freebsd-ports/security/ca_root_nss/Makefile

PORTNAME=	ca_root_nss
PORTVERSION=	${VERSION_NSS}
PORTREVISION=	0
CATEGORIES=	security
MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}

MAINTAINER=	ports-secteam@FreeBSD.org
COMMENT=	Root certificate bundle from the Mozilla Project

LICENSE=	MPL20
LICENSE_FILE=	${WRKSRC}/COPYING

USES=		perl5 ssl:build
USE_PERL5=	build

NO_ARCH=	yes
WRKSRC_SUBDIR=	nss

OPTIONS_DEFINE=		ETCSYMLINK
OPTIONS_DEFAULT=	ETCSYMLINK

OPTIONS_SUB=		yes

ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*

CERTDIR?=	share/certs
PLIST_SUB+=	CERTDIR=${CERTDIR}

VERSION_NSS=	3.75
CERTDATA_TXT_PATH=	lib/ckfw/builtins/certdata.txt
BUNDLE_PROCESSOR=	MAca-bundle.pl

SUB_FILES=	MAca-bundle.pl pkg-message
SUB_LIST=	VERSION_NSS=${VERSION_NSS}

do-build:
	@${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \
		${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \
	    < ${WRKSRC}/${CERTDATA_TXT_PATH} > \
	    ${WRKDIR}/ca-root-nss.crt

do-install:
	${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR}
	${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR}
	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
	${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample

do-install-ETCSYMLINK-on:
	${MKDIR} ${STAGEDIR}/etc/ssl
	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

.include <bsd.port.mk>
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00			`PORTNAME= ca_root_nss`
			`PORTVERSION= ${VERSION_NSS}`
security/ca_root_nss: Update to 3.71 PR: 258995 Reported by: Yasuhiro Kimura <yasu@freebsd.org> Approved: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2021-10-08 16:59:19 +02:00			`PORTREVISION= 0`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00			`CATEGORIES= security`
Convert all :U to :tu and :L to :tl Since FreeBSD 8.4 and FreeBSD 9.1 make(1) do support :tu and :tl as a replacement for :U and :L (which has been marked as deprecated) bmake which is the default on FreeBSD 10+ only support by default :tu/:tl a hack has been added at the time to support :U and :L to ease migration. This hack is now not necessary anymore Note that this makes the ports tree incompatible with make(1) from FreeBSD 8.3 or earlier With hat: portmgr 2014-05-05 11:45:36 +02:00			`MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src`
Security update: use newer Mozilla Builtin-Trust store to revoke DigiNotar.nl trust. Security fix: the modssl ca-bundle.pl script did not process "untrusted" marks on certificates. Drop it and write a new script in its place that does that. Synch up with security/nss port to 3.12.11. Not asking for maintainer approval because of multiple timeouts in response to related PRs vs. security/[ca_root_]nss. 2011-09-04 15:08:49 +02:00			`DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00
- Pass maintainership to ports-secteam, with a explicit approval for gecko@ Differential Revision: D2640 2016-01-02 16:15:06 +01:00			`MAINTAINER= ports-secteam@FreeBSD.org`
security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers Since 2.7.9, Python verifies SSL certificates by default. Currently, even with security/ca_root_nss installed, Python fails certificate verification. Upon investigation, Python uses OpenSSL's standard SSL_CTX_load_verify_locations function to load a list of CA root certificates. Support was added to ca_root_nss for "out of the box" certificate verification for a number of base utilities in r372629 [1], but this did not include support for software that uses OpenSSL's SSL_CTX_load_verify_locations function. [1] https://svnweb.freebsd.org/changeset/ports/372629 OpenSSL defaults (at compile time) to the following paths and filenames for certificate and CAFile lookup: Base: SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_FILE/etc/ssl/cert.pem Ports: SSL_CERT_DIR=/usr/local/openssl/certs SSL_CERT_FILE=/usr/local/openssl/cert.pem This change installs a symlink which points to the root certificate bundle in the location that OpenSSL from ports looks for them. This allows any and all software utilising SSL_CTX_load_verify_locations function to verify SSL certificates by default after installation of this package. Additionally, display a pkg-message to the user about the lack of warranty associated with these certificates. Note: This is NOT related to solving for SSL certificate verification for OpenSSL in Base, which is covered in bug 189811. While I'm here: - Add LICENSE - Use options helpers and OPTIONS_SUB - Fix typo in !!! message !!! PR: 196431 Submitted by: koobs Reviewed by: jbeich Approved by: maintainer timeout (1 month) 2015-02-09 10:44:28 +01:00			`COMMENT= Root certificate bundle from the Mozilla Project`

