forked from pool/ca-certificates-mozilla
Marcus Meissner
7a4b756f81
- updated to 2.11 state of the Mozilla NSS Certificate store.
- removed CAs:
- Buypass_Class_2_CA_1:2.1.1.crt
serverAuth
- EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı:2.8.76.175.115.66.28.142.116.2.crt
codeSigning emailProtection serverAuth
- Equifax_Secure_CA:2.4.53.222.244.207.crt
emailProtection
- Equifax_Secure_eBusiness_CA_1:2.1.4.crt
emailProtection
- Equifax_Secure_Global_eBusiness_CA:2.1.1.crt
emailProtection
- IGC_A:2.5.57.17.69.16.148.crt
codeSigning emailProtection serverAuth
- Juur-SK:2.4.59.142.75.252.crt
codeSigning serverAuth
- Root_CA_Generalitat_Valenciana:2.4.59.69.229.104.crt
codeSigning emailProtection serverAuth
- RSA_Security_2048_v3:2.16.10.1.1.1.0.0.2.124.0.0.0.10.0.0.0.2.crt
codeSigning emailProtection serverAuth
- Sonera_Class_1_Root_CA:2.1.36.crt
emailProtection
- S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN:2.16.55.25.24.230.83.84.124.26.181.184.203.89.90.219.53.183.crt
emailProtection
- Verisign_Class_1_Public_Primary_Certification_Authority:2.16.63.105.30.129.156.240.154.74.243.115.255.185.72.162.228.221.crt
emailProtection
- Verisign_Class_2_Public_Primary_Certification_Authority_-_G2:2.17.0.185.47.96.204.136.159.161.122.70.9.184.91.112.108.138.175.crt
emailProtection
- Verisign_Class_3_Public_Primary_Certification_Authority:2.16.112.186.228.29.16.217.41.52.182.56.202.123.3.204.186.191.crt
emailProtection
OBS-URL: https://build.opensuse.org/request/show/452186
OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=79
131 lines
3.8 KiB
RPMSpec
131 lines
3.8 KiB
RPMSpec
#
|
|
# spec file for package ca-certificates-mozilla
|
|
#
|
|
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define certdir %{trustdir_static}
|
|
BuildRequires: p11-kit-devel
|
|
|
|
BuildRequires: ca-certificates
|
|
BuildRequires: openssl
|
|
BuildRequires: python
|
|
|
|
Name: ca-certificates-mozilla
|
|
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
|
|
# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
|
|
Version: 2.11
|
|
Release: 0
|
|
Summary: CA certificates for OpenSSL
|
|
License: MPL-2.0
|
|
Group: Productivity/Networking/Security
|
|
Url: http://www.mozilla.org
|
|
# IMPORTANT: procedure to update certificates:
|
|
# - Check the log of the cert file:
|
|
# http://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
|
|
# - download the new certdata.txt
|
|
# wget -O certdata.txt "http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/certdata.txt"
|
|
# - run compareoldnew to show fingerprints of new and changed certificates
|
|
# - check the bugs referenced in hg log and compare the checksum
|
|
# to output of compareoldnew
|
|
# - Watch out that blacklisted or untrusted certificates are not
|
|
# accidentally included!
|
|
Source: http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
|
|
Source1: http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
|
|
# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
|
|
Source10: certdata2pem.py
|
|
Source11: %{name}.COPYING
|
|
Source12: compareoldnew
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
BuildArch: noarch
|
|
# for update-ca-certificates
|
|
Requires(post): ca-certificates
|
|
Requires(postun): ca-certificates
|
|
#
|
|
# replaces this package from SLE11 times
|
|
Obsoletes: openssl-certs
|
|
|
|
%description
|
|
This package contains some CA root certificates for OpenSSL extracted
|
|
from MozillaFirefox
|
|
|
|
|
|
|
|
%prep
|
|
%setup -qcT
|
|
|
|
/bin/cp %{SOURCE0} .
|
|
|
|
install -m 644 %{SOURCE11} COPYING
|
|
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
|
|
if [ "%{version}" != "$ver" ]; then
|
|
echo "*** Version number mismatch: spec file should be version $ver"
|
|
false
|
|
fi
|
|
|
|
%build
|
|
python %{SOURCE10}
|
|
|
|
%install
|
|
mkdir -p %{buildroot}/%{trustdir_static}/anchors
|
|
set +x
|
|
for i in *.crt; do
|
|
args=()
|
|
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
|
|
distrust=`sed -n '/^# openssl-distrust=/{s/^.*=//;p;q;}' "$i"`
|
|
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"`
|
|
args+=('-trustout')
|
|
for t in $trust; do
|
|
args+=("-addtrust" "$t")
|
|
done
|
|
for t in $distrust; do
|
|
args+=("-addreject" "$t")
|
|
done
|
|
[ -z "$alias" ] || args+=('-setalias' "$alias")
|
|
|
|
echo "$i ${args[*]}"
|
|
fname="%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
|
|
if [ -e "$fname" ]; then
|
|
fname="${fname%.pem}"
|
|
j=1
|
|
while [ -e "$fname.$j.pem" ]; do
|
|
j=$((j+1))
|
|
done
|
|
fname="$fname.$j.pem"
|
|
fi
|
|
{
|
|
grep '^#' "$i"
|
|
openssl x509 -in "$i" "${args[@]}"
|
|
} > "$fname"
|
|
done
|
|
for i in *.p11-kit ; do
|
|
install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
|
|
done
|
|
set -x
|
|
|
|
%post
|
|
update-ca-certificates || true
|
|
|
|
%postun
|
|
update-ca-certificates || true
|
|
|
|
%files
|
|
%defattr(-, root, root)
|
|
%doc COPYING
|
|
%{trustdir_static}
|
|
|
|
%changelog
|