rootcerts/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages %{nil}
%define debug_package %{nil}

# _without = java enabled, _with = java disabled
%bcond_without java

%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
%define java_bundle java/cacerts

Summary:	Bundle of CA Root Certificates
Name:		rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:		1
Version:	20220927.00
Release:	2
License:	GPL
Group:		System/Servers
URL:		%{disturl}
# For Source0, the NSS commit trunk version of this file is here:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# The version tag for this package should come from the commit date of the version used from the NSS repository above
# To choose which NSS commit version to use, we can check the certdata.txt file used in either...
# the current Mozilla release:
# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# or the Mozilla development commit trunk:
# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# Ideally, it should correspond to the version shipped in the NSS release we are using
Source0:	https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
# Similarly, Source1 comes from:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
# Check the log to see if it needs to be updated:
# https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/nssckbi.h
Source1:	nssckbi.h
Source2:	update-ca-trust
Source3:	trust-fixes
Source4:	certdata2pem.py
Source5:	ca-legacy.conf
Source6:	ca-legacy
Source9:	ca-legacy.8.txt
Source10:	update-ca-trust.8.txt
# https://www.gosuslugi.ru/crt -> macOS
# https://developers.sber.ru/docs/ru/salutespeech/certificates
Source11:	https://gu-st.ru/content/Other/doc/russiantrustedca.pem
BuildRequires:	python3
BuildRequires:	openssl
BuildRequires:	nss
BuildRequires:	automake
BuildRequires:	libtool
%if %{with java}
BuildRequires:	java-devel
BuildRequires:	javapackages-tools
%endif
BuildRequires:	docbook-xsl
BuildRequires:	asciidoc
BuildRequires:	xsltproc
Recommends:		(%{name}-russia if locales-ru)
# have rootcerts-russia installed before update-ca-trust is run
# TODO: convert %%post into filetriggers
OrderWithRequires(post):	%{name}-russia
Requires(post):	coreutils
Requires(post):	p11-kit
Requires(post):	p11-kit-trust
BuildArch:	noarch
Provides:	ca-certificates

# update-ca-trust (provided by rootcerts, called by %%post script)
# calls /usr/bin/p11-kit, which in turn calls /usr/bin/trust
Requires(post):	p11-kit p11-kit-trust
Requires:	p11-kit p11-kit-trust

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

#--------------------------------------------------------------------

%package russia
Summary:	Root certificates of Russian government (Mintsyfra)
Url:		https://www.gosuslugi.ru/tls
Requires:	%{name}

%description russia
Root certificates of Russian government (Mintsyfra)

#--------------------------------------------------------------------

%if %{with java}
%package java
Summary:	Bundle of CA Root Certificates for Java
Group:		Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep
rm -rf %{name}
mkdir -p %{name}/certs/legacy-default
mkdir %{name}/certs/legacy-disable
mkdir %{name}/java

%build
pushd %{name}/certs
 cp %{SOURCE0} certdata.txt
 python3 %{SOURCE4} >c2p.log 2>c2p.err
popd
pushd %{name}
 (
   cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
#
# Source: nss/lib/ckfw/builtins/certdata.txt
# Source: nss/lib/ckfw/builtins/nssckbi.h
#
# Generated from:
EOF
   cat %{SOURCE1}  |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
   echo '#';
 ) > %{p11_format_bundle}

 touch %{legacy_default_bundle}
 NUM_LEGACY_DEFAULT=$(find certs/legacy-default -type f | wc -l)
 if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
     for f in certs/legacy-default/*.crt; do
       echo "processing $f"
       tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
       alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
       targs=""
       if [ -n "$tbits" ]; then
          for t in $tbits; do
             targs="${targs} -addtrust $t"
          done
       fi
       if [ -n "$targs" ]; then
          echo "legacy default flags $targs for $f" >> info.trust
          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_default_bundle}
       fi
     done
 fi

 touch %{legacy_disable_bundle}
 NUM_LEGACY_DISABLE=$(find certs/legacy-disable -type f | wc -l)
 if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
     for f in certs/legacy-disable/*.crt; do
       echo "processing $f"
       tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
       alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
       targs=""
       if [ -n "$tbits" ]; then
          for t in $tbits; do
             targs="${targs} -addtrust $t"
          done
       fi
       if [ -n "$targs" ]; then
          echo "legacy disable flags $targs for $f" >> info.trust
          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
       fi
     done
 fi

