Sync from SUSE:SLFO:Main ca-certificates revision f04083926c404e9f49a0762d9ab1388a

2024-05-03 11:28:17 +02:00 · 2024-05-03 11:28:17 +02:00 · 7da58eac4a
commit 7da58eac4a
7 changed files with 520 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/13
+++ b/13
@ -0,0 +1,13 @@
+<services>
+  <service name="obs_scm" mode="manual">
+    <param name="version">2</param>
+    <param name="versionformat">2+git%cd.%h</param>
+    <param name="url">https://github.com/openSUSE/ca-certificates.git</param>
+    <param name="scm">git</param>
+    <param name="changesgenerate">enable</param>
+    <param name="extract">ca-certificates.spec</param>
+  </service>
+  <service name="set_version" mode="manual"/>
+  <service mode="buildtime" name="tar"/>
+  <service mode="buildtime" name="set_version"/>
+</services>
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+<servicedata>
+<service name="tar_scm">
+            <param name="url">http://github.com/openSUSE/ca-certificates.git</param>
+          <param name="changesrevision">d16f02666b959e10f5bc64b6ab26b398f388ad0b</param></service><service name="tar_scm">
+                <param name="url">https://github.com/openSUSE/ca-certificates.git</param>
+              <param name="changesrevision">2dae8b77c250506dc1bf862351c3a5de89a08e90</param></service></servicedata>
--- a/ca-certificates-2+git20230406.2dae8b7.obscpio
+++ b/ca-certificates-2+git20230406.2dae8b7.obscpio
--- a/ca-certificates.changes
+++ b/ca-certificates.changes
@ -0,0 +1,322 @@
+-------------------------------------------------------------------
+Thu Apr 06 08:03:11 UTC 2023 - lnussel@suse.de
+
+- Update to version 2+git20230406.2dae8b7:
+  * Build in place support
+  * Fix up argument parsing
+  * merge spec file into git
+
+-------------------------------------------------------------------
+Mon Oct 04 08:21:06 UTC 2021 - lnussel@suse.de
+
+- Update to version 2+git20211004.3efbea9:
+  * Ensure --root option propagates prefix properly to other scripts
+
+-------------------------------------------------------------------
+Fri Jul 23 12:26:17 UTC 2021 - lnussel@suse.de
+
+- Update to version 2+git20210723.27a0476:
+  * Don't trigger path unit on /usr/share
+  * Use flock to serialize calls (boo#1188500)
+  * Add --root <directory> option
+
+-------------------------------------------------------------------
+Wed Jun 09 15:03:55 UTC 2021 - lnussel@suse.de
+
+- Update to version 2+git20210609.a4969d7:
+  * Restore /etc/ssl/ca-bundle.pem if it doesn't exist
+  * Get rid of ls
+  * Fix indent inconsistencies
+  * Create /var/lib/ca-certificates if needed
+  * Install hooks with correct number
+  * Remove legacy files
+  * Remove find from update-ca-certificates
+
+-------------------------------------------------------------------
+Thu Mar 18 17:22:38 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- openssl command line tools are no longer required, p11-kit does
+  the job.
+
+-------------------------------------------------------------------
+Tue Mar 09 10:43:52 UTC 2021 - lnussel@suse.de
+
+- Update to version 2+git20210309.8214505:
+  * Make sure to trigger in transactional mode (boo#1179884)
+
+-------------------------------------------------------------------
+Mon Jan 11 10:42:13 UTC 2021 - lnussel@suse.de
+
+- Update to version 2+git20210111.eeae41c:
+  * Make certbundle.run container friendly
+
+-------------------------------------------------------------------
+Fri Oct 02 12:53:48 UTC 2020 - lnussel@suse.de
+
+- Update to version 2+git20201002.34daf7f:
+  * Use relative symlink for /etc/ssl/certs (boo#1175340)
+
+-------------------------------------------------------------------
+Wed Apr 15 09:35:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Remove old migration code, we don't support migration from such
+  old products anymore.
+- Use file requires to support busybox container if possible
+
+-------------------------------------------------------------------
+Wed Jan 29 16:58:22 UTC 2020 - lnussel@suse.de
+
+- Update to version 2+git20200129.d1a437d:
+  * rewrite in bash
+  * java.run: don't set LANG=en_US
+- no longer require openssl, it's all done by p11-kit
+
+-------------------------------------------------------------------
+Thu Sep 20 18:23:03 UTC 2018 - Jason Sikes <jsikes@suse.de>
+
+- Changed "openssl" requirement to "openssl(cli)"
+  * (bsc#1101470)
+
+-------------------------------------------------------------------
+Tue Mar 20 13:39:33 CET 2018 - kukuk@suse.de
+
+- Use %license instead of %doc [bsc#1082318]
+
+-------------------------------------------------------------------
+Thu Dec 14 17:22:55 CET 2017 - kukuk@suse.de
+
+- Revert last change since we fixed systemd-preset-branding and
+  this requires is no longer needed.
