Sync from SUSE:ALP:Source:Standard:1.0 ca-certificates revision f04083926c404e9f49a0762d9ab1388a

This commit is contained in:
Adrian Schröter 2024-10-14 14:00:33 +02:00
commit eba628c2f2
7 changed files with 520 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

13
_service Normal file
View File

@ -0,0 +1,13 @@
<services>
<service name="obs_scm" mode="manual">
<param name="version">2</param>
<param name="versionformat">2+git%cd.%h</param>
<param name="url">https://github.com/openSUSE/ca-certificates.git</param>
<param name="scm">git</param>
<param name="changesgenerate">enable</param>
<param name="extract">ca-certificates.spec</param>
</service>
<service name="set_version" mode="manual"/>
<service mode="buildtime" name="tar"/>
<service mode="buildtime" name="set_version"/>
</services>

6
_servicedata Normal file
View File

@ -0,0 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">http://github.com/openSUSE/ca-certificates.git</param>
<param name="changesrevision">d16f02666b959e10f5bc64b6ab26b398f388ad0b</param></service><service name="tar_scm">
<param name="url">https://github.com/openSUSE/ca-certificates.git</param>
<param name="changesrevision">2dae8b77c250506dc1bf862351c3a5de89a08e90</param></service></servicedata>

BIN
ca-certificates-2+git20230406.2dae8b7.obscpio (Stored with Git LFS) Normal file

Binary file not shown.