 P11FILES=$(find certs -name \*.tmp-p11-kit | wc -l)
 if [ $P11FILES -ne 0 ]; then
   for p in certs/*.tmp-p11-kit; do
     cat "$p" >> %{p11_format_bundle}
   done
 fi
 # Append our trust fixes
 cat %{SOURCE3} >> %{p11_format_bundle}
popd

#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml

cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml

%install
mkdir -p -m 755 %{buildroot}%{pkidir}/java
mkdir -p -m 755 %{buildroot}%{catrustdir}/source
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/edk2
mkdir -p -m 755 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/update-ca-trust.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/ca-legacy.8 %{buildroot}%{_mandir}/man8
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs/source
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}
install -p -m 644 %{SOURCE5} %{buildroot}%{catrustdir}/ca-legacy.conf
install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
install -p -m 755 %{SOURCE6} %{buildroot}%{_bindir}/ca-legacy

install -m0644 %{name}/certs/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

mkdir -p -m 755 %{buildroot}%{catrustdir}/source
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source
install -p -m 644 %{name}/%{p11_format_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy
install -p -m 644 %{name}/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
install -p -m 644 %{name}/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}

install -m0644 %{SOURCE11} %{buildroot}%{catrustdir}/source/anchors/russia_rsa2022.cer

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl

for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

# touch ghosted files that will be extracted dynamically
# Set chmod 444 to use identical permission
touch %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch %{buildroot}%{catrustdir}/extracted/%{java_bundle}
chmod 444 %{buildroot}%{catrustdir}/extracted/%{java_bundle}
touch %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin

# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
    %{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%if %{with java}
ln -s %{catrustdir}/extracted/%{java_bundle} \
    %{buildroot}%{pkidir}/%{java_bundle}
%endif

%post
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust

%files
%doc README
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist
%{_sysconfdir}/pki/tls/cert.pem
%{_mandir}/man8/ca-legacy.8.*
%{_mandir}/man8/update-ca-trust.8.*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private
# symlinks for old locations
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
# master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
# update/extract tool
%config(noreplace) %{catrustdir}/ca-legacy.conf
%{_bindir}/update-ca-trust
%{_bindir}/ca-legacy
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
# files extracted files
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin


%if %{with java}
%files java
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif

%files russia
%{catrustdir}/source/anchors/russia_rsa2022.cer
update from 2019.1 2020-09-10 21:10:55 +09:00			`# don't make useless debug packages`
			`%define _enable_debug_packages %{nil}`
			`%define debug_package %{nil}`

