rpm/ca-certificates-mozilla
SHA256
1
0
Fork 0
forked from pool/ca-certificates-mozilla
Code Pull Requests Activity
b4c0f97a4b
ca-certificates-mozilla/ca-certificates-mozilla.spec
Marcus Meissner b4c0f97a4b - certdata-temporary-1024.patch: restore some certificates removed 
from NSS as these are still used for some major sites.
  openssl is not as clever as NSS in selecting the new ones in the
  chain correctly.

OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=66
2015-01-12 15:58:35 +00:00

135 lines
4.1 KiB
RPMSpec
Raw Blame History

#
# spec file for package ca-certificates-mozilla
#
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define certdir %{trustdir_static}
BuildRequires: p11-kit-devel
BuildRequires: ca-certificates
BuildRequires: openssl
BuildRequires: python
Name: ca-certificates-mozilla
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
Version: 2.1
Release: 0
Summary: CA certificates for OpenSSL
License: MPL-2.0
Group: Productivity/Networking/Security
Url: http://www.mozilla.org
# IMPORTANT: procedure to update certificates:
# - Check the log of the cert file:
# http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
# - download the new certdata.txt
# wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
# - run compareoldnew to show fingerprints of new and changed certificates
# - check the bugs referenced in hg log and compare the checksum
# to output of compareoldnew
# The correct history of the file is actually in the nss repo:
# http://hg.mozilla.org/projects/nss/log/8f026c806587/lib/ckfw/builtins/certdata.txt
# - Watch out that blacklisted or untrusted certificates are not
# accidentally included!
Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
Source10: certdata2pem.py
Source11: %{name}.COPYING
Source12: compareoldnew
Patch0: certdata-temporary-1024.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
# for update-ca-certificates
Requires(post): ca-certificates
Requires(postun): ca-certificates
#
# replaces this package from SLE11 times
Obsoletes: openssl-certs
%description
This package contains some CA root certificates for OpenSSL extracted
from MozillaFirefox
%prep
%setup -qcT
%patch0 -p1
/bin/cp %{SOURCE0} .
install -m 644 %{SOURCE11} COPYING
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
if [ "%{version}" != "$ver" ]; then
echo "*** Version number mismatch: spec file should be version $ver"
false
fi
%build
python %{SOURCE10}
%install
mkdir -p %{buildroot}/%{trustdir_static}/anchors
set +x
for i in *.crt; do
args=()
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
distrust=`sed -n '/^# openssl-distrust=/{s/^.*=//;p;q;}' "$i"`
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"`
args+=('-trustout')
for t in $trust; do
args+=("-addtrust" "$t")
done
for t in $distrust; do
args+=("-addreject" "$t")
done
[ -z "$alias" ] || args+=('-setalias' "$alias")
echo "$i ${args[*]}"
fname="%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
if [ -e "$fname" ]; then
fname="${fname%.pem}"
j=1
while [ -e "$fname.$j.pem" ]; do
j=$((j+1))
done
fname="$fname.$j.pem"
fi
{
grep '^#' "$i"
openssl x509 -in "$i" "${args[@]}"
} > "$fname"
done
for i in *.p11-kit ; do
install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
done
set -x
%post
update-ca-certificates || true
%postun
update-ca-certificates || true
%files
%defattr(-, root, root)
%doc COPYING
%{trustdir_static}
%changelog
View Git Blame Copy Permalink