322
ca-certificates.changes Normal file
View File

@ -0,0 +1,322 @@
-------------------------------------------------------------------
Thu Apr 06 08:03:11 UTC 2023 - lnussel@suse.de
- Update to version 2+git20230406.2dae8b7:
* Build in place support
* Fix up argument parsing
* merge spec file into git
-------------------------------------------------------------------
Mon Oct 04 08:21:06 UTC 2021 - lnussel@suse.de
- Update to version 2+git20211004.3efbea9:
* Ensure --root option propagates prefix properly to other scripts
-------------------------------------------------------------------
Fri Jul 23 12:26:17 UTC 2021 - lnussel@suse.de
- Update to version 2+git20210723.27a0476:
* Don't trigger path unit on /usr/share
* Use flock to serialize calls (boo#1188500)
* Add --root <directory> option
-------------------------------------------------------------------
Wed Jun 09 15:03:55 UTC 2021 - lnussel@suse.de
- Update to version 2+git20210609.a4969d7:
* Restore /etc/ssl/ca-bundle.pem if it doesn't exist
* Get rid of ls
* Fix indent inconsistencies
* Create /var/lib/ca-certificates if needed
* Install hooks with correct number
* Remove legacy files
* Remove find from update-ca-certificates
-------------------------------------------------------------------
Thu Mar 18 17:22:38 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- openssl command line tools are no longer required, p11-kit does
the job.
-------------------------------------------------------------------
Tue Mar 09 10:43:52 UTC 2021 - lnussel@suse.de
- Update to version 2+git20210309.8214505:
* Make sure to trigger in transactional mode (boo#1179884)
-------------------------------------------------------------------
Mon Jan 11 10:42:13 UTC 2021 - lnussel@suse.de
- Update to version 2+git20210111.eeae41c:
* Make certbundle.run container friendly
-------------------------------------------------------------------
Fri Oct 02 12:53:48 UTC 2020 - lnussel@suse.de
- Update to version 2+git20201002.34daf7f:
* Use relative symlink for /etc/ssl/certs (boo#1175340)
-------------------------------------------------------------------
Wed Apr 15 09:35:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Remove old migration code, we don't support migration from such
old products anymore.
- Use file requires to support busybox container if possible
-------------------------------------------------------------------
Wed Jan 29 16:58:22 UTC 2020 - lnussel@suse.de
- Update to version 2+git20200129.d1a437d:
* rewrite in bash
* java.run: don't set LANG=en_US
- no longer require openssl, it's all done by p11-kit
-------------------------------------------------------------------
Thu Sep 20 18:23:03 UTC 2018 - Jason Sikes <jsikes@suse.de>
- Changed "openssl" requirement to "openssl(cli)"
* (bsc#1101470)
-------------------------------------------------------------------
Tue Mar 20 13:39:33 CET 2018 - kukuk@suse.de
- Use %license instead of %doc [bsc#1082318]
-------------------------------------------------------------------
Thu Dec 14 17:22:55 CET 2017 - kukuk@suse.de
- Revert last change since we fixed systemd-preset-branding and
this requires is no longer needed.
-------------------------------------------------------------------
Fri Dec 8 07:20:49 UTC 2017 - kukuk@suse.com
- Re-add systemd requires, else package will be installed to early
and services never enabled [bsc#1071776].
-------------------------------------------------------------------
Thu Nov 23 16:03:55 CET 2017 - kukuk@suse.de
- Don't require systemd, since we could be used in environments
like container images, where we don't have systemd. If systemd
is installed the systemd units will be used, else they are not
needed.
-------------------------------------------------------------------
Mon Aug 07 13:58:01 UTC 2017 - lnussel@suse.de
- Update to version 2+git20170807.10b2785:
* Check TRANSACTIONAL_UPDATE is set (boo#1045942)
* Add systemd units
-------------------------------------------------------------------
Mon Jun 19 13:31:02 CEST 2017 - kukuk@suse.de
- Run update-ca-certificate by systemd unit when the content of
one of the paths changes. Needed for read-only root and/or
transactional updates.
-------------------------------------------------------------------
Wed Nov 11 08:18:47 UTC 2015 - lnussel@suse.de
- Update to version 2+git20151110.c15593c:
+ set proper umask (boo#948724)
-------------------------------------------------------------------
Wed Mar 25 08:12:28 UTC 2015 - lnussel@suse.de
- require p11-kit-tools >= 0.23.1
-------------------------------------------------------------------
Tue Mar 24 10:30:21 UTC 2015 - lnussel@suse.de
- Update to version 2+git20150324.e3ee392:
+ p11-kit 0.23.1 supports pem-directory-hash now
- use service file to generate tarball
-------------------------------------------------------------------
Sat Nov 08 04:32:00 UTC 2014 - Led <ledest@gmail.com>
- fix bashism in postun script
-------------------------------------------------------------------
Tue Aug 5 11:09:24 UTC 2014 - lnussel@suse.de
- use rpm -qf to determine if a ssl cert is owned by some other
package and therefore doesn't need to be migrated (related to
bnc#890205).
-------------------------------------------------------------------
Mon Aug 4 15:35:27 UTC 2014 - lnussel@suse.de
- add p11 kit header to set label of migrated certificates to the
file name of the previous one (bnc#890205)
-------------------------------------------------------------------
Wed Jul 30 11:45:54 UTC 2014 - lnussel@suse.de