			`# _without = java enabled, _with = java disabled`
enable java 2020-09-10 21:11:25 +09:00			`%bcond_without java`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%define pkidir %{_sysconfdir}/pki`
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`%define catrustdir %{_sysconfdir}/pki/ca-trust`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%define classic_tls_bundle ca-bundle.crt`
			`%define openssl_format_trust_bundle ca-bundle.trust.crt`
			`%define p11_format_bundle ca-bundle.trust.p11-kit`
			`%define legacy_default_bundle ca-bundle.legacy.default.crt`
			`%define legacy_disable_bundle ca-bundle.legacy.disable.crt`
			`%define java_bundle java/cacerts`
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`Summary: Bundle of CA Root Certificates`
			`Name: rootcerts`
update from 2019.1 2020-09-10 21:10:55 +09:00			`# <mrl> Use this versioning style in order to be easily backportable.`
			`# Note that the release is the last two digits on the version.`
			`# All BuildRequires for rootcerts should be done this way:`
			`# BuildRequires: rootcerts >= 0:20070402.00, for example`
			`# - NEVER specifying the %%{release}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`Epoch: 1`
Add Russian root certificates, update bundle 2022-09-27 23:35:13 +03:00			`Version: 20220927.00`
Add second Russian certificate This new file contains the one from the previous one + another one 2022-09-28 00:54:21 +03:00			`Release: 2`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`License: GPL`
update from 2019.1 2020-09-10 21:10:55 +09:00			`Group: System/Servers`
			`URL: %{disturl}`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`# For Source0, the NSS commit trunk version of this file is here:`
			`# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt`
			`# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions`
			`# The version tag for this package should come from the commit date of the version used from the NSS repository above`
			`# To choose which NSS commit version to use, we can check the certdata.txt file used in either...`
			`# the current Mozilla release:`
			`# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt`
			`# or the Mozilla development commit trunk:`
			`# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt`
			`# Ideally, it should correspond to the version shipped in the NSS release we are using`
update from 2019.1 2020-09-10 21:10:55 +09:00			`Source0: https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`# Similarly, Source1 comes from:`
			`# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h`
			`# Check the log to see if it needs to be updated:`
			`# https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/nssckbi.h`
			`Source1: nssckbi.h`
			`Source2: update-ca-trust`
			`Source3: trust-fixes`
			`Source4: certdata2pem.py`
			`Source5: ca-legacy.conf`
			`Source6: ca-legacy`
			`Source9: ca-legacy.8.txt`
			`Source10: update-ca-trust.8.txt`
Add second Russian certificate This new file contains the one from the previous one + another one 2022-09-28 00:54:21 +03:00			`# https://www.gosuslugi.ru/crt -> macOS`
			`# https://developers.sber.ru/docs/ru/salutespeech/certificates`
			`Source11: https://gu-st.ru/content/Other/doc/russiantrustedca.pem`
update from 2019.1 2020-09-10 21:10:55 +09:00			`BuildRequires: python3`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`BuildRequires: openssl`
			`BuildRequires: nss`
update from 2019.1 2020-09-10 21:10:55 +09:00			`BuildRequires: automake`
			`BuildRequires: libtool`
			`%if %{with java}`
Updated to 20150326 2015-08-22 12:37:35 +04:00			`BuildRequires: java-devel`
update from 2019.1 2020-09-10 21:10:55 +09:00			`BuildRequires: javapackages-tools`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%endif`
update from 2019.1 2020-09-10 21:10:55 +09:00			`BuildRequires: docbook-xsl`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`BuildRequires: asciidoc`
update from 2019.1 2020-09-10 21:10:55 +09:00			`BuildRequires: xsltproc`
Add Russian root certificates, update bundle 2022-09-27 23:35:13 +03:00			`Recommends: (%{name}-russia if locales-ru)`
			`# have rootcerts-russia installed before update-ca-trust is run`
			`# TODO: convert %%post into filetriggers`
			`OrderWithRequires(post): %{name}-russia`
update from 2019.1 2020-09-10 21:10:55 +09:00			`Requires(post): coreutils`
			`Requires(post): p11-kit`
			`Requires(post): p11-kit-trust`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`BuildArch: noarch`
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`Provides: ca-certificates`

update from 2019.1 2020-09-10 21:10:55 +09:00			`# update-ca-trust (provided by rootcerts, called by %%post script)`
			`# calls /usr/bin/p11-kit, which in turn calls /usr/bin/trust`
			`Requires(post): p11-kit p11-kit-trust`
			`Requires: p11-kit p11-kit-trust`

Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%description`
			`This is a bundle of X.509 certificates of public Certificate`
			`Authorities (CA). These were automatically extracted from Mozilla's`
			`root CA list (the file "certdata.txt"). It contains the certificates`
			`in both plain text and PEM format and therefore can be directly used`
			`with an Apache/mod_ssl webserver for SSL client authentication. Just`
			`configure this file as the SSLCACertificateFile.`

Add Russian root certificates, update bundle 2022-09-27 23:35:13 +03:00			`#--------------------------------------------------------------------`

			`%package russia`
			`Summary: Root certificates of Russian government (Mintsyfra)`
			`Url: https://www.gosuslugi.ru/tls`
			`Requires: %{name}`

			`%description russia`
			`Root certificates of Russian government (Mintsyfra)`

			`#--------------------------------------------------------------------`

update from 2019.1 2020-09-10 21:10:55 +09:00			`%if %{with java}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%package java`
			`Summary: Bundle of CA Root Certificates for Java`
			`Group: Development/Java`

			`%description java`
			`Bundle of X.509 certificates of public Certificate Authorities (CA)`
			`in a format used by Java Runtime Environment.`
			`%endif`

