diff --git a/certdata-20200909.00.txt b/certdata.txt
similarity index 100%
rename from certdata-20200909.00.txt
rename to certdata.txt
diff --git a/rootcerts.spec b/rootcerts.spec
index d405c28..7031b0f 100644
--- a/rootcerts.spec
+++ b/rootcerts.spec
@@ -1,5 +1,9 @@
-%bcond_with bootstrap
-%bcond_without java
+# don't make useless debug packages
+%define _enable_debug_packages %{nil}
+%define debug_package %{nil}
+
+# _without = java enabled, _with = java disabled
+%bcond_with java
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
@@ -12,13 +16,17 @@ Summary: Bundle of CA Root Certificates
 Name: rootcerts
+# Use this versioning style in order to be easily backportable.
+# Note that the release is the last two digits on the version.
+# All BuildRequires for rootcerts should be done this way:
+# BuildRequires: rootcerts >= 0:20070402.00, for example
+# - NEVER specifying the %%{release}
 Epoch: 1
-# *** Important: update BOTH Source0 and Source1 when newer than date below
-Version: 20200909.00
-Release: 1.vsos0
+Version: 20200910.00
+Release: 1
 License: GPL
-Group: Security
-URL: https://fedoraproject.org/wiki/CA-Certificates
+Group: System/Servers
+URL: %{disturl}
 # For Source0, the NSS commit trunk version of this file is here:
 # https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
 # See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
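Review bot: `%bcond_with java` reverses the default set by the removed `%bcond_without java`: the java subpackage and its `%config(noreplace) %{_sysconfdir}/pki/java/cacerts` (gated by `%if %{with java}` later in the file) are now built only when `--with java` is passed, and the new comment explains the macro convention but not why the default changed. Since a default build now silently ships without the Java trust store, the intent should be recorded next to the bcond, e.g. `# rootcerts-java (/etc/pki/java/cacerts) is NOT built by default; pass --with java to enable it`. If the old default was meant to be kept, the line should instead read `%bcond_without java`.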
@@ -29,7 +37,7 @@ URL: https://fedoraproject.org/wiki/CA-Certificates
 # or the Mozilla development commit trunk:
 # https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
 # Ideally, it should correspond to the version shipped in the NSS release we are using
-Source0: certdata-%{version}.txt
+Source0: https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 # Similarly, Source1 comes from:
 # https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
 # Check the log to see if it needs to be updated:
@@ -42,24 +50,29 @@ Source5: ca-legacy.conf
 Source6: ca-legacy
 Source9: ca-legacy.8.txt
 Source10: update-ca-trust.8.txt
+BuildRequires: python3
+BuildRequires: openssl
+BuildRequires: nss
+BuildRequires: automake
+BuildRequires: libtool
+%if %{with java}
+BuildRequires: java-devel
+BuildRequires: javapackages-tools
+%endif
+BuildRequires: docbook-xsl
+BuildRequires: asciidoc
+BuildRequires: xsltproc
 Requires(post): coreutils
 Requires(post): p11-kit
 Requires(post): p11-kit-trust
-BuildRequires: perl
-BuildRequires: openssl
-%if %{without bootstrap}
-BuildRequires: nss
-%endif
-%if %with java
-BuildRequires: javapackages-tools
-BuildRequires: java-devel
-%endif
-BuildRequires: asciidoc
-BuildRequires: xsltproc
-
 BuildArch: noarch
 Provides: ca-certificates
+# update-ca-trust (provided by rootcerts, called by %%post script)
+# calls /usr/bin/p11-kit, which in turn calls /usr/bin/trust
+Requires(post): p11-kit p11-kit-trust
+Requires: p11-kit p11-kit-trust
+
 %description
 This is a bundle of X.509 certificates of public Certificate Authorities (CA). These were automatically extracted from Mozilla's
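Review bot: The new Source0 URL ends in `raw-file/tip/...`, a moving reference on mozilla-release, while Version is pinned to the date 20200910.00; anyone re-fetching Source0 from that URL gets whatever certdata.txt is current at that moment, not the file this package was built and reviewed against, and no checksum is recorded to tell the two apart. Because this file defines the system's trust anchors, pin the URL to the changeset or release tag the shipped certdata.txt was taken from, and keep a checksum (or the dated filename that the rename in this commit drops) beside it. The rename to plain certdata.txt is what rpmbuild actually consumes, so today the URL is only provenance documentation — which is exactly why it has to be accurate. The removed warning about updating Source1 (nssckbi.h) together with Source0 is still valid and worth restoring here, e.g. `# Keep Source0 and Source1 (nssckbi.h) from the same NSS revision`.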
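Review bot: The added `Requires(post): p11-kit p11-kit-trust` repeats the `Requires(post): p11-kit` and `Requires(post): p11-kit-trust` lines that remain as context a few lines above in this same hunk, so the only effective addition is the plain `Requires: p11-kit p11-kit-trust`, which keeps the tools installed for later `update-ca-trust` runs by the administrator. Drop the duplicate `Requires(post)` line and move the two-line comment about update-ca-trust calling p11-kit directly above the `Requires:` it justifies. `BuildRequires: nss` also becomes unconditional here because the `bootstrap` bcond is gone; a one-line comment such as `# nss is always required: the bootstrap build path was removed` would make that loss of the nss-less bootstrap build look intentional rather than accidental.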
@@ -68,7 +81,7 @@ in both plain text and PEM format and therefore can be directly used with an
 Apache/mod_ssl webserver for SSL client authentication. Just configure this file as the SSLCACertificateFile.
-%if %with java
+%if %{with java}
 %package java
 Summary: Bundle of CA Root Certificates for Java
 Group: Development/Java
@@ -84,7 +97,6 @@ mkdir -p %{name}/certs/legacy-default
 mkdir %{name}/certs/legacy-disable
 mkdir %{name}/java
-
 %build
 pushd %{name}/certs
 cp %{SOURCE0} certdata.txt
@@ -108,12 +120,12 @@ EOF
 ) > %{p11_format_bundle}
 touch %{legacy_default_bundle}
- NUM_LEGACY_DEFAULT=`find certs/legacy-default -type f | wc -l`
+ NUM_LEGACY_DEFAULT=$(find certs/legacy-default -type f | wc -l)
 if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
- for f in certs/legacy-default/*.crt; do
+ for f in certs/legacy-default/*.crt; do
 echo "processing $f"
- tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
- alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+ tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
+ alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
 targs=""
 if [ -n "$tbits" ]; then
 for t in $tbits; do
@@ -128,12 +140,12 @@ EOF
 fi
 touch %{legacy_disable_bundle}
- NUM_LEGACY_DISABLE=`find certs/legacy-disable -type f | wc -l`
+ NUM_LEGACY_DISABLE=$(find certs/legacy-disable -type f | wc -l)
 if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
- for f in certs/legacy-disable/*.crt; do
+ for f in certs/legacy-disable/*.crt; do
 echo "processing $f"
- tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
- alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+ tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
+ alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
 targs=""
 if [ -n "$tbits" ]; then
 for t in $tbits; do
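Review bot: The `$(...)` rewrite of the legacy-default loop still leaves `$f` unquoted in both `sed ... $f` invocations and `$NUM_LEGACY_DEFAULT` unquoted in the test, and the `-ne 0` guard counts every regular file under certs/legacy-default with `find -type f` while the loop only globs `*.crt`, so a directory holding only non-.crt files makes the glob expand to its literal pattern and sed run against a nonexistent path. While these lines are being touched, quote the expansions and skip a non-matching glob: `tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f")` and `alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' "$f" | sed "s/'//g" | sed 's/"//g')`, with `[ -e "$f" ] || continue` as the first line of the loop body (the word-splitting of `$tbits` in the inner loop is intentional and should stay). The identical pattern is repeated in the legacy-disable hunk that follows, and the `for t in $tbits` body runs past the end of this hunk.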
@@ -147,9 +159,9 @@ EOF
 done
 fi
- P11FILES=`find certs -name \*.tmp-p11-kit | wc -l`
+ P11FILES=$(find certs -name \*.tmp-p11-kit | wc -l)
 if [ $P11FILES -ne 0 ]; then
- for p in certs/*.tmp-p11-kit; do
+ for p in certs/*.tmp-p11-kit; do
 cat "$p" >> %{p11_format_bundle}
 done
 fi
@@ -166,7 +178,6 @@ cp %{SOURCE9} %{name}/ca-legacy.8.txt
 asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
 xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
-
 %install
 mkdir -p -m 755 %{buildroot}%{pkidir}/java
 mkdir -p -m 755 %{buildroot}%{catrustdir}/source
@@ -219,6 +230,7 @@ EOF
 # be compatible with Debian/Ubuntu SSL paths
 # fix #58107 (also used by dovecot default config)
 install -d %{buildroot}%{_sysconfdir}/ssl
+
 for d in certs private; do
 ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
 done
@@ -245,23 +257,17 @@ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
 %{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
 ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
 %{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
-%if %with java
+%if %{with java}
 ln -s %{catrustdir}/extracted/%{java_bundle} \
 %{buildroot}%{pkidir}/%{java_bundle}
 %endif
 %post
-if [ -x %{_bindir}/ln ]; then
-%{_bindir}/ca-legacy install
-%{_bindir}/update-ca-trust
-fi
-
-%posttrans
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
-%files
-%doc README
+%files
+%doc README
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
 %dir %{catrustdir}/source/blacklist
@@ -292,8 +298,10 @@ fi
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-%if %with java
+
+%if %{with java}
 %files java
 %dir %{_sysconfdir}/pki/java
 %config(noreplace) %{_sysconfdir}/pki/java/cacerts
 %endif
+
diff --git a/trust-fixes b/trust-fixes
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/trust-fixes
@@ -0,0 +1 @@
+
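Review bot: The new `%post` runs `%{_bindir}/ca-legacy install` and `%{_bindir}/update-ca-trust` back to back with no error handling, so a failure of `ca-legacy install` is masked by the exit status of the last command, and a failing `update-ca-trust` yields only an rpm scriptlet warning while the extracted bundles that the `ln -s` lines in this hunk point at (`%ghost` entries under `%files`) are left missing or stale — a host with a broken TLS trust store and no loud signal. Dropping the `[ -x %{_bindir}/ln ]` guard and the second run in `%posttrans` looks reasonable given `Requires(post): coreutils` and the `Requires(post)` on p11-kit-trust, but make the scriptlet fail visibly: `%{_bindir}/ca-legacy install || exit 1` followed by `%{_bindir}/update-ca-trust || exit 1` (or `set -e` as the scriptlet's first line). The `%files` section that begins in this hunk continues beyond it.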