rpms / ca-certificates

Clone
Source Code
GIT

Blame ca-certificates.spec

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   bba934e680cc9b86a75fd5b58a3d0ca1dbdb0b84
  2.   ca-certificates.spec
Blob History Raw
d01a981 
%define pkidir %{_sysconfdir}/pki
Kai Engert d538ada 
%define catrustdir %{_sysconfdir}/pki/ca-trust
Kai Engert d538ada 
%define classic_tls_bundle ca-bundle.crt
Kai Engert d538ada 
%define trusted_all_bundle ca-bundle.trust.crt
Kai Engert 541d091 
%define legacy_enable_bundle ca-bundle.legacy.enable.crt
Kai Engert 541d091 
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
Kai Engert 34f352d 
%define neutral_bundle ca-bundle.neutral-trust.crt
Kai Engert 34f352d 
%define bundle_supplement ca-bundle.supplement.p11-kit
Kai Engert d538ada 
%define java_bundle java/cacerts
d01a981
d01a981 
Summary: The Mozilla CA root certificate bundle
d01a981 
Name: ca-certificates
Kai Engert d538ada
Kai Engert d538ada 
# For the package version number, we use: year.{upstream version}
Kai Engert d538ada 
#
Kai Engert 5df4185 
# The {upstream version} can be found as symbol
Kai Engert 5df4185 
# NSS_BUILTINS_LIBRARY_VERSION in file nss/lib/ckfw/builtins/nssckbi.h
Kai Engert 5df4185 
# which corresponds to the data in file nss/lib/ckfw/builtins/certdata.txt.
Kai Engert 5df4185 
#
Kai Engert 5df4185 
# The files should be taken from a released version of NSS, as published
Kai Engert 5df4185 
# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
Kai Engert 5df4185 
#
Kai Engert 5df4185 
# The versions that are used by the latest released version of
Kai Engert 5df4185 
# Mozilla Firefox should be available from:
Kai Engert b2e71a9 
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
Kai Engert b2e71a9 
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Kai Engert d538ada 
#
Kai Engert 5df4185 
# The most recent development versions of the files can be found at
Kai Engert 5df4185 
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
Kai Engert 5df4185 
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
Kai Engert 5df4185 
# (but these files might have not yet been released).
Kai Engert 5df4185 
#
Kai Engert d538ada 
# (until 2012.87 the version was based on the cvs revision ID of certdata.txt,
Kai Engert d538ada 
# but in 2013 the NSS projected was migrated to HG. Old version 2012.87 is
Kai Engert d538ada 
# equivalent to new version 2012.1.93, which would break the requirement
Kai Engert d538ada 
# to have increasing version numbers. However, the new scheme will work,
Kai Engert d538ada 
# because all future versions will start with 2013 or larger.)
Kai Engert d538ada
Kai Engert 41b7150 
Version: 2014.2.1
Kai Engert 41b7150 
# for Rawhide, please always use release >= 2
Kai Engert 41b7150 
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
0114a2f 
Release: 1.4%{?dist}
d01a981 
License: Public Domain
Kai Engert d538ada
d01a981 
Group: System Environment/Base
d01a981 
URL: http://www.mozilla.org/
Kai Engert d538ada
Kai Engert b2e71a9 
#Please always update both certdata.txt and nssckbi.h
5f392b3 
Source0: certdata.txt
Kai Engert b2e71a9 
Source1: nssckbi.h
Kai Engert b2e71a9 
Source2: update-ca-trust
Kai Engert b2e71a9 
Source3: trust-fixes
Kai Engert b2e71a9 
Source4: certdata2pem.py
Kai Engert 541d091 
Source5: ca-legacy.conf
Kai Engert 541d091 
Source6: ca-legacy
Kai Engert 9ac574b 
Source10: update-ca-trust.8.txt
Kai Engert d538ada 
Source11: README.usr
Kai Engert d538ada 
Source12: README.etc
Kai Engert d538ada 
Source13: README.extr
Kai Engert d538ada 
Source14: README.java
Kai Engert d538ada 
Source15: README.openssl
Kai Engert d538ada 
Source16: README.pem
Kai Engert d538ada 
Source17: README.src
Kai Engert d538ada
d01a981 
BuildArch: noarch
d01a981
Kai Engert 10e748b 
Requires: p11-kit >= 0.19.2
Kai Engert 10e748b 
Requires: p11-kit-trust >= 0.19.2
d8e353c 
Requires(post): coreutils
Kai Engert d538ada 
BuildRequires: perl
Kai Engert d538ada 
BuildRequires: python
Kai Engert d538ada 
BuildRequires: openssl
Kai Engert 9ac574b 
BuildRequires: asciidoc
Kai Engert 9ac574b 
BuildRequires: libxslt
Kai Engert d538ada
d01a981 
%description
d01a981 
This package contains the set of CA certificates chosen by the
d01a981 
Mozilla Foundation for use with the Internet PKI.
