[arch-commits] Commit in ca-certificates/trunk (3 files)
Jan Steffens
heftig at archlinux.org
Thu Dec 18 18:40:21 UTC 2014
Date: Thursday, December 18, 2014 @ 19:40:20
Author: heftig
Revision: 227754
Avoid clearing out /etc/ssl/certs
Modified:
ca-certificates/trunk/PKGBUILD
ca-certificates/trunk/ca-certificates-utils.install
ca-certificates/trunk/update-ca-trust
-------------------------------+
PKGBUILD | 4 ++--
ca-certificates-utils.install | 9 ++++-----
update-ca-trust | 23 +++++++++++++----------
3 files changed, 19 insertions(+), 17 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-12-18 17:55:42 UTC (rev 227753)
+++ PKGBUILD 2014-12-18 18:40:20 UTC (rev 227754)
@@ -4,7 +4,7 @@
pkgbase=ca-certificates
pkgname=(ca-certificates-utils ca-certificates)
pkgver=20140923
-pkgrel=7.2
+pkgrel=8
pkgdesc='Common CA certificates'
arch=('any')
url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
@@ -12,7 +12,7 @@
depends=('sh' 'p11-kit')
makedepends=('asciidoc')
source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('28d0f8469e022889d2fa3c92a57fb51a5fdff4715cb899de6cf4b374fecd2270'
+sha256sums=('fe6d5bc3bd133d7bd1047abef9f98ad9b9c1e3762766e1b2df9dbeabe3420abe'
'916bc0582b5230aedc7fdada70bc387fbd605dbc9d3d421621e4736c60a8ef41')
build() {
Modified: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install 2014-12-18 17:55:42 UTC (rev 227753)
+++ ca-certificates-utils.install 2014-12-18 18:40:20 UTC (rev 227754)
@@ -23,12 +23,11 @@
if (( $(vercmp $2 20140923-7.1) < 0 )); then
cat <<MSG
The way local CA certificates are handled has changed.
- If you have any:
+ If you have added any certificates manually:
- 1. Move /usr/local/share/ca-certificates/*.crt to
- /etc/ca-certificates/trust-source/anchors/
- 2. Do the same with all manually-added /etc/ssl/certs/*.pem files
- and rename them to *.crt
+ 1. Move certificates from /usr/local/share/ca-certificates/
+ to /etc/ca-certificates/trust-source/anchors/
+ 2. Do the same with root certificates added to /etc/ssl/certs/
3. Instead of \`update-ca-certificates\`, run \`trust extract-compat\`
Also see \`man 8 update-ca-trust\` and \`trust --help\`.
Modified: update-ca-trust
===================================================================
--- update-ca-trust 2014-12-18 17:55:42 UTC (rev 227753)
+++ update-ca-trust 2014-12-18 18:40:20 UTC (rev 227754)
@@ -1,7 +1,5 @@
-#!/bin/sh
+#!/bin/bash
-#set -vx
-
# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
@@ -8,18 +6,23 @@
# files in $DEST.
DEST=/etc/ca-certificates/extracted
-SSL=/etc/ssl/certs
-
trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth $DEST/tls-ca-bundle.pem
trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email $DEST/email-ca-bundle.pem
trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
-# Removes all files in /etc/ssl/certs, but not directories or files therein
-trust extract --overwrite --format=openssl-directory --filter=certificates $SSL
+# Removes all files in the target directory, but not directories or files therein
+trust extract --overwrite --format=openssl-directory --filter=certificates $DEST/cadir
-# 'trust extract' makes everything it generated mode 0555; let's not do that for the directory
-chmod 0755 $SSL
-
+SSL=/etc/ssl/certs
trust extract --overwrite --format=openssl-bundle --filter=certificates $SSL/ca-bundle.trust.crt
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth $SSL/java/cacerts
ln -fsrT $DEST/tls-ca-bundle.pem $SSL/ca-certificates.crt
+
+# We don't want to have to remove everything from the certs directory but neither
+# do we want to leave stale certs around, so symlink it all from somewhere else
+for f in $DEST/cadir/*; do
+ ln -fsr -t $SSL "$f"
+done
+
+# Now find and remove all broken symlinks
+find -L $SSL -maxdepth 1 -type l -delete
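Review bot: None of the `trust extract` calls is checked, and the new cleanup at the end makes that matter: if the extraction into `$DEST/cadir` fails after emptying the directory (the comment above it says the target's files are removed first), every link in `$SSL` that points into `cadir` becomes dangling and `find -L $SSL -maxdepth 1 -type l -delete` then removes them all. That is the cleared-out `/etc/ssl/certs` this commit sets out to avoid, and clients that verify against the hashed directory would lose their trust anchors until the next successful run. Stopping before the link and cleanup steps is enough, e.g. `trust extract --overwrite --format=openssl-directory --filter=certificates $DEST/cadir || exit 1`, or `set -e` at the top of the script (outside this hunk). The same `find` also deletes any dangling symlink an administrator left in `$SSL`, which deserves a word in the comment above it: `# Removes every dangling symlink directly in $SSL, not only links into $DEST/cadir`.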