]>
Commit | Line | Data |
---|---|---|
1 | # TODO | |
2 | # - https://bugzilla.mozilla.org/show_bug.cgi?id=549701 and | |
3 | # http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998# | |
4 | # - make amsn use system certs | |
5 | # - make pidgin use system certs | |
6 | # - swap %{certsdir}/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt regards file vs symlink | |
7 | # | |
8 | # Conditional build: | |
9 | %bcond_without tests # skip duplicates check | |
10 | ||
11 | Summary: Common CA Certificates PEM files | |
12 | Summary(pl.UTF-8): Pliki PEM popularnych certyfikatów CA | |
13 | Name: ca-certificates | |
14 | %define ver_date 20240203 | |
15 | Version: %{ver_date} | |
16 | Release: 1 | |
17 | License: GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs) | |
18 | Group: Base | |
19 | Source0: http://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz | |
20 | # Source0-md5: 228129ccf8cd99b991d771c44dd4052c | |
21 | Source2: http://www.certum.pl/keys/CA.pem | |
22 | # Source2-md5: 35610177afc9c64e70f1ce62c1885496 | |
23 | Source14: http://www.certum.pl/CTNCA.pem | |
24 | # Source14-md5: 231b5b8bf05c5e93a9b2ebc4186eb6f7 | |
25 | Source15: http://repository.certum.pl/class1casha2.pem | |
26 | # Source15-md5: b52dde6e2618a21965afbe6d6676d09f | |
27 | Source16: http://repository.certum.pl/dvcasha2.pem | |
28 | # Source16-md5: 88ce64a84375c95ab6f7c8515dd2a117 | |
29 | Source17: http://repository.certum.pl/ovcasha2.pem | |
30 | # Source17-md5: 3149c923bd23469d6b14caa6334f8b63 | |
31 | Source18: http://repository.certum.pl/evcasha2.pem | |
32 | # Source18-md5: ac54dc6cf3af7e243879b1c8b4aca8a3 | |
33 | #Source19: http://repository.certum.pl/dvcasha2.pem | |
34 | ## Source19-md5: 88ce64a84375c95ab6f7c8515dd2a117 | |
35 | Source20: http://repository.certum.pl/gscasha2.pem | |
36 | # Source20-md5: a29d37f95dafc08cef36015922e3b0d3 | |
37 | Source23: http://crt.tcs.terena.org/TERENAPersonalCA.crt | |
38 | # Source23-md5: 53eaa497c8fb0b79f14fe9f69693689a | |
39 | Source24: http://crt.tcs.terena.org/TERENAeSciencePersonalCA.crt | |
40 | # Source24-md5: e25cc655d3ebe920ca9c187e3dde9191 | |
41 | Source29: http://www.sk.ee/upload/files/ESTEID-SK%202011.pem.cer?/ESTEID-SK_2011.pem.cer | |
42 | # Source29-md5: cfcc1e592cb0ff305158a7e32730546c | |
43 | Source30: http://www.terena.org/activities/tcs/repository/sha2/TERENA_SSL_CA_2.pem | |
44 | # Source30-md5: 96700974350cecfcfbd904d52c3a3942 | |
45 | Source31: http://www.terena.org/activities/tcs/repository/sha2/TERENA_Personal_CA_2.pem | |
46 | # Source31-md5: d40e5c821f8559faf5bcd55eac5e1371 | |
47 | Source32: http://www.terena.org/activities/tcs/repository/sha2/TERENA_Code_Signing_CA_2.pem | |
48 | # Source32-md5: 69ff653e730adf87ff59bf373950b357 | |
49 | Source33: http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_CA_3.pem | |
50 | # Source33-md5: b22ed904900ed6b3bc129f9a35ba5a66 | |