d01a981
d01a981 
%prep
d01a981 
rm -rf %{name}
Kai Engert d538ada 
mkdir %{name}
Kai Engert d538ada 
mkdir %{name}/certs
Kai Engert 541d091 
mkdir %{name}/certs/legacy-enable
Kai Engert 541d091 
mkdir %{name}/certs/legacy-disable
Kai Engert d538ada 
mkdir %{name}/java
d01a981
d01a981 
%build
5f392b3 
pushd %{name}/certs
Kai Engert 34f352d 
 pwd
Kai Engert d538ada 
 cp %{SOURCE0} .
Kai Engert b2e71a9 
 python %{SOURCE4} >c2p.log 2>c2p.err
5f392b3 
popd
d01a981 
pushd %{name}
5f392b3 
 (
5f392b3 
   cat <
5f392b3 
# This is a bundle of X.509 certificates of public Certificate
5f392b3 
# Authorities.  It was generated from the Mozilla root CA list.
708646c 
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
708646c 
# format and have trust bits set accordingly.
Kai Engert 41b7150 
# An exception are auxiliary certificates, without positive or negative
Kai Engert 41b7150 
# trust, but are used to assist in finding a preferred trust path.
Kai Engert 41b7150 
# Those neutral certificates use the plain BEGIN CERTIFICATE format.
708646c 
#
Kai Engert b2e71a9 
# Source: nss/lib/ckfw/builtins/certdata.txt
Kai Engert b2e71a9 
# Source: nss/lib/ckfw/builtins/nssckbi.h
708646c 
#
708646c 
# Generated from:
708646c 
EOF
Kai Engert b2e71a9 
   cat %{SOURCE1}  |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
708646c 
   echo '#';
Kai Engert d538ada 
 ) > %{trusted_all_bundle}
Kai Engert 541d091 
 touch %{neutral_bundle}
708646c 
 for f in certs/*.crt; do
Kai Engert 34f352d 
   echo "processing $f"
708646c 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
Kai Engert d538ada 
   distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
Kai Engert 9ac574b 
   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
Kai Engert d538ada 
   targs=""
708646c 
   if [ -n "$tbits" ]; then
708646c 
      for t in $tbits; do
708646c 
         targs="${targs} -addtrust $t"
708646c 
      done
Kai Engert d538ada 
   fi
Kai Engert d538ada 
   if [ -n "$distbits" ]; then
Kai Engert d538ada 
      for t in $distbits; do
Kai Engert d538ada 
         targs="${targs} -addreject $t"
