From 7da58eac4a96de3e7840ab989d0b23db48ebe81e8b24151ce3d535dcfa8ed462 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 3 May 2024 11:28:17 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main ca-certificates revision f04083926c404e9f49a0762d9ab1388a --- .gitattributes | 23 ++ _service | 13 + _servicedata | 6 + ca-certificates-2+git20230406.2dae8b7.obscpio | 3 + ca-certificates.changes | 322 ++++++++++++++++++ ca-certificates.obsinfo | 4 + ca-certificates.spec | 149 ++++++++ 7 files changed, 520 insertions(+) create mode 100644 .gitattributes create mode 100644 _service create mode 100644 _servicedata create mode 100644 ca-certificates-2+git20230406.2dae8b7.obscpio create mode 100644 ca-certificates.changes create mode 100644 ca-certificates.obsinfo create mode 100644 ca-certificates.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/_service b/_service new file mode 100644 index 0000000..7e719f2 --- /dev/null +++ b/_service @@ -0,0 +1,13 @@ + + + 2 + 2+git%cd.%h + https://github.com/openSUSE/ca-certificates.git + git + enable + ca-certificates.spec + + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..77a3261 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + http://github.com/openSUSE/ca-certificates.git + d16f02666b959e10f5bc64b6ab26b398f388ad0b + https://github.com/openSUSE/ca-certificates.git + 2dae8b77c250506dc1bf862351c3a5de89a08e90 \ No newline at end of file diff --git a/ca-certificates-2+git20230406.2dae8b7.obscpio b/ca-certificates-2+git20230406.2dae8b7.obscpio new file mode 100644 index 0000000..1d8f5d0 --- /dev/null +++ b/ca-certificates-2+git20230406.2dae8b7.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:761342aa25abae051436108d8db5c7d810759bed1c8a43b8f50eecde268c8c7e +size 75787 diff --git a/ca-certificates.changes b/ca-certificates.changes new file mode 100644 index 0000000..c37564f --- /dev/null +++ b/ca-certificates.changes @@ -0,0 +1,322 @@ +------------------------------------------------------------------- +Thu Apr 06 08:03:11 UTC 2023 - lnussel@suse.de + +- Update to version 2+git20230406.2dae8b7: + * Build in place support + * Fix up argument parsing + * merge spec file into git + +------------------------------------------------------------------- +Mon Oct 04 08:21:06 UTC 2021 - lnussel@suse.de + +- Update to version 2+git20211004.3efbea9: + * Ensure --root option propagates prefix properly to other scripts + +------------------------------------------------------------------- +Fri Jul 23 12:26:17 UTC 2021 - lnussel@suse.de + +- Update to version 2+git20210723.27a0476: + * Don't trigger path unit on /usr/share + * Use flock to serialize calls (boo#1188500) + * Add --root option + +------------------------------------------------------------------- +Wed Jun 09 15:03:55 UTC 2021 - lnussel@suse.de + +- Update to version 2+git20210609.a4969d7: + * Restore /etc/ssl/ca-bundle.pem if it doesn't exist + * Get rid of ls + * Fix indent inconsistencies + * Create /var/lib/ca-certificates if needed + * Install hooks with correct number + * Remove legacy files + * Remove find from update-ca-certificates + +------------------------------------------------------------------- +Thu Mar 18 17:22:38 UTC 2021 - Ludwig Nussel + +- openssl command line tools are no longer required, p11-kit does + the job. + +------------------------------------------------------------------- +Tue Mar 09 10:43:52 UTC 2021 - lnussel@suse.de + +- Update to version 2+git20210309.8214505: + * Make sure to trigger in transactional mode (boo#1179884) + +------------------------------------------------------------------- +Mon Jan 11 10:42:13 UTC 2021 - lnussel@suse.de + +- Update to version 2+git20210111.eeae41c: + * Make certbundle.run container friendly + +------------------------------------------------------------------- +Fri Oct 02 12:53:48 UTC 2020 - lnussel@suse.de + +- Update to version 2+git20201002.34daf7f: + * Use relative symlink for /etc/ssl/certs (boo#1175340) + +------------------------------------------------------------------- +Wed Apr 15 09:35:06 UTC 2020 - Thorsten Kukuk + +- Remove old migration code, we don't support migration from such + old products anymore. +- Use file requires to support busybox container if possible + +------------------------------------------------------------------- +Wed Jan 29 16:58:22 UTC 2020 - lnussel@suse.de + +- Update to version 2+git20200129.d1a437d: + * rewrite in bash + * java.run: don't set LANG=en_US +- no longer require openssl, it's all done by p11-kit + +------------------------------------------------------------------- +Thu Sep 20 18:23:03 UTC 2018 - Jason Sikes + +- Changed "openssl" requirement to "openssl(cli)" + * (bsc#1101470) + +------------------------------------------------------------------- +Tue Mar 20 13:39:33 CET 2018 - kukuk@suse.de + +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Thu Dec 14 17:22:55 CET 2017 - kukuk@suse.de + +- Revert last change since we fixed systemd-preset-branding and + this requires is no longer needed. + +------------------------------------------------------------------- +Fri Dec 8 07:20:49 UTC 2017 - kukuk@suse.com + +- Re-add systemd requires, else package will be installed to early + and services never enabled [bsc#1071776]. + +------------------------------------------------------------------- +Thu Nov 23 16:03:55 CET 2017 - kukuk@suse.de + +- Don't require systemd, since we could be used in environments + like container images, where we don't have systemd. If systemd + is installed the systemd units will be used, else they are not + needed. + +------------------------------------------------------------------- +Mon Aug 07 13:58:01 UTC 2017 - lnussel@suse.de + +- Update to version 2+git20170807.10b2785: + * Check TRANSACTIONAL_UPDATE is set (boo#1045942) + * Add systemd units + +------------------------------------------------------------------- +Mon Jun 19 13:31:02 CEST 2017 - kukuk@suse.de + +- Run update-ca-certificate by systemd unit when the content of + one of the paths changes. Needed for read-only root and/or + transactional updates. + +------------------------------------------------------------------- +Wed Nov 11 08:18:47 UTC 2015 - lnussel@suse.de + +- Update to version 2+git20151110.c15593c: + + set proper umask (boo#948724) + +------------------------------------------------------------------- +Wed Mar 25 08:12:28 UTC 2015 - lnussel@suse.de + +- require p11-kit-tools >= 0.23.1 + +------------------------------------------------------------------- +Tue Mar 24 10:30:21 UTC 2015 - lnussel@suse.de + +- Update to version 2+git20150324.e3ee392: + + p11-kit 0.23.1 supports pem-directory-hash now +- use service file to generate tarball + +------------------------------------------------------------------- +Sat Nov 08 04:32:00 UTC 2014 - Led + +- fix bashism in postun script + +------------------------------------------------------------------- +Tue Aug 5 11:09:24 UTC 2014 - lnussel@suse.de + +- use rpm -qf to determine if a ssl cert is owned by some other + package and therefore doesn't need to be migrated (related to + bnc#890205). + +------------------------------------------------------------------- +Mon Aug 4 15:35:27 UTC 2014 - lnussel@suse.de + +- add p11 kit header to set label of migrated certificates to the + file name of the previous one (bnc#890205) + +------------------------------------------------------------------- +Wed Jul 30 11:45:54 UTC 2014 - lnussel@suse.de + +- removed the version in the Obsoletes. The package in SLE11 got + version updated (bnc#887099). + +------------------------------------------------------------------- +Thu Jul 17 09:51:16 UTC 2014 - meissner@suse.com + +- clarify the start order of the generators, as certbundle.run + semi-depends on etc_ssl.run via a timestamp. (bnc#883386) + +------------------------------------------------------------------- +Mon Jun 23 15:24:13 UTC 2014 - lnussel@suse.de + +- fix directory permissions for real this time (bnc#871639) + +------------------------------------------------------------------- +Wed Jun 4 11:10:24 UTC 2014 - lnussel@suse.de + +- don't keep certificates with marker (bnc#875647) + +------------------------------------------------------------------- +Thu May 8 15:41:43 UTC 2014 - lnussel@suse.de + +- copy custom pem files in /etc/ssl/certs to /etc/pki/anchors on + update (bnc#875647) + +------------------------------------------------------------------- +Mon Apr 7 15:07:44 UTC 2014 - lnussel@suse.de + +- Fix typo in man page + +------------------------------------------------------------------- +Fri Apr 4 11:38:17 UTC 2014 - lnussel@suse.de + +- package correct permissions of generated directories (bnc#871639) + +------------------------------------------------------------------- +Fri Dec 6 09:16:11 UTC 2013 - lnussel@suse.de + +- etc_ssl.run: fix typo +- turn /etc/ssl/certs into a symlink to /var/lib/ca-certificates/pem + +------------------------------------------------------------------- +Wed Oct 16 15:11:26 UTC 2013 - lnussel@suse.de + +- fix