||
# mixup between jobcore and staging 4/22 rebuild on jobcore used staging PKGBUILD-arch
|
||||
# so staging pkgrel is bumped up one to distinguish from jobcore's build
|
||||
pkgdesc="XML C parser and toolkit w/o ipv6"
|
||||
|
@ -36,21 +36,14 @@ prepare() {
|
|||
# Use xmlconf from conformance test suite
|
||||
ln -s ../xmlconf
|
||||
|
||||
# Cherry-pick fixes from 2.13 branch
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/731
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/732
|
||||
git cherry-pick -n 8322eef39d775b1c16a5895a77da53d82653a04e
|
||||
|
||||
# Fix gambas
|
||||
git cherry-pick -n 599ceaffad97faff9e77a3237d319f18cdc2984a
|
||||
|
||||
# # https://gitlab.gnome.org/GNOME/libxml2/-/issues/731
|
||||
# git cherry-pick -n 9ecabe1c2461dc4aa28a75bb9c889f82e37a5786
|
||||
|
||||
# # https://gitlab.gnome.org/GNOME/libxml2/-/issues/733
|
||||
# # https://github.com/systemd/systemd/issues/33302
|
||||
# git cherry-pick -n aa90cb0c578bd189089cd1fe195faf85040ac98b \
|
||||
# c04d9b1b87eaf5c12f70173762f8c81c34e59aeb \
|
||||
# 1ff484339e98b9adc992478f2786c3db174c8a32 \
|
||||
# 3c7c831c7c10ee3b68a039da138abf38ec4ab994
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/733
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/734
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/737
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/738
|
||||
# git cherry-pick -n v2.13.0..def06f376e1fefcc666a4daef687f87ad25f6793
|
||||
|
||||
# Do not run fuzzing tests
|
||||
git apply -3 ../0001-HACK-Don-t-run-fuzzing-tests.patch
|
||||
|
@ -116,4 +109,5 @@ sha256sums=(SKIP
|
|||
9b61db9f5dbffa545f4b8d78422167083a8568c59bd1129f94138f936cf6fc1f # xmlts20130923.tar.gz
|
||||
24b0239f4528dbb83ce2aa4e8fd89cb7dd228cff360a04e76b8c689f0953c58f) # 0001-HACK-Don-t-run-fuzzing-tests.patch
|
||||
|
||||
## 1ceff0303204213934a433cf4db8823dba2652fab315b89fc8c2b1dd6c2d0689 libxml2-2.13.0-04-x86_64.pkg.tar.lz
|
||||
## 166ea0f34d877d7baf4bcc4c7fbaaa9761c7e8f816c122056c5cf2b1bcdf2a51 libxml2-2.13.0-05-x86_64.pkg.tar.lz
|
||||
|
||||
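Review bot: In prepare(), the only uncommented cherry-picks are `8322eef…` (issues 731 and 732) and `599ceaf…` ("Fix gambas"); the picks for issues 733, 734, 737 and 738, including the `v2.13.0..def06f…` range, appear only behind `#`, while the other PKGBUILD section on this page shows them uncommented. The rendered page has lost its +/- markers, so which side each line belongs to is inferred, but on either reading this build of libxml2 does not carry those 2.13-branch fixes. For a parser that routinely handles untrusted documents, that choice should be recorded next to the picks, for example `# issues 733/734/737/738 intentionally not picked: <reason>`. The "Fix gambas" pick also has no upstream link, unlike its neighbours; adding one would let the commit be checked against upstream.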
|
|
|
@ -10,7 +10,7 @@ pkgname=(
|
|||
libxml2-docs
|
||||
)
|
||||
pkgver=2.13.0
|
||||
pkgrel=4
|
||||
pkgrel=5
|
||||
pkgdesc="XML C parser and toolkit"
|
||||
url="https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home"
|
||||
arch=(x86_64)
|
||||
|
@ -43,21 +43,14 @@ prepare() {
|
|||
# Use xmlconf from conformance test suite
|
||||
ln -s ../xmlconf
|
||||
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/732
|
||||
git cherry-pick -n 8322eef39d775b1c16a5895a77da53d82653a04e
|
||||
|
||||
# Cherry-pick fixes from 2.13 branch
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/731
|
||||
git cherry-pick -n 9ecabe1c2461dc4aa28a75bb9c889f82e37a5786
|
||||
|
||||
# Fix gambas
|
||||
git cherry-pick -n 599ceaffad97faff9e77a3237d319f18cdc2984a
|
||||
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/732
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/733
|
||||
# https://github.com/systemd/systemd/issues/33302
|
||||
git cherry-pick -n aa90cb0c578bd189089cd1fe195faf85040ac98b \
|
||||
c04d9b1b87eaf5c12f70173762f8c81c34e59aeb \
|
||||
1ff484339e98b9adc992478f2786c3db174c8a32 \
|
||||
3c7c831c7c10ee3b68a039da138abf38ec4ab994
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/734
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/737
|
||||
# https://gitlab.gnome.org/GNOME/libxml2/-/issues/738
|
||||
git cherry-pick -n v2.13.0..def06f376e1fefcc666a4daef687f87ad25f6793
|
||||
|
||||
# Do not run fuzzing tests
|
||||
git apply -3 ../0001-HACK-Don-t-run-fuzzing-tests.patch
|
||||
|
|