rpms / ca-certificates

Clone
Source Code
GIT

Blame ca-certificates.spec

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 main rawhide
  1.   f19
  2.   ca-certificates.spec
Blob History Raw
d01a981 
%define pkidir %{_sysconfdir}/pki
Kai Engert d538ada 
%define catrustdir %{_sysconfdir}/pki/ca-trust
Kai Engert d538ada 
%define classic_tls_bundle ca-bundle.crt
Kai Engert d538ada 
%define trusted_all_bundle ca-bundle.trust.crt
Kai Engert 7c4340c 
%define legacy_enable_bundle ca-bundle.legacy.enable.crt
Kai Engert 7c4340c 
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
Kai Engert a4c95d5 
%define neutral_bundle ca-bundle.neutral-trust.crt
Kai Engert a4c95d5 
%define bundle_supplement ca-bundle.supplement.p11-kit
Kai Engert d538ada 
%define java_bundle java/cacerts
d01a981
d01a981 
Summary: The Mozilla CA root certificate bundle
d01a981 
Name: ca-certificates
Kai Engert d538ada
Kai Engert d538ada 
# For the package version number, we use: year.{upstream version}
Kai Engert d538ada 
#
Kai Engert b55d193 
# The {upstream version} can be found as symbol
Kai Engert b55d193 
# NSS_BUILTINS_LIBRARY_VERSION in file nss/lib/ckfw/builtins/nssckbi.h
Kai Engert b55d193 
# which corresponds to the data in file nss/lib/ckfw/builtins/certdata.txt.
Kai Engert b55d193 
#
Kai Engert b55d193 
# The files should be taken from a released version of NSS, as published
Kai Engert b55d193 
# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
Kai Engert b55d193 
#
Kai Engert b55d193 
# The versions that are used by the latest released version of
Kai Engert b55d193 
# Mozilla Firefox should be available from:
Kai Engert 76ef429 
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
Kai Engert 76ef429 
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Kai Engert d538ada 
#
Kai Engert b55d193 
# The most recent development versions of the files can be found at
Kai Engert b55d193 
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
Kai Engert b55d193 
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
Kai Engert b55d193 
# (but these files might have not yet been released).
Kai Engert b55d193 
#
Kai Engert d538ada 
# (until 2012.87 the version was based on the cvs revision ID of certdata.txt,
Kai Engert d538ada 
# but in 2013 the NSS projected was migrated to HG. Old version 2012.87 is
Kai Engert d538ada 
# equivalent to new version 2012.1.93, which would break the requirement
Kai Engert d538ada 
# to have increasing version numbers. However, the new scheme will work,
Kai Engert d538ada 
# because all future versions will start with 2013 or larger.)
Kai Engert d538ada
Kai Engert 730e7c7 
Version: 2014.2.2
Kai Engert 25f2082 
# for Rawhide, please always use release >= 2
Kai Engert 25f2082 
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Kai Engert 730e7c7 
Release: 1.0%{?dist}
d01a981 
License: Public Domain
Kai Engert d538ada
d01a981 
Group: System Environment/Base
Kai Engert 730e7c7 
URL: https://fedoraproject.org/wiki/CA-Certificates
Kai Engert d538ada
Kai Engert 76ef429 
#Please always update both certdata.txt and nssckbi.h
5f392b3 
Source0: certdata.txt
Kai Engert 76ef429 
Source1: nssckbi.h
Kai Engert 76ef429 
Source2: update-ca-trust
Kai Engert 76ef429 
Source3: trust-fixes
Kai Engert 76ef429 
Source4: certdata2pem.py
Kai Engert 7c4340c 
Source5: ca-legacy.conf
Kai Engert 7c4340c 
Source6: ca-legacy
Kai Engert 48ecd0a 
Source10: update-ca-trust.8.txt
Kai Engert d538ada 
Source11: README.usr
Kai Engert d538ada 
Source12: README.etc
Kai Engert d538ada 
Source13: README.extr
Kai Engert d538ada 
Source14: README.java
Kai Engert d538ada 
Source15: README.openssl
Kai Engert d538ada 
Source16: README.pem
Kai Engert d538ada 
Source17: README.src
Kai Engert d538ada
d01a981 
BuildArch: noarch
d01a981
Kai Engert a4c95d5 
Requires: p11-kit >= 0.17.3
Kai Engert a4c95d5 
Requires: p11-kit-trust >= 0.17.3
Kai Engert 7c4340c 
Requires: coreutils
Kai Engert 7c4340c 
Requires(post): coreutils
Kai Engert d538ada 
BuildRequires: perl
Kai Engert d538ada 
BuildRequires: python
Kai Engert d538ada 
BuildRequires: openssl
Kai Engert 48ecd0a 
BuildRequires: asciidoc
Kai Engert 48ecd0a 
BuildRequires: libxslt
Kai Engert d538ada
d01a981 
%description
d01a981 
This package contains the set of CA certificates chosen by the
d01a981 
Mozilla Foundation for use with the Internet PKI.
