[arch-commits] Commit in ca-certificates/repos/testing-any (8 files)

Jan Steffens heftig at archlinux.org
Thu Apr 2 20:40:52 UTC 2015


    Date: Thursday, April 2, 2015 @ 22:40:51
  Author: heftig
Revision: 235355

archrelease: copy trunk to testing-any

Added:
  ca-certificates/repos/testing-any/PKGBUILD
    (from rev 235354, ca-certificates/trunk/PKGBUILD)
  ca-certificates/repos/testing-any/ca-certificates-utils.install
    (from rev 235354, ca-certificates/trunk/ca-certificates-utils.install)
  ca-certificates/repos/testing-any/update-ca-trust
    (from rev 235354, ca-certificates/trunk/update-ca-trust)
  ca-certificates/repos/testing-any/update-ca-trust.8.txt
    (from rev 235354, ca-certificates/trunk/update-ca-trust.8.txt)
Deleted:
  ca-certificates/repos/testing-any/PKGBUILD
  ca-certificates/repos/testing-any/ca-certificates-utils.install
  ca-certificates/repos/testing-any/update-ca-trust
  ca-certificates/repos/testing-any/update-ca-trust.8.txt

-------------------------------+
 PKGBUILD                      |   98 +++----
 ca-certificates-utils.install |   86 +++---
 update-ca-trust               |   55 ++--
 update-ca-trust.8.txt         |  520 ++++++++++++++++++++--------------------
 4 files changed, 386 insertions(+), 373 deletions(-)

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2015-04-02 20:39:35 UTC (rev 235354)
+++ PKGBUILD	2015-04-02 20:40:51 UTC (rev 235355)
@@ -1,48 +0,0 @@
-# $Id$
-# Maintainer: Pierre Schmitz <pierre at archlinux.de>
-
-pkgbase=ca-certificates
-pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20140923
-pkgrel=10
-pkgdesc='Common CA certificates'
-arch=('any')
-url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
-license=('GPL2')
-makedepends=('asciidoc' 'p11-kit')
-source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('6337e487cdf691d33a3c07c894f133b280093a2c60d267a534b56c316c5d7370'
-            '916bc0582b5230aedc7fdada70bc387fbd605dbc9d3d421621e4736c60a8ef41')
-
-build() {
-	asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
-	xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
-}
-
-package_ca-certificates-utils() {
-	pkgdesc+=" (utilities)"
-	depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
-	install=ca-certificates-utils.install
-	provides=(ca-certificates ca-certificates-java)
-	conflicts=(ca-certificates-java)
-	replaces=(ca-certificates-java)
-
-	install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
-	install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
-
-	# Trust source directories
-	install -d "${pkgdir}"/{etc,usr/share}/${pkgbase}/trust-source/{anchors,blacklist}
-
-	# Directories used by update-ca-trust (aka "trust extract-compat")
-	install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
-
-	# Contrary to Fedora, the /etc/ssl/certs dir is generated
-	ln -srT "${pkgdir}"/etc/ssl/{certs/ca-certificates.crt,cert.pem}
-}
-
-package_ca-certificates() {
-	pkgdesc+=" (default providers)"
-	depends=(ca-certificates-{mozilla,cacert})
-}
-
-# vim:set noet ts=8 sw=8:

Copied: ca-certificates/repos/testing-any/PKGBUILD (from rev 235354, ca-certificates/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2015-04-02 20:40:51 UTC (rev 235355)
@@ -0,0 +1,50 @@
+# $Id$
+# Maintainer: Jan Alexander Steffens (heftig) <jan.steffens at gmail.com>
+# Contributor: Pierre Schmitz <pierre at archlinux.de>
+
+pkgbase=ca-certificates
+pkgname=(ca-certificates-utils ca-certificates)
+pkgver=20150402
+pkgrel=1
+pkgdesc='Common CA certificates'
+arch=('any')
+url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
+license=('GPL2')
+makedepends=('asciidoc' 'p11-kit')
+source=(update-ca-trust update-ca-trust.8.txt)
+sha256sums=('746d2cce8ec107fa3b7aaa246d69a7e238c3d2ac5cd82c5aeed996fe9cb0a874'
+            '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929')
+
+build() {
+	asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
+	xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
+}
+
+package_ca-certificates-utils() {
+	pkgdesc+=" (utilities)"
+	depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
+	install=ca-certificates-utils.install
+	provides=(ca-certificates ca-certificates-java)
+	conflicts=(ca-certificates-java)
+	replaces=(ca-certificates-java)
+
+	install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
+	install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
+
+	# Trust source directories
+	install -d "${pkgdir}"/{etc,usr/share}/${pkgbase}/trust-source/{anchors,blacklist}
+
+	# Directories used by update-ca-trust (aka "trust extract-compat")
+	install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
+
+	# Compatibility link for OpenSSL using /etc/ssl as CAdir
+	# Used in preference to the individual links in /etc/ssl/certs
+	ln -s ../${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}/etc/ssl/cert.pem"
+}
+
+package_ca-certificates() {
+	pkgdesc+=" (default providers)"
+	depends=(ca-certificates-{mozilla,cacert})
+}
+
+# vim:set noet ts=8 sw=8 sts=0:
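Review bot: The `ln -s` at L135 points /etc/ssl/cert.pem at ../ca-certificates/extracted/tls-ca-bundle.pem, a file this package does not ship — it is only produced when update-ca-trust runs from the install scriptlet — so the link is dangling inside the package and on any system where that script has not run yet. A comment making this explicit would help the next maintainer, for example `# Dangling in the package: the target is generated by update-ca-trust at install time`. The directory the link resolves through is created at L131, so the relative path itself is fine.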

Deleted: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install	2015-04-02 20:39:35 UTC (rev 235354)
+++ ca-certificates-utils.install	2015-04-02 20:40:51 UTC (rev 235355)
@@ -1,42 +0,0 @@
-export LC_ALL=C
-
-post_install() {
-	usr/bin/update-ca-trust
-}
-
-pre_upgrade() {
-	if (( $(vercmp $2 20140923-2) < 0 )); then
-		find /etc/ssl/certs -type l -print | while read symlink; do
-			case $(readlink $symlink) in
-			/usr/share/ca-certificates*) rm -f $symlink;;
-			esac
-		done
-		find /etc/ssl/certs -type l -print | while read symlink; do
-			test -f $symlink || rm -f $symlink
-		done
-	fi
-}
-
-post_upgrade() {
-	usr/bin/update-ca-trust
-
-	if (( $(vercmp $2 20140923-7.1) < 0 )); then
-		cat <<MSG
-  The way local CA certificates are handled has changed.
-  If you have added any certificates manually:
-
-  1. Move certificates from /usr/local/share/ca-certificates/
-     to /etc/ca-certificates/trust-source/anchors/
-  2. Do the same with root certificates added to /etc/ssl/certs/
-  3. Instead of \`update-ca-certificates\`, run \`trust extract-compat\`
-
-  Also see \`man 8 update-ca-trust\` and \`trust --help\`.
-MSG
-	fi
-}
-
-pre_remove() {
-	usr/bin/update-ca-trust
-}
-
-# vim:set noet ts=8 sw=8:

Copied: ca-certificates/repos/testing-any/ca-certificates-utils.install (from rev 235354, ca-certificates/trunk/ca-certificates-utils.install)
===================================================================
--- ca-certificates-utils.install	                        (rev 0)
+++ ca-certificates-utils.install	2015-04-02 20:40:51 UTC (rev 235355)
@@ -0,0 +1,44 @@
+export LC_ALL=C
+
+post_install() {
+	usr/bin/update-ca-trust
+
+	# This should be a normally packaged file, but that would
+	# require user intervention at upgrade
+	ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
+		etc/ssl/certs/ca-certificates.crt
+}
+
+post_upgrade() {
+	usr/bin/update-ca-trust
+
+	if (( $(vercmp $2 20140923-7.1) < 0 )); then
+		cat <<MSG
+  The way local CA certificates are handled has changed.
+  If you have added any certificates manually:
+
+  1. Move certificates from /usr/local/share/ca-certificates/
+     to /etc/ca-certificates/trust-source/anchors/
+  2. Do the same with root certificates added to /etc/ssl/certs/
+  3. Instead of \`update-ca-certificates\`, run \`trust extract-compat\`
+
+  Also see \`man 8 update-ca-trust\` and \`trust --help\`.
+MSG
+	fi
+
+	if (( $(vercmp $2 20150402) < 0 )); then
+		ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
+			etc/ssl/certs/ca-certificates.crt
+
+		# Moved to etc/ca-certificates/extracted
+		rm -f etc/ssl/certs/ca-bundle.trust.crt
+	fi
+}
+
+pre_remove() {
+	usr/bin/update-ca-trust
+
+	rm -f etc/ssl/certs/{ca-certificates.crt,java/cacerts}
+}
+
+# vim:set noet ts=8 sw=8 sts=0:
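Review bot: pre_remove at L235-L239 regenerates the trust store via usr/bin/update-ca-trust and then deletes only ca-certificates.crt and java/cacerts; the bundles that script writes under etc/ca-certificates/extracted (cadir, the three *-ca-bundle.pem files, ca-bundle.trust.crt) and the per-certificate symlinks it places in etc/ssl/certs are left in place, so a copy of the CA trust store that will no longer be updated appears to survive removal of the package — unless something outside this diff cleans it up. If the removal is meant to be complete, replacing the update-ca-trust call with `rm -f etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem etc/ca-certificates/extracted/ca-bundle.trust.crt`, `rm -rf etc/ca-certificates/extracted/cadir` and `find -L etc/ssl/certs -maxdepth 1 -type l -delete` alongside the existing rm would leave only the packaged directories behind. The relative paths rely on pacman running scriptlets with the filesystem root as working directory, which the existing lines already assume.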

Deleted: update-ca-trust
===================================================================
--- update-ca-trust	2015-04-02 20:39:35 UTC (rev 235354)
+++ update-ca-trust	2015-04-02 20:40:51 UTC (rev 235355)
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
-# support the syntax "update-ca-trust extract" trigger the generation of output 
-# files in $DEST.
-
-DEST=/etc/ca-certificates/extracted
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth  $DEST/tls-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email        $DEST/email-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
-
-# Removes all files in the target directory, but not directories or files therein
-trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth $DEST/cadir
-
-SSL=/etc/ssl/certs
-trust extract --overwrite --format=openssl-bundle --filter=certificates $SSL/ca-bundle.trust.crt
-trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth $SSL/java/cacerts
-ln -fsrT $DEST/tls-ca-bundle.pem $SSL/ca-certificates.crt
-
-# We don't want to have to remove everything from the certs directory but neither
-# do we want to leave stale certs around, so symlink it all from somewhere else
-for f in $DEST/cadir/*; do
-  ln -fsr -t $SSL "$f"
-done
-
-# Now find and remove all broken symlinks
-find -L $SSL -maxdepth 1 -type l -delete

Copied: ca-certificates/repos/testing-any/update-ca-trust (from rev 235354, ca-certificates/trunk/update-ca-trust)
===================================================================
--- update-ca-trust	                        (rev 0)
+++ update-ca-trust	2015-04-02 20:40:51 UTC (rev 235355)
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# At this time, while this script is trivial, we ignore any parameters given.
+# However, for backwards compatibility reasons, future versions of this script must 
+# support the syntax "update-ca-trust extract" trigger the generation of output 
+# files in $DEST.
+
+DEST=/etc/ca-certificates/extracted
+
+# The directory-format extractors remove all files in the target directory, but not directories or files therein
+trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth  $DEST/cadir
+trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose server-auth  $DEST/tls-ca-bundle.pem
+trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose email        $DEST/email-ca-bundle.pem
+trust extract --overwrite --format=pem-bundle         --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
+trust extract --overwrite --format=openssl-bundle     --filter=certificates                      $DEST/ca-bundle.trust.crt
+
+# We don't want to have to remove everything from the certs directory but neither
+# do we want to leave stale certs around, so symlink it all from somewhere else
+for f in $DEST/cadir/*; do
+  ln -fsr -t /etc/ssl/certs "$f"
+done
+
+# Now find and remove all broken symlinks
+find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+
+# Java bundle
+trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts
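Review bot: None of the `trust extract` calls at L292-L296 and L308 have their exit status checked and the script sets no `set -e`, so a failing extraction — for instance one that fails after the directory-format extractor at L292 has already cleared $DEST/cadir, as the comment at L291 describes — leaves a partially regenerated trust store while the install scriptlet that invokes this script still sees success. Adding `set -e` directly after the shebang at L282 would surface such a failure to pacman instead of silently shipping an incomplete /etc/ssl/certs. Separately, `for f in $DEST/cadir/*` at L300 iterates over the literal pattern when the directory is empty and creates a link named `*`; `shopt -s nullglob` before the loop avoids that (the `find -L` sweep at L305 would remove the broken link again, so this part is minor).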

Deleted: update-ca-trust.8.txt
===================================================================
--- update-ca-trust.8.txt	2015-04-02 20:39:35 UTC (rev 235354)
+++ update-ca-trust.8.txt	2015-04-02 20:40:51 UTC (rev 235355)
@@ -1,255 +0,0 @@
-////
-Copyright (C) 2013 Red Hat, Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-////
-
-
-update-ca-trust(8)
-==================
-:doctype: manpage
-:man source: update-ca-trust
-
-
-NAME
-----
-update-ca-trust - manage consolidated and dynamic configuration of CA 
-certificates and associated trust
-
-
-SYNOPSIS
---------
-*update-ca-trust* ['COMMAND']
-
-
-DESCRIPTION
------------
-update-ca-trust(8) is used to manage a consolidated and dynamic configuration 
-feature of Certificate Authority (CA) certificates and associated trust.
-
-The feature is available for new applications that read the
-consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
-or that load the PKCS#11 module p11-kit-trust.so
-
-Parts of the new feature are also provided in a way to make it useful
-for legacy applications.
-
-Many legacy applications expect CA certificates and trust configuration
-in a fixed location, contained in files with particular path and name,
-or by referring to a classic PKCS#11 trust module provided by the 
-NSS cryptographic library.
-
-The dynamic configuration feature provides functionally compatible replacements 
-for classic configuration files and for the classic NSS trust module named libnssckbi.
-
-In order to enable legacy applications, that read the classic files or 
-access the classic module, to make use of the new consolidated and dynamic configuration 
-feature, some classic filenames have been changed to symbolic links.
-The symbolic links refer to dynamically created and consolidated 
-output stored below the /etc/ca-certificates/extracted directory hierarchy.
-
-The output is produced using the 'update-ca-trust' command (without parameters),
-or using the 'update-ca-trust extract' command.
-In order to produce the output, a flexible set of source configuration
-is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
-
-In addition, the classic PKCS#11 module 
-is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically 
-reads the same source configuration.
-
-
-[[sourceconf]]
-SOURCE CONFIGURATION
---------------------
-The dynamic configuration feature uses several source directories that
-will be scanned for any number of source files. *It is important to select 
-the correct subdirectory for adding files, as the subdirectory defines how 
-contained certificates will be trusted or distrusted, and which file formats are read.*
-
-Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and 
-trust settings in the PEM file format. The trust settings found here will be
-interpreted with a *low priority*.
-
-Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and 
-trust settings in the PEM file format. The trust settings found here will be
-interpreted with a *high priority*.
-
-.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
-* If you are manually adding a configuration file to a system, you probably 
-want it to override any other default configuration, and you most likely should
-add it to the respective subdirectory in the /etc hierarchy.
-* If you are creating a package that provides additional root CA certificates,
-that is intended for distribution to several computer systems, but you still
-want to allow the administrator to override your list, then your package should 
-add your files to the respective subdirectory in the /usr hierarchy.
-* If you are creating a package that is supposed to override the default system
-trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
-subdirectory in the /etc hierarchy.
-
-.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
-* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
-* run 'update-ca-trust extract'
-
-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
-* add it as a new file to directory /etc/ca-certificates/trust-source/
-* run 'update-ca-trust extract'
-
-.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
-* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
-* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
-
-.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
-* certificate files that include trust flags,
-  in the BEGIN/END TRUSTED CERTIFICATE file format
-  (any file name), which have been created using the openssl x509 tool
-  and the -addreject -addtrust options.
-  Bundle files with multiple certificates are supported.
-* files in the p11-kit file format using the .p11-kit file name
-  extension, which can (e.g.) be used to distrust certificates
-  based on serial number and issuer name, without having the
-  full certificate available.
-  (This is currently an undocumented format, to be extended later.
-   For examples of the supported formats, see the files
-   shipped with the ca-certificates-mozilla package.)
-* certificate files without trust flags in either the DER file format or in
-  the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files 
-  will be added with neutral trust, neither trusted nor distrusted.
-  They will simply be known to the system, which might be helpful to
-  assist cryptographic software in constructing chains of certificates.
-  (If you want a CA certificate in these file formats to be trusted, you 
-   should remove it from this directory and move it to the 
-   ./anchors subdirectory instead.)
-
-In the anchors subdirectories /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
-you may install one or multiple certificates in either the DER file
-format or in the PEM (BEGIN/END CERTIFICATE) file format.
-Each certificate will be treated as *trusted* for all purposes.
-
-In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
-you may install one or multiple certificates in either the DER file
-format or in the PEM (BEGIN/END CERTIFICATE) file format.
-Each certificate will be treated as *distrusted* for all purposes.
-
-Please refer to the x509(1) manual page for the documentation of the 
-BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
-
-Applications that rely on a static file for a list of trusted CAs
-may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
-directory. After modifying any file in the
-/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
-directories or in any of their subdirectories, or after adding a file, 
-it is necessary to run the 'update-ca-trust extract' command,
-in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
-
-Applications that load the classic PKCS#11 module using filename libnssckbi.so 
-(which has been converted into a symbolic link pointing to the new module)
-and any application capable of 
-loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
-the dynamically merged set of certificates and trust information stored in the
-/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/ directories.
-
-
-[[extractconf]]
-EXTRACTED CONFIGURATION
------------------------
-The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate 
-bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> 
-by running the 'update-ca-trust extract' command.
-
-If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
-then you can use these files in your application to load a list of global
-root CA certificates.
-
-Please never manually edit the files stored in these directories,
-because your changes will be lost and the files automatically overwritten,
-each time the 'update-ca-trust extract' command gets executed.
-
-In order to install new trusted or distrusted certificates,
-please rather install them in the respective subdirectory below the
-/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
-directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
-
-The directory /etc/ssl/certs/java contains 
-a CA certificate bundle in the java keystore file format.
-Distrust information cannot be represented in this file format,
-and distrusted certificates are missing from these files.
-File cacerts contains CA certificates trusted for TLS server authentication.
-
-The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm, as well 
-as a ca-bundle.trust.crt bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
-as described in the x509(1) manual page.
-The dir or the bundle contain the full set of all trusted
-or distrusted certificates, including the associated trust flags.
-
-The directory /etc/ca-certificates/extracted contains 
-CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
-as decribed in the x509(1) manual page.
-Distrust information cannot be represented in this file format,
-and distrusted certificates are missing from these files.
-File tls-ca-bundle.pem contains CA certificates 
-trusted for TLS server authentication.
-File email-ca-bundle.pem contains CA certificates 
-trusted for E-Mail protection.
-File objsign-ca-bundle.pem contains CA certificates 
-trusted for code signing.
-
-
-COMMANDS
---------
-(absent/empty command)::
-    Same as the *extract* command described below. (However, the command may
-    print fewer warnings, as this command is being run during package 
-    installation, where non-fatal status output is undesired.)
-
-*extract*::
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
-    updated versions of the consolidated configuration files stored below
-    the /etc/ssl/certs and /etc/ca-certificates/extracted directory 
-    hierarchies.
-
-FILES
------
-/etc/ssl/certs::
-	Classic directory, contains individual CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage,
-	which are created by the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. 
-	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
-
-/etc/ssl/certs/ca-bundle.trust.crt::
-	Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
-	This file is consolidated output created by the update-ca-trust command.
-
-/etc/ssl/certs/ca-certificates.crt::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to consolidated output created by the update-ca-trust command.
-
-/etc/ssl/cert.pem::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to consolidated output created by the update-ca-trust command.
-
-/etc/ssl/java/cacerts::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
-	This file is consolidated output created by the update-ca-trust command.
-
-/usr/share/ca-certificates/trust-source::
-	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
-
-/etc/ca-certificates/trust-source::
-	Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
-
-/etc/ca-certificates/extracted::
-	Contains consolidated and automatically generated configuration files for consumption by applications, 
-	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
-	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
-
-AUTHOR
-------
-Written by Kai Engert and Stef Walter.

Copied: ca-certificates/repos/testing-any/update-ca-trust.8.txt (from rev 235354, ca-certificates/trunk/update-ca-trust.8.txt)
===================================================================
--- update-ca-trust.8.txt	                        (rev 0)
+++ update-ca-trust.8.txt	2015-04-02 20:40:51 UTC (rev 235355)
@@ -0,0 +1,265 @@
+////
+Copyright (C) 2013 Red Hat, Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+////
+
+
+update-ca-trust(8)
+==================
+:doctype: manpage
+:man source: update-ca-trust
+
+
+NAME
+----
+update-ca-trust - manage consolidated and dynamic configuration of CA 
+certificates and associated trust
+
+
+SYNOPSIS
+--------
+*update-ca-trust* ['COMMAND']
+
+
+DESCRIPTION
+-----------
+update-ca-trust(8) is used to manage a consolidated and dynamic configuration 
+feature of Certificate Authority (CA) certificates and associated trust.
+
+The feature is available for new applications that read the
+consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
+or that load the PKCS#11 module p11-kit-trust.so
+
+Parts of the new feature are also provided in a way to make it useful
+for legacy applications.
+
+Many legacy applications expect CA certificates and trust configuration
+in a fixed location, contained in files with particular path and name,
+or by referring to a classic PKCS#11 trust module provided by the 
+NSS cryptographic library.
+
+The dynamic configuration feature provides functionally compatible replacements 
+for classic configuration files and for the classic NSS trust module named libnssckbi.
+
+In order to enable legacy applications, that read the classic files or 
+access the classic module, to make use of the new consolidated and dynamic configuration 
+feature, some classic filenames have been changed to symbolic links.
+The symbolic links refer to dynamically created and consolidated 
+output stored below the /etc/ca-certificates/extracted directory hierarchy.
+
+The output is produced using the 'update-ca-trust' command (without parameters),
+or using the 'update-ca-trust extract' command.
+In order to produce the output, a flexible set of source configuration
+is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
+
+In addition, the classic PKCS#11 module 
+is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically 
+reads the same source configuration.
+
+
+[[sourceconf]]
+SOURCE CONFIGURATION
+--------------------
+The dynamic configuration feature uses several source directories that
+will be scanned for any number of source files. *It is important to select 
+the correct subdirectory for adding files, as the subdirectory defines how 
+contained certificates will be trusted or distrusted, and which file formats are read.*
+
+Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and 
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *low priority*.
+
+Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and 
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *high priority*.
+
+.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
+* If you are manually adding a configuration file to a system, you probably 
+want it to override any other default configuration, and you most likely should
+add it to the respective subdirectory in the /etc hierarchy.
+* If you are creating a package that provides additional root CA certificates,
+that is intended for distribution to several computer systems, but you still
+want to allow the administrator to override your list, then your package should 
+add your files to the respective subdirectory in the /usr hierarchy.
+* If you are creating a package that is supposed to override the default system
+trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
+subdirectory in the /etc hierarchy.
+
+.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
+* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
+* run 'update-ca-trust extract'
+
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+* add it as a new file to directory /etc/ca-certificates/trust-source/
+* run 'update-ca-trust extract'
+
+.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
+* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+
+.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
+* certificate files that include trust flags,
+  in the BEGIN/END TRUSTED CERTIFICATE file format
+  (any file name), which have been created using the openssl x509 tool
+  and the -addreject -addtrust options.
+  Bundle files with multiple certificates are supported.
+* files in the p11-kit file format using the .p11-kit file name
+  extension, which can (e.g.) be used to distrust certificates
+  based on serial number and issuer name, without having the
+  full certificate available.
+  (This is currently an undocumented format, to be extended later.
+   For examples of the supported formats, see the files
+   shipped with the ca-certificates-mozilla package.)
+* certificate files without trust flags in either the DER file format or in
+  the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files 
+  will be added with neutral trust, neither trusted nor distrusted.
+  They will simply be known to the system, which might be helpful to
+  assist cryptographic software in constructing chains of certificates.
+  (If you want a CA certificate in these file formats to be trusted, you 
+   should remove it from this directory and move it to the 
+   ./anchors subdirectory instead.)
+
+In the anchors subdirectories /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *trusted* for all purposes.
+
+In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *distrusted* for all purposes.
+
+Please refer to the x509(1) manual page for the documentation of the 
+BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
+
+Applications that rely on a static file for a list of trusted CAs
+may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
+directory. After modifying any file in the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories or in any of their subdirectories, or after adding a file, 
+it is necessary to run the 'update-ca-trust extract' command,
+in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
+
+Applications that load the classic PKCS#11 module using filename libnssckbi.so 
+(which has been converted into a symbolic link pointing to the new module)
+and any application capable of 
+loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
+the dynamically merged set of certificates and trust information stored in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/ directories.
+
+
+[[extractconf]]
+EXTRACTED CONFIGURATION
+-----------------------
+The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate 
+bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> 
+by running the 'update-ca-trust extract' command.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in these directories,
+because your changes will be lost and the files automatically overwritten,
+each time the 'update-ca-trust extract' command gets executed.
+
+In order to install new trusted or distrusted certificates,
+please rather install them in the respective subdirectory below the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
+
+The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
+Distrust information cannot be represented in this format,
+and distrusted certificates are missing from these files.
+
+The directory /etc/ssl/certs/java contains 
+a CA certificate bundle in the java keystore file format.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File cacerts contains CA certificates trusted for TLS server authentication.
+
+The directory /etc/ca-certificates/extracted contains 
+CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
+as decribed in the x509(1) manual page.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File tls-ca-bundle.pem contains CA certificates 
+trusted for TLS server authentication.
+File email-ca-bundle.pem contains CA certificates 
+trusted for E-Mail protection.
+File objsign-ca-bundle.pem contains CA certificates 
+trusted for code signing.
+File ca-bundle.trust.crt contains certificates in the extended
+BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page.
+This bundle contains the full set of all trusted
+and distrusted certificates, including the associated trust flags.
+
+
+COMMANDS
+--------
+(absent/empty command)::
+    Same as the *extract* command described below. (However, the command may
+    print fewer warnings, as this command is being run during package 
+    installation, where non-fatal status output is undesired.)
+
+*extract*::
+    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
+    updated versions of the consolidated configuration files stored below
+    the /etc/ssl/certs and /etc/ca-certificates/extracted directory 
+    hierarchies.
+
+FILES
+-----
+/usr/share/ca-certificates/trust-source::
+	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/trust-source::
+	Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/extracted::
+	Contains consolidated and automatically generated configuration files for consumption by applications, 
+	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
+	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
+
+/etc/ca-certificates/extracted/tls-ca-bundle.pem::
+	Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/email-ca-bundle.pem::
+	Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/objsign-ca-bundle.pem::
+	Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/ca-bundle.trust.crt::
+	Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+
+/etc/ca-certificates/extracted/cadir::
+	Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+        Also includes the necessary hash symlinks expected by OpenSSL.
+
+/etc/ssl/certs::
+	Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+	Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
+
+/etc/ssl/cert.pem::
+	Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
+
+/etc/ssl/java/cacerts::
+	Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
+
+AUTHOR
+------
+Written by Kai Engert and Stef Walter.