Kai Engert d538ada 
      done
Kai Engert d538ada 
   fi
Kai Engert d538ada 
   if [ -n "$targs" ]; then
Kai Engert 34f352d 
      echo "trust flags $targs for $f" >> info.trust
Kai Engert 9ac574b 
      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{trusted_all_bundle}
Kai Engert 34f352d 
   else
Kai Engert 34f352d 
      echo "no trust flags for $f" >> info.notrust
Kai Engert 41b7150 
      # p11-kit-trust defines empty trust lists as "rejected for all purposes".
Kai Engert 41b7150 
      # That's why we use the simple file format
Kai Engert 41b7150 
      #   (BEGIN CERTIFICATE, no trust information)
Kai Engert 41b7150 
      # because p11-kit-trust will treat it as a certificate with neutral trust.
Kai Engert 41b7150 
      # This means we cannot use the -setalias feature for neutral trust certs.
Kai Engert 41b7150 
      openssl x509 -text -in "$f" >> %{neutral_bundle}
708646c 
   fi
708646c 
 done
Kai Engert 541d091
Kai Engert 541d091 
 for f in certs/legacy-enable/*.crt; do
Kai Engert 541d091 
   echo "processing $f"
Kai Engert 541d091 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
Kai Engert 541d091 
   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
Kai Engert 541d091 
   targs=""
Kai Engert 541d091 
   if [ -n "$tbits" ]; then
Kai Engert 541d091 
      for t in $tbits; do
Kai Engert 541d091 
         targs="${targs} -addtrust $t"
Kai Engert 541d091 
      done
Kai Engert 541d091 
   fi
Kai Engert 541d091 
   if [ -n "$targs" ]; then
Kai Engert 541d091 
      echo "legacy enable flags $targs for $f" >> info.trust
Kai Engert 541d091 
      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle}
Kai Engert 541d091 
   fi
Kai Engert 34f352d 
 done
Kai Engert 541d091
Kai Engert 541d091 
 for f in certs/legacy-disable/*.crt; do
Kai Engert 541d091 
   echo "processing $f"
Kai Engert 541d091 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
Kai Engert 541d091 
   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
Kai Engert 541d091 
   targs=""
Kai Engert 541d091 
   if [ -n "$tbits" ]; then
Kai Engert 541d091 
      for t in $tbits; do
Kai Engert 541d091 
         targs="${targs} -addtrust $t"
Kai Engert 541d091 
      done
Kai Engert 541d091 
   fi
Kai Engert 541d091 
   if [ -n "$targs" ]; then
Kai Engert 541d091 
      echo "legacy disable flags $targs for $f" >> info.trust
Kai Engert 541d091 
      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
Kai Engert 541d091 
   fi
Kai Engert 541d091 
 done
Kai Engert 541d091
Kai Engert 541d091 
 P11FILES=`find certs -name *.p11-kit | wc -l`
Kai Engert 541d091 
 if [ $P11FILES -ne 0 ]; then
Kai Engert 541d091 
   for p in certs/*.p11-kit; do
Kai Engert 541d091 
     cat "$p" >> %{bundle_supplement}
Kai Engert 541d091 
   done
Kai Engert 541d091 
 fi
Kai Engert 34f352d 
 # Append our trust fixes
Kai Engert b2e71a9 
 cat %{SOURCE3} >> %{bundle_supplement}
56a6866 
popd
Kai Engert d538ada
Kai Engert 9ac574b 
#manpage
Kai Engert 9ac574b 
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
Kai Engert 9ac574b 
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
Kai Engert 9ac574b 
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
Kai Engert 9ac574b
d01a981
d01a981 
%install
d01a981 
rm -rf $RPM_BUILD_ROOT
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
Kai Engert 34f352d 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
Kai Engert 34f352d 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
Kai Engert 34f352d 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
Kai Engert 34f352d 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
Kai Engert 541d091 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
Kai Engert d538ada 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
Kai Engert 9ac574b 
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
d01a981
Kai Engert 9ac574b 
install -p -m 644 %{name}/update-ca-trust.8 $RPM_BUILD_ROOT%{_mandir}/man8
Kai Engert d538ada 
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
Kai Engert d538ada 
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
Kai Engert 0ecb427
Kai Engert d538ada 
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
Kai Engert 34f352d 
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
Kai Engert 34f352d 
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
Kai Engert 541d091
Kai Engert 541d091 
install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
Kai Engert 541d091 
install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
Kai Engert 541d091
Kai Engert 541d091 
install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
Kai Engert 541d091
Kai Engert d538ada 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
Kai Engert 34f352d 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
Kai Engert 34f352d 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
Kai Engert 0ecb427
Kai Engert 541d091 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
Kai Engert 541d091 
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
Kai Engert 541d091
Kai Engert d538ada 
# TODO: consider to dynamically create the update-ca-trust script from within
Kai Engert d538ada 
#       this .spec file, in order to have the output file+directory names at once place only.
Kai Engert b2e71a9 
install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
d01a981
Kai Engert 541d091 
install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy
Kai Engert 541d091
Kai Engert d538ada 
# touch ghosted files that will be extracted dynamically
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{trusted_all_bundle}
Kai Engert d538ada 
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
d01a981
c9fb114 
# /etc/ssl/certs symlink for 3rd-party tools
Kai Engert d538ada 
ln -s ../pki/tls/certs \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
Kai Engert d538ada 
# legacy filenames
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/openssl/%{trusted_all_bundle} \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{trusted_all_bundle}