d01a981
d01a981 
%prep
d01a981 
rm -rf %{name}
Kai Engert d538ada 
mkdir %{name}
Kai Engert d538ada 
mkdir %{name}/certs
Kai Engert 7c4340c 
mkdir %{name}/certs/legacy-enable
Kai Engert 7c4340c 
mkdir %{name}/certs/legacy-disable
Kai Engert d538ada 
mkdir %{name}/java
d01a981
d01a981 
%build
5f392b3 
pushd %{name}/certs
Kai Engert a4c95d5 
 pwd
Kai Engert d538ada 
 cp %{SOURCE0} .
Kai Engert 76ef429 
 python %{SOURCE4} >c2p.log 2>c2p.err
5f392b3 
popd
d01a981 
pushd %{name}
5f392b3 
 (
5f392b3 
   cat <
5f392b3 
# This is a bundle of X.509 certificates of public Certificate
5f392b3 
# Authorities.  It was generated from the Mozilla root CA list.
708646c 
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
708646c 
# format and have trust bits set accordingly.
Kai Engert 25f2082 
# An exception are auxiliary certificates, without positive or negative
Kai Engert 25f2082 
# trust, but are used to assist in finding a preferred trust path.
Kai Engert 25f2082 
# Those neutral certificates use the plain BEGIN CERTIFICATE format.
708646c 
#
Kai Engert 76ef429 
# Source: nss/lib/ckfw/builtins/certdata.txt
Kai Engert 76ef429 
# Source: nss/lib/ckfw/builtins/nssckbi.h
708646c 
#
708646c 
# Generated from:
708646c 
EOF
Kai Engert 76ef429 
   cat %{SOURCE1}  |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
708646c 
   echo '#';
Kai Engert d538ada 
 ) > %{trusted_all_bundle}
Kai Engert 7c4340c 
 touch %{neutral_bundle}
708646c 
 for f in certs/*.crt; do
Kai Engert a4c95d5 
   echo "processing $f"
708646c 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
Kai Engert d538ada 
   distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
Kai Engert 48ecd0a 
   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
Kai Engert d538ada 
   targs=""
708646c 
   if [ -n "$tbits" ]; then
708646c 
      for t in $tbits; do
708646c 
         targs="${targs} -addtrust $t"
708646c 
      done
Kai Engert d538ada 
   fi
Kai Engert d538ada 
   if [ -n "$distbits" ]; then
Kai Engert d538ada 
      for t in $distbits; do
Kai Engert d538ada 
         targs="${targs} -addreject $t"