Update LICENSE Approved by: portmgr (blanket) 2017-09-24 20:50:00 +02:00			`LICENSE= MPL20`
- Add LICENSE_FILE. - Remove NO_WRKSUBDIR and do-extract target because there isn't special reason requiring them. - Some cosmetics fixes PR: 222262 Reported by: Yasuhiro KIMURA <yasu@utahime.org> Approved by: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2020-07-23 17:13:22 +02:00			`LICENSE_FILE= ${WRKSRC}/COPYING`

			`USES= perl5 ssl:build`
			`USE_PERL5= build`

			`NO_ARCH= yes`
			`WRKSRC_SUBDIR= nss`
security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers Since 2.7.9, Python verifies SSL certificates by default. Currently, even with security/ca_root_nss installed, Python fails certificate verification. Upon investigation, Python uses OpenSSL's standard SSL_CTX_load_verify_locations function to load a list of CA root certificates. Support was added to ca_root_nss for "out of the box" certificate verification for a number of base utilities in r372629 [1], but this did not include support for software that uses OpenSSL's SSL_CTX_load_verify_locations function. [1] https://svnweb.freebsd.org/changeset/ports/372629 OpenSSL defaults (at compile time) to the following paths and filenames for certificate and CAFile lookup: Base: SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_FILE/etc/ssl/cert.pem Ports: SSL_CERT_DIR=/usr/local/openssl/certs SSL_CERT_FILE=/usr/local/openssl/cert.pem This change installs a symlink which points to the root certificate bundle in the location that OpenSSL from ports looks for them. This allows any and all software utilising SSL_CTX_load_verify_locations function to verify SSL certificates by default after installation of this package. Additionally, display a pkg-message to the user about the lack of warranty associated with these certificates. Note: This is NOT related to solving for SSL certificate verification for OpenSSL in Base, which is covered in bug 189811. While I'm here: - Add LICENSE - Use options helpers and OPTIONS_SUB - Fix typo in !!! message !!! PR: 196431 Submitted by: koobs Reviewed by: jbeich Approved by: maintainer timeout (1 month) 2015-02-09 10:44:28 +01:00
			`OPTIONS_DEFINE= ETCSYMLINK`
security/ca_root_nss: Enable certificate verification (for Base OpenSSL) Enable the ETCSYMLINK option so that SSL certificate verification is enabled by default for OpenSSL in base. This change is the third in a set of changes [1][2] that improves the default configuration and behaviour of client software relying on OpenSSL for SSL/TLS and certificate verification. A symlink is installed which points to the root certificate bundle in the location that OpenSSL in base looks for them, as configured at build time [2]. This allows any and all software utilising SSL_CTX_load_verify_locations function to verify SSL certificates by default after installation of this package. [1] https://svnweb.freebsd.org/changeset/ports/372629 [2] https://svnweb.freebsd.org/changeset/ports/378720 PR: 189811 196357 Requested by: many Submitted by: dreamcat4 gmail com Approved by: maintainer timeout (>1 year) 2015-06-06 09:41:51 +02:00			`OPTIONS_DEFAULT= ETCSYMLINK`