- removed the version in the Obsoletes. The package in SLE11 got
version updated (bnc#887099).
-------------------------------------------------------------------
Thu Jul 17 09:51:16 UTC 2014 - meissner@suse.com
- clarify the start order of the generators, as certbundle.run
semi-depends on etc_ssl.run via a timestamp. (bnc#883386)
-------------------------------------------------------------------
Mon Jun 23 15:24:13 UTC 2014 - lnussel@suse.de
- fix directory permissions for real this time (bnc#871639)
-------------------------------------------------------------------
Wed Jun 4 11:10:24 UTC 2014 - lnussel@suse.de
- don't keep certificates with marker (bnc#875647)
-------------------------------------------------------------------
Thu May 8 15:41:43 UTC 2014 - lnussel@suse.de
- copy custom pem files in /etc/ssl/certs to /etc/pki/anchors on
update (bnc#875647)
-------------------------------------------------------------------
Mon Apr 7 15:07:44 UTC 2014 - lnussel@suse.de
- Fix typo in man page
-------------------------------------------------------------------
Fri Apr 4 11:38:17 UTC 2014 - lnussel@suse.de
- package correct permissions of generated directories (bnc#871639)
-------------------------------------------------------------------
Fri Dec 6 09:16:11 UTC 2013 - lnussel@suse.de
- etc_ssl.run: fix typo
- turn /etc/ssl/certs into a symlink to /var/lib/ca-certificates/pem
-------------------------------------------------------------------
Wed Oct 16 15:11:26 UTC 2013 - lnussel@suse.de
- fix typo in README (bnc#845500)
- remove old extractcerts.pl
-------------------------------------------------------------------
Tue Aug 27 12:53:44 UTC 2013 - lnussel@suse.de
- re-enable the CA bundle again for glib-networking (bnc#825903)
-------------------------------------------------------------------
Tue Aug 27 07:11:04 UTC 2013 - lnussel@suse.de
- make sure we have p11-kit >= 0.19.3 which has the 'trust' command
(bnc#836560)
-------------------------------------------------------------------
Mon Aug 5 11:24:04 UTC 2013 - lnussel@suse.de
- don't remove symlinks to other locations in /etc/ssl/certs
- use the trust binary instead of p11-kit to extract trust
-------------------------------------------------------------------
Thu Jun 27 16:17:51 UTC 2013 - lnussel@suse.de
- disable generating ca-bundle for now again so people don't submit
new packages that use this file.
-------------------------------------------------------------------
Mon Jun 24 21:09:16 UTC 2013 - hrvoje.senjan@gmail.com
- Explicitly require p11-kit, otherwise trusted certificates won't
be generated
-------------------------------------------------------------------
Mon Jun 24 12:46:30 UTC 2013 - lnussel@suse.de
- update manpage
-------------------------------------------------------------------
Thu Jun 20 09:15:52 UTC 2013 - lnussel@suse.de
- use p11-kit to generate the files
-------------------------------------------------------------------
Fri May 4 11:55:14 UTC 2012 - lnussel@suse.de
- give hint about SSL_CTX_set_default_verify_paths in cert bundle
-------------------------------------------------------------------
Mon Oct 24 11:57:53 UTC 2011 - coolo@suse.com
- require coreutils for %post script
-------------------------------------------------------------------
Mon Jun 20 12:49:52 UTC 2011 - lnussel@suse.de
- fix spurious rpm warning if no java exists (bnc#634793)
- move java.run to java-ca-certificates
-------------------------------------------------------------------
Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de
- catch FileNotFoundException (bnc#623365)
-------------------------------------------------------------------
Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz
* Use the gcc-java and fastjar for build to avoid dependency problems
* build keystore.class only to allow noarch package
-------------------------------------------------------------------
Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de
- create java bundles
-------------------------------------------------------------------
Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de
- also use hooks from /usr/lib/ca-certificates/update.d
- replace bundle file with symlink to file in /var as it's auto
generated
-------------------------------------------------------------------
Wed Apr 21 13:20:07 UTC 2010 - lnussel@suse.de
- force rebuilding all certificate stores in %post
This also makes sure we update the hash links in /etc/ssl/certs
as openssl changed the hash format between 0.9.8 and 1.0
-------------------------------------------------------------------
Thu Apr 8 13:16:43 UTC 2010 - lnussel@suse.de
- actually install certbundle.run (bnc#594501)
-------------------------------------------------------------------
Thu Apr 8 09:15:28 UTC 2010 - lnussel@suse.de
- it's ca-bundle.pem rather than cert.pem
-------------------------------------------------------------------
Thu Apr 8 07:51:25 UTC 2010 - lnussel@suse.de
- obsolete openssl-certs (bnc#594434)
- update manpage (bnc#594501)
-------------------------------------------------------------------
Thu Apr 1 13:00:37 UTC 2010 - lnussel@suse.de
- include /etc/ca-certificates.conf as %ghost
-------------------------------------------------------------------
Fri Mar 26 15:26:01 UTC 2010 - lnussel@suse.de
- generate ca-bundle with hook script
- don't use trusted certificates in ca-bundle file for compatibility
with gnutls
-------------------------------------------------------------------
Wed Mar 24 10:31:47 UTC 2010 - lnussel@suse.de
- new package