			`%prep`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`rm -rf %{name}`
			`mkdir -p %{name}/certs/legacy-default`
			`mkdir %{name}/certs/legacy-disable`
			`mkdir %{name}/java`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`%build`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`pushd %{name}/certs`
			`cp %{SOURCE0} certdata.txt`
			`python3 %{SOURCE4} >c2p.log 2>c2p.err`
			`popd`
			`pushd %{name}`
			`(`
			`cat <<EOF`
			`# This is a bundle of X.509 certificates of public Certificate`
			`# Authorities. It was generated from the Mozilla root CA list.`
			`# These certificates and trust/distrust attributes use the file format accepted`
			`# by the p11-kit-trust module.`
			`#`
			`# Source: nss/lib/ckfw/builtins/certdata.txt`
			`# Source: nss/lib/ckfw/builtins/nssckbi.h`
			`#`
			`# Generated from:`
			`EOF`
			`cat %{SOURCE1} \|grep -w NSS_BUILTINS_LIBRARY_VERSION \| awk '{print "# " $2 " " $3}';`
			`echo '#';`
			`) > %{p11_format_bundle}`

			`touch %{legacy_default_bundle}`
update from 2019.1 2020-09-10 21:10:55 +09:00			`NUM_LEGACY_DEFAULT=$(find certs/legacy-default -type f \| wc -l)`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then`
update from 2019.1 2020-09-10 21:10:55 +09:00			`for f in certs/legacy-default/*.crt; do`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`echo "processing $f"`
update from 2019.1 2020-09-10 21:10:55 +09:00			`tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)`
			`alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f \| sed "s/'//g" \| sed 's/"//g')`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`targs=""`
			`if [ -n "$tbits" ]; then`
			`for t in $tbits; do`
			`targs="${targs} -addtrust $t"`
			`done`
			`fi`
			`if [ -n "$targs" ]; then`
			`echo "legacy default flags $targs for $f" >> info.trust`
			`openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_default_bundle}`
			`fi`
			`done`
			`fi`

			`touch %{legacy_disable_bundle}`
update from 2019.1 2020-09-10 21:10:55 +09:00			`NUM_LEGACY_DISABLE=$(find certs/legacy-disable -type f \| wc -l)`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`if [ $NUM_LEGACY_DISABLE -ne 0 ]; then`
update from 2019.1 2020-09-10 21:10:55 +09:00			`for f in certs/legacy-disable/*.crt; do`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`echo "processing $f"`
update from 2019.1 2020-09-10 21:10:55 +09:00			`tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)`
			`alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f \| sed "s/'//g" \| sed 's/"//g')`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`targs=""`
			`if [ -n "$tbits" ]; then`
			`for t in $tbits; do`
			`targs="${targs} -addtrust $t"`
			`done`
			`fi`
			`if [ -n "$targs" ]; then`
			`echo "legacy disable flags $targs for $f" >> info.trust`
			`openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}`
			`fi`
			`done`
			`fi`

update from 2019.1 2020-09-10 21:10:55 +09:00			`P11FILES=$(find certs -name \*.tmp-p11-kit \| wc -l)`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`if [ $P11FILES -ne 0 ]; then`
update from 2019.1 2020-09-10 21:10:55 +09:00			`for p in certs/*.tmp-p11-kit; do`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`cat "$p" >> %{p11_format_bundle}`
			`done`
			`fi`
			`# Append our trust fixes`
			`cat %{SOURCE3} >> %{p11_format_bundle}`
			`popd`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`#manpage`
			`cp %{SOURCE10} %{name}/update-ca-trust.8.txt`
			`asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt`
			`xsltproc --nonet -o %{name}/update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`cp %{SOURCE9} %{name}/ca-legacy.8.txt`
			`asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt`
			`xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
			`%install`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`mkdir -p -m 755 %{buildroot}%{pkidir}/java`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/source`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/edk2`
			`mkdir -p -m 755 %{buildroot}%{_mandir}/man8`
			`install -p -m 644 %{name}/update-ca-trust.8 %{buildroot}%{_mandir}/man8`
			`install -p -m 644 %{name}/ca-legacy.8 %{buildroot}%{_mandir}/man8`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`install -d %{buildroot}%{_sysconfdir}/pki/tls/certs`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`install -d %{buildroot}%{_sysconfdir}/pki/tls/certs/source`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla`
			`install -d %{buildroot}%{_bindir}`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`install -p -m 644 %{SOURCE5} %{buildroot}%{catrustdir}/ca-legacy.conf`
			`install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust`
			`install -p -m 755 %{SOURCE6} %{buildroot}%{_bindir}/ca-legacy`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`install -m0644 %{name}/certs/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`mkdir -p -m 755 %{buildroot}%{catrustdir}/source`
			`mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source`
			`install -p -m 644 %{name}/%{p11_format_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy`
			`install -p -m 644 %{name}/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}`
			`install -p -m 644 %{name}/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}`