51 | Source34: http://www.terena.org/activities/tcs/repository-g3/TERENA_Personal_CA_3.pem | |
52 | # Source34-md5: eb5ddefe94750c2f8d4f11cb1f3af911 | |
53 | Source35: http://www.terena.org/activities/tcs/repository-g3/TERENA_Code_Signing_CA_3.pem | |
54 | # Source35-md5: 43375a208fba0a5e73f1912faa4db86d | |
55 | Source36: http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_High_Assurance_CA_3.pem | |
56 | # Source36-md5: 6e00d9ede4460e739eb285ea023299f0 | |
57 | Patch0: %{name}-undebianize.patch | |
58 | Patch1: %{name}-more-certs.patch | |
59 | Patch2: %{name}-etc-certs.patch | |
60 | Patch3: %{name}-DESTDIR.patch | |
61 | Patch4: %{name}.d.patch | |
62 | Patch5: no-openssl-rehash.patch | |
63 | Patch6: blacklist.patch | |
64 | URL: https://packages.debian.org/sid/ca-certificates | |
65 | BuildRequires: openssl-tools | |
66 | BuildRequires: python3 | |
67 | BuildRequires: python3-cryptography | |
68 | BuildRequires: python3-packaging | |
69 | BuildRequires: python3-modules | |
70 | BuildRequires: rpm >= 4.4.9-56 | |
71 | BuildRequires: sed >= 4.0 | |
72 | BuildRequires: tar >= 1:1.22 | |
73 | BuildRequires: unzip | |
74 | BuildRequires: xz | |
75 | Obsoletes: certificates < 1.2 | |
76 | BuildArch: noarch | |
77 | BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) | |
78 | ||
79 | %define certsdir /etc/certs | |
80 | %define openssldir /etc/openssl/certs | |
81 | ||
82 | %description | |
83 | Common CA Certificates PEM files. | |
84 | ||
85 | %description -l pl.UTF-8 | |
86 | Pliki PEM popularnych certyfikatów CA. | |
87 | ||
88 | %package update | |
89 | Summary: Script for updating CA Certificates database | |
90 | Summary(pl.UTF-8): Skrypt do odświeżania bazy certyfikatów CA | |
91 | Group: Libraries | |
92 | Requires: %{name} = %{version}-%{release} | |
93 | Requires: mktemp | |
94 | %if "%{pld_release}" == "ac" | |
95 | Requires: openssl-tools >= 0.9.7m-6.3 | |
96 | %else | |
97 | Requires: openssl-tools >= 0.9.8i-3 | |
98 | %endif | |
99 | ||
100 | %description update | |
101 | Script and data for updating CA Certificates database. | |
102 | ||
103 | %description update -l pl.UTF-8 | |
104 | Skrypt i dane do odświeżania bazy certyfikatów CA. | |
105 | ||
106 | %prep | |
107 | %setup -qc | |
108 | cd ca-certificates | |
109 | %patch0 -p1 | |
110 | %patch1 -p1 | |
111 | %patch2 -p1 | |
112 | %patch3 -p1 | |
113 | %patch4 -p1 | |
114 | %patch5 -p1 | |
115 | %patch6 -p1 | |
116 | ||
117 | %{__sed} -i -e 's,@openssldir@,%{openssldir},' sbin/update-ca-certificates* | |
118 | ||
119 | install -d certum | |
120 | cp -pi %{SOURCE2} certum | |
121 | cp -pi %{SOURCE14} certum | |
122 | cp -pi %{SOURCE15} certum | |
123 | cp -pi %{SOURCE16} certum | |
124 | cp -pi %{SOURCE17} certum | |
125 | cp -pi %{SOURCE18} certum | |
126 | #cp -pi %{SOURCE19} certum | |
127 | cp -pi %{SOURCE20} certum | |
128 | for a in certum/*.pem; do | |