Kai Engert d538ada 
      done
Kai Engert d538ada 
   fi
Kai Engert d538ada 
   if [ -n "$targs" ]; then
Kai Engert a4c95d5 
      echo "trust flags $targs for $f" >> info.trust
Kai Engert 48ecd0a 
      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{trusted_all_bundle}
Kai Engert a4c95d5 
   else
Kai Engert a4c95d5 
      echo "no trust flags for $f" >> info.notrust
Kai Engert 25f2082 
      # p11-kit-trust defines empty trust lists as "rejected for all purposes".
Kai Engert 25f2082 
      # That's why we use the simple file format
Kai Engert 25f2082 
      #   (BEGIN CERTIFICATE, no trust information)
Kai Engert 25f2082 
      # because p11-kit-trust will treat it as a certificate with neutral trust.
Kai Engert 25f2082 
      # This means we cannot use the -setalias feature for neutral trust certs.
Kai Engert 25f2082 
      openssl x509 -text -in "$f" >> %{neutral_bundle}
708646c 
   fi
708646c 
 done
Kai Engert 7c4340c
Kai Engert 7c4340c 
 for f in certs/legacy-enable/*.crt; do
Kai Engert 7c4340c 
   echo "processing $f"
Kai Engert 7c4340c 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
Kai Engert 7c4340c 
   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
Kai Engert 7c4340c 
   targs=""
Kai Engert 7c4340c 
   if [ -n "$tbits" ]; then
Kai Engert 7c4340c 
      for t in $tbits; do
Kai Engert 7c4340c 
         targs="${targs} -addtrust $t"
Kai Engert 7c4340c 
      done
Kai Engert 7c4340c 
   fi
Kai Engert 7c4340c 
   if [ -n "$targs" ]; then
Kai Engert 7c4340c 
      echo "legacy enable flags $targs for $f" >> info.trust
Kai Engert 7c4340c 
      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle}
Kai Engert 7c4340c 
   fi
Kai Engert a4c95d5 
 done
Kai Engert 7c4340c
Kai Engert 7c4340c 
 for f in certs/legacy-disable/*.crt; do
Kai Engert 7c4340c 
   echo "processing $f"
Kai Engert 7c4340c 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
Kai Engert 7c4340c 
   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
Kai Engert 7c4340c 
   targs=""
Kai Engert 7c4340c 
   if [ -n "$tbits" ]; then
Kai Engert 7c4340c 
      for t in $tbits; do
Kai Engert 7c4340c 
         targs="${targs} -addtrust $t"