Kai Engert d538ada 
ln -s %{catrustdir}/extracted/%{java_bundle} \
Kai Engert d538ada 
      $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
Kai Engert d538ada
c9fb114
d01a981 
%clean
d01a981 
rm -rf $RPM_BUILD_ROOT
d01a981
Kai Engert d538ada
Kai Engert d538ada 
%pre
Kai Engert d538ada 
if [ $1 -gt 1 ] ; then
Kai Engert d538ada 
  # Upgrade or Downgrade.
Kai Engert d538ada 
  # If the classic filename is a regular file, then we are upgrading
Kai Engert d538ada 
  # from an old package and we will move it to an .rpmsave backup file.
Kai Engert d538ada 
  # If the filename is a symbolic link, then we are good already.
Kai Engert d538ada 
  # If the system will later be downgraded to an old package with regular
Kai Engert d538ada 
  # files, and afterwards updated again to a newer package with symlinks,
Kai Engert d538ada 
  # and the old .rpmsave backup file didn't get cleaned up,
Kai Engert d538ada 
  # then we don't backup again. We keep the older backup file.
Kai Engert d538ada 
  # In other words, if an .rpmsave file already exists, we don't overwrite it.
Kai Engert d538ada 
  #
Kai Engert d538ada 
  if ! test -e %{pkidir}/%{java_bundle}.rpmsave; then
Kai Engert d538ada 
    # no backup yet
Kai Engert d538ada 
    if ! test -L %{pkidir}/%{java_bundle}; then
Kai Engert d538ada 
      # it's an old regular file, not a link
Kai Engert d538ada 
      mv -f %{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}.rpmsave
Kai Engert d538ada 
    fi
Kai Engert d538ada 
  fi
Kai Engert d538ada
Kai Engert d538ada 
  if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
Kai Engert d538ada 
    # no backup yet
Kai Engert d538ada 
    if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
Kai Engert d538ada 
      # it's an old regular file, not a link
Kai Engert d538ada 
      mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
Kai Engert d538ada 
    fi
Kai Engert d538ada 
  fi
Kai Engert d538ada
Kai Engert d538ada 
  if ! test -e %{pkidir}/tls/certs/%{trusted_all_bundle}.rpmsave; then
Kai Engert d538ada 
    # no backup yet
Kai Engert d538ada 
    if ! test -L %{pkidir}/tls/certs/%{trusted_all_bundle}; then
Kai Engert d538ada 
      # it's an old regular file, not a link
Kai Engert d538ada 
      mv -f %{pkidir}/tls/certs/%{trusted_all_bundle} %{pkidir}/tls/certs/%{trusted_all_bundle}.rpmsave
Kai Engert d538ada 
    fi
Kai Engert d538ada 
  fi
Kai Engert d538ada 
fi
Kai Engert d538ada
Kai Engert d538ada
Kai Engert d538ada 
%post
Kai Engert d538ada 
#if [ $1 -gt 1 ] ; then
Kai Engert d538ada 
#  # when upgrading or downgrading
Kai Engert d538ada 
#fi
Kai Engert 541d091 
%{_bindir}/ca-legacy install
Kai Engert d538ada 
%{_bindir}/update-ca-trust
Kai Engert d538ada
Kai Engert d538ada
d01a981 
%files
d01a981 
%defattr(-,root,root,-)
Kai Engert d538ada
Kai Engert d538ada 
%dir %{_sysconfdir}/ssl
d01a981 
%dir %{pkidir}/tls
d01a981 
%dir %{pkidir}/tls/certs
Kai Engert d538ada 
%dir %{pkidir}/java
Kai Engert d538ada 
%dir %{catrustdir}
Kai Engert d538ada 
%dir %{catrustdir}/source
Kai Engert 34f352d 
%dir %{catrustdir}/source/anchors
Kai Engert 34f352d 
%dir %{catrustdir}/source/blacklist
Kai Engert d538ada 
%dir %{catrustdir}/extracted
Kai Engert d538ada 
%dir %{catrustdir}/extracted/pem
Kai Engert d538ada 
%dir %{catrustdir}/extracted/openssl
Kai Engert d538ada 
%dir %{catrustdir}/extracted/java
a14dcb4 
%dir %{_datadir}/pki
Kai Engert 34f352d 
%dir %{_datadir}/pki/ca-trust-source
Kai Engert 34f352d 
%dir %{_datadir}/pki/ca-trust-source/anchors
Kai Engert 34f352d 
%dir %{_datadir}/pki/ca-trust-source/blacklist
Kai Engert 541d091 
%dir %{_datadir}/pki/ca-trust-legacy