+
+-------------------------------------------------------------------
+Fri Dec  8 07:20:49 UTC 2017 - kukuk@suse.com
+
+- Re-add systemd requires, else package will be installed to early
+  and services never enabled [bsc#1071776].
+
+-------------------------------------------------------------------
+Thu Nov 23 16:03:55 CET 2017 - kukuk@suse.de
+
+- Don't require systemd, since we could be used in environments
+  like container images, where we don't have systemd. If systemd
+  is installed the systemd units will be used, else they are not
+  needed.
+
+-------------------------------------------------------------------
+Mon Aug 07 13:58:01 UTC 2017 - lnussel@suse.de
+
+- Update to version 2+git20170807.10b2785:
+  * Check TRANSACTIONAL_UPDATE is set (boo#1045942)
+  * Add systemd units
+
+-------------------------------------------------------------------
+Mon Jun 19 13:31:02 CEST 2017 - kukuk@suse.de
+
+- Run update-ca-certificate by systemd unit when the content of
+  one of the paths changes. Needed for read-only root and/or
+  transactional updates.
+
+-------------------------------------------------------------------
+Wed Nov 11 08:18:47 UTC 2015 - lnussel@suse.de
+
+- Update to version 2+git20151110.c15593c:
+  + set proper umask (boo#948724)
+
+-------------------------------------------------------------------
+Wed Mar 25 08:12:28 UTC 2015 - lnussel@suse.de
+
+- require p11-kit-tools >= 0.23.1
+
+-------------------------------------------------------------------
+Tue Mar 24 10:30:21 UTC 2015 - lnussel@suse.de
+
+- Update to version 2+git20150324.e3ee392:
+  + p11-kit 0.23.1 supports pem-directory-hash now
+- use service file to generate tarball
+
+-------------------------------------------------------------------
+Sat Nov 08 04:32:00 UTC 2014 - Led <ledest@gmail.com>
+
+- fix bashism in postun script
+
+-------------------------------------------------------------------
+Tue Aug  5 11:09:24 UTC 2014 - lnussel@suse.de
+
+- use rpm -qf to determine if a ssl cert is owned by some other
+  package and therefore doesn't need to be migrated (related to
+  bnc#890205).
+
+-------------------------------------------------------------------
+Mon Aug  4 15:35:27 UTC 2014 - lnussel@suse.de
+
+- add p11 kit header to set label of migrated certificates to the
+  file name of the previous one (bnc#890205)
+
+-------------------------------------------------------------------
+Wed Jul 30 11:45:54 UTC 2014 - lnussel@suse.de
+
+- removed the version in the Obsoletes. The package in SLE11 got
+  version updated (bnc#887099).
+
+-------------------------------------------------------------------
+Thu Jul 17 09:51:16 UTC 2014 - meissner@suse.com
+
+- clarify the start order of the generators, as certbundle.run 
+  semi-depends on etc_ssl.run via a timestamp. (bnc#883386)
+
+-------------------------------------------------------------------
+Mon Jun 23 15:24:13 UTC 2014 - lnussel@suse.de
+
+- fix directory permissions for real this time (bnc#871639)
+
+-------------------------------------------------------------------
+Wed Jun  4 11:10:24 UTC 2014 - lnussel@suse.de
+
+- don't keep certificates with marker (bnc#875647)
+
+-------------------------------------------------------------------
+Thu May  8 15:41:43 UTC 2014 - lnussel@suse.de
+
+- copy custom pem files in /etc/ssl/certs to /etc/pki/anchors on
+  update (bnc#875647)
+
+-------------------------------------------------------------------
+Mon Apr  7 15:07:44 UTC 2014 - lnussel@suse.de
+
+- Fix typo in man page
+
+-------------------------------------------------------------------
+Fri Apr  4 11:38:17 UTC 2014 - lnussel@suse.de
+
+- package correct permissions of generated  directories (bnc#871639)
+
+-------------------------------------------------------------------
+Fri Dec  6 09:16:11 UTC 2013 - lnussel@suse.de
+
+- etc_ssl.run: fix typo
+- turn /etc/ssl/certs into a symlink to /var/lib/ca-certificates/pem
+
+-------------------------------------------------------------------
+Wed Oct 16 15:11:26 UTC 2013 - lnussel@suse.de
+
+- fix typo in README (bnc#845500)
+- remove old extractcerts.pl
+
+-------------------------------------------------------------------
+Tue Aug 27 12:53:44 UTC 2013 - lnussel@suse.de
+
+- re-enable the CA bundle again for glib-networking (bnc#825903)
+
+-------------------------------------------------------------------
+Tue Aug 27 07:11:04 UTC 2013 - lnussel@suse.de
+
+- make sure we have p11-kit >= 0.19.3 which has the 'trust' command
+  (bnc#836560)
+
+-------------------------------------------------------------------
+Mon Aug  5 11:24:04 UTC 2013 - lnussel@suse.de
+
+- don't remove symlinks to other locations in /etc/ssl/certs
+- use the trust binary instead of p11-kit to extract trust
+
+-------------------------------------------------------------------
+Thu Jun 27 16:17:51 UTC 2013 - lnussel@suse.de
+
+- disable generating ca-bundle for now again so people don't submit
+  new packages that use this file.