security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers Since 2.7.9, Python verifies SSL certificates by default. Currently, even with security/ca_root_nss installed, Python fails certificate verification. Upon investigation, Python uses OpenSSL's standard SSL_CTX_load_verify_locations function to load a list of CA root certificates. Support was added to ca_root_nss for "out of the box" certificate verification for a number of base utilities in r372629 [1], but this did not include support for software that uses OpenSSL's SSL_CTX_load_verify_locations function. [1] https://svnweb.freebsd.org/changeset/ports/372629 OpenSSL defaults (at compile time) to the following paths and filenames for certificate and CAFile lookup: Base: SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_FILE/etc/ssl/cert.pem Ports: SSL_CERT_DIR=/usr/local/openssl/certs SSL_CERT_FILE=/usr/local/openssl/cert.pem This change installs a symlink which points to the root certificate bundle in the location that OpenSSL from ports looks for them. This allows any and all software utilising SSL_CTX_load_verify_locations function to verify SSL certificates by default after installation of this package. Additionally, display a pkg-message to the user about the lack of warranty associated with these certificates. Note: This is NOT related to solving for SSL certificate verification for OpenSSL in Base, which is covered in bug 189811. While I'm here: - Add LICENSE - Use options helpers and OPTIONS_SUB - Fix typo in !!! message !!! PR: 196431 Submitted by: koobs Reviewed by: jbeich Approved by: maintainer timeout (1 month) 2015-02-09 10:44:28 +01:00			`OPTIONS_SUB= yes`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00
- Update to 3.13.5 - Convert to optionsng 2012-06-04 23:14:30 +02:00			`ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem`
- Update NSS and ca_root_nss to 3.19.2 - Update Firefox and gmp-api to 39.0 - Update Firefox ESR and libxul to 38.1.0 Changes: https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes Changes: https://www.mozilla.org/firefox/39.0/releasenotes/ Changes: https://www.mozilla.org/firefox/38.1.0/releasenotes/ MFH: 2015Q3 Security: https://vuxml.freebsd.org/freebsd/44d9daee-940c-4179-86bb-6e3ffd617869.html 2015-07-16 08:05:59 +02:00			`ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*`
Add an option (defaulting to off since messing with files outside PREFIX is to be avoided) to link the installed certificate bundle to /etc/ssh/cert.pem 2008-03-12 22:02:01 +01:00
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00			`CERTDIR?= share/certs`
Add an option (defaulting to off since messing with files outside PREFIX is to be avoided) to link the installed certificate bundle to /etc/ssh/cert.pem 2008-03-12 22:02:01 +01:00			`PLIST_SUB+= CERTDIR=${CERTDIR}`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00
security/ca_root_nss: Update to 3.75 With hat: ports-secteam Sponsored by: Netzkommune GmbH 2022-02-06 10:40:03 +01:00			`VERSION_NSS= 3.75`
- Add LICENSE_FILE. - Remove NO_WRKSUBDIR and do-extract target because there isn't special reason requiring them. - Some cosmetics fixes PR: 222262 Reported by: Yasuhiro KIMURA <yasu@utahime.org> Approved by: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2020-07-23 17:13:22 +02:00			`CERTDATA_TXT_PATH= lib/ckfw/builtins/certdata.txt`
Security update: use newer Mozilla Builtin-Trust store to revoke DigiNotar.nl trust. Security fix: the modssl ca-bundle.pl script did not process "untrusted" marks on certificates. Drop it and write a new script in its place that does that. Synch up with security/nss port to 3.12.11. Not asking for maintainer approval because of multiple timeouts in response to related PRs vs. security/[ca_root_]nss. 2011-09-04 15:08:49 +02:00			`BUNDLE_PROCESSOR= MAca-bundle.pl`
security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers Since 2.7.9, Python verifies SSL certificates by default. Currently, even with security/ca_root_nss installed, Python fails certificate verification. Upon investigation, Python uses OpenSSL's standard SSL_CTX_load_verify_locations function to load a list of CA root certificates. Support was added to ca_root_nss for "out of the box" certificate verification for a number of base utilities in r372629 [1], but this did not include support for software that uses OpenSSL's SSL_CTX_load_verify_locations function. [1] https://svnweb.freebsd.org/changeset/ports/372629 OpenSSL defaults (at compile time) to the following paths and filenames for certificate and CAFile lookup: Base: SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_FILE/etc/ssl/cert.pem Ports: SSL_CERT_DIR=/usr/local/openssl/certs SSL_CERT_FILE=/usr/local/openssl/cert.pem This change installs a symlink which points to the root certificate bundle in the location that OpenSSL from ports looks for them. This allows any and all software utilising SSL_CTX_load_verify_locations function to verify SSL certificates by default after installation of this package. Additionally, display a pkg-message to the user about the lack of warranty associated with these certificates. Note: This is NOT related to solving for SSL certificate verification for OpenSSL in Base, which is covered in bug 189811. While I'm here: - Add LICENSE - Use options helpers and OPTIONS_SUB - Fix typo in !!! message !!! PR: 196431 Submitted by: koobs Reviewed by: jbeich Approved by: maintainer timeout (1 month) 2015-02-09 10:44:28 +01:00
			`SUB_FILES= MAca-bundle.pl pkg-message`
- update firefox to 19.0 - update firefox-esr, thunderbird, linux-firefox, linux-thunderbird to 17.0.3 - update linux-seamonkey to 2.16 - update nspr to 4.9.5 - update nss to 3.14.3 - add DuckDuckGo search plugin to firefox [1] - mark kompozer deprecated - clang fixes for www/libxul19 [2] Security: http://www.vuxml.org/freebsd/e3f0374a-7ad6-11e2-84cd-d43d7e0c7c02.html Submitted by: DuckDuckGo [1], dim [2] In collaboration with: Jan Beich <jbeich@tormail.org> 2013-02-20 00:53:07 +01:00			`SUB_LIST= VERSION_NSS=${VERSION_NSS}`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00
Mk: Cleanup after moving apply-slist earlier. 2021-04-13 12:58:16 +02:00			`do-build:`
This uses OpenSSL, use openssl from ports if available. Sponsored by: Absolight 2016-09-23 16:59:28 +02:00			`@${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \`
			`${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \`
- Add LICENSE_FILE. - Remove NO_WRKSUBDIR and do-extract target because there isn't special reason requiring them. - Some cosmetics fixes PR: 222262 Reported by: Yasuhiro KIMURA <yasu@utahime.org> Approved by: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2020-07-23 17:13:22 +02:00			`< ${WRKSRC}/${CERTDATA_TXT_PATH} > \`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00			`${WRKDIR}/ca-root-nss.crt`