Kai Engert 541d091
Kai Engert 541d091 
%config(noreplace) %{catrustdir}/ca-legacy.conf
Kai Engert d538ada
Kai Engert 9ac574b 
%{_mandir}/man8/update-ca-trust.8.gz
Kai Engert d538ada 
%{_datadir}/pki/ca-trust-source/README
Kai Engert d538ada 
%{catrustdir}/README
Kai Engert d538ada 
%{catrustdir}/extracted/README
Kai Engert d538ada 
%{catrustdir}/extracted/java/README
Kai Engert d538ada 
%{catrustdir}/extracted/openssl/README
Kai Engert d538ada 
%{catrustdir}/extracted/pem/README
Kai Engert d538ada 
%{catrustdir}/source/README
Kai Engert d538ada
Kai Engert d538ada 
# symlinks for old locations
866d688 
%{pkidir}/tls/cert.pem
Kai Engert d538ada 
%{pkidir}/tls/certs/%{classic_tls_bundle}
Kai Engert d538ada 
%{pkidir}/tls/certs/%{trusted_all_bundle}
Kai Engert d538ada 
%{pkidir}/%{java_bundle}
Kai Engert d538ada 
# symlink directory
c9fb114 
%{_sysconfdir}/ssl/certs
Kai Engert d538ada 
# master bundle file with trust
Kai Engert d538ada 
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
Kai Engert 34f352d 
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
Kai Engert 34f352d 
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
Kai Engert 541d091 
%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
Kai Engert 541d091 
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
Kai Engert d538ada 
# update/extract tool
Kai Engert d538ada 
%{_bindir}/update-ca-trust
Kai Engert 541d091 
%{_bindir}/ca-legacy
Kai Engert 541d091 
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
Kai Engert d538ada 
# files extracted files
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/openssl/%{trusted_all_bundle}
Kai Engert d538ada 
%ghost %{catrustdir}/extracted/%{java_bundle}
Kai Engert d538ada
d01a981
d01a981 
%changelog
0114a2f 
* Fri Nov 14 2014 Peter Lemenkov <lemenkov@gmail.com> - 2014.2.1-1.4
d8e353c 
- A proper fix for rhbz#1158343
d8e353c
Kai Engert af71f10 
* Wed Oct 29 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.3
Kai Engert af71f10 
- add Requires: coreutils (rhbz#1158343)
Kai Engert af71f10
Kai Engert 541d091 
* Tue Oct 28 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.2
Kai Engert 541d091 
- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
Kai Engert 541d091 
  By default, legacy roots required for OpenSSL/GnuTLS compatibility
Kai Engert 541d091 
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
Kai Engert 541d091 
  disabled. If disabled, the system will use the trust set as provided
Kai Engert 541d091 
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
Kai Engert 541d091
Kai Engert 36bc5c6 
* Sun Sep 21 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.1
Kai Engert 36bc5c6 
- Temporarily re-enable several legacy root CA certificates because of
Kai Engert 36bc5c6 
  compatibility issues with software based on OpenSSL/GnuTLS,
Kai Engert 36bc5c6 
  see rhbz#1144808
Kai Engert 36bc5c6
Kai Engert 41b7150 
* Thu Aug 14 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-1.0
Kai Engert 41b7150 
- Update to CKBI 2.1 from NSS 3.16.4
Kai Engert 41b7150 
- Fix rhbz#1130226
Kai Engert 41b7150
b0943c5 
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2013.1.97-3
b0943c5 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
b0943c5
Kai Engert f176bca 
* Wed Mar 19 2014 Kai Engert <kaie@redhat.com> - 2013.1.97-2
Kai Engert f176bca 
- Update to CKBI 1.97 from NSS 3.16
Kai Engert f176bca
Kai Engert 4a1396f 
* Mon Feb 10 2014 Kai Engert <kaie@redhat.com> - 2013.1.96-3
Kai Engert 278ac24 
- Remove openjdk build dependency
Kai Engert 278ac24
a14dcb4 
* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 2013.1.96-2
a14dcb4 
- Own the %%{_datadir}/pki dir.
