X-Git-Url: http://git.pld-linux.org/?p=packages%2Fca-certificates.git;a=blobdiff_plain;f=ca-certificates.spec;h=6315b9f26e75a8f475d5fdcc4ff3b21b9f6365bf;hp=2e315b9c97093e48def3653f1b31095bce61a8f6;hb=460ad8a7ea22dd9f24e57e175722e67390716171;hpb=354e0f44b3a1e04a0de856c91d2ccb07a243e19d diff --git a/ca-certificates.spec b/ca-certificates.spec index 2e315b9..6315b9f 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -2,18 +2,22 @@ # - cleanup dead links from /etc/openssl/certs after -update uninstall # - https://bugzilla.mozilla.org/show_bug.cgi?id=549701 and # http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998# -# - add certs noted in TODO file +# - make amsn use system certs +# - make pidgin use system certs # - swap %{certsdir}/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt regards file vs symlink # +# Conditional build: +%bcond_without tests # skip duplicates check +# Summary: Common CA Certificates PEM files Summary(pl.UTF-8): Pliki PEM popularnych certyfikatów CA Name: ca-certificates -Version: 20141019 -Release: 3 +Version: 20160104 +Release: 2 License: GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs) Group: Libraries Source0: ftp://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz -# Source0-md5: f619282081c8bfc65ea64c37fa5285ed +# Source0-md5: d9665a83d0d3ef8176a38e6aa20458e9 Source1: https://www.verisign.com/support/thawte-roots.zip # Source1-md5: 21a284ebdc6e8f4178d5cc10fb9e1ef2 Source2: http://www.certum.pl/keys/CA.pem @@ -72,14 +76,27 @@ Source28: http://www.sk.ee/upload/files/ESTEID-SK%202007.PEM.cer?/ESTEID-SK_2007 # Source28-md5: 2b1a2a77f565d68fdf5f19f6cc3a5600 Source29: http://www.sk.ee/upload/files/ESTEID-SK%202011.pem.cer?/ESTEID-SK_2011.pem.cer # Source29-md5: cfcc1e592cb0ff305158a7e32730546c - +Source30: http://www.terena.org/activities/tcs/repository/sha2/TERENA_SSL_CA_2.pem +# Source30-md5: 96700974350cecfcfbd904d52c3a3942 +Source31: http://www.terena.org/activities/tcs/repository/sha2/TERENA_Personal_CA_2.pem +# Source31-md5: d40e5c821f8559faf5bcd55eac5e1371 +Source32: http://www.terena.org/activities/tcs/repository/sha2/TERENA_Code_Signing_CA_2.pem +# Source32-md5: 69ff653e730adf87ff59bf373950b357 +Source33: http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_CA_3.pem +# Source33-md5: b22ed904900ed6b3bc129f9a35ba5a66 +Source34: http://www.terena.org/activities/tcs/repository-g3/TERENA_Personal_CA_3.pem +# Source34-md5: eb5ddefe94750c2f8d4f11cb1f3af911 +Source35: http://www.terena.org/activities/tcs/repository-g3/TERENA_Code_Signing_CA_3.pem +# Source35-md5: 43375a208fba0a5e73f1912faa4db86d +Source36: http://www.terena.org/activities/tcs/repository-g3/TERENA_SSL_High_Assurance_CA_3.pem +# Source36-md5: 6e00d9ede4460e739eb285ea023299f0 Patch0: %{name}-undebianize.patch Patch1: %{name}-more-certs.patch Patch2: %{name}-etc-certs.patch Patch3: %{name}-c_rehash.sh.patch Patch5: %{name}-DESTDIR.patch Patch6: %{name}.d.patch -URL: http://www.cacert.org/ +URL: https://packages.debian.org/sid/ca-certificates BuildRequires: openssl-tools BuildRequires: python BuildRequires: python-modules @@ -120,7 +137,8 @@ Script and data for updating CA Certificates database. Skrypt i dane do odświeżania bazy certyfikatów CA. %prep -%setup -q +%setup -qc +mv %{name}/* . %patch0 -p1 %patch1 -p1 %patch2 -p1 @@ -186,14 +204,24 @@ openssl x509 -inform DER -in %{SOURCE22} -outform PEM -out terena/$(basename %{S openssl x509 -inform DER -in %{SOURCE23} -outform PEM -out terena/$(basename %{SOURCE23}) openssl x509 -inform DER -in %{SOURCE24} -outform PEM -out terena/$(basename %{SOURCE24}) openssl x509 -inform DER -in %{SOURCE25} -outform PEM -out terena/$(basename %{SOURCE25}) +cp %{SOURCE30} terena/$(basename %{SOURCE30} .pem).crt +cp %{SOURCE31} terena/$(basename %{SOURCE31} .pem).crt +cp %{SOURCE32} terena/$(basename %{SOURCE32} .pem).crt +sed 's/\r//' %{SOURCE33} > terena/$(basename %{SOURCE33} .pem).crt +sed 's/\r//' %{SOURCE34} > terena/$(basename %{SOURCE34} .pem).crt +sed 's/\r//' %{SOURCE35} > terena/$(basename %{SOURCE35} .pem).crt +sed 's/\r//' %{SOURCE36} > terena/$(basename %{SOURCE36} .pem).crt %{__make} # We have those and more in specific dirs -rm mozilla/{Thawte,thawte,Certum,IGC_A,Deutsche_Telekom_Root_CA_2,Juur-SK}*.crt +%{__rm} mozilla/{thawte,Certum,IGC_A,Deutsche_Telekom_Root_CA_2,Juur-SK}*.crt + +# Duplicate with Verisign_Class_3_Public_Primary_Certification_Authority_2.crt +%{__rm} thawte/Class_3_Public_Primary_Certification_Authority.crt # See TODO -# rm mozilla/RSA_Security_1024_v3.crt +# %{__rm} mozilla/RSA_Security_1024_v3.crt %install rm -rf $RPM_BUILD_ROOT @@ -215,6 +243,23 @@ rm -rf $RPM_BUILD_ROOT%{openssldir} ln -s %{certsdir}/ca-certificates.crt $RPM_BUILD_ROOT/etc/pki/tls/certs/ca-bundle.crt +%if %{with tests} +install -d pld-tests +cd pld-tests + +# check for duplicates (to avoid X509_STORE_add_cert "cert already in hash table" problem) +cat $RPM_BUILD_ROOT/%{certsdir}/ca-certificates.crt | awk '/BEGIN/ { i++; } /BEGIN/, /END/ { print > i ".extracted.crt" }' +for cert in *.extracted.crt; do + openssl x509 -in "$cert" -noout -sha1 -fingerprint > "$cert.fingerprint" +done +DUPLICATES=$(sort *.fingerprint | uniq -c | sort -nr | awk ' { if ($1 != 1) { print $0; } } ') +if [ -n "$DUPLICATES" ]; then + echo -e "\n\nFound duplicates for certificates (count, type, fingerprint):\n\n$DUPLICATES\n\nFailing..." + exit 1 +fi +cd .. +%endif + %clean rm -rf $RPM_BUILD_ROOT