[arch-commits] Commit in ca-certificates/trunk (5 files)
Jan Steffens
heftig at archlinux.org
Fri Nov 14 09:00:02 UTC 2014
Date: Friday, November 14, 2014 @ 10:00:02
Author: heftig
Revision: 226214
FS#41909
Added:
ca-certificates/trunk/update-ca-trust
ca-certificates/trunk/update-ca-trust.8.txt
Modified:
ca-certificates/trunk/PKGBUILD
ca-certificates/trunk/ca-certificates-utils.install
Deleted:
ca-certificates/trunk/confd.patch
-------------------------------+
PKGBUILD | 51 +++++---
ca-certificates-utils.install | 41 +++++-
confd.patch | 28 ----
update-ca-trust | 22 +++
update-ca-trust.8.txt | 245 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 333 insertions(+), 54 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-14 05:05:22 UTC (rev 226213)
+++ PKGBUILD 2014-11-14 09:00:02 UTC (rev 226214)
@@ -3,35 +3,48 @@
pkgbase=ca-certificates
pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20140325
-pkgrel=2
+pkgver=20140923
+pkgrel=4
pkgdesc='Common CA certificates'
arch=('any')
-url='http://packages.qa.debian.org/c/ca-certificates.html'
-license=('MPL' 'GPL')
-depends=('bash' 'run-parts' 'openssl' 'findutils' 'coreutils' 'sed')
-makedepends=('python2')
-source=("http://ftp.debian.org/debian/pool/main/c/${pkgbase}/${pkgbase}_${pkgver}.tar.xz"
- confd.patch)
-sha256sums=('c0e3d8c517995db2737f7f1a9b69d654b8823fa6d337871c6ce111fcf083454a'
- '6a6efe688bd7f40dc57d07ad6bfdbb83f4853a1964c55e0620e833e6c2945dab')
+url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
+license=('GPL2')
+depends=('sh' 'p11-kit')
+makedepends=('asciidoc')
+source=(update-ca-trust update-ca-trust.8.txt)
+sha256sums=('c737236405320440665c9e7034585fde95d34495fc65789591a7ab76dc7568d5'
+ '52f7067ced3771bfa315e4b2a4d078ba0502b663ed4d87a9a18558e14d4ed99e')
-prepare() {
- cd "${srcdir}/${pkgbase}"
- patch -Np1 -i ../confd.patch
+_confdir=/etc/$pkgbase
+_datadir=/usr/share/$pkgbase
+
+build() {
+ asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
+ xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
}
package_ca-certificates-utils() {
pkgdesc+=" (utilities)"
- backup=('etc/ca-certificates.conf')
install=ca-certificates-utils.install
- provides=(ca-certificates)
+ provides=(ca-certificates ca-certificates-java)
+ conflicts=(ca-certificates-java)
+ replaces=(ca-certificates-java)
- cd "${srcdir}/${pkgbase}"
+ install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
+ install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
- install -d "${pkgdir}"/{etc/{ca-certificates/update.d,ssl/certs},usr/share/ca-certificates}
- install -Dm644 sbin/update-ca-certificates.8 "${pkgdir}/usr/share/man/man8/update-ca-certificates.8"
- install -D sbin/update-ca-certificates "${pkgdir}/usr/bin/update-ca-certificates"
+ install -d "${pkgdir}"{${_confdir},${_datadir}}/trust-source/{anchors,blacklist}
+
+ _extractdir="${pkgdir}${_confdir}/extracted"
+ _ssldir="${pkgdir}/etc/ssl"
+
+ install -d "${_ssldir}/certs/java" "${_extractdir}"/{openssl,pem,java}
+ ln -sr "${_extractdir}/openssl/ca-bundle.trust.crt" "${_ssldir}/certs/ca-bundle.trust.crt"
+ ln -sr "${_extractdir}/pem/tls-ca-bundle.pem" "${_ssldir}/cert.pem"
+
+ # These are inverted (for now?) to ease upgrading
+ ln -sr "${_ssldir}/certs/ca-certificates.crt" "${_extractdir}/pem/tls-ca-bundle.pem"
+ ln -sr "${_ssldir}/certs/java/cacerts" "${_extractdir}/java/cacerts"
}
package_ca-certificates() {
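Review bot: The comment `# These are inverted (for now?) to ease upgrading` above the last two `ln -sr` lines is the only explanation of why `${_extractdir}/pem/tls-ca-bundle.pem` and `${_extractdir}/java/cacerts` point into /etc/ssl/certs rather than the other way round, and it does not say which side holds the real files; since update-ca-trust in this commit writes the bundles directly to /etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/java/cacerts, the two layouts must stay in sync. I would expand it to `# Inverted relative to upstream: update-ca-trust writes /etc/ssl/certs/ca-certificates.crt and certs/java/cacerts directly so existing consumers keep working across the upgrade; the extracted/ paths are links back to them. Keep in sync with update-ca-trust.` build() also calls xsltproc and /etc/asciidoc/docbook-xsl/manpage.xsl while makedepends lists only asciidoc; if those are not guaranteed as transitive dependencies of asciidoc they should be listed explicitly. package_ca-certificates() starts on the last line of the hunk and its body is outside it.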
Modified: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install 2014-11-14 05:05:22 UTC (rev 226213)
+++ ca-certificates-utils.install 2014-11-14 09:00:02 UTC (rev 226214)
@@ -1,18 +1,45 @@
export LC_ALL=C
post_install() {
- usr/bin/update-ca-certificates --fresh >/dev/null 2>&1
+ usr/bin/update-ca-trust
}
+pre_upgrade() {
+ if (( $(vercmp $2 20140923-2) < 0 )); then
+ find /etc/ssl/certs -type l -print | while read symlink; do
+ case $(readlink $symlink) in
+ /usr/share/ca-certificates*) rm -f $symlink;;
+ esac
+ done
+ find /etc/ssl/certs -type l -print | while read symlink; do
+ test -f $symlink || rm -f $symlink
+ done
+ fi
+}
+
post_upgrade() {
- usr/bin/update-ca-certificates --fresh >/dev/null 2>&1
+ usr/bin/update-ca-trust
+
+ if (( $(vercmp $2 20140923-2) < 0 )); then
+ cat <<MSG
+ The way local CA certificates are handled has changed.
+ If you have any:
+
+ 1. Move /usr/local/share/ca-certificates/*.crt to
+ /etc/ca-certificates/trust-source/anchors/
+ 2. Do the same with all manually-added /etc/ssl/certs/*.pem files
+ (and rename those to *.crt)
+ 3. Instead of \`update-ca-certificates\`, run \`update-ca-trust\`
+ 4. In programs that have settings like "ca_dir = /etc/ssl/certs",
+ change them to "ca_file = /etc/ssl/certs/ca-certificates.crt"
+
+ Also see \`man 8 update-ca-trust\`.
+MSG
+ fi
}
pre_remove() {
- usr/bin/update-ca-certificates --fresh >/dev/null 2>&1
+ usr/bin/update-ca-trust
}
-post_remove() {
- # remove the cert file if it is empty
- [[ -s etc/ssl/certs/ca-certificates.crt ]] || rm -f etc/ssl/certs/ca-certificates.crt
-}
+# vim:set noet ts=8 sw=8:
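Review bot: Both `while read symlink` loops in pre_upgrade expand `$symlink` unquoted and use `read` without `-r`, so a link name containing whitespace or a backslash is mangled before it reaches `readlink` and `rm -f`; for a cleanup that deletes entries in /etc/ssl/certs this should be robust: `find /etc/ssl/certs -type l -print0 | while IFS= read -r -d '' symlink; do`, `case $(readlink -- "$symlink") in` and `test -e "$symlink" || rm -f -- "$symlink"`. `test -f` is also false for a link that resolves to a directory, so the second loop would delete such a link as if it were dangling; `-e` removes only links whose target is missing. Separately, post_remove was dropped while pre_remove still runs update-ca-trust, so the bundles under /etc/ca-certificates/extracted and /etc/ssl/certs/ca-certificates.crt, which no package owns, are regenerated right before removal and stay on the system afterwards; a post_remove that deletes the generated files would avoid leaving an untracked trust store behind.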
Deleted: confd.patch
===================================================================
--- confd.patch 2014-11-14 05:05:22 UTC (rev 226213)
+++ confd.patch 2014-11-14 09:00:02 UTC (rev 226214)
@@ -1,28 +0,0 @@
-diff -u -Nwr ca-certificates/sbin/update-ca-certificates ca-certificates.confd/sbin/update-ca-certificates
---- ca-certificates/sbin/update-ca-certificates 2014-03-13 13:43:00.000000000 +0100
-+++ ca-certificates.confd/sbin/update-ca-certificates 2014-08-24 13:36:19.264068119 +0200
-@@ -37,7 +37,7 @@
- shift
- done
-
--CERTSCONF=/etc/ca-certificates.conf
-+CERTSCONFS=/etc/ca-certificates/conf.d/*.conf
- CERTSDIR=/usr/share/ca-certificates
- LOCALCERTSDIR=/usr/local/share/ca-certificates
- CERTBUNDLE=ca-certificates.crt
-@@ -101,6 +101,7 @@
-
- echo -n "Updating certificates in $ETCCERTSDIR... "
-
-+for CERTSCONF in $CERTSCONFS; do
- # Handle certificates that should be removed. This is an explicit act
- # by prefixing lines in the configuration files with exclamation marks (!).
- sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
-@@ -117,6 +118,7 @@
- fi
- add "$CERTSDIR/$crt"
- done
-+done
-
- # Now process certificate authorities installed by the local system
- # administrator.
Added: update-ca-trust
===================================================================
--- update-ca-trust (rev 0)
+++ update-ca-trust 2014-11-14 09:00:02 UTC (rev 226214)
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#set -vx
+
+# At this time, while this script is trivial, we ignore any parameters given.
+# However, for backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
+# files in $DEST.
+
+DEST=/etc/ca-certificates/extracted
+
+# OpenSSL PEM bundle that includes trust flags
+# (BEGIN TRUSTED CERTIFICATE)
+/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
+#/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
+#/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+
+# Make upgrade on Arch smooth, by inverting some locations
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/ca-certificates.crt
+/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/java/cacerts
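Review bot: The script runs five p11-kit extract commands with no `set -e`, so a failure of any but the last one (a missing $DEST/openssl directory, an unreadable source file) is ignored and the script still exits 0 to post_install/post_upgrade, leaving one trust bundle stale while the upgrade reports success; add `set -e` directly after the shebang (the script is plain POSIX sh, so the shebang can stay). The FILES section of update-ca-trust.8.txt added in this commit lists /etc/ssl/java/cacerts, but the last line here writes /etc/ssl/certs/java/cacerts and the PKGBUILD creates that directory, so the man page entry should read /etc/ssl/certs/java/cacerts. The two commented-out extract lines deserve a one-line explanation instead of being left as dead code, e.g. `# tls-ca-bundle.pem and java/cacerts are produced via /etc/ssl/certs below (inverted for upgrade compatibility)`.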
Added: update-ca-trust.8.txt
===================================================================
--- update-ca-trust.8.txt (rev 0)
+++ update-ca-trust.8.txt 2014-11-14 09:00:02 UTC (rev 226214)
@@ -0,0 +1,245 @@
+////
+Copyright (C) 2013 Red Hat, Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+////
+
+
+update-ca-trust(8)
+==================
+:doctype: manpage
+:man source: update-ca-trust
+
+
+NAME
+----
+update-ca-trust - manage consolidated and dynamic configuration of CA
+certificates and associated trust
+
+
+SYNOPSIS
+--------
+*update-ca-trust* ['COMMAND']
+
+
+DESCRIPTION
+-----------
+update-ca-trust(8) is used to manage a consolidated and dynamic configuration
+feature of Certificate Authority (CA) certificates and associated trust.
+
+The feature is available for new applications that read the
+consolidated configuration files found in the /etc/ca-certificates/extracted directory
+or that load the PKCS#11 module p11-kit-trust.so
+
+Parts of the new feature are also provided in a way to make it useful
+for legacy applications.
+
+Many legacy applications expect CA certificates and trust configuration
+in a fixed location, contained in files with particular path and name,
+or by referring to a classic PKCS#11 trust module provided by the
+NSS cryptographic library.
+
+The dynamic configuration feature provides functionally compatible replacements
+for classic configuration files and for the classic NSS trust module named libnssckbi.
+
+In order to enable legacy applications, that read the classic files or
+access the classic module, to make use of the new consolidated and dynamic configuration
+feature, the classic filenames have been changed to symbolic links.
+The symbolic links refer to dynamically created and consolidated
+output stored below the /etc/ca-certificates/extracted directory hierarchy.
+
+The output is produced using the 'update-ca-trust' command (without parameters),
+or using the 'update-ca-trust extract' command.
+In order to produce the output, a flexible set of source configuration
+is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
+
+In addition, the classic PKCS#11 module
+is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically
+reads the same source configuration.
+
+
+[[sourceconf]]
+SOURCE CONFIGURATION
+--------------------
+The dynamic configuration feature uses several source directories that
+will be scanned for any number of source files. *It is important to select
+the correct subdirectory for adding files, as the subdirectory defines how
+contained certificates will be trusted or distrusted, and which file formats are read.*
+
+Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *low priority*.
+
+Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *high priority*.
+
+.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
+* If you are manually adding a configuration file to a system, you probably
+want it to override any other default configuration, and you most likely should
+add it to the respective subdirectory in the /etc hierarchy.
+* If you are creating a package that provides additional root CA certificates,
+that is intended for distribution to several computer systems, but you still
+want to allow the administrator to override your list, then your package should
+add your files to the respective subdirectory in the /usr hierarchy.
+* If you are creating a package that is supposed to override the default system
+trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
+subdirectory in the /etc hierarchy.
+
+.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
+* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
+* run 'update-ca-trust extract'
+
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+* add it as a new file to directory /etc/ca-certificates/trust-source/
+* run 'update-ca-trust extract'
+
+.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
+* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+
+.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
+* certificate files that include trust flags,
+ in the BEGIN/END TRUSTED CERTIFICATE file format
+ (any file name), which have been created using the openssl x509 tool
+ and the -addreject -addtrust options.
+ Bundle files with multiple certificates are supported.
+* files in the p11-kit file format using the .p11-kit file name
+ extension, which can (e.g.) be used to distrust certificates
+ based on serial number and issuer name, without having the
+ full certificate available.
+ (This is currently an undocumented format, to be extended later.
+ For examples of the supported formats, see the files
+ shipped with the ca-certificates package.)
+* certificate files without trust flags in either the DER file format or in
+ the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
+ will be added with neutral trust, neither trusted nor distrusted.
+ They will simply be known to the system, which might be helpful to
+ assist cryptographic software in constructing chains of certificates.
+ (If you want a CA certificate in these file formats to be trusted, you
+ should remove it from this directory and move it to the
+ ./anchors subdirectory instead.)
+
+In the anchors subdirectories /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *trusted* for all purposes.
+
+In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *distrusted* for all purposes.
+
+Please refer to the x509(1) manual page for the documentation of the
+BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
+
+Applications that rely on a static file for a list of trusted CAs
+may load one of the files found in the /etc/ca-certificates/extracted
+directory. After modifying any file in the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories or in any of their subdirectories, or after adding a file,
+it is necessary to run the 'update-ca-trust extract' command,
+in order to update the consolidated files in /etc/ca-certificates/extracted/ .
+
+Applications that load the classic PKCS#11 module using filename libnssckbi.so
+(which has been converted into a symbolic link pointing to the new module)
+and any application capable of
+loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
+the dynamically merged set of certificates and trust information stored in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/ directories.
+
+
+[[extractconf]]
+EXTRACTED CONFIGURATION
+-----------------------
+The directory /etc/ca-certificates/extracted/ contains generated CA certificate
+bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>>
+by running the 'update-ca-trust extract' command.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the 'update-ca-trust extract' command gets executed.
+
+In order to install new trusted or distrusted certificates,
+please rather install them in the respective subdirectory below the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
+
+The directory /etc/ca-certificates/extracted/java/ contains
+a CA certificate bundle in the java keystore file format.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File cacerts contains CA certificates trusted for TLS server authentication.
+
+The directory /etc/ca-certificates/extracted/openssl/ contains
+CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format,
+as described in the x509(1) manual page.
+File ca-bundle.trust.crt contains the full set of all trusted
+or distrusted certificates, including the associated trust flags.
+
+The directory /etc/ca-certificates/extracted/pem/ contains
+CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
+as decribed in the x509(1) manual page.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File tls-ca-bundle.pem contains CA certificates
+trusted for TLS server authentication.
+File email-ca-bundle.pem contains CA certificates
+trusted for E-Mail protection.
+File objsign-ca-bundle.pem contains CA certificates
+trusted for code signing.
+
+
+COMMANDS
+--------
+(absent/empty command)::
+ Same as the *extract* command described below. (However, the command may
+ print fewer warnings, as this command is being run during package
+ installation, where non-fatal status output is undesired.)
+
+*extract*::
+ Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
+ updated versions of the consolidated configuration files stored below
+ the /etc/ca-certificates/extracted directory hierarchy.
+
+FILES
+-----
+/etc/ssl/certs/ca-certificates.crt::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/certs/ca-bundle.trust.crt::
+ Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/java/cacerts::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/usr/share/ca-certificates/trust-source::
+ Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/trust-source::
+ Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/extracted::
+ Contains consolidated and automatically generated configuration files for consumption by applications,
+ which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
+ See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
+
+AUTHOR
+------
+Written by Kai Engert and Stef Walter.