#!/bin/sh
#
# This script fetches the latest released certdata.txt and updates the
# ca-certificates.spec file
#
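# Defaults. baseurl points at the NSS sources of the latest Mozilla release;
# every download made from it goes over HTTPS.
baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
force=0            # 1 = skip the interactive verify check (-f)
skip_signed_obj=0  # 1 = do not run ./fetch_objsign.sh (-s)
release_type="RTM"
release="3_65"

# Print the command-line help on stdout.
usage() {
  echo "usage: $0 [-d] [-t release_type] [-n release] [-f] [-s]"
  echo "-d use the development tip rather than the latest release"
  echo "-t release_type fetch a specific nss release type (default RTM)"
  echo "-n release fetch a specific nss release"
  echo "-f skip the verify check"
  echo "-s skip fetching signed objects"
}

# Option parsing. -t and -n accept their value either attached ("-n3.65") or
# as the following word ("-n 3.65"). Each of them rebuilds baseurl from the
# current release/release_type pair, so they can be given in any order.
while [ -n "$1" ]; do
  case "$1" in
    -d)
      baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
      ;;
    -t*)
      release_type=${1#-t}
      if [ -z "${release_type}" ]; then
        # Value is the next word; refuse to shift past the end of the list.
        if [ "$#" -lt 2 ]; then
          usage
          exit 1
        fi
        shift
        release_type=$1
      fi
      baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
      ;;
    -n*)
      release=${1#-n}
      if [ -z "${release}" ]; then
        if [ "$#" -lt 2 ]; then
          usage
          exit 1
        fi
        shift
        release=$1
      fi
      # NSS tags spell the version with underscores: 3.65 -> 3_65.
      release=$(printf '%s' "${release}" | tr '.' '_')
      baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
      ;;
    -f)
      force=1
      ;;
    -s)
      skip_signed_obj=1
      ;;
    *)
      usage
      exit 1
      ;;
  esac
  shift
done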
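# Values gathered for the update:
#   - the current certdata (CKBI) version number
#   - the NSS version number
#   - the user making the change
#   - the email of that user
#
# The two version numbers are read from the latest NSS code at ${baseurl}.
#
# NOTE(review): both values come from downloaded headers and are only checked
# for being non-empty here, yet they are later written into the spec file's
# Version: line and changelog. Consider validating their format before use.
echo "Getting CKBI version number"
ckbi_version=$(wget "${baseurl}/ckfw/builtins/nssckbi.h" -O - \
  | grep "NSS_BUILTINS_LIBRARY_VERSION " \
  | awk '{print $NF}' \
  | sed -e 's;";;g')
if [ -z "${ckbi_version}" ]; then
  echo "Didn't find ckbi version from ${baseurl}"
  exit 1;
fi

echo "Getting NSS version number"
nss_version=$(wget "${baseurl}/nss/nss.h" -O - \
  | grep "NSS_VERSION" \
  | awk '{print $3}' \
  | sed -e 's;";;g')
if [ -z "${nss_version}" ]; then
  echo "Didn't find nss version from ${baseurl}"
  exit 1;
fi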
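# The changelog date is taken from the system clock of this machine.
echo "Creating change log"
export LANG=C
year=$(date +%Y)
log_date=$(date +"%a %b %d %Y")

# Packager name: $NAME from the environment, then git's user.name, then the
# full name from the passwd database, and finally the bare login name.
username=$(whoami)
name=${NAME}
if [ -z "${name}" ]; then
  name=$(git config user.name)
fi
if [ -z "${name}" ]; then
  # getent prints the whole record (login:pw:uid:gid:gecos:home:shell); only
  # the first comma-separated part of the GECOS field is the person's name.
  name=$(getent passwd "${username}" | cut -d: -f5 | cut -d, -f1)
fi
if [ -z "${name}" ]; then
  name=${username}
fi

# Packager email: $EMAIL, then git's user.email, then login@hostname.
email=${EMAIL}
if [ -z "${email}" ]; then
  email=$(git config user.email)
fi
if [ -z "${email}" ]; then
  email="${username}@$(hostname)"
fi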
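# Spec "Release:" value: rawhide uses >= 2, branches use 1.x.
# Note that ${release} held the NSS release tag during option parsing and is
# reused from here on for the package release.
cwd=$(pwd)
if [ "$(basename "${cwd}")" = rawhide ]; then
  release="2"
else
  release="1.0"
fi
version=${year}.${ckbi_version}

# Make sure the new version is newer than what is already in the spec file.
# "\>" is a plain string comparison, not a numeric version comparison.
# The operands are quoted so that an empty or multi-word value cannot turn the
# test into a syntax error, which would let the script continue unchecked.
current_version=$(grep '^Version:' ca-certificates.spec | awk '{ print $NF }')
if [ "${current_version}" \> "${version}" ] || [ "${current_version}" = "${version}" ]; then
  echo "Can't downgrade current version: ${current_version} new version: ${version}"
  exit 1;
fi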
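# Now get our new certdata.txt.
#
# NOTE(review): certdata.txt defines the trusted root set, and this script
# itself checks no signature or checksum on it: the HTTPS connection to
# hg.mozilla.org is the only integrity protection visible here. With the
# default baseurl the file also comes from a moving "default" ref rather than
# a pinned revision, so the diff should be reviewed before it is committed.
# wget -O overwrites the working copy even when the download fails, hence the
# restore hint below.
echo "Fetching new certdata.txt"
if ! wget "${baseurl}/ckfw/builtins/certdata.txt" -O certdata.txt; then
  echo "fetching certdata.txt from ${baseurl} failed!"
  echo " To restore the old certdata.txt use:"
  echo " git checkout -- certdata.txt"
  exit 1;
fi

if [ "${skip_signed_obj}" -eq 0 ]; then
  # The helper's failure was silently ignored before; keep going as before,
  # but make the failure visible to whoever reviews the update.
  ./fetch_objsign.sh \
    || echo "warning: ./fetch_objsign.sh exited with a non-zero status" 1>&2
fi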
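# Show the pending change and let the user confirm it.
# printf is used instead of "echo -e"/"echo -n": those flags are not portable
# under /bin/sh, and printf does not interpret backslashes in the values.
printf 'Upgrading %s -> %s:\n' "${current_version}" "${version}"
printf '*%s %s <%s> %s-%s\n - Update to CKBI %s from NSS %s\n' \
  "${log_date}" "${name}" "${email}" "${version}" "${release}" \
  "${ckbi_version}" "${nss_version}"
./check_certs.sh
echo ""

# Ask for confirmation unless -f was given. The previous test, [ ! ${force} ],
# was false for both "0" and "1" (it only checks for an empty string), so the
# prompt never appeared and every trust-store update went through unreviewed.
yn=""
if [ "${force}" -eq 0 ]; then
  printf 'Do you want to continue (Y/N default Y)? '
  read -r yn
  echo ""
fi

# An empty answer counts as yes; anything but y/Y/yes/YES aborts.
case "${yn}" in
  "" | y | Y | yes | YES) ;;
  *)
    echo "Skipping ca-certificate.spec upgrade."
    echo " NOTE: certdata.txt has been upgraded."
    echo " To restore the old certdata.txt use:"
    echo " git checkout -- certdata.txt"
    exit 1;
    ;;
esac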
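echo "Updating .spec file"

# Build the new spec in a file created by mktemp next to the original. The
# old fixed name /tmp/ca-certificates.spec.$$ was predictable and lived in a
# world-writable directory, so another local user could pre-create it or
# plant a symlink there. Staying in this directory also keeps the final
# rename on one filesystem.
tmp_spec=$(mktemp ./ca-certificates.spec.XXXXXX) || {
  echo "Could not create a temporary file for the new spec" 1>&2
  exit 1
}
trap 'rm -f -- "${tmp_spec}"' EXIT

# mktemp creates the file with mode 0600; copy the spec's permissions onto it
# so the rename below does not change them. This also fails early when the
# spec file is missing.
cp -p ca-certificates.spec "${tmp_spec}" || exit 1

changelog_entry=$(printf '*%s %s <%s> %s-%s\n - Update to CKBI %s from NSS %s' \
  "${log_date}" "${name}" "${email}" "${version}" "${release}" \
  "${ckbi_version}" "${nss_version}")

# Copy the spec line by line: stdout goes into the new spec, stderr shows the
# replaced and inserted lines to the user. Lines are written with printf so
# that backslashes and glob characters in the spec are preserved verbatim.
while IFS= read -r line || [ -n "${line}" ]; do
  case "${line}" in
    "Version:"[[:space:]]*)
      printf '%s\n' "${line}" 1>&2
      echo "Version: ${version}"
      echo "New Version: ${version}" 1>&2
      ;;
    "Release:"[[:space:]]*)
      printf '%s\n' "${line}" 1>&2
      echo "Release: ${release}%{?dist}"
      echo "New Release: ${release}%{?dist}" 1>&2
      ;;
    "%changelog"*)
      printf '%s\n' "${line}" 1>&2
      printf '%s\n' "${line}"
      # New entry goes directly under %changelog, followed by whatever
      # ./check_certs.sh prints on stdout and a blank separator line.
      printf '%s\n' "${changelog_entry}"
      printf '%s\n' "${changelog_entry}" 1>&2
      ./check_certs.sh
      echo ""
      ;;
    *)
      printf '%s\n' "${line}"
      ;;
  esac
done < ca-certificates.spec > "${tmp_spec}" || {
  echo "Rewriting ca-certificates.spec failed; the original is unchanged" 1>&2
  exit 1
}

mv -- "${tmp_spec}" ca-certificates.spec || exit 1
git status
exit 0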