Kai Engert 7c4340c 
      done
Kai Engert 7c4340c 
   fi
Kai Engert 7c4340c 
   if [ -n "$targs" ]; then
Kai Engert 7c4340c 
      echo "legacy disable flags $targs for $f" >> info.trust
Kai Engert 7c4340c 
      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
Kai Engert 7c4340c 
   fi
Kai Engert 7c4340c 
 done
Kai Engert 7c4340c
Kai Engert 7c4340c 
 P11FILES=`find certs -name *.p11-kit | wc -l`
Kai Engert 7c4340c 
 if [ $P11FILES -ne 0 ]; then
Kai Engert 7c4340c 
   for p in certs/*.p11-kit; do
Kai Engert 7c4340c 
     cat "$p" >> %{bundle_supplement}
Kai Engert 7c4340c 
   done
Kai Engert 7c4340c 
 fi
Kai Engert a4c95d5 
 # Append our trust fixes
Kai Engert 76ef429 
 cat %{SOURCE3} >> %{bundle_supplement}
56a6866 
popd
Kai Engert d538ada
Kai Engert 48ecd0a 
#manpage
Kai Engert 48ecd0a 
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
Kai Engert 48ecd0a 
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
Kai Engert 48ecd0a 
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
Kai Engert 48ecd0a
d01a981
d01a981 
%install
d01a981 
rm -rf $RPM_BUILD_ROOT
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
Kai Engert a4c95d5 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
Kai Engert a4c95d5 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
Kai Engert a4c95d5 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
Kai Engert a4c95d5 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
Kai Engert 7c4340c 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
Kai Engert 48ecd0a 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
d01a981
Kai Engert 48ecd0a 
install -p -m 644 %{name}/update-ca-trust.8 $RPM_BUILD_ROOT%{_mandir}/man8
Kai Engert d538ada 
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
Kai Engert 0ecb427
Kai Engert d538ada 
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
Kai Engert a4c95d5 
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
Kai Engert a4c95d5 
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
Kai Engert 7c4340c
Kai Engert 7c4340c 
install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
Kai Engert 7c4340c 
install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
Kai Engert 7c4340c
Kai Engert 7c4340c 
install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
Kai Engert 7c4340c
Kai Engert d538ada 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
Kai Engert a4c95d5 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
Kai Engert a4c95d5 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
Kai Engert 0ecb427
Kai Engert 7c4340c 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
Kai Engert 7c4340c 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
Kai Engert 7c4340c
Kai Engert d538ada 
# TODO: consider to dynamically create the update-ca-trust script from within
Kai Engert d538ada 
#       this .spec file, in order to have the output file+directory names at once place only.
Kai Engert 76ef429 
install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
d01a981
Kai Engert 7c4340c 
install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy
Kai Engert 7c4340c
Kai Engert d538ada 
# touch ghosted files that will be extracted dynamically
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{trusted_all_bundle}
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
d01a981
c9fb114 
# /etc/ssl/certs symlink for 3rd-party tools
Kai Engert d538ada 
ln -s ../pki/tls/certs \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
Kai Engert d538ada 
# legacy filenames
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/openssl/%{trusted_all_bundle} \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{trusted_all_bundle}
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/%{java_bundle} \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
Kai Engert d538ada
c9fb114
d01a981 
%clean
d01a981 
rm -rf $RPM_BUILD_ROOT
d01a981
Kai Engert d538ada
Kai Engert d538ada 
%pre
Kai Engert d538ada 
if [ $1 -gt 1 ] ; then
Kai Engert d538ada 
  # Upgrade or Downgrade.
Kai Engert d538ada 
  # If the classic filename is a regular file, then we are upgrading
Kai Engert d538ada 
  # from an old package and we will move it to an .rpmsave backup file.
Kai Engert d538ada 
  # If the filename is a symbolic link, then we are good already.
Kai Engert d538ada 
  # If the system will later be downgraded to an old package with regular
Kai Engert d538ada 
  # files, and afterwards updated again to a newer package with symlinks,
Kai Engert d538ada 
  # and the old .rpmsave backup file didn't get cleaned up,
Kai Engert d538ada 
  # then we don't backup again. We keep the older backup file.
Kai Engert d538ada 
  # In other words, if an .rpmsave file already exists, we don't overwrite it.
Kai Engert d538ada 
  #
Kai Engert d538ada 
