[arch-commits] Commit in ca-certificates/trunk (4 files)

Jan Steffens heftig at archlinux.org
Thu Apr 2 20:39:35 UTC 2015


    Date: Thursday, April 2, 2015 @ 22:39:35
  Author: heftig
Revision: 235354

Some updates and simplifications

Remove pre_upgrade symlink handling. update-ca-trust already cleans out broken links, so this is unneeded.

Move ca-bundle.trust.crt to ca-certificates/extracted. This file has so far been left unused, so no need to put it in 
the compat dir.

Create ca-certificates.crt from the install file instead of update-ca-trust.

Reorder update-ca-trust a bit.

Update the documentation.

Modified:
  ca-certificates/trunk/PKGBUILD
  ca-certificates/trunk/ca-certificates-utils.install
  ca-certificates/trunk/update-ca-trust
  ca-certificates/trunk/update-ca-trust.8.txt

-------------------------------+
 PKGBUILD                      |   18 ++++++-----
 ca-certificates-utils.install |   28 +++++++++--------
 update-ca-trust               |   23 ++++++--------
 update-ca-trust.8.txt         |   64 +++++++++++++++++++++++-----------------
 4 files changed, 73 insertions(+), 60 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-04-02 20:36:24 UTC (rev 235353)
+++ PKGBUILD	2015-04-02 20:39:35 UTC (rev 235354)
@@ -1,10 +1,11 @@
 # $Id$
-# Maintainer: Pierre Schmitz <pierre at archlinux.de>
+# Maintainer: Jan Alexander Steffens (heftig) <jan.steffens at gmail.com>
+# Contributor: Pierre Schmitz <pierre at archlinux.de>
 
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20140923
-pkgrel=10
+pkgver=20150402
+pkgrel=1
 pkgdesc='Common CA certificates'
 arch=('any')
 url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
@@ -11,8 +12,8 @@
 license=('GPL2')
 makedepends=('asciidoc' 'p11-kit')
 source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('6337e487cdf691d33a3c07c894f133b280093a2c60d267a534b56c316c5d7370'
-            '916bc0582b5230aedc7fdada70bc387fbd605dbc9d3d421621e4736c60a8ef41')
+sha256sums=('746d2cce8ec107fa3b7aaa246d69a7e238c3d2ac5cd82c5aeed996fe9cb0a874'
+            '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929')
 
 build() {
 	asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
@@ -36,8 +37,9 @@
 	# Directories used by update-ca-trust (aka "trust extract-compat")
 	install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
 
-	# Contrary to Fedora, the /etc/ssl/certs dir is generated
-	ln -srT "${pkgdir}"/etc/ssl/{certs/ca-certificates.crt,cert.pem}
+	# Compatibility link for OpenSSL using /etc/ssl as CAdir
+	# Used in preference to the individual links in /etc/ssl/certs
+	ln -s ../${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}/etc/ssl/cert.pem"
 }
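Review bot: The new `ln -s` line hand-computes the relative target `../${pkgbase}/extracted/tls-ca-bundle.pem` and leaves `${pkgbase}` unquoted, while the removed line let `ln -sr` derive the relative path and the install scriptlet still does so for ca-certificates.crt. For consistency with the scriptlet and to avoid the two link targets drifting apart, consider `ln -srT "${pkgdir}"/etc/${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}"/etc/ssl/cert.pem`, or at least quote the target as `"../${pkgbase}/extracted/tls-ca-bundle.pem"`. The relative form is only correct while cert.pem lives exactly one directory below /etc; a comment stating that assumption would help the next maintainer, e.g. `# relative target: /etc/ssl/cert.pem -> /etc/ca-certificates/extracted/tls-ca-bundle.pem`.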
 
 package_ca-certificates() {
@@ -45,4 +47,4 @@
 	depends=(ca-certificates-{mozilla,cacert})
 }
 
-# vim:set noet ts=8 sw=8:
+# vim:set noet ts=8 sw=8 sts=0:

Modified: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install	2015-04-02 20:36:24 UTC (rev 235353)
+++ ca-certificates-utils.install	2015-04-02 20:39:35 UTC (rev 235354)
@@ -2,19 +2,11 @@
 
 post_install() {
 	usr/bin/update-ca-trust
-}
 
-pre_upgrade() {
-	if (( $(vercmp $2 20140923-2) < 0 )); then
-		find /etc/ssl/certs -type l -print | while read symlink; do
-			case $(readlink $symlink) in
-			/usr/share/ca-certificates*) rm -f $symlink;;
-			esac
-		done
-		find /etc/ssl/certs -type l -print | while read symlink; do
-			test -f $symlink || rm -f $symlink
-		done
-	fi
+	# This should be a normally packaged file, but that would
+	# require user intervention at upgrade
+	ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
+		etc/ssl/certs/ca-certificates.crt
 }
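Review bot: The `ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem etc/ssl/certs/ca-certificates.crt` added to post_install is repeated verbatim in the post_upgrade hunk below, so the two copies can drift apart if the bundle path ever changes. Factoring it into a small helper in this file, e.g. `_link_ca_bundle()` wrapping that one `ln` line, and calling it from both post_install and post_upgrade would keep the link target defined in one place. Like the `usr/bin/update-ca-trust` call above it, the relative `etc/...` paths rely on the scriptlet running with the filesystem root as its working directory, which is worth stating in the comment: `# paths are relative to the install root (pacman runs scriptlets from /)`.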
 
 post_upgrade() {
@@ -33,10 +25,20 @@
   Also see \`man 8 update-ca-trust\` and \`trust --help\`.
 MSG
 	fi
+
+	if (( $(vercmp $2 20150402) < 0 )); then
+		ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
+			etc/ssl/certs/ca-certificates.crt
+
+		# Moved to etc/ca-certificates/extracted
+		rm -f etc/ssl/certs/ca-bundle.trust.crt
+	fi
 }
 
 pre_remove() {
 	usr/bin/update-ca-trust
+
+	rm -f etc/ssl/certs/{ca-certificates.crt,java/cacerts}
 }
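Review bot: pre_remove runs `usr/bin/update-ca-trust` and then only deletes `etc/ssl/certs/{ca-certificates.crt,java/cacerts}`, so the java keystore is regenerated and immediately removed while the cadir symlinks update-ca-trust places in /etc/ssl/certs and the bundles in /etc/ca-certificates/extracted are, as far as this hunk shows, left behind on uninstall; if the intent is cleanup, the removal list looks incomplete, and a comment saying which generated files are deliberately kept would make that clear. In post_upgrade, `$2` is unquoted in `(( $(vercmp $2 20150402) < 0 ))`; `vercmp "$2" 20150402` matches the quoting used elsewhere and protects against an empty argument. post_upgrade starts outside this hunk, so whether update-ca-trust runs before the conditional link creation cannot be confirmed here.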
 
-# vim:set noet ts=8 sw=8:
+# vim:set noet ts=8 sw=8 sts=0:

Modified: update-ca-trust
===================================================================
--- update-ca-trust	2015-04-02 20:36:24 UTC (rev 235353)
+++ update-ca-trust	2015-04-02 20:39:35 UTC (rev 235354)
@@ -6,23 +6,22 @@
 # files in $DEST.
 
 DEST=/etc/ca-certificates/extracted
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth  $DEST/tls-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email        $DEST/email-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
 
-# Removes all files in the target directory, but not directories or files therein
-trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth $DEST/cadir
+# The directory-format extractors remove all files in the target directory, but not directories or files therein
+trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth  $DEST/cadir
+trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose server-auth  $DEST/tls-ca-bundle.pem
+trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose email        $DEST/email-ca-bundle.pem
+trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
+trust extract --overwrite --format=openssl-bundle     --filter=certificates                      $DEST/ca-bundle.trust.crt
 
-SSL=/etc/ssl/certs
-trust extract --overwrite --format=openssl-bundle --filter=certificates $SSL/ca-bundle.trust.crt
-trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth $SSL/java/cacerts
-ln -fsrT $DEST/tls-ca-bundle.pem $SSL/ca-certificates.crt
-
 # We don't want to have to remove everything from the certs directory but neither
 # do we want to leave stale certs around, so symlink it all from somewhere else
 for f in $DEST/cadir/*; do
-  ln -fsr -t $SSL "$f"
+  ln -fsr -t /etc/ssl/certs "$f"
 done
 
 # Now find and remove all broken symlinks
-find -L $SSL -maxdepth 1 -type l -delete
+find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+
+# Java bundle
+trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts
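Review bot: None of the `trust extract` calls check their exit status, so a failed extraction (for example of the `pem-directory-hash` output into `$DEST/cadir`, which per the comment first empties that directory) is followed unconditionally by the symlink loop and the `find -L /etc/ssl/certs -maxdepth 1 -type l -delete` cleanup, which would silently leave /etc/ssl/certs without trust anchors and return success to the calling scriptlet. Unless the header outside this hunk already sets it, adding `set -e` there, or `|| exit` after each `trust extract`, would make a partial update fail loudly instead. The loop `for f in $DEST/cadir/*` also iterates the literal pattern when cadir is empty; the resulting broken link happens to be removed by the later `find`, but `[[ -e "$f" ]] || continue` as the first loop line (or `shopt -s nullglob`) would make that intentional rather than accidental.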

Modified: update-ca-trust.8.txt
===================================================================
--- update-ca-trust.8.txt	2015-04-02 20:36:24 UTC (rev 235353)
+++ update-ca-trust.8.txt	2015-04-02 20:39:35 UTC (rev 235354)
@@ -178,6 +178,10 @@
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
 
+The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
+Distrust information cannot be represented in this format,
+and distrusted certificates are missing from these files.
+
 The directory /etc/ssl/certs/java contains 
 a CA certificate bundle in the java keystore file format.
 Distrust information cannot be represented in this file format,
@@ -184,12 +188,6 @@
 and distrusted certificates are missing from these files.
 File cacerts contains CA certificates trusted for TLS server authentication.
 
-The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm, as well 
-as a ca-bundle.trust.crt bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
-as described in the x509(1) manual page.
-The dir or the bundle contain the full set of all trusted
-or distrusted certificates, including the associated trust flags.
-
 The directory /etc/ca-certificates/extracted contains 
 CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
 as decribed in the x509(1) manual page.
@@ -201,6 +199,10 @@
 trusted for E-Mail protection.
 File objsign-ca-bundle.pem contains CA certificates 
 trusted for code signing.
+File ca-bundle.trust.crt contains certificates in the extended
+BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page.
+This bundle contains the full set of all trusted
+and distrusted certificates, including the associated trust flags.
 
 
 COMMANDS
@@ -218,27 +220,6 @@
 
 FILES
 -----
-/etc/ssl/certs::
-	Classic directory, contains individual CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage,
-	which are created by the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. 
-	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
-
-/etc/ssl/certs/ca-bundle.trust.crt::
-	Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
-	This file is consolidated output created by the update-ca-trust command.
-
-/etc/ssl/certs/ca-certificates.crt::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to consolidated output created by the update-ca-trust command.
-
-/etc/ssl/cert.pem::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to consolidated output created by the update-ca-trust command.
-
-/etc/ssl/java/cacerts::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
-	This file is consolidated output created by the update-ca-trust command.
-
 /usr/share/ca-certificates/trust-source::
 	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
 
@@ -250,6 +231,35 @@
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
+/etc/ca-certificates/extracted/tls-ca-bundle.pem::
+	Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/email-ca-bundle.pem::
+	Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/objsign-ca-bundle.pem::
+	Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/ca-bundle.trust.crt::
+	Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+
+/etc/ca-certificates/extracted/cadir::
+	Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+        Also includes the necessary hash symlinks expected by OpenSSL.
+
+/etc/ssl/certs::
+	Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+	Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
+
+/etc/ssl/cert.pem::
+	Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
+
+/etc/ssl/java/cacerts::
+	Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
+
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.