+
+-------------------------------------------------------------------
+Mon Jun 24 21:09:16 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Explicitly require p11-kit, otherwise trusted certificates won't
+  be generated
+
+-------------------------------------------------------------------
+Mon Jun 24 12:46:30 UTC 2013 - lnussel@suse.de
+
+- update manpage
+
+-------------------------------------------------------------------
+Thu Jun 20 09:15:52 UTC 2013 - lnussel@suse.de
+
+- use p11-kit to generate the files
+
+-------------------------------------------------------------------
+Fri May  4 11:55:14 UTC 2012 - lnussel@suse.de
+
+- give hint about SSL_CTX_set_default_verify_paths in cert bundle
+
+-------------------------------------------------------------------
+Mon Oct 24 11:57:53 UTC 2011 - coolo@suse.com
+
+- require coreutils for %post script
+
+-------------------------------------------------------------------
+Mon Jun 20 12:49:52 UTC 2011 - lnussel@suse.de
+
+- fix spurious rpm warning if no java exists (bnc#634793)
+- move java.run to java-ca-certificates
+
+-------------------------------------------------------------------
+Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de
+
+- catch FileNotFoundException (bnc#623365)
+
+-------------------------------------------------------------------
+Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz
+
+* Use the gcc-java and fastjar for build to avoid dependency problems
+* build keystore.class only to allow noarch package
+
+-------------------------------------------------------------------
+Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de
+
+- create java bundles
+
+-------------------------------------------------------------------
+Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de
+
+- also use hooks from /usr/lib/ca-certificates/update.d
+- replace bundle file with symlink to file in /var as it's auto
+  generated
+
+-------------------------------------------------------------------
+Wed Apr 21 13:20:07 UTC 2010 - lnussel@suse.de
+
+- force rebuilding all certificate stores in %post
+  This also makes sure we update the hash links in /etc/ssl/certs
+  as openssl changed the hash format between 0.9.8 and 1.0
+
+-------------------------------------------------------------------
+Thu Apr  8 13:16:43 UTC 2010 - lnussel@suse.de
+
+- actually install certbundle.run (bnc#594501)
+
+-------------------------------------------------------------------
+Thu Apr  8 09:15:28 UTC 2010 - lnussel@suse.de
+
+- it's ca-bundle.pem rather than cert.pem
+
+-------------------------------------------------------------------
+Thu Apr  8 07:51:25 UTC 2010 - lnussel@suse.de
+
+- obsolete openssl-certs (bnc#594434) 
+- update manpage (bnc#594501)
+
+-------------------------------------------------------------------
+Thu Apr  1 13:00:37 UTC 2010 - lnussel@suse.de
+
+- include /etc/ca-certificates.conf as %ghost
+
+-------------------------------------------------------------------
+Fri Mar 26 15:26:01 UTC 2010 - lnussel@suse.de
+
+- generate ca-bundle with hook script
+- don't use trusted certificates in ca-bundle file for compatibility
+  with gnutls
+
+-------------------------------------------------------------------
+Wed Mar 24 10:31:47 UTC 2010 - lnussel@suse.de
+
+- new package
+
--- a/ca-certificates.obsinfo
+++ b/ca-certificates.obsinfo
@ -0,0 +1,4 @@
+name: ca-certificates
+version: 2+git20230406.2dae8b7
+mtime: 1680768174
+commit: 2dae8b77c250506dc1bf862351c3a5de89a08e90
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -0,0 +1,149 @@
+#
+# spec file for package ca-certificates
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?_build_in_place}
+%define git_version %(git log '-n1' '--date=format:%Y%m%d' '--no-show-signature' "--pretty=format:+git%cd.%h")
+BuildRequires:  git-core
+%else
+# this is required for obs' source validator. It's
+# 20-files-present-and-referenced ignores all conditionals. So the
+# definition of git_version actually happens always.