129 | mv -i "$a" "${a%.pem}.crt" | |
130 | done | |
131 | ||
132 | # http://www.sk.ee/en/Repository/certs/rootcertificates | |
133 | # ESTEID-SK 2011 | |
134 | install -d esteid | |
135 | cp -pi %{SOURCE29} esteid/ESTEID-SK_2011.crt | |
136 | ||
137 | %build | |
138 | cd ca-certificates | |
139 | install -d terena | |
140 | openssl x509 -inform DER -in %{SOURCE23} -outform PEM -out terena/$(basename %{SOURCE23}) | |
141 | openssl x509 -inform DER -in %{SOURCE24} -outform PEM -out terena/$(basename %{SOURCE24}) | |
142 | cp %{SOURCE30} terena/$(basename %{SOURCE30} .pem).crt | |
143 | cp %{SOURCE31} terena/$(basename %{SOURCE31} .pem).crt | |
144 | cp %{SOURCE32} terena/$(basename %{SOURCE32} .pem).crt | |
145 | sed 's/\r//' %{SOURCE33} > terena/$(basename %{SOURCE33} .pem).crt | |
146 | sed 's/\r//' %{SOURCE34} > terena/$(basename %{SOURCE34} .pem).crt | |
147 | sed 's/\r//' %{SOURCE35} > terena/$(basename %{SOURCE35} .pem).crt | |
148 | sed 's/\r//' %{SOURCE36} > terena/$(basename %{SOURCE36} .pem).crt | |
149 | ||
150 | %{__make} | |
151 | ||
152 | # We have those and more in specific dirs | |
153 | %{__rm} mozilla/Certum*.crt | |
154 | ||
155 | make_sure_expired_and_rm() { | |
156 | cert="$1" | |
157 | rm -rf pld-tests | |
158 | install -d pld-tests | |
159 | cat "$cert" | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > "pld-tests/" i ".extracted.crt" }' | |
160 | for tmpcert in pld-tests/*.extracted.crt; do | |
161 | # check expiration date | |
162 | EXPDATE=$(openssl x509 -enddate -noout -in "$tmpcert") | |
163 | EXPDATE=${EXPDATE#notAfter=} | |
164 | EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE") | |
165 | NOWTIMESTAMP=$(date +"%s") | |
166 | # mksh is 32bit only | |
167 | if /usr/bin/test "$EXPDATETIMESTAMP" -ge "$NOWTIMESTAMP"; then | |
168 | echo "$cert ($tmpcert): not expired! ${EXPDATE}" | |
169 | return 1 | |
170 | fi | |
171 | done | |
172 | rm "$cert" | |
173 | return 0 | |
174 | } | |
175 | ||
176 | # See TODO | |
177 | # %{__rm} mozilla/RSA_Security_1024_v3.crt | |
178 | ||
179 | %install | |
180 | rm -rf $RPM_BUILD_ROOT | |
181 | cd ca-certificates | |
182 | install -d $RPM_BUILD_ROOT{%{_datadir}/%{name},%{_sbindir},%{certsdir},/etc/pki/tls/certs,%{_sysconfdir}/ca-certificates.d} | |
183 | %{__make} install \ | |
184 | DESTDIR=$RPM_BUILD_ROOT | |
185 | ||
186 | find $RPM_BUILD_ROOT%{_datadir}/ca-certificates -name '*.crt' -exec sed -i -e 's/\r$//' {} \; | |
187 | ||
188 | ( | |
189 | cd $RPM_BUILD_ROOT%{_datadir}/ca-certificates | |
190 | find . -name '*.crt' | sort | cut -b3- | |
191 | ) > $RPM_BUILD_ROOT%{_sysconfdir}/ca-certificates.conf | |
192 | ||
193 | # build %{certsdir}/ca-certificates.crt | |
194 | install -d $RPM_BUILD_ROOT%{openssldir} | |
195 | ./sbin/update-ca-certificates --destdir $RPM_BUILD_ROOT | |
196 | rm -rf $RPM_BUILD_ROOT%{openssldir} | |
197 | ||
198 | ln -s %{certsdir}/ca-certificates.crt $RPM_BUILD_ROOT/etc/pki/tls/certs/ca-bundle.crt | |