4
ca-certificates.obsinfo Normal file
View File

@ -0,0 +1,4 @@
name: ca-certificates
version: 2+git20230406.2dae8b7
mtime: 1680768174
commit: 2dae8b77c250506dc1bf862351c3a5de89a08e90

149
ca-certificates.spec Normal file
View File

@ -0,0 +1,149 @@
#
# spec file for package ca-certificates
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?_build_in_place}
%define git_version %(git log '-n1' '--date=format:%Y%m%d' '--no-show-signature' "--pretty=format:+git%cd.%h")
BuildRequires: git-core
%else
# this is required for obs' source validator. It's
# 20-files-present-and-referenced ignores all conditionals. So the
# definition of git_version actually happens always.
%define git_version %{nil}
%endif
# the ca bundle file was meant as compat option for e.g.
# proprietary packages. It's not meant to be used at all.
# unfortunately glib-networking has such a complicated abstraction
# on top of gnutls that we have to live with the bundle for now
%bcond_without cabundle
BuildRequires: p11-kit-devel
Name: ca-certificates
%define ssletcdir %{_sysconfdir}/ssl
%define cabundle /var/lib/ca-certificates/ca-bundle.pem
%define sslcerts %{ssletcdir}/certs
Version: 2+git20230406.2dae8b7%{git_version}
Release: 0
Summary: Utilities for system wide CA certificate installation
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Source0: ca-certificates-%{version}.tar
BuildRoot: %{_tmppath}/%{name}-%{version}-build
URL: https://github.com/openSUSE/ca-certificates
#
Requires: /usr/bin/readlink
Requires: p11-kit
Requires: p11-kit-tools >= 0.23.1
# needed for post
Requires(post): p11-kit-tools /usr/bin/readlink
Recommends: ca-certificates-mozilla
# no need for a separate Java package anymore. The bundle is
# created by C code.
Obsoletes: java-ca-certificates = 1
Provides: java-ca-certificates = %version-%release
BuildArch: noarch
%description
Update-ca-certificates is intended to keep the certificate stores of
SSL libraries like OpenSSL or GnuTLS in sync with the system's CA
certificate store that is managed by p11-kit.
%prep
%setup -q
%build
%install
%if %{without cabundle}
rm -f certbundle.run
%endif
%make_install
ln -s service %{buildroot}%{_sbindir}/rcca-certificates
install -d -m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist}
install -d -m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist}
install -d -m 755 %{buildroot}%{ssletcdir}
install -d -m 755 %{buildroot}/etc/ca-certificates/update.d
install -d -m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d
install -d -m 555 %{buildroot}/var/lib/ca-certificates/pem
install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl
install -d -m 755 %{buildroot}/%{_prefix}/lib/systemd/system
ln -s ../../var/lib/ca-certificates/pem %{buildroot}%{sslcerts}
%if %{with cabundle}
install -D -m 444 /dev/null %{buildroot}/%{cabundle}
ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
%endif
install -D -m 444 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
%pre
%service_add_pre ca-certificates.path ca-certificates.service
%post
# force rebuilding all certificate stores.
update-ca-certificates -f || true
%service_add_post ca-certificates.path ca-certificates.service
%preun
%service_del_preun ca-certificates.path ca-certificates.service
%postun
if [ "$1" -eq 0 ]; then
rm -rf /var/lib/ca-certificates/pem /var/lib/ca-certificates/openssl
fi
%service_del_postun ca-certificates.path ca-certificates.service
%clean
rm -rf %{buildroot}
%files
%defattr(-, root, root)
%license COPYING
%doc README
%dir %{pkidir_cfg}
%dir %{trustdir_cfg}
%dir %{trustdir_cfg}/anchors
%dir %{trustdir_cfg}/blacklist
%dir %{pkidir_static}
%dir %{trustdir_static}
%dir %{trustdir_static}/anchors
%dir %{trustdir_static}/blacklist
%dir %ssletcdir
%sslcerts
%ghost /var/lib/ca-certificates/java-cacerts
%dir /etc/ca-certificates
%dir /etc/ca-certificates/update.d
%dir %{_prefix}/lib/ca-certificates
%dir %{_prefix}/lib/ca-certificates/update.d
%{_prefix}/lib/systemd/system/*
%dir /var/lib/ca-certificates
%dir /var/lib/ca-certificates/pem
%dir /var/lib/ca-certificates/openssl
%{_sbindir}/rcca-certificates
%{_sbindir}/update-ca-certificates
%{_mandir}/man8/update-ca-certificates.8*
%{_prefix}/lib/ca-certificates/update.d/*java.run
%{_prefix}/lib/ca-certificates/update.d/*etc_ssl.run
%{_prefix}/lib/ca-certificates/update.d/*openssl.run
#
%if %{with cabundle}
%{ssletcdir}/ca-bundle.pem
%ghost %{cabundle}
%{_prefix}/lib/ca-certificates/update.d/*certbundle.run
%endif
%changelog