[arch-commits] Commit in nss/trunk (PKGBUILD legacy-certs.patch)

Jan Steffens heftig at archlinux.org
Sat Jun 27 22:49:16 UTC 2015 

    Date: Sunday, June 28, 2015 @ 00:49:16
  Author: heftig
Revision: 241303

FS#45479: Reenable two legacy certs

Added:
  nss/trunk/legacy-certs.patch
    (from rev 240589, nss/trunk/legacy-certs.patch)
Modified:
  nss/trunk/PKGBUILD

--------------------+
 PKGBUILD           |   12 +++++++++---
 legacy-certs.patch |   26 ++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-06-27 20:34:18 UTC (rev 241302)
+++ PKGBUILD	2015-06-27 22:49:16 UTC (rev 241303)
@@ -4,7 +4,7 @@
 pkgbase=nss
 pkgname=(nss ca-certificates-mozilla)
 pkgver=3.19.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Mozilla Network Security Services"
 arch=(i686 x86_64)
 url="http://www.mozilla.org/projects/security/pki/nss/"
@@ -14,12 +14,13 @@
 makedepends=('perl' 'python2')
 options=('!strip' '!makeflags' 'staticlibs')
 source=("https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
-        certdata2pem.py bundle.sh nss.pc.in nss-config.in)
+        certdata2pem.py bundle.sh nss.pc.in nss-config.in legacy-certs.patch)
 sha256sums=('1306663e8f61d8449ad8cbcffab743a604dcd9f6f34232c210847c51dce2c9ae'
             'af13c30801a8a27623948206458432a4cf98061b75ff6e5b5e03912f93c034ee'
             '045f520403f715a4cc7f3607b4e2c9bcc88fee5bce58d462fddaa2fdb0e4c180'
             'b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd'
-            'e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9')
+            'e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9'
+            '22330fcde2dac5fa4733f7d77bffbbd31d91cbaa338738afdc2a8ebfccb61184')
 
 prepare() {
   mkdir certs
@@ -26,6 +27,11 @@
 
   cd nss-$pkgver
 
+  # FS#45479: Reenable two weak Verisign certificates used by login.live.com
+  # Otherwise, accessing this site via Epiphany (GnuTLS) or Skype (OpenSSL) fails
+  # Also see https://gist.github.com/grawity/15eabf67191e17080241
+  patch nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch
+
   # Respect LDFLAGS
   sed -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/' \
       -i nss/coreconf/rules.mk

Copied: nss/trunk/legacy-certs.patch (from rev 240589, nss/trunk/legacy-certs.patch)
===================================================================
--- legacy-certs.patch	                        (rev 0)
+++ legacy-certs.patch	2015-06-27 22:49:16 UTC (rev 241303)
@@ -0,0 +1,26 @@
+--- certdata.txt	2015-06-27 23:31:01.419795911 +0200
++++ certdata-legacy-less.txt	2015-06-27 23:57:47.106199639 +0200
+@@ -577,9 +577,9 @@
+ \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
+ \272\277
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+@@ -17186,9 +17186,9 @@
+ \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
+ \022\276
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #

More information about the arch-commits mailing list