199 | ||
200 | %if %{with tests} | |
201 | install -d pld-tests | |
202 | cd pld-tests | |
203 | ||
204 | # check for duplicates (to avoid X509_STORE_add_cert "cert already in hash table" problem) | |
205 | cat $RPM_BUILD_ROOT%{certsdir}/ca-certificates.crt | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > i ".extracted.crt" }' | |
206 | for cert in *.extracted.crt; do | |
207 | openssl x509 -in "$cert" -noout -sha1 -fingerprint > "$cert.fingerprint" | |
208 | ||
209 | ||
210 | # check expiration date | |
211 | EXPDATE=$(openssl x509 -enddate -noout -in "$cert") | |
212 | EXPDATE=${EXPDATE#notAfter=} | |
213 | EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE") | |
214 | NOWTIMESTAMP=$(date +"%s") | |
215 | # mksh is 32bit only | |
216 | if /usr/bin/test "$EXPDATETIMESTAMP" -lt "$NOWTIMESTAMP"; then | |
217 | echo "!!! Expired certificate: $cert" | |
218 | openssl x509 -subject -issuer -startdate -enddate -email -alias -noout -in "$cert" | |
219 | echo "Fingerprint: $(cat "$cert.fingerprint")" | |
220 | echo "\n\n" | |
221 | exit 1 | |
222 | fi | |
223 | done | |
224 | ||
225 | DUPLICATES=$(sort *.fingerprint | uniq -c | sort -nr | awk ' { if ($1 != 1) { print $0; } } ') | |
226 | if [ -n "$DUPLICATES" ]; then | |
227 | echo -e "\n\nFound duplicates for certificates (count, type, fingerprint):\n\n$DUPLICATES\n\nFailing..." | |
228 | exit 1 | |
229 | fi | |
230 | cd .. | |
231 | %endif | |
232 | ||
233 | # The Debian path might be hard-coded in some binaries we cannot fix | |
234 | # like the Steam client | |
235 | install -d $RPM_BUILD_ROOT/etc/ssl/certs | |
236 | ln -s %{certsdir}/ca-certificates.crt $RPM_BUILD_ROOT/etc/ssl/certs | |
237 | ||
238 | %clean | |
239 | rm -rf $RPM_BUILD_ROOT | |
240 | ||
241 | %post update | |
242 | %{_sbindir}/update-ca-certificates --fresh || : | |
243 | ||
244 | %postun update | |
245 | /usr/bin/find "%{openssldir}" -xtype l -delete || : | |
246 | ||
247 | %pretrans -p <lua> | |
248 | local mode = posix.stat("/etc/ssl/certs") | |
249 | if mode and mode["type"] == "link" then | |
250 | posix.unlink("/etc/ssl/certs") | |
251 | end | |
252 | ||
253 | %files | |
254 | %defattr(644,root,root,755) | |
255 | %doc ca-certificates/debian/{README.Debian,changelog} | |
256 | %dir /etc/pki/tls | |
257 | %dir /etc/pki/tls/certs | |
258 | %dir /etc/ssl | |
259 | %dir /etc/ssl/certs | |
260 | /etc/ssl/certs/ca-certificates.crt | |
261 | %config(noreplace) %verify(not md5 mtime size) /etc/pki/tls/certs/ca-bundle.crt | |
262 | %verify(not md5 mtime size) %{certsdir}/ca-certificates.crt | |
263 | ||
264 | %files update | |
265 | %defattr(644,root,root,755) | |
266 | %attr(755,root,root) %{_sbindir}/update-ca-certificates | |
267 | %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ca-certificates.conf | |
268 | %dir %{_sysconfdir}/ca-certificates.d | |
269 | %{_datadir}/ca-certificates |