fix %pretrans on first install; rel 3
index a2ee45b200893d83ec4736a15bc44418d7eba6a0..4233376e34b56c3bf3ee7a96be4f1c25e79902c4 100644 (file)
 Summary:       Common CA Certificates PEM files
 Summary(pl.UTF-8):     Pliki PEM popularnych certyfikatów CA
 Name:          ca-certificates
-%define        ver_date        20210119
+%define        ver_date        20211016
 Version:       %{ver_date}
-Release:       5
+Release:       3
 License:       GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs)
 Group:         Base
 Source0:       http://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz
-# Source0-md5: c02582bf9ae338e558617291897615eb
+# Source0-md5: 5cce77de047611c4b9384d4ce52d9204
 Source2:       http://www.certum.pl/keys/CA.pem
 # Source2-md5: 35610177afc9c64e70f1ce62c1885496
 Source14:      http://www.certum.pl/CTNCA.pem
@@ -57,14 +57,17 @@ Source36:   http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_High_Ass
 Patch0:                %{name}-undebianize.patch
 Patch1:                %{name}-more-certs.patch
 Patch2:                %{name}-etc-certs.patch
-
+Patch3:                py_cryptography35.patch
+Patch4:                blacklist.patch
 Patch5:                %{name}-DESTDIR.patch
 Patch6:                %{name}.d.patch
 Patch7:                no-openssl-rehash.patch
 URL:           https://packages.debian.org/sid/ca-certificates
 BuildRequires: openssl-tools
-BuildRequires: python >= 1:2.6
-BuildRequires: python-modules
+BuildRequires: python3
+BuildRequires: python3-cryptography
+BuildRequires: python3-packaging
+BuildRequires: python3-modules
 BuildRequires: rpm >= 4.4.9-56
 BuildRequires: sed >= 4.0
 BuildRequires: tar >= 1:1.22
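Review bot: The two new patches are named `py_cryptography35.patch` and `blacklist.patch`, while Patch0, Patch1, Patch2, Patch5 and Patch6 all carry the `%{name}-` prefix; naming them `%{name}-py_cryptography35.patch` and `%{name}-blacklist.patch` would keep the list uniform, although `no-openssl-rehash.patch` already departs from it. This is a naming point only; the patch contents are not visible here.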
@@ -107,7 +110,8 @@ cd work
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
@@ -150,6 +154,27 @@ sed 's/\r//' %{SOURCE36} > terena/$(basename %{SOURCE36} .pem).crt
 # We have those and more in specific dirs
 %{__rm} mozilla/Certum*.crt
 
+make_sure_expired_and_rm() {
+       cert="$1"
+       rm -rf pld-tests
+       install -d pld-tests
+       cat "$cert" |  awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > "pld-tests/" i ".extracted.crt" }'
+       for tmpcert in pld-tests/*.extracted.crt; do
+               # check expiration date
+               EXPDATE=$(openssl x509 -enddate -noout -in "$tmpcert")
+               EXPDATE=${EXPDATE#notAfter=}
+               EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE")
+               NOWTIMESTAMP=$(date +"%s")
+               # mksh is 32bit only
+               if /usr/bin/test "$EXPDATETIMESTAMP" -ge "$NOWTIMESTAMP"; then
+                       echo "$cert ($tmpcert): not expired! ${EXPDATE}"
+                       return 1
+               fi
+       done
+       rm "$cert"
+       return 0
+}
+
 # See TODO
 # %{__rm} mozilla/RSA_Security_1024_v3.crt
 
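Review bot: A certificate file that `openssl x509` cannot parse is treated as expired and removed, because `EXPDATE` is then empty and `date -d ""` yields today's midnight, which is below `NOWTIMESTAMP`, so the `return 1` branch is never taken and `rm "$cert"` runs; the openssl call should fail the function instead, `EXPDATE=$(openssl x509 -enddate -noout -in "$tmpcert") || return 1`. The glob `pld-tests/*.extracted.crt` is likewise unguarded: if the awk split produced no files the loop runs once on the literal pattern and the same empty-`EXPDATE` path follows. Whether either failure is caught by the surrounding build script depends on it running under `set -e`, which is not visible in this hunk. The function's callers are outside this hunk, and the `cat "$cert" | awk` could take the file directly as `awk '…' "$cert"`.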
@@ -182,7 +207,23 @@ cd pld-tests
 cat $RPM_BUILD_ROOT%{certsdir}/ca-certificates.crt | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > i ".extracted.crt" }'
 for cert in *.extracted.crt; do
        openssl x509 -in "$cert" -noout -sha1 -fingerprint > "$cert.fingerprint"
+
+
+       # check expiration date
+       EXPDATE=$(openssl x509 -enddate -noout -in "$cert")
+       EXPDATE=${EXPDATE#notAfter=}
+       EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE")
+       NOWTIMESTAMP=$(date +"%s")
+       # mksh is 32bit only
+       if /usr/bin/test "$EXPDATETIMESTAMP" -lt "$NOWTIMESTAMP"; then
+               echo "!!! Expired certificate: $cert"
+               openssl x509 -subject -issuer -startdate -enddate -email -alias -noout -in "$cert"
+               echo "Fingerprint: $(cat "$cert.fingerprint")"
+               echo "\n\n"
+               exit 1
+       fi
 done
+
 DUPLICATES=$(sort *.fingerprint | uniq -c | sort -nr | awk ' { if ($1 != 1) { print $0; } } ')
 if [ -n "$DUPLICATES" ]; then
        echo -e "\n\nFound duplicates for certificates (count, type, fingerprint):\n\n$DUPLICATES\n\nFailing..."
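Review bot: `echo "\n\n"` on the new `exit 1` path prints the backslash sequences literally under bash, unlike the `echo -e` used for the duplicate report right below it; `printf '\n\n'` behaves the same in every shell. The expiry check here repeats the body of `make_sure_expired_and_rm` added earlier in this file; a small helper that prints the `notAfter` timestamp for a file would keep the two copies in step. An unparseable certificate does fail the build in this loop, which is the safe direction for a CA-bundle check, but it gets there through `date -d ""` rather than an explicit check, so `|| exit 1` after the `openssl x509 -enddate` call would state the intent.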
@@ -205,10 +246,11 @@ rm -rf $RPM_BUILD_ROOT
 %postun update
 /usr/bin/find "%{openssldir}" -xtype l -delete || :
 
-%pretrans
-if [ -L /etc/ssl/certs ]; then
-       rm -f /etc/ssl/certs
-fi
+%pretrans -p <lua>
+local mode = posix.stat("/etc/ssl/certs")
+if mode and mode["type"] == "link" then
+       posix.unlink("/etc/ssl/certs")
+end
 
 %files
 %defattr(644,root,root,755)
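Review bot: The return value of `posix.unlink` is ignored, so a failed removal of the `/etc/ssl/certs` symlink (permissions, an immutable attribute) is not reported and the transaction proceeds into whatever the later symlink-versus-directory conflict produces; `if not posix.unlink("/etc/ssl/certs") then error("cannot remove /etc/ssl/certs symlink") end` surfaces it. A one-line comment above the stat saying why a pre-existing symlink is removed here — presumably because the package now ships a real directory at that path; confirm — would spare the next maintainer the archaeology. The branch also only works if rpm's `posix.stat` reports the link itself rather than following it; it appears to, but that is worth confirming since otherwise `type == "link"` would never match.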