+%define git_version %{nil}
+%endif
+
+# the ca bundle file was meant as compat option for e.g.
+# proprietary packages. It's not meant to be used at all.
+# unfortunately glib-networking has such a complicated abstraction
+# on top of gnutls that we have to live with the bundle for now
+%bcond_without cabundle
+
+BuildRequires:  p11-kit-devel
+
+Name:           ca-certificates
+%define ssletcdir %{_sysconfdir}/ssl
+%define cabundle  /var/lib/ca-certificates/ca-bundle.pem
+%define sslcerts  %{ssletcdir}/certs
+Version:        2+git20230406.2dae8b7%{git_version}
+Release:        0
+Summary:        Utilities for system wide CA certificate installation
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+Source0:        ca-certificates-%{version}.tar
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+URL:            https://github.com/openSUSE/ca-certificates
+#
+Requires:       /usr/bin/readlink
+Requires:       p11-kit
+Requires:       p11-kit-tools >= 0.23.1
+# needed for post
+Requires(post): p11-kit-tools /usr/bin/readlink
+Recommends:     ca-certificates-mozilla
+# no need for a separate Java package anymore. The bundle is
+# created by C code.
+Obsoletes:      java-ca-certificates = 1
+Provides:       java-ca-certificates = %version-%release
+BuildArch:      noarch
+
+%description
+Update-ca-certificates is intended to keep the certificate stores of
+SSL libraries like OpenSSL or GnuTLS in sync with the system's CA
+certificate store that is managed by p11-kit.
+
+%prep
+%setup -q
+
+%build
+
+%install
+%if %{without cabundle}
+rm -f certbundle.run
+%endif
+%make_install
+ln -s service %{buildroot}%{_sbindir}/rcca-certificates
+install -d -m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist}
+install -d -m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist}
+install -d -m 755 %{buildroot}%{ssletcdir}
+install -d -m 755 %{buildroot}/etc/ca-certificates/update.d
+install -d -m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d
+install -d -m 555 %{buildroot}/var/lib/ca-certificates/pem
+install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl
+install -d -m 755 %{buildroot}/%{_prefix}/lib/systemd/system
+ln -s ../../var/lib/ca-certificates/pem %{buildroot}%{sslcerts}
+%if %{with cabundle}
+install -D -m 444 /dev/null %{buildroot}/%{cabundle}
+ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
+%endif
+install -D -m 444 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
+
+%pre
+%service_add_pre ca-certificates.path ca-certificates.service
+
+%post
+# force rebuilding all certificate stores.
+update-ca-certificates -f || true
+%service_add_post ca-certificates.path ca-certificates.service
+
+%preun
+%service_del_preun ca-certificates.path ca-certificates.service
+
+%postun
+if [ "$1" -eq 0 ]; then
+	rm -rf /var/lib/ca-certificates/pem /var/lib/ca-certificates/openssl
+fi
+%service_del_postun ca-certificates.path ca-certificates.service
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-, root, root)
+%license COPYING
+%doc README
+%dir %{pkidir_cfg}
+%dir %{trustdir_cfg}
+%dir %{trustdir_cfg}/anchors
+%dir %{trustdir_cfg}/blacklist
+%dir %{pkidir_static}
+%dir %{trustdir_static}
+%dir %{trustdir_static}/anchors
+%dir %{trustdir_static}/blacklist
+%dir %ssletcdir
+%sslcerts
+%ghost /var/lib/ca-certificates/java-cacerts
+%dir /etc/ca-certificates
+%dir /etc/ca-certificates/update.d
+%dir %{_prefix}/lib/ca-certificates
+%dir %{_prefix}/lib/ca-certificates/update.d
+%{_prefix}/lib/systemd/system/*
+%dir /var/lib/ca-certificates
+%dir /var/lib/ca-certificates/pem
+%dir /var/lib/ca-certificates/openssl
+%{_sbindir}/rcca-certificates
+%{_sbindir}/update-ca-certificates
+%{_mandir}/man8/update-ca-certificates.8*
+%{_prefix}/lib/ca-certificates/update.d/*java.run
+%{_prefix}/lib/ca-certificates/update.d/*etc_ssl.run
+%{_prefix}/lib/ca-certificates/update.d/*openssl.run
+#
+%if %{with cabundle}
+%{ssletcdir}/ca-bundle.pem
+%ghost %{cabundle}
+%{_prefix}/lib/ca-certificates/update.d/*certbundle.run
+%endif
+
+%changelog