  if ! test -e %{pkidir}/%{java_bundle}.rpmsave; then
Kai Engert d538ada 
    # no backup yet
Kai Engert d538ada 
    if ! test -L %{pkidir}/%{java_bundle}; then
Kai Engert d538ada 
      # it's an old regular file, not a link
Kai Engert d538ada 
      mv -f %{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}.rpmsave
Kai Engert d538ada 
    fi
Kai Engert d538ada 
  fi
Kai Engert d538ada
Kai Engert d538ada 
  if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
Kai Engert d538ada 
    # no backup yet
Kai Engert d538ada 
    if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
Kai Engert d538ada 
      # it's an old regular file, not a link
Kai Engert d538ada 
      mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
Kai Engert d538ada 
    fi
Kai Engert d538ada 
  fi
Kai Engert d538ada
Kai Engert d538ada 
  if ! test -e %{pkidir}/tls/certs/%{trusted_all_bundle}.rpmsave; then
Kai Engert d538ada 
    # no backup yet
Kai Engert d538ada 
    if ! test -L %{pkidir}/tls/certs/%{trusted_all_bundle}; then
Kai Engert d538ada 
      # it's an old regular file, not a link
Kai Engert d538ada 
      mv -f %{pkidir}/tls/certs/%{trusted_all_bundle} %{pkidir}/tls/certs/%{trusted_all_bundle}.rpmsave
Kai Engert d538ada 
    fi
Kai Engert d538ada 
  fi
Kai Engert d538ada 
fi
Kai Engert d538ada
Kai Engert d538ada
Kai Engert d538ada 
%post
Kai Engert d538ada 
#if [ $1 -gt 1 ] ; then
Kai Engert d538ada 
#  # when upgrading or downgrading
Kai Engert d538ada 
#fi
Kai Engert 7c4340c 
%{_bindir}/ca-legacy install
Kai Engert d538ada 
%{_bindir}/update-ca-trust
Kai Engert d538ada
Kai Engert d538ada
d01a981 
%files
d01a981 
%defattr(-,root,root,-)
Kai Engert d538ada
Kai Engert d538ada 
%dir %{_sysconfdir}/ssl
d01a981 
%dir %{pkidir}/tls
d01a981 
%dir %{pkidir}/tls/certs
Kai Engert d538ada 
%dir %{pkidir}/java
Kai Engert d538ada 
%dir %{catrustdir}
Kai Engert d538ada 
%dir %{catrustdir}/source
Kai Engert a4c95d5 
%dir %{catrustdir}/source/anchors
Kai Engert a4c95d5 
%dir %{catrustdir}/source/blacklist
Kai Engert d538ada 
%dir %{catrustdir}/extracted
Kai Engert d538ada 
%dir %{catrustdir}/extracted/pem
Kai Engert d538ada 
%dir %{catrustdir}/extracted/openssl
Kai Engert d538ada 
%dir %{catrustdir}/extracted/java
Kai Engert a4c95d5 
%dir %{_datadir}/pki/ca-trust-source
Kai Engert a4c95d5 
%dir %{_datadir}/pki/ca-trust-source/anchors
Kai Engert a4c95d5 
%dir %{_datadir}/pki/ca-trust-source/blacklist
Kai Engert 7c4340c 
%dir %{_datadir}/pki/ca-trust-legacy
Kai Engert 7c4340c
Kai Engert 7c4340c 
%config(noreplace) %{catrustdir}/ca-legacy.conf
Kai Engert d538ada
Kai Engert 48ecd0a 
%{_mandir}/man8/update-ca-trust.8.gz
Kai Engert d538ada 
%{_datadir}/pki/ca-trust-source/README
Kai Engert d538ada 
%{catrustdir}/README
Kai Engert d538ada 
%{catrustdir}/extracted/README
Kai Engert d538ada 
%{catrustdir}/extracted/java/README
Kai Engert d538ada 
%{catrustdir}/extracted/openssl/README
Kai Engert d538ada 
%{catrustdir}/extracted/pem/README
Kai Engert d538ada 
%{catrustdir}/source/README
Kai Engert d538ada
Kai Engert d538ada 
# symlinks for old locations
866d688 
%{pkidir}/tls/cert.pem
Kai Engert d538ada 
%{pkidir}/tls/certs/%{classic_tls_bundle}
Kai Engert d538ada 
%{pkidir}/tls/certs/%{trusted_all_bundle}
Kai Engert d538ada 
%{pkidir}/%{java_bundle}
Kai Engert d538ada 
# symlink directory
c9fb114 
%{_sysconfdir}/ssl/certs
Kai Engert d538ada 
# master bundle file with trust
Kai Engert d538ada 
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
Kai Engert a4c95d5 
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
Kai Engert a4c95d5 
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
Kai Engert 7c4340c 
%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
Kai Engert 7c4340c 
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
Kai Engert d538ada 
# update/extract tool
Kai Engert d538ada 
%{_bindir}/update-ca-trust
Kai Engert 7c4340c 
%{_bindir}/ca-legacy
Kai Engert 7c4340c 
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
Kai Engert d538ada 
# files extracted files
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/openssl/%{trusted_all_bundle}
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/%{java_bundle}
Kai Engert d538ada
d01a981
d01a981 
%changelog
Kai Engert 730e7c7 
* Tue Dec 16 2014 Kai Engert <kaie@redhat.com> - 2014.2.2-1.0
Kai Engert 730e7c7 
- Update to CKBI 2.2 from NSS 3.17.3 with legacy modifications
Kai Engert 730e7c7 
- Update project URL
Kai Engert 730e7c7
Kai Engert 7c4340c 
* Thu Nov 20 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.5
Kai Engert 7c4340c 
- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
Kai Engert 7c4340c 
  By default, legacy roots required for OpenSSL/GnuTLS compatibility
Kai Engert 7c4340c 
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
Kai Engert 7c4340c 
