[arch-commits] Commit in ca-certificates/trunk (3 files)

Jan Steffens heftig at archlinux.org
Thu Dec 18 18:40:21 UTC 2014


    Date: Thursday, December 18, 2014 @ 19:40:20
  Author: heftig
Revision: 227754

Avoid clearing out /etc/ssl/certs

Modified:
  ca-certificates/trunk/PKGBUILD
  ca-certificates/trunk/ca-certificates-utils.install
  ca-certificates/trunk/update-ca-trust

-------------------------------+
 PKGBUILD                      |    4 ++--
 ca-certificates-utils.install |    9 ++++-----
 update-ca-trust               |   23 +++++++++++++----------
 3 files changed, 19 insertions(+), 17 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-12-18 17:55:42 UTC (rev 227753)
+++ PKGBUILD	2014-12-18 18:40:20 UTC (rev 227754)
@@ -4,7 +4,7 @@
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
 pkgver=20140923
-pkgrel=7.2
+pkgrel=8
 pkgdesc='Common CA certificates'
 arch=('any')
 url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
@@ -12,7 +12,7 @@
 depends=('sh' 'p11-kit')
 makedepends=('asciidoc')
 source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('28d0f8469e022889d2fa3c92a57fb51a5fdff4715cb899de6cf4b374fecd2270'
+sha256sums=('fe6d5bc3bd133d7bd1047abef9f98ad9b9c1e3762766e1b2df9dbeabe3420abe'
             '916bc0582b5230aedc7fdada70bc387fbd605dbc9d3d421621e4736c60a8ef41')
 
 build() {

Modified: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install	2014-12-18 17:55:42 UTC (rev 227753)
+++ ca-certificates-utils.install	2014-12-18 18:40:20 UTC (rev 227754)
@@ -23,12 +23,11 @@
 	if (( $(vercmp $2 20140923-7.1) < 0 )); then
 		cat <<MSG
   The way local CA certificates are handled has changed.
-  If you have any:
+  If you have added any certificates manually:
 
-  1. Move /usr/local/share/ca-certificates/*.crt to
-     /etc/ca-certificates/trust-source/anchors/
-  2. Do the same with all manually-added /etc/ssl/certs/*.pem files
-     and rename them to *.crt
+  1. Move certificates from /usr/local/share/ca-certificates/
+     to /etc/ca-certificates/trust-source/anchors/
+  2. Do the same with root certificates added to /etc/ssl/certs/
   3. Instead of \`update-ca-certificates\`, run \`trust extract-compat\`
 
   Also see \`man 8 update-ca-trust\` and \`trust --help\`.

Modified: update-ca-trust
===================================================================
--- update-ca-trust	2014-12-18 17:55:42 UTC (rev 227753)
+++ update-ca-trust	2014-12-18 18:40:20 UTC (rev 227754)
@@ -1,7 +1,5 @@
-#!/bin/sh
+#!/bin/bash
 
-#set -vx
-
 # At this time, while this script is trivial, we ignore any parameters given.
 # However, for backwards compatibility reasons, future versions of this script must 
 # support the syntax "update-ca-trust extract" trigger the generation of output 
@@ -8,18 +6,23 @@
 # files in $DEST.
 
 DEST=/etc/ca-certificates/extracted
-SSL=/etc/ssl/certs
-
 trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth  $DEST/tls-ca-bundle.pem
 trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email        $DEST/email-ca-bundle.pem
 trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
 
-# Removes all files in /etc/ssl/certs, but not directories or files therein
-trust extract --overwrite --format=openssl-directory --filter=certificates $SSL
+# Removes all files in the target directory, but not directories or files therein
+trust extract --overwrite --format=openssl-directory --filter=certificates $DEST/cadir
 
-# 'trust extract' makes everything it generated mode 0555; let's not do that for the directory
-chmod 0755 $SSL
-
+SSL=/etc/ssl/certs
 trust extract --overwrite --format=openssl-bundle --filter=certificates $SSL/ca-bundle.trust.crt
 trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth $SSL/java/cacerts
 ln -fsrT $DEST/tls-ca-bundle.pem $SSL/ca-certificates.crt
+
+# We don't want to have to remove everything from the certs directory but neither
+# do we want to leave stale certs around, so symlink it all from somewhere else
+for f in $DEST/cadir/*; do
+  ln -fsr -t $SSL "$f"
+done
+
+# Now find and remove all broken symlinks
+find -L $SSL -maxdepth 1 -type l -delete
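Review bot: The exit status of the `trust extract` call that fills `$DEST/cadir` is never checked and the script sets no `set -e`, so the symlink loop and the closing `find -L $SSL -maxdepth 1 -type l -delete` run even if that extract failed. The comment above the call says it removes the files in its target directory, so a failure after that point would presumably leave `$DEST/cadir` empty, every link in /etc/ssl/certs dangling, and the prune would then delete them all, which empties the directory the commit title sets out to preserve. I would stop before touching `$SSL`: `trust extract --overwrite --format=openssl-directory --filter=certificates $DEST/cadir || exit 1`. Separately, `ln -f` replaces a same-named entry an administrator placed in `$SSL`, and the prune removes any broken symlink there, not only ones pointing into `$DEST/cadir`; a comment such as `# NOTE: overwrites same-named entries and prunes every dangling link in $SSL` would make that explicit.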


