rootcerts/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages %{nil}
%define debug_package %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %mips
%bcond_without java
%endif

%define catrustdir %{_sysconfdir}/pki/ca-trust

Summary:	Bundle of CA Root Certificates
Name:		rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:		1
Version:	20160922.00
Release:	2
License:	GPL
Group:		System/Servers
URL:		%{disturl}
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:	rootcerts.tar.bz2
#  http://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
Source1:	certdata-%{version}.txt
Source2:	rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:	cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:	verisign-class-3-secure-server-ca.pem
#http://www.cacert.org/certs/root.crt
Source5:	cacert.org.crt
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:	generate-cacerts.pl
# http://www.cacert.org/certs/class3.der
Source7:	cacert_class3.der
# certificates from signet
# http://www.signet.pl/repository/index.html
Source8:	http://www.signet.pl/repository/signetrootca/rootca_der.crt
Source9:	http://www.signet.pl/repository/publicca/publicxca_der.crt

# Helpers from Fedora
Source20:	update-ca-trust
Source21:	update-ca-trust.8.txt
Source22:	update-ca-trust.8

# Fix overwriting issue with generate-cacerts.pl
Patch0:		generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:		generate-cacerts-mandriva.patch
# Just rename identically named certificates that are not handled by mandriva.cpatch
Patch2:		generate-cacerts-rename-duplicates.patch
BuildRequires:	perl
BuildRequires:	openssl
#BuildRequires:	openssl-perl
BuildRequires:	nss
BuildRequires:	automake
BuildRequires:	libtool
#BuildRequires:	asciidoc
#BuildRequires:	xsltproc
%if %{with java}
BuildRequires:	java-devel
BuildRequires:	java-rpmbuild
%endif

# For update-ca-trust
Requires:	p11-kit
Provides:	ca-certificates

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %{with java}
%package java
Summary:	Bundle of CA Root Certificates for Java
Group:		Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep
%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
head -4 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .
cp %{SOURCE5} .
cp %{SOURCE6} .
cp %{SOURCE7} .
cp %{SOURCE8} .
cp %{SOURCE9} .

%patch0 -p0
%patch1 -p0
%patch2 -p0

%build
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
addbuiltin -n "CAcert Inc. Class 3" -t "CT,C,C" < cacert_class3.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
	addbuiltin -n "VeriSign Class 3 Secure Server CA" \
	-t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure --with-certdb=%{_sysconfdir}/pki/tls/rootcerts

%make

cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %{with java}
mkdir java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

#manpage  -we use generated one for now
#cp %{SOURCE21} update-ca-trust.8.txt
#asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
#xsltproc --nonet -o update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml

%install
%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %{with java}
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# fix #58107
install -d %{buildroot}%{_sysconfdir}/ssl

for d in certs private; do
	ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

mkdir -p %{buildroot}%{_mandir}/man8
install -p -m 755 %{SOURCE20} %{buildroot}%{_bindir}/update-ca-trust
mkdir -p %{buildroot}/bin
pushd %{buildroot}/bin
ln -s ../%{_bindir}/update-ca-trust update-ca-trust
popd
#install -p -m 644 update-ca-trust.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{SOURCE22} %{buildroot}%{_mandir}/man8

# Compatibility with Fedora-oriented packages
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java

%files
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private
%{_bindir}/update-ca-trust
/bin/update-ca-trust
%{_mandir}/man?/*

%{catrustdir}/source/anchors
%{catrustdir}/source/blacklist
%{catrustdir}/extracted/pem
%{catrustdir}/extracted/openssl
%{catrustdir}/extracted/java

%if %{with java}
%files java
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`# don't make useless debug packages`
Updated to 20150326 2015-08-22 12:37:35 +04:00			`%define _enable_debug_packages %{nil}`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`%define debug_package %{nil}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
			`# _without = java enabled, _with = java disabled`
Updated to 20150326 2015-08-22 12:37:35 +04:00			`%ifnarch %mips`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%bcond_without java`
Updated to 20150326 2015-08-22 12:37:35 +04:00			`%endif`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`%define catrustdir %{_sysconfdir}/pki/ca-trust`

Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`Summary: Bundle of CA Root Certificates`
			`Name: rootcerts`
			`# <mrl> Use this versioning style in order to be easily backportable.`
			`# Note that the release is the last two digits on the version.`
			`# All BuildRequires for rootcerts should be done this way:`
			`# BuildRequires: rootcerts >= 0:20070402.00, for example`
			`# - NEVER specifying the %%{release}`
			`Epoch: 1`
Updated to 20160922 2016-11-03 00:31:57 +03:00			`Version: 20160922.00`
MassBuild#1230: Increase release tag 2017-02-04 18:35:39 +03:00			`Release: 2`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`License: GPL`
			`Group: System/Servers`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`URL: %{disturl}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2`
			`Source0: rootcerts.tar.bz2`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`# http://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt`
Updated to 20160225 2016-03-20 16:43:47 +03:00			`Source1: certdata-%{version}.txt`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`Source2: rootcerts-igp-brasil.txt`
			`# http://www.cacert.org/certs/root.der`
			`Source3: cacert.org.der`
			`# http://qa.mandriva.com/show_bug.cgi?id=29612`
			`# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html`
			`Source4: verisign-class-3-secure-server-ca.pem`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`#http://www.cacert.org/certs/root.crt`
			`Source5: cacert.org.crt`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`# Java JKS keystore generator:`
			`# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl`
			`Source6: generate-cacerts.pl`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`# http://www.cacert.org/certs/class3.der`
			`Source7: cacert_class3.der`
			`# certificates from signet`
			`# http://www.signet.pl/repository/index.html`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`Source8: http://www.signet.pl/repository/signetrootca/rootca_der.crt`
			`Source9: http://www.signet.pl/repository/publicca/publicxca_der.crt`

			`# Helpers from Fedora`
			`Source20: update-ca-trust`
			`Source21: update-ca-trust.8.txt`
USe generated man page for now 2015-10-07 11:42:47 +03:00			`Source22: update-ca-trust.8`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`# Fix overwriting issue with generate-cacerts.pl`
			`Patch0: generate-cacerts-fix-entrustsslca.patch`
			`# Some hacks to make generate-cacerts.pl work with some of our certificates`
			`Patch1: generate-cacerts-mandriva.patch`
			`# Just rename identically named certificates that are not handled by mandriva.cpatch`
			`Patch2: generate-cacerts-rename-duplicates.patch`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`BuildRequires: perl`
			`BuildRequires: openssl`
Updated to 20150326 2015-08-22 12:37:35 +04:00			`#BuildRequires: openssl-perl`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`BuildRequires: nss`
			`BuildRequires: automake`
			`BuildRequires: libtool`
USe generated man page for now 2015-10-07 11:42:47 +03:00			`#BuildRequires: asciidoc`
			`#BuildRequires: xsltproc`
Updated to 20150326 2015-08-22 12:37:35 +04:00			`%if %{with java}`
			`BuildRequires: java-devel`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`BuildRequires: java-rpmbuild`
			`%endif`

Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`# For update-ca-trust`
			`Requires: p11-kit`
			`Provides: ca-certificates`

Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%description`
			`This is a bundle of X.509 certificates of public Certificate`
			`Authorities (CA). These were automatically extracted from Mozilla's`
			`root CA list (the file "certdata.txt"). It contains the certificates`
			`in both plain text and PEM format and therefore can be directly used`
			`with an Apache/mod_ssl webserver for SSL client authentication. Just`
			`configure this file as the SSLCACertificateFile.`

Updated to 20150326 2015-08-22 12:37:35 +04:00			`%if %{with java}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%package java`
			`Summary: Bundle of CA Root Certificates for Java`
			`Group: Development/Java`

			`%description java`
			`Bundle of X.509 certificates of public Certificate Authorities (CA)`
			`in a format used by Java Runtime Environment.`
			`%endif`

			`%prep`
			`%setup -q -n rootcerts`

			`mkdir -p builtins`
			`cp %{SOURCE1} builtins/certdata.txt`

			`# extract the license`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`head -4 builtins/certdata.txt > LICENSE`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
			`# add additional CA's here, needs to have the mozilla format...`
			`cat %{SOURCE2} >> builtins/certdata.txt`

			`# CAcert`
			`cp %{SOURCE3} .`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`cp %{SOURCE5} .`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`cp %{SOURCE6} .`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`cp %{SOURCE7} .`
			`cp %{SOURCE8} .`
			`cp %{SOURCE9} .`

Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%patch0 -p0`
			`%patch1 -p0`
			`%patch2 -p0`

Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`%build`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`rm -f configure`
			`libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy`

			`# CAcert`
			`# http://wiki.cacert.org/wiki/NSSLib`
			`addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`addbuiltin -n "CAcert Inc. Class 3" -t "CT,C,C" < cacert_class3.der >> builtins/certdata.txt`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
			`# new verisign intermediate certificate`
			`# -t trust trust flags (cCTpPuw).`
			`openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \`
			`addbuiltin -n "VeriSign Class 3 Secure Server CA" \`
			`-t "CT,C,C" >> builtins/certdata.txt`

			`perl mkcerts.pl > certs.sh`

Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`%configure --with-certdb=%{_sysconfdir}/pki/tls/rootcerts`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%make`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`cat pem/*.pem > ca-bundle.crt`
			`cat %{SOURCE4} >> ca-bundle.crt`

Updated to 20150326 2015-08-22 12:37:35 +04:00			`%if %{with java}`
			`mkdir java`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`cd java`
			`LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt`
			`cd ..`
			`%endif`

USe generated man page for now 2015-10-07 11:42:47 +03:00			`#manpage -we use generated one for now`
			`#cp %{SOURCE21} update-ca-trust.8.txt`
			`#asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt`
			`#xsltproc --nonet -o update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%install`
			`%makeinstall_std`

			`install -d %{buildroot}%{_sysconfdir}/pki/tls/certs`
			`install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla`
			`install -d %{buildroot}%{_bindir}`

			`install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/`
			`ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem`

			`install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/`

Updated to 20150326 2015-08-22 12:37:35 +04:00			`%if %{with java}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`install -d %{buildroot}%{_sysconfdir}/pki/java`
			`install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/`
			`%endif`

			`cat > README << EOF`

			`R O O T C E R T S`
			`-----------------`

			`This is a bundle of X.509 certificates of public Certificate`
			`Authorities (CA). These were automatically extracted from Mozilla's`
			`root CA list (the file "certdata.txt"). It contains the certificates`
			`in both plain text and PEM format and therefore can be directly used`
			`with an Apache/mod_ssl webserver for SSL client authentication. Just`
			`configure this file as the SSLCACertificateFile.`

			`EOF`

			`# fix #58107`
			`install -d %{buildroot}%{_sysconfdir}/ssl`

Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`for d in certs private; do`
			`ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/`
			`done`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`mkdir -p %{buildroot}%{_mandir}/man8`
			`install -p -m 755 %{SOURCE20} %{buildroot}%{_bindir}/update-ca-trust`
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`mkdir -p %{buildroot}/bin`
			`pushd %{buildroot}/bin`
			`ln -s ../%{_bindir}/update-ca-trust update-ca-trust`
			`popd`
USe generated man page for now 2015-10-07 11:42:47 +03:00			`#install -p -m 644 update-ca-trust.8 %{buildroot}%{_mandir}/man8`
			`install -p -m 644 %{SOURCE22} %{buildroot}%{_mandir}/man8`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`# Compatibility with Fedora-oriented packages`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl`
			`mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`%files`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%doc README LICENSE`
			`%{_sysconfdir}/pki/tls/cert.pem`
			`%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt`
			`%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*`
			`%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt`
			`%{_sysconfdir}/ssl/certs`
Updated to 20131114.00 2013-11-27 00:16:10 +04:00			`%{_sysconfdir}/ssl/private`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`%{_bindir}/update-ca-trust`
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`/bin/update-ca-trust`
Updated to 20150929.00, added update-ca-trust helper 2015-10-07 02:45:08 +03:00			`%{_mandir}/man?/*`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00
Add several ca-trust folders to be more compatible with Fedora-oriented packages 2015-10-07 11:08:14 +03:00			`%{catrustdir}/source/anchors`
			`%{catrustdir}/source/blacklist`
			`%{catrustdir}/extracted/pem`
			`%{catrustdir}/extracted/openssl`
			`%{catrustdir}/extracted/java`

Updated to 20150326 2015-08-22 12:37:35 +04:00			`%if %{with java}`
Automatic import for version 20110830.00 2012-02-01 14:52:42 +04:00			`%files java`
			`%dir %{_sysconfdir}/pki/java`
			`%config(noreplace) %{_sysconfdir}/pki/java/cacerts`
			`%endif`