typo in README (bnc#845500) +- remove old extractcerts.pl + +------------------------------------------------------------------- +Tue Aug 27 12:53:44 UTC 2013 - lnussel@suse.de + +- re-enable the CA bundle again for glib-networking (bnc#825903) + +------------------------------------------------------------------- +Tue Aug 27 07:11:04 UTC 2013 - lnussel@suse.de + +- make sure we have p11-kit >= 0.19.3 which has the 'trust' command + (bnc#836560) + +------------------------------------------------------------------- +Mon Aug 5 11:24:04 UTC 2013 - lnussel@suse.de + +- don't remove symlinks to other locations in /etc/ssl/certs +- use the trust binary instead of p11-kit to extract trust + +------------------------------------------------------------------- +Thu Jun 27 16:17:51 UTC 2013 - lnussel@suse.de + +- disable generating ca-bundle for now again so people don't submit + new packages that use this file. + +------------------------------------------------------------------- +Mon Jun 24 21:09:16 UTC 2013 - hrvoje.senjan@gmail.com + +- Explicitly require p11-kit, otherwise trusted certificates won't + be generated + +------------------------------------------------------------------- +Mon Jun 24 12:46:30 UTC 2013 - lnussel@suse.de + +- update manpage + +------------------------------------------------------------------- +Thu Jun 20 09:15:52 UTC 2013 - lnussel@suse.de + +- use p11-kit to generate the files + +------------------------------------------------------------------- +Fri May 4 11:55:14 UTC 2012 - lnussel@suse.de + +- give hint about SSL_CTX_set_default_verify_paths in cert bundle + +------------------------------------------------------------------- +Mon Oct 24 11:57:53 UTC 2011 - coolo@suse.com + +- require coreutils for %post script + +------------------------------------------------------------------- +Mon Jun 20 12:49:52 UTC 2011 - lnussel@suse.de + +- fix spurious rpm warning if no java exists (bnc#634793) +- move java.run to java-ca-certificates + +------------------------------------------------------------------- +Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de + +- catch FileNotFoundException (bnc#623365) + +------------------------------------------------------------------- +Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz + +* Use the gcc-java and fastjar for build to avoid dependency problems +* build keystore.class only to allow noarch package + +------------------------------------------------------------------- +Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de + +- create java bundles + +------------------------------------------------------------------- +Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de + +- also use hooks from /usr/lib/ca-certificates/update.d +- replace bundle file with symlink to file in /var as it's auto + generated + +------------------------------------------------------------------- +Wed Apr 21 13:20:07 UTC 2010 - lnussel@suse.de + +- force rebuilding all certificate stores in %post + This also makes sure we update the hash links in /etc/ssl/certs + as openssl changed the hash format between 0.9.8 and 1.0 + +------------------------------------------------------------------- +Thu Apr 8 13:16:43 UTC 2010 - lnussel@suse.de + +- actually install certbundle.run (bnc#594501) + +------------------------------------------------------------------- +Thu Apr 8 09:15:28 UTC 2010 - lnussel@suse.de + +- it's ca-bundle.pem rather than cert.pem + +------------------------------------------------------------------- +Thu Apr 8 07:51:25 UTC 2010 - lnussel@suse.de + +- obsolete openssl-certs (bnc#594434) +- update manpage (bnc#594501) + +------------------------------------------------------------------- +Thu Apr 1 13:00:37 UTC 2010 - lnussel@suse.de + +- include /etc/ca-certificates.conf as %ghost + +------------------------------------------------------------------- +Fri Mar 26 15:26:01 UTC 2010 - lnussel@suse.de + +- generate ca-bundle with hook script +- don't use trusted certificates in ca-bundle file for compatibility + with gnutls + +------------------------------------------------------------------- +Wed Mar 24 10:31:47 UTC 2010 - lnussel@suse.de + +- new package + diff --git a/ca-certificates.obsinfo b/ca-certificates.obsinfo new file mode 100644 index 0000000..c5ac13a --- /dev/null +++ b/ca-certificates.obsinfo @@ -0,0 +1,4 @@ +name: ca-certificates +version: 2+git20230406.2dae8b7 +mtime: 1680768174 +commit: 2dae8b77c250506dc1bf862351c3a5de89a08e90 diff --git a/ca-certificates.spec b/ca-certificates.spec new file mode 100644 index 0000000..7595116 --- /dev/null +++ b/ca-certificates.spec @@ -0,0 +1,149 @@ +# +# spec file for package ca-certificates +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%if 0%{?