[arch-commits] Commit in ca-certificates/trunk (9 files)
Jan Steffens
heftig at gemini.archlinux.org
Mon Sep 5 22:03:22 UTC 2022
Date: Monday, September 5, 2022 @ 22:03:22
Author: heftig
Revision: 455097
20220905-1
Added:
ca-certificates/trunk/README.etc
ca-certificates/trunk/README.etcssl
ca-certificates/trunk/README.extr
ca-certificates/trunk/README.java
ca-certificates/trunk/README.src
ca-certificates/trunk/README.usr
Modified:
ca-certificates/trunk/PKGBUILD
ca-certificates/trunk/ca-certificates-utils.install
ca-certificates/trunk/update-ca-trust.8.txt
-------------------------------+
PKGBUILD | 35 ++++++++++++++++++++++++-----------
README.etc | 4 ++++
README.etcssl | 21 +++++++++++++++++++++
README.extr | 33 +++++++++++++++++++++++++++++++++
README.java | 16 ++++++++++++++++
README.src | 20 ++++++++++++++++++++
README.usr | 20 ++++++++++++++++++++
ca-certificates-utils.install | 2 +-
update-ca-trust.8.txt | 6 +++---
9 files changed, 142 insertions(+), 15 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-09-05 21:48:45 UTC (rev 455096)
+++ PKGBUILD 2022-09-05 22:03:22 UTC (rev 455097)
@@ -3,21 +3,27 @@
pkgbase=ca-certificates
pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20210603
+pkgver=20220905
pkgrel=1
pkgdesc="Common CA certificates"
url="https://src.fedoraproject.org/rpms/ca-certificates"
arch=(any)
-license=(GPL2)
+license=(GPL)
makedepends=(asciidoc p11-kit)
-source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook)
+source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
+ README.{etc,etcssl,extr,java,src,usr})
sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
- 'acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751'
- '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748')
+ '7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
+ '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
+ 'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
+ 'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
+ 'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
+ '5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
+ 'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
+ '3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
build() {
- asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
- xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
+ a2x -v -f manpage update-ca-trust.8.txt
}
package_ca-certificates-utils() {
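Review bot: The new `a2x -v -f manpage update-ca-trust.8.txt` call in build() no longer carries the explicit `--nonet` that the removed xsltproc line had. Whether the DocBook toolchain may fetch DTDs or stylesheets over the network during the build now depends on a2x's defaults, which are not visible here. For a package that ships the system trust store, it is worth keeping the build explicitly offline, e.g. `a2x -v -f manpage --xsltproc-opts=--nonet update-ca-trust.8.txt`. If a2x already passes that flag itself, a one-line comment above the call saying so would settle the question for the next reader.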
@@ -33,18 +39,25 @@
install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook
# Trust source directories
- # Upstream also adds "blocklist" but that's useless without support in p11-kit
+ install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
+ install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
+ install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
# Directories used by update-ca-trust (aka "trust extract-compat")
- install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}
+ install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
+ install -Dm644 README.java "$pkgdir/etc/ssl/certs/java/README"
+ install -Dm644 README.extr "$pkgdir/etc/$pkgbase/extracted/README"
# Compatibility link for OpenSSL using /etc/ssl as CAdir
# Used in preference to the individual links in /etc/ssl/certs
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
- # Compatiblity link for legacy bundle
+ # Compatibility link for legacy bundle (Debian)
ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
+
+ # Compatibility link for legacy bundle (RHEL/Fedora)
+ ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
}
package_ca-certificates() {
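Review bot: The `install -d ... trust-source/{anchors,blocklist}` line still creates the blocklist directories, but the removed comment said they are useless without p11-kit support, and nothing in this hunk pins a p11-kit version that reads them. If the installed p11-kit ignores `blocklist/`, a certificate an administrator places there to distrust stays trusted with no error. Consider a versioned dependency such as `depends=('p11-kit>=MIN_VERSION_WITH_BLOCKLIST')` (placeholder version); the depends array and part of the package_ca-certificates-utils() body lie outside this hunk, so a constraint may already exist. Separately, the removed `install -d` also created `etc/ssl/certs/edk2`, and no new line replaces it. That looks intentional, since README.extr lists edk2-cacerts.bin under extracted/, but update-ca-trust itself is not shown, so its output path should be confirmed.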
@@ -54,4 +67,4 @@
replaces=("${conflicts[@]}")
}
-# vim:set et sw=2:
+# vim:set sw=2 sts=-1 et:
Added: README.etc
===================================================================
--- README.etc (rev 0)
+++ README.etc 2022-09-05 22:03:22 UTC (rev 455097)
@@ -0,0 +1,4 @@
+This directory /etc/ca-certificates/ is used by a system of consolidated
+CA certificates.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Added: README.etcssl
===================================================================
--- README.etcssl (rev 0)
+++ README.etcssl 2022-09-05 22:03:22 UTC (rev 455097)
@@ -0,0 +1,21 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as RHEL and Fedora have long provided
+such a file, and it is possible some software has come to expect its
+existence. Similarly, a bundle named cert.pem is placed in /etc/ssl, as
+this was the historical bundle used by Arch Linux.
+
+The certificates files and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.
Added: README.extr
===================================================================
--- README.extr (rev 0)
+++ README.extr 2022-09-05 22:03:22 UTC (rev 455097)
@@ -0,0 +1,33 @@
+This directory /etc/ca-certificates/extracted/ contains CA certificate bundle
+files which are automatically created based on the information found in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
+directories.
+
+The files are as follows:
+
+ - ca-bundle.trust.crt:
+
+ This file is in the BEGIN/END TRUSTED CERTIFICATE file format,
+ as described in the x509(1) manual page.
+
+ - edk2-cacerts.bin:
+
+ This file is in the EDK2 (EFI Development Kit II) file format.
+
+ - email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
+
+ All files are in the BEGIN/END CERTIFICATE file format,
+ as described in the x509(1) manual page.
+
+ Distrust information cannot be represented in this file format,
+ and distrusted certificates are missing from these files.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Added: README.java
===================================================================
--- README.java (rev 0)
+++ README.java 2022-09-05 22:03:22 UTC (rev 455097)
@@ -0,0 +1,16 @@
+This directory /etc/ssl/certs/java/ contains CA certificate bundle
+files which are automatically created based on the information found in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/
+directories.
+
+All files are in the java keystore file format.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Added: README.src
===================================================================
--- README.src (rev 0)
+++ README.src 2022-09-05 22:03:22 UTC (rev 455097)
@@ -0,0 +1,20 @@
+This directory /etc/ca-certificates/trust-source/ contains CA certificates
+and trust settings in the PEM file format. The trust settings found here will be
+interpreted with a high priority - higher than the ones found in
+/usr/share/ca-certificates/trust-source/ .
+
+=============================================================================
+QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
+ list of CAs trusted on the system:
+
+ Copy it to the
+ /etc/ca-certificates/trust-source/anchors/
+ subdirectory, and run the
+ update-ca-trust
+ command.
+
+ If your certificate is in the extended BEGIN TRUSTED file format,
+ then place it into the main trust-source/ directory instead.
+=============================================================================
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Added: README.usr
===================================================================
--- README.usr (rev 0)
+++ README.usr 2022-09-05 22:03:22 UTC (rev 455097)
@@ -0,0 +1,20 @@
+This directory /usr/share/ca-certificates/trust-source/ contains CA certificates
+and trust settings in the PEM file format. The trust settings found here will be
+interpreted with a low priority - lower than the ones found in
+/etc/ca-certificates/trust-source/ .
+
+=============================================================================
+QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
+ list of CAs trusted on the system:
+
+ Copy it to the
+ /usr/share/ca-certificates/trust-source/anchors/
+ subdirectory, and run the
+ update-ca-trust
+ command.
+
+ If your certificate is in the extended BEGIN TRUSTED file format,
+ then place it into the main trust-source/ directory instead.
+=============================================================================
+
+Please refer to the update-ca-trust(8) manual page for additional information.
Modified: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install 2022-09-05 21:48:45 UTC (rev 455096)
+++ ca-certificates-utils.install 2022-09-05 22:03:22 UTC (rev 455097)
@@ -20,4 +20,4 @@
fi
}
-# vim:set ts=2 sw=2 et:
+# vim:set sw=2 sts=-1 et:
Modified: update-ca-trust.8.txt
===================================================================
--- update-ca-trust.8.txt 2022-09-05 21:48:45 UTC (rev 455096)
+++ update-ca-trust.8.txt 2022-09-05 22:03:22 UTC (rev 455097)
@@ -98,13 +98,13 @@
* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
* run 'update-ca-trust extract'
-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/ca-certificates/trust-source/
* run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+* simple blocklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
@@ -134,7 +134,7 @@
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
-In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+In the blocklist subdirectories /usr/share/ca-certificates/trust-source/blocklist/ or /etc/ca-certificates/trust-source/blocklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.