a14dcb4
Kai Engert 5df4185 
* Thu Jan 09 2014 Kai Engert <kaie@redhat.com> - 2013.1.96-1
Kai Engert 5df4185 
- Update to CKBI 1.96 from NSS 3.15.4
Kai Engert 5df4185
Kai Engert 9a4d41a 
* Tue Dec 17 2013 Kai Engert <kaie@redhat.com> - 2013.1.95-1
Kai Engert 9a4d41a 
- Update to CKBI 1.95 from NSS 3.15.3.1
Kai Engert 9a4d41a
Kai Engert 10e748b 
* Fri Sep 06 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-18
Kai Engert 10e748b 
- Update the Entrust root stapled extension for compatibility with
Kai Engert 10e748b 
  p11-kit version 0.19.2, patch by Stef Walter, rhbz#988745
Kai Engert 10e748b
Kai Engert e3e96c2 
* Tue Sep 03 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-17
Kai Engert e3e96c2 
- merge manual improvement from f19
Kai Engert e3e96c2
04d3dc5 
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2013.1.94-16
04d3dc5 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
04d3dc5
Kai Engert 540618e 
* Tue Jul 09 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-15
Kai Engert 540618e 
- clarification updates to manual page
Kai Engert 540618e
Kai Engert 9ac574b 
* Mon Jul 08 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-14
Kai Engert 9ac574b 
- added a manual page and related build requirements
Kai Engert 9ac574b 
- simplify the README files now that we have a manual page
Kai Engert 9ac574b 
- set a certificate alias in trusted bundle (thanks to Ludwig Nussel)
Kai Engert 9ac574b
Kai Engert 6c5dbfb 
* Mon May 27 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-13
Kai Engert 6c5dbfb 
- use correct command in README files, rhbz#961809
Kai Engert 6c5dbfb
Kai Engert 6c5dbfb 
* Mon May 27 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-12
Kai Engert 2dc4526 
- update to version 1.94 provided by NSS 3.15 (beta)
Kai Engert 2dc4526
Kai Engert b2e71a9 
* Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12
Kai Engert b2e71a9 
- Use both label and serial to identify cert during conversion, rhbz#927601
Kai Engert b2e71a9 
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
Kai Engert b2e71a9 
  (thanks to Michael Shuler for suggesting to do so)
Kai Engert b2e71a9 
- Update source URLs and comments, add source file for version information.
Kai Engert b2e71a9
Kai Engert 34f352d 
* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
Kai Engert 34f352d 
- adjust to changed and new functionality provided by p11-kit 0.17.3
Kai Engert 34f352d 
- updated READMEs to describe the new directory-specific treatment of files
Kai Engert 34f352d 
- ship a new file that contains certificates with neutral trust
Kai Engert 34f352d 
- ship a new file that contains distrust objects, and also staple a
Kai Engert 34f352d 
  basic constraint extension to one legacy root contained in the
Kai Engert 34f352d 
  Mozilla CA list
Kai Engert 34f352d 
- adjust the build script to dynamically produce most of above files
Kai Engert 34f352d 
- add and own the anchors and blacklist subdirectories
Kai Engert 34f352d 
- file generate-cacerts.pl is no longer required
Kai Engert 34f352d
Kai Engert d538ada 
* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
Kai Engert d538ada 
- Major rework for the Fedora SharedSystemCertificates feature.
Kai Engert d538ada 
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
Kai Engert d538ada 
- Require the p11-kit package that contains tools to automatically create
Kai Engert d538ada 
  other file format bundles.
Kai Engert d538ada 
- Convert old file locations to symbolic links that point to dynamically
Kai Engert d538ada 
  generated files.
Kai Engert d538ada 
- Old files, which might have been locally modified, will be saved in backup
Kai Engert d538ada 
  files with .rpmsave extension.
Kai Engert d538ada 
- Added a update-ca-certificates script which can be used to regenerate
Kai Engert d538ada 
  the merged trusted output.
Kai Engert d538ada 
- Refer to the various README files that have been added for more detailed
Kai Engert d538ada 
  explanation of the new system.
Kai Engert d538ada 
- No longer require rsc for building.
Kai Engert d538ada 
- Add explanation for the future version numbering scheme,
Kai Engert d538ada 
  because the old numbering scheme was based on upstream using cvs,
Kai Engert d538ada 
  which is no longer true, and therefore can no longer be used.