_build_in_place} +%define git_version %(git log '-n1' '--date=format:%Y%m%d' '--no-show-signature' "--pretty=format:+git%cd.%h") +BuildRequires: git-core +%else +# this is required for obs' source validator. It's +# 20-files-present-and-referenced ignores all conditionals. So the +# definition of git_version actually happens always. +%define git_version %{nil} +%endif + +# the ca bundle file was meant as compat option for e.g. +# proprietary packages. It's not meant to be used at all. +# unfortunately glib-networking has such a complicated abstraction +# on top of gnutls that we have to live with the bundle for now +%bcond_without cabundle + +BuildRequires: p11-kit-devel + +Name: ca-certificates +%define ssletcdir %{_sysconfdir}/ssl +%define cabundle /var/lib/ca-certificates/ca-bundle.pem +%define sslcerts %{ssletcdir}/certs +Version: 2+git20230406.2dae8b7%{git_version} +Release: 0 +Summary: Utilities for system wide CA certificate installation +License: GPL-2.0-or-later +Group: Productivity/Networking/Security +Source0: ca-certificates-%{version}.tar +BuildRoot: %{_tmppath}/%{name}-%{version}-build +URL: https://github.com/openSUSE/ca-certificates +# +Requires: /usr/bin/readlink +Requires: p11-kit +Requires: p11-kit-tools >= 0.23.1 +# needed for post +Requires(post): p11-kit-tools /usr/bin/readlink +Recommends: ca-certificates-mozilla +# no need for a separate Java package anymore. The bundle is +# created by C code. +Obsoletes: java-ca-certificates = 1 +Provides: java-ca-certificates = %version-%release +BuildArch: noarch + +%description +Update-ca-certificates is intended to keep the certificate stores of +SSL libraries like OpenSSL or GnuTLS in sync with the system's CA +certificate store that is managed by p11-kit. + +%prep +%setup -q + +%build + +%install +%if %{without cabundle} +rm -f certbundle.run +%endif +%make_install +ln -s service %{buildroot}%{_sbindir}/rcca-certificates +install -d -m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist} +install -d -m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist} +install -d -m 755 %{buildroot}%{ssletcdir} +install -d -m 755 %{buildroot}/etc/ca-certificates/update.d +install -d -m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -d -m 555 %{buildroot}/var/lib/ca-certificates/pem +install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl +install -d -m 755 %{buildroot}/%{_prefix}/lib/systemd/system +ln -s ../../var/lib/ca-certificates/pem %{buildroot}%{sslcerts} +%if %{with cabundle} +install -D -m 444 /dev/null %{buildroot}/%{cabundle} +ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem +%endif +install -D -m 444 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts + +%pre +%service_add_pre ca-certificates.path ca-certificates.service + +%post +# force rebuilding all certificate stores. +update-ca-certificates -f || true +%service_add_post ca-certificates.path ca-certificates.service + +%preun +%service_del_preun ca-certificates.path ca-certificates.service + +%postun +if [ "$1" -eq 0 ]; then + rm -rf /var/lib/ca-certificates/pem /var/lib/ca-certificates/openssl +fi +%service_del_postun ca-certificates.path ca-certificates.service + +%clean +rm -rf %{buildroot} + +%files +%defattr(-, root, root) +%license COPYING +%doc README +%dir %{pkidir_cfg} +%dir %{trustdir_cfg} +%dir %{trustdir_cfg}/anchors +%dir %{trustdir_cfg}/blacklist +%dir %{pkidir_static} +%dir %{trustdir_static} +%dir %{trustdir_static}/anchors +%dir %{trustdir_static}/blacklist +%dir %ssletcdir +%sslcerts +%ghost /var/lib/ca-certificates/java-cacerts +%dir /etc/ca-certificates +%dir /etc/ca-certificates/update.d +%dir %{_prefix}/lib/ca-certificates +%dir %{_prefix}/lib/ca-certificates/update.d +%{_prefix}/lib/systemd/system/* +%dir /var/lib/ca-certificates +%dir /var/lib/ca-certificates/pem +%dir /var/lib/ca-certificates/openssl +%{_sbindir}/rcca-certificates +%{_sbindir}/update-ca-certificates +%{_mandir}/man8/update-ca-certificates.8* +%{_prefix}/lib/ca-certificates/update.d/*java.run +%{_prefix}/lib/ca-certificates/update.d/*etc_ssl.run +%{_prefix}/lib/ca-certificates/update.d/*openssl.run +# +%if %{with cabundle} +%{ssletcdir}/ca-bundle.pem +%ghost %{cabundle} +%{_prefix}/lib/ca-certificates/update.d/*certbundle.run +%endif + +%changelog