forked from pool/ca-certificates-mozilla
Marcus Meissner
76f2437395
- Updated to 2.1 (bnc#888534) - The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority - TDC Internet Root CA - The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 - The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado OBS-URL: https://build.opensuse.org/request/show/246743 OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=60
130 lines
4.0 KiB
RPMSpec
130 lines
4.0 KiB
RPMSpec
#
|
|
# spec file for package ca-certificates-mozilla
|
|
#
|
|
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define certdir %{trustdir_static}
|
|
BuildRequires: p11-kit-devel
|
|
|
|
BuildRequires: ca-certificates
|
|
BuildRequires: openssl
|
|
BuildRequires: python
|
|
|
|
Name: ca-certificates-mozilla
|
|
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
|
|
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
Version: 2.1
|
|
Release: 0
|
|
Summary: CA certificates for OpenSSL
|
|
License: MPL-2.0
|
|
Group: Productivity/Networking/Security
|
|
Url: http://www.mozilla.org
|
|
# IMPORTANT: procedure to update certificates:
|
|
# - Check the log of the cert file:
|
|
# http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
|
|
# - download the new certdata.txt
|
|
# wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
|
|
# - run compareoldnew to show fingerprints of new and changed certificates
|
|
# - check the bugs referenced in hg log and compare the checksum
|
|
# to output of compareoldnew
|
|
# The correct history of the file is actually in the nss repo:
|
|
# http://hg.mozilla.org/projects/nss/log/8f026c806587/lib/ckfw/builtins/certdata.txt
|
|
# - Watch out that blacklisted or untrusted certificates are not
|
|
# accidentally included!
|
|
Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
|
|
Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
|
|
Source10: certdata2pem.py
|
|
Source11: %{name}.COPYING
|
|
Source12: compareoldnew
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
BuildArch: noarch
|
|
# for update-ca-certificates
|
|
Requires(post): ca-certificates
|
|
Requires(postun): ca-certificates
|
|
#
|
|
# replaces this package from SLE11 times
|
|
Obsoletes: openssl-certs
|
|
|
|
%description
|
|
This package contains some CA root certificates for OpenSSL extracted
|
|
from MozillaFirefox
|
|
|
|
|
|
|
|
%prep
|
|
%setup -qcT
|
|
/bin/cp %{SOURCE0} .
|
|
install -m 644 %{SOURCE11} COPYING
|
|
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
|
|
if [ "%{version}" != "$ver" ]; then
|
|
echo "*** Version number mismatch: spec file should be version $ver"
|
|
false
|
|
fi
|
|
|
|
%build
|
|
python %{SOURCE10}
|
|
|
|
%install
|
|
mkdir -p %{buildroot}/%{trustdir_static}/anchors
|
|
set +x
|
|
for i in *.crt; do
|
|
args=()
|
|
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
|
|
distrust=`sed -n '/^# openssl-distrust=/{s/^.*=//;p;q;}' "$i"`
|
|
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"`
|
|
args+=('-trustout')
|
|
for t in $trust; do
|
|
args+=("-addtrust" "$t")
|
|
done
|
|
for t in $distrust; do
|
|
args+=("-addreject" "$t")
|
|
done
|
|
[ -z "$alias" ] || args+=('-setalias' "$alias")
|
|
|
|
echo "$i ${args[*]}"
|
|
fname="%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
|
|
if [ -e "$fname" ]; then
|
|
fname="${fname%.pem}"
|
|
j=1
|
|
while [ -e "$fname.$j.pem" ]; do
|
|
j=$((j+1))
|
|
done
|
|
fname="$fname.$j.pem"
|
|
fi
|
|
{
|
|
grep '^#' "$i"
|
|
openssl x509 -in "$i" "${args[@]}"
|
|
} > "$fname"
|
|
done
|
|
for i in *.p11-kit ; do
|
|
install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
|
|
done
|
|
set -x
|
|
|
|
%post
|
|
update-ca-certificates || true
|
|
|
|
%postun
|
|
update-ca-certificates || true
|
|
|
|
%files
|
|
%defattr(-, root, root)
|
|
%doc COPYING
|
|
%{trustdir_static}
|
|
|
|
%changelog
|