forked from pool/ca-certificates-mozilla
Marcus Meissner
8edc6e871f
* new: CA_Disig_Root_R1:2.9.0.195.3.154.238.80.144.110.40.crt
server auth, code signing, email signing
* new: CA_Disig_Root_R2:2.9.0.146.184.136.219.176.138.193.99.crt
server auth, code signing, email signing
* new: China_Internet_Network_Information_Center_EV_Certificates_Root:2.4.72.159.0.1.crt
server auth
* changed: Digital_Signature_Trust_Co._Global_CA_1:2.4.54.112.21.150.crt
removed code signing and server auth abilities
* changed: Digital_Signature_Trust_Co._Global_CA_3:2.4.54.110.211.206.crt
removed code signing and server auth abilities
* new: D-TRUST_Root_Class_3_CA_2_2009:2.3.9.131.243.crt
server auth
* new: D-TRUST_Root_Class_3_CA_2_EV_2009:2.3.9.131.244.crt
server auth
* removed: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.185.102.crt
* new: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.222.248.crt
I think the missing flags were adjusted.
* removed: Equifax_Secure_eBusiness_CA_2:2.4.55.112.207.181.crt
* new: PSCProcert:2.1.11.crt
server auth, code signing, email signing
* new: Swisscom_Root_CA_2:2.16.30.158.40.232.72.242.229.239.195.124.74.30.90.24.103.182.crt
server auth, code signing, email signing
* new: Swisscom_Root_EV_CA_2:2.17.0.242.250.100.226.116.99.211.141.253.16.29.4.31.118.202.88.crt
server auth, code signing
* changed: TC_TrustCenter_Universal_CA_III:2.14.99.37.0.1.0.2.20.141.51.21.2.228.108.244.crt
removed all abilities
* new: TURKTRUST_Certificate_Services_Provider_Root_2007:2.1.1.crt
server auth, code signing
* changed: TWCA_Root_Certification_Authority:2.1.1.crt
OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=45
119 lines
3.8 KiB
RPMSpec
119 lines
3.8 KiB
RPMSpec
#
|
|
# spec file for package ca-certificates-mozilla
|
|
#
|
|
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define certdir %{trustdir_static}
|
|
BuildRequires: p11-kit-devel
|
|
|
|
BuildRequires: ca-certificates
|
|
BuildRequires: openssl
|
|
BuildRequires: python
|
|
|
|
Name: ca-certificates-mozilla
|
|
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
|
|
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
Version: 1.94
|
|
Release: 0
|
|
Summary: CA certificates for OpenSSL
|
|
License: MPL-2.0
|
|
Group: Productivity/Networking/Security
|
|
Url: http://www.mozilla.org
|
|
# IMPORTANT: procedure to update certificates:
|
|
# - Check the log of the cert file:
|
|
# http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
|
|
# - download the new certdata.txt
|
|
# wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
|
|
# - run compareoldnew to show fingerprints of new and changed certificates
|
|
# - check the bugs referenced in cvs log and compare the checksum
|
|
# to output of compareoldnew
|
|
# - Watch out that blacklisted or untrusted certificates are not
|
|
# accidentally included!
|
|
Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
|
|
Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
|
|
Source10: certdata2pem.py
|
|
Source11: %{name}.COPYING
|
|
Source12: compareoldnew
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
BuildArch: noarch
|
|
# for update-ca-certificates
|
|
Requires(post): ca-certificates
|
|
Requires(postun): ca-certificates
|
|
#
|
|
Provides: openssl-certs = 0.9.9
|
|
Obsoletes: openssl-certs < 0.9.9
|
|
|
|
%description
|
|
This package contains some CA root certificates for OpenSSL extracted
|
|
from MozillaFirefox
|
|
|
|
|
|
|
|
%prep
|
|
%setup -qcT
|
|
/bin/cp %{SOURCE0} .
|
|
install -m 644 %{SOURCE11} COPYING
|
|
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
|
|
if [ "%{version}" != "$ver" ]; then
|
|
echo "*** Version number mismatch: spec file should be version $ver"
|
|
false
|
|
fi
|
|
|
|
%build
|
|
python %{SOURCE10}
|
|
|
|
%install
|
|
mkdir -p %{buildroot}/%{trustdir_static}/anchors
|
|
set +x
|
|
for i in *.crt; do
|
|
args=()
|
|
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
|
|
distrust=`sed -n '/^# openssl-distrust=/{s/^.*=//;p;q;}' "$i"`
|
|
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"`
|
|
args+=('-trustout')
|
|
for t in $trust; do
|
|
args+=("-addtrust" "$t")
|
|
done
|
|
for t in $distrust; do
|
|
args+=("-addreject" "$t")
|
|
done
|
|
[ -z "$alias" ] || args+=('-setalias' "$alias")
|
|
|
|
echo "$i ${args[*]}"
|
|
{
|
|
grep '^#' "$i"
|
|
openssl x509 -in "$i" "${args[@]}"
|
|
} > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
|
|
done
|
|
for i in *.p11-kit ; do
|
|
install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
|
|
done
|
|
set -x
|
|
|
|
%post
|
|
update-ca-certificates || true
|
|
|
|
%postun
|
|
update-ca-certificates || true
|
|
|
|
%files
|
|
%defattr(-, root, root)
|
|
%doc COPYING
|
|
%{trustdir_static}
|
|
|
|
%changelog
|