Add second Russian certificate This new file contains the one from the previous one + another one 2022-09-28 00:54:21 +03:00			`install -m0644 %{SOURCE11} %{buildroot}%{catrustdir}/source/anchors/russia_rsa2022.cer`
Add Russian root certificates, update bundle 2022-09-27 23:35:13 +03:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%if %with java`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`install -d %{buildroot}%{_sysconfdir}/pki/java`
			`%endif`

			`cat > README << EOF`

			`R O O T C E R T S`
			`-----------------`

			`This is a bundle of X.509 certificates of public Certificate`
			`Authorities (CA). These were automatically extracted from Mozilla's`
			`root CA list (the file "certdata.txt"). It contains the certificates`
			`in both plain text and PEM format and therefore can be directly used`
			`with an Apache/mod_ssl webserver for SSL client authentication. Just`
			`configure this file as the SSLCACertificateFile.`

			`EOF`

Updated to 20200909 2020-09-09 21:41:53 +03:00			`# be compatible with Debian/Ubuntu SSL paths`
			`# fix #58107 (also used by dovecot default config)`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`install -d %{buildroot}%{_sysconfdir}/ssl`
update from 2019.1 2020-09-10 21:10:55 +09:00
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`for d in certs private; do`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`done`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`# touch ghosted files that will be extracted dynamically`
			`# Set chmod 444 to use identical permission`
			`touch %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem`
			`chmod 444 %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem`
			`touch %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem`
			`chmod 444 %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem`
			`touch %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem`
			`chmod 444 %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem`
			`touch %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}`
			`chmod 444 %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}`
			`touch %{buildroot}%{catrustdir}/extracted/%{java_bundle}`
			`chmod 444 %{buildroot}%{catrustdir}/extracted/%{java_bundle}`
			`touch %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin`
			`chmod 444 %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin`

			`# legacy filenames`
			`ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \`
			`%{buildroot}%{pkidir}/tls/cert.pem`
			`ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \`
			`%{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}`
			`ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \`
			`%{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}`
update from 2019.1 2020-09-10 21:10:55 +09:00			`%if %{with java}`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`ln -s %{catrustdir}/extracted/%{java_bundle} \`
			`%{buildroot}%{pkidir}/%{java_bundle}`
			`%endif`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%post`
			`%{_bindir}/ca-legacy install`
			`%{_bindir}/update-ca-trust`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00
update from 2019.1 2020-09-10 21:10:55 +09:00			`%files`
			`%doc README`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%dir %{catrustdir}/source`
			`%dir %{catrustdir}/source/anchors`
			`%dir %{catrustdir}/source/blacklist`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%{_sysconfdir}/pki/tls/cert.pem`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%{_mandir}/man8/ca-legacy.8.*`
			`%{_mandir}/man8/update-ca-trust.8.*`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt`
			`%{_sysconfdir}/ssl/certs`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`%{_sysconfdir}/ssl/private`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`# symlinks for old locations`
			`%{pkidir}/tls/certs/%{classic_tls_bundle}`
			`%{pkidir}/tls/certs/%{openssl_format_trust_bundle}`
			`# master bundle file with trust`
			`%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}`

			`%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}`
			`%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}`
			`# update/extract tool`
			`%config(noreplace) %{catrustdir}/ca-legacy.conf`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`%{_bindir}/update-ca-trust`
Updated to 20200909 2020-09-09 21:41:53 +03:00			`%{_bindir}/ca-legacy`
			`%ghost %{catrustdir}/source/ca-bundle.legacy.crt`
			`# files extracted files`
			`%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem`
			`%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem`
			`%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem`
			`%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}`
			`%ghost %{catrustdir}/extracted/%{java_bundle}`
			`%ghost %{catrustdir}/extracted/edk2/cacerts.bin`

update from 2019.1 2020-09-10 21:10:55 +09:00
			`%if %{with java}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%files java`
			`%dir %{_sysconfdir}/pki/java`
			`%config(noreplace) %{_sysconfdir}/pki/java/cacerts`
			`%endif`
update from 2019.1 2020-09-10 21:10:55 +09:00
Add Russian root certificates, update bundle 2022-09-27 23:35:13 +03:00			`%files russia`
			`%{catrustdir}/source/anchors/russia_rsa2022.cer`