			`do-install:`
- update to 3.15.2 [1] - support stage PR: ports/183282 [1] Submitted by: pfg [1] 2013-10-24 22:10:51 +02:00			`${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR}`
			`${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR}`
Always install ${PREFIX}/etc/ssl/cert.pem symlink to allow both some base applications some root certificates. Discussed with: des 2014-11-16 11:10:12 +01:00			`${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl`
- Add LICENSE_FILE. - Remove NO_WRKSUBDIR and do-extract target because there isn't special reason requiring them. - Some cosmetics fixes PR: 222262 Reported by: Yasuhiro KIMURA <yasu@utahime.org> Approved by: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2020-07-23 17:13:22 +02:00			`${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample`
security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers Since 2.7.9, Python verifies SSL certificates by default. Currently, even with security/ca_root_nss installed, Python fails certificate verification. Upon investigation, Python uses OpenSSL's standard SSL_CTX_load_verify_locations function to load a list of CA root certificates. Support was added to ca_root_nss for "out of the box" certificate verification for a number of base utilities in r372629 [1], but this did not include support for software that uses OpenSSL's SSL_CTX_load_verify_locations function. [1] https://svnweb.freebsd.org/changeset/ports/372629 OpenSSL defaults (at compile time) to the following paths and filenames for certificate and CAFile lookup: Base: SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_FILE/etc/ssl/cert.pem Ports: SSL_CERT_DIR=/usr/local/openssl/certs SSL_CERT_FILE=/usr/local/openssl/cert.pem This change installs a symlink which points to the root certificate bundle in the location that OpenSSL from ports looks for them. This allows any and all software utilising SSL_CTX_load_verify_locations function to verify SSL certificates by default after installation of this package. Additionally, display a pkg-message to the user about the lack of warranty associated with these certificates. Note: This is NOT related to solving for SSL certificate verification for OpenSSL in Base, which is covered in bug 189811. While I'm here: - Add LICENSE - Use options helpers and OPTIONS_SUB - Fix typo in !!! message !!! PR: 196431 Submitted by: koobs Reviewed by: jbeich Approved by: maintainer timeout (1 month) 2015-02-09 10:44:28 +01:00			`${MKDIR} ${STAGEDIR}${PREFIX}/openssl`
- Add LICENSE_FILE. - Remove NO_WRKSUBDIR and do-extract target because there isn't special reason requiring them. - Some cosmetics fixes PR: 222262 Reported by: Yasuhiro KIMURA <yasu@utahime.org> Approved by: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2020-07-23 17:13:22 +02:00			`${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample`
Add ca_root_nss: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. 2007-07-06 23:37:35 +02:00
Convert to options target helper Approved by: portmgr (blanket) 2019-02-02 22:56:43 +01:00			`do-install-ETCSYMLINK-on:`
			`${MKDIR} ${STAGEDIR}/etc/ssl`
- Add LICENSE_FILE. - Remove NO_WRKSUBDIR and do-extract target because there isn't special reason requiring them. - Some cosmetics fixes PR: 222262 Reported by: Yasuhiro KIMURA <yasu@utahime.org> Approved by: ports-secteam (with hat) Sponsored by: Netzkommune GmbH 2020-07-23 17:13:22 +02:00			`${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem`
Convert to options target helper Approved by: portmgr (blanket) 2019-02-02 22:56:43 +01:00
- Update to 3.13.5 - Convert to optionsng 2012-06-04 23:14:30 +02:00			`.include <bsd.port.mk>`