  disabled. If disabled, the system will use the trust set as provided
Kai Engert 7c4340c 
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
Kai Engert 7c4340c 
- Includes the fixes for rhbz#1158343
Kai Engert 7c4340c
Kai Engert 3927dee 
* Sun Sep 21 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.1
Kai Engert 3927dee 
- Temporarily re-enable several legacy root CA certificates because of
Kai Engert 3927dee 
  compatibility issues with software based on OpenSSL/GnuTLS,
Kai Engert 3927dee 
  see rhbz#1144808
Kai Engert 3927dee
Kai Engert 25f2082 
* Thu Aug 14 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.0
Kai Engert 25f2082 
- Update to CKBI 2.1 from NSS 3.16.4
Kai Engert 25f2082 
- Fix rhbz#1130226
Kai Engert 25f2082
Kai Engert 55c058d 
* Wed Mar 19 2014 Kai Engert <kaie@redhat.com> - 2013.1.97-1
Kai Engert 55c058d 
- Update to CKBI 1.97 from NSS 3.16
Kai Engert 55c058d 
- Remove openjdk build dependency
Kai Engert 55c058d
Kai Engert b55d193 
* Thu Jan 09 2014 Kai Engert <kaie@redhat.com> - 2013.1.96-1
Kai Engert b55d193 
- Update to CKBI 1.96 from NSS 3.15.4
Kai Engert b55d193
Kai Engert 1fd8952 
* Tue Dec 17 2013 Kai Engert <kaie@redhat.com> - 2013.1.95-1
Kai Engert 1fd8952 
- Update to CKBI 1.95 from NSS 3.15.3.1
Kai Engert 1fd8952
Kai Engert 66f49df 
* Tue Sep 03 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-1
Kai Engert 66f49df 
- update to version 1.94 provided by NSS 3.15
Kai Engert a3f03ee 
- improve manpage
Kai Engert a3f03ee
Kai Engert 52a5513 
* Tue Jul 09 2013 Kai Engert <kaie@redhat.com> - 2012.87-10.4
Kai Engert 52a5513 
- clarification updates to manual page
Kai Engert 52a5513
Kai Engert 48ecd0a 
* Mon Jul 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-10.3
Kai Engert 48ecd0a 
- added a manual page and related build requirements
Kai Engert 48ecd0a 
- simplify the README files now that we have a manual page
Kai Engert 48ecd0a 
- set a certificate alias in trusted bundle (thanks to Ludwig Nussel)
Kai Engert 48ecd0a
Kai Engert 5fe2f62 
* Mon May 27 2013 Kai Engert <kaie@redhat.com> - 2012.87-10.2
Kai Engert 5fe2f62 
- use correct command in README files, rhbz#961809
Kai Engert 5fe2f62
Kai Engert 76ef429 
* Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-10.1
Kai Engert 76ef429 
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
Kai Engert 76ef429 
  (thanks to Michael Shuler for suggesting to do so)
Kai Engert 76ef429 
- Update source URLs and comments, add source file for version information.
Kai Engert 76ef429
Kai Engert f5bd743 
* Wed Mar 27 2013 Kai Engert <kaie@redhat.com> - 2012.87-10.0
Kai Engert f5bd743 
- Use both label and serial to identify cert during conversion, rhbz#927601
Kai Engert f5bd743
Kai Engert a4c95d5 
* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-9.fc19.1
Kai Engert a4c95d5 
- adjust to changed and new functionality provided by p11-kit 0.17.3
Kai Engert a4c95d5 
- updated READMEs to describe the new directory-specific treatment of files
Kai Engert a4c95d5 
- ship a new file that contains certificates with neutral trust
Kai Engert a4c95d5 
- ship a new file that contains distrust objects, and also staple a
Kai Engert a4c95d5 
  basic constraint extension to one legacy root contained in the
Kai Engert a4c95d5 
  Mozilla CA list
Kai Engert a4c95d5 
- adjust the build script to dynamically produce most of above files
Kai Engert a4c95d5 
- add and own the anchors and blacklist subdirectories
Kai Engert a4c95d5 
- file generate-cacerts.pl is no longer required
Kai Engert a4c95d5
Kai Engert d538ada 
* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
Kai Engert d538ada 
- Major rework for the Fedora SharedSystemCertificates feature.
Kai Engert d538ada 
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
Kai Engert d538ada 
- Require the p11-kit package that contains tools to automatically create
Kai Engert d538ada 
  other file format bundles.
Kai Engert d538ada 
- Convert old file locations to symbolic links that point to dynamically
Kai Engert d538ada 
  generated files.
Kai Engert d538ada 
- Old files, which might have been locally modified, will be saved in backup
Kai Engert d538ada 
  files with .rpmsave extension.
Kai Engert d538ada 
- Added a update-ca-certificates script which can be used to regenerate
Kai Engert d538ada 
  the merged trusted output.
Kai Engert d538ada 
- Refer to the various README files that have been added for more detailed
Kai Engert d538ada 
  explanation of the new system.
Kai Engert d538ada 
- No longer require rsc for building.
Kai Engert d538ada 
- Add explanation for the future version numbering scheme,
Kai Engert d538ada 
  because the old numbering scheme was based on upstream using cvs,
Kai Engert d538ada 
  which is no longer true, and therefore can no longer be used.