Kai Engert d538ada 
- Includes changes from rhbz#873369.
Kai Engert d538ada
Kai Engert 0ecb427 
* Thu Mar 07 2013 Kai Engert <kaie@redhat.com> - 2012.87-2.fc19.1
Kai Engert 0ecb427 
- Ship trust bundle file in /usr/share/pki/ca-trust-source/, temporarily in addition.
Kai Engert 0ecb427 
  This location will soon become the only place containing this file.
Kai Engert 0ecb427
dc13997 
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2012.87-2
dc13997 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
dc13997
73800e1 
* Fri Jan 04 2013 Paul Wouters <pwouters@redhat.com> - 2012.87-1
73800e1 
- Updated to r1.87 to blacklist mis-issued turktrust CA certs
73800e1
829cbef 
* Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
829cbef 
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
829cbef 
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
829cbef
b65d8a8 
* Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
b65d8a8 
- update to r1.86
b65d8a8
bc18e50 
* Mon Jul 23 2012 Joe Orton <jorton@redhat.com> - 2012.85-2
bc18e50 
- add openssl to BuildRequires
bc18e50
df639e3 
* Mon Jul 23 2012 Joe Orton <jorton@redhat.com> - 2012.85-1
df639e3 
- update to r1.85
df639e3
816ae11 
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2012.81-2
816ae11 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
816ae11
229976a 
* Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
229976a 
- update to r1.81
229976a
8c27f26 
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
8c27f26 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
8c27f26
229976a 
* Wed Nov  9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
Joe Orton 5968244 
- update to r1.80
Joe Orton 5968244 
- fix handling of certs with dublicate Subject names (#733032)
Joe Orton 5968244
f098063 
* Thu Sep  1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
f098063 
- update to r1.78, removing trust from DigiNotar root (#734679)
f098063
fbef645 
* Wed Aug  3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
fbef645 
- update to r1.75
fbef645
37d25f7 
* Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
37d25f7 
- update to r1.74
37d25f7
9ee01c7 
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
9ee01c7 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
9ee01c7
bf4a1f1 
* Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
bf4a1f1 
- update to r1.70
bf4a1f1
96465e8 
* Tue Nov  9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
96465e8 
- update to r1.65
96465e8
c9fb114 
* Wed Apr  7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
c9fb114 
- package /etc/ssl/certs symlink for third-party apps (#572725)
c9fb114
58bb64f 
* Wed Apr  7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
58bb64f 
- rebuild
58bb64f
b62ba6e 
* Wed Apr  7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
b62ba6e 
- update to certdata.txt r1.63
b62ba6e 
- use upstream RCS version in Version
b62ba6e
dc70b1f 
* Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
dc70b1f 
- fix ca-bundle.crt (#575111)
dc70b1f
708646c 
* Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
708646c 
- update to certdata.txt r1.58
708646c 
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
708646c 
- exclude ECC certs from the Java cacerts database
708646c 
- catch keytool failures
708646c 
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
708646c
56a6866 
* Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
56a6866 
- fix Java cacert database generation: use Subject rather than Issuer
56a6866 
  for alias name; add diagnostics; fix some alias names.
56a6866
5f392b3 
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
5f392b3 
- adopt Python certdata.txt parsing script from Debian
5f392b3
0bfc15e 
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
0bfc15e 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
0bfc15e
5406f40 
* Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
5406f40 
- update to certdata.txt r1.53
5406f40
a42172d 
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
a42172d 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
a42172d
e908127 
* Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
e908127 
- update to certdata.txt r1.49
e908127
Thomas Fitzsimmons 180c47e 
* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
Thomas Fitzsimmons 180c47e 
- Change generate-cacerts.pl to produce pretty aliases.
Thomas Fitzsimmons 180c47e
65c3b04 
* Mon Jun  2 2008 Joe Orton <jorton@redhat.com> 2008-5
65c3b04 
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
65c3b04
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
d01a981 
- use package name for temp dir, recreate it in prep
d01a981
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
d01a981 
- fix source script perms
d01a981 
- mark packaged files as config(noreplace)
d01a981
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
d01a981 
- add (but don't use) mkcabundle.pl
d01a981 
- tweak description
d01a981 
- use /usr/bin/keytool directly; BR java-openjdk
d01a981
d01a981 
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
d01a981 
- Initial build (#448497)
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.