Kai Engert d538ada 
- Includes changes from rhbz#873369.
Kai Engert d538ada
Kai Engert 0ecb427 
* Thu Mar 07 2013 Kai Engert <kaie@redhat.com> - 2012.87-2.fc19.1
Kai Engert 0ecb427 
- Ship trust bundle file in /usr/share/pki/ca-trust-source/, temporarily in addition.
Kai Engert 0ecb427 
  This location will soon become the only place containing this file.
Kai Engert 0ecb427
dc13997 
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2012.87-2
dc13997 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
dc13997
73800e1 
* Fri Jan 04 2013 Paul Wouters <pwouters@redhat.com> - 2012.87-1
73800e1 
- Updated to r1.87 to blacklist mis-issued turktrust CA certs
73800e1
829cbef 
* Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
829cbef 
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
829cbef 
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
829cbef
b65d8a8 
* Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
b65d8a8 
- update to r1.86
b65d8a8
bc18e50 
* Mon Jul 23 2012 Joe Orton <jorton@redhat.com> - 2012.85-2
bc18e50 
- add openssl to BuildRequires
bc18e50
df639e3 
* Mon Jul 23 2012 Joe Orton <jorton@redhat.com> - 2012.85-1
df639e3 
- update to r1.85
df639e3
816ae11 
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2012.81-2
816ae11 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
816ae11
229976a 
* Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
229976a 
- update to r1.81
229976a
8c27f26 
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
8c27f26 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
8c27f26
229976a 
* Wed Nov  9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
Joe Orton 5968244 
- update to r1.80
Joe Orton 5968244 
- fix handling of certs with dublicate Subject names (#733032)
Joe Orton 5968244
f098063 
* Thu Sep  1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
f098063 
- update to r1.78, removing trust from DigiNotar root (#734679)
f098063
fbef645 
* Wed Aug  3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
fbef645 
- update to r1.75
fbef645
37d25f7 
* Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
37d25f7 
- update to r1.74
37d25f7
9ee01c7 
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
9ee01c7 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
9ee01c7
bf4a1f1 
* Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
bf4a1f1 
- update to r1.70
bf4a1f1
96465e8 
* Tue Nov  9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
96465e8 
- update to r1.65
96465e8
c9fb114 
* Wed Apr  7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
c9fb114 
- package /etc/ssl/certs symlink for third-party apps (#572725)
c9fb114
58bb64f 
* Wed Apr  7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
58bb64f 
- rebuild
58bb64f
b62ba6e 
* Wed Apr  7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
b62ba6e 
- update to certdata.txt r1.63
b62ba6e 
- use upstream RCS version in Version
b62ba6e
dc70b1f 
* Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
dc70b1f 
- fix ca-bundle.crt (#575111)
dc70b1f
708646c 
* Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
708646c 
- update to certdata.txt r1.58
708646c 
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
708646c 
- exclude ECC certs from the Java cacerts database
708646c 
- catch keytool failures
708646c 
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
708646c
56a6866 
* Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
56a6866 
- fix Java cacert database generation: use Subject rather than Issuer
56a6866 
  for alias name; add diagnostics; fix some alias names.
56a6866
5f392b3 
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
5f392b3 
- adopt Python certdata.txt parsing script from Debian
5f392b3
0bfc15e 
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
0bfc15e 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
0bfc15e
5406f40 
* Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
5406f40 
- update to certdata.txt r1.53
5406f40
a42172d 
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
a42172d 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
a42172d
e908127 
* Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
e908127 
- update to certdata.txt r1.49
e908127
Thomas Fitzsimmons 180c47e 
* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
Thomas Fitzsimmons 180c47e 
- Change generate-cacerts.pl to produce pretty aliases.
Thomas Fitzsimmons 180c47e
65c3b04 
* Mon Jun  2 2008 Joe Orton <jorton@redhat.com> 2008-5
65c3b04 
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
65c3b04
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
d01a981 
- use package name for temp dir, recreate it in prep
d01a981
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
d01a981 
- fix source script perms
d01a981 
- mark packaged files as config(noreplace)
d01a981
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
d01a981 
- add (but don't use) mkcabundle.pl
d01a981 
- tweak description
d01a981 
- use /usr/bin/keytool directly; BR java-openjdk
d01a981
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
d01a981 
- Initial build (#448497)
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.