Date: Thursday, April 2, 2015 @ 22:39:35 Author: heftig Revision: 235354
Some updates and simplifications Remove pre_upgrade symlink handling. update-ca-trust already cleans out broken links, so this is unneeded. Move ca-bundle.trust.crt to ca-certificates/extracted. This file has so far been left unused, so no need to put it in the compat dir. Create ca-certificates.crt from the install file instead of update-ca-trust. Reorder update-ca-trust a bit. Update the documentation. Modified: ca-certificates/trunk/PKGBUILD ca-certificates/trunk/ca-certificates-utils.install ca-certificates/trunk/update-ca-trust ca-certificates/trunk/update-ca-trust.8.txt -------------------------------+ PKGBUILD | 18 ++++++----- ca-certificates-utils.install | 28 +++++++++-------- update-ca-trust | 23 ++++++-------- update-ca-trust.8.txt | 64 +++++++++++++++++++++++----------------- 4 files changed, 73 insertions(+), 60 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2015-04-02 20:36:24 UTC (rev 235353) +++ PKGBUILD 2015-04-02 20:39:35 UTC (rev 235354) @@ -1,10 +1,11 @@ # $Id$ -# Maintainer: Pierre Schmitz <pie...@archlinux.de> +# Maintainer: Jan Alexander Steffens (heftig) <jan.steff...@gmail.com> +# Contributor: Pierre Schmitz <pie...@archlinux.de> pkgbase=ca-certificates pkgname=(ca-certificates-utils ca-certificates) -pkgver=20140923 -pkgrel=10 +pkgver=20150402 +pkgrel=1 pkgdesc='Common CA certificates' arch=('any') url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git' @@ -11,8 +12,8 @@ license=('GPL2') makedepends=('asciidoc' 'p11-kit') source=(update-ca-trust update-ca-trust.8.txt) -sha256sums=('6337e487cdf691d33a3c07c894f133b280093a2c60d267a534b56c316c5d7370' - '916bc0582b5230aedc7fdada70bc387fbd605dbc9d3d421621e4736c60a8ef41') +sha256sums=('746d2cce8ec107fa3b7aaa246d69a7e238c3d2ac5cd82c5aeed996fe9cb0a874' + '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929') build() { asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt 
@@ -36,8 +37,9 @@ # Directories used by update-ca-trust (aka "trust extract-compat") install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted} - # Contrary to Fedora, the /etc/ssl/certs dir is generated - ln -srT "${pkgdir}"/etc/ssl/{certs/ca-certificates.crt,cert.pem} + # Compatibility link for OpenSSL using /etc/ssl as CAdir + # Used in preference to the individual links in /etc/ssl/certs + ln -s ../${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}/etc/ssl/cert.pem" } package_ca-certificates() { @@ -45,4 +47,4 @@ depends=(ca-certificates-{mozilla,cacert}) } -# vim:set noet ts=8 sw=8: +# vim:set noet ts=8 sw=8 sts=0: Modified: ca-certificates-utils.install =================================================================== --- ca-certificates-utils.install 2015-04-02 20:36:24 UTC (rev 235353) +++ ca-certificates-utils.install 2015-04-02 20:39:35 UTC (rev 235354) @@ -2,19 +2,11 @@ post_install() { usr/bin/update-ca-trust -} -pre_upgrade() { - if (( $(vercmp $2 20140923-2) < 0 )); then - find /etc/ssl/certs -type l -print | while read symlink; do - case $(readlink $symlink) in - /usr/share/ca-certificates*) rm -f $symlink;; - esac - done - find /etc/ssl/certs -type l -print | while read symlink; do - test -f $symlink || rm -f $symlink - done - fi + # This should be a normally packaged file, but that would + # require user intervention at upgrade + ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \ + etc/ssl/certs/ca-certificates.crt } post_upgrade() { 
@@ -33,10 +25,20 @@
 Also see \`man 8 update-ca-trust\` and \`trust --help\`.
 MSG
 	fi
+
+	if (( $(vercmp $2 20150402) < 0 )); then
+		ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
+			etc/ssl/certs/ca-certificates.crt
+
+		# Moved to etc/ca-certificates/extracted
+		rm -f etc/ssl/certs/ca-bundle.trust.crt
+	fi
 }
 
 pre_remove() {
 	usr/bin/update-ca-trust
+
+	rm -f etc/ssl/certs/{ca-certificates.crt,java/cacerts}
 }
 
-# vim:set noet ts=8 sw=8:
+# vim:set noet ts=8 sw=8 sts=0:
Modified: update-ca-trust
===================================================================
--- update-ca-trust	2015-04-02 20:36:24 UTC (rev 235353)
+++ update-ca-trust	2015-04-02 20:39:35 UTC (rev 235354)
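Review bot: The upgrade branch under `if (( $(vercmp $2 20150402) < 0 ))` replaces `etc/ssl/certs/ca-certificates.crt` with `ln -srf` unconditionally, so if an administrator has put a regular file with a site-specific bundle at that path, the upgrade silently swaps it for the distribution's TLS anchor set; guarding the link with `[[ -L etc/ssl/certs/ca-certificates.crt || ! -e etc/ssl/certs/ca-certificates.crt ]]` and printing a notice in the else case would keep that replacement visible. The same `ln -srf` pair of lines appears in `post_install` in the previous hunk, which suggests a small helper both can call. `$2` inside the `vercmp` substitution should be quoted as `"$2"`. `pre_remove` runs `update-ca-trust` and then deletes only two of its products; the links it maintains in `/etc/ssl/certs` and the bundles in `/etc/ca-certificates/extracted` appear to be left behind on removal, unless that cleanup happens somewhere outside the hunk.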
@@ -6,23 +6,22 @@
 # files in $DEST.
 DEST=/etc/ca-certificates/extracted
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth $DEST/tls-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email $DEST/email-ca-bundle.pem
-trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
-# Removes all files in the target directory, but not directories or files therein
-trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth $DEST/cadir
+# The directory-format extractors remove all files in the target directory, but not directories or files therein
+trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth $DEST/cadir
+trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth $DEST/tls-ca-bundle.pem
+trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email $DEST/email-ca-bundle.pem
+trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem
+trust extract --overwrite --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
-SSL=/etc/ssl/certs
-trust extract --overwrite --format=openssl-bundle --filter=certificates $SSL/ca-bundle.trust.crt
-trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth $SSL/java/cacerts
-ln -fsrT $DEST/tls-ca-bundle.pem $SSL/ca-certificates.crt
-
 # We don't want to have to remove everything from the certs directory but neither
 # do we want to leave stale certs around, so symlink it all from somewhere else
 for f in $DEST/cadir/*; do
-	ln -fsr -t $SSL "$f"
+	ln -fsr -t /etc/ssl/certs "$f"
 done
 # Now find and remove all broken symlinks
-find -L $SSL -maxdepth 1 -type l -delete
+find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+
+# Java bundle
+trust extract --overwrite 
--format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts Modified: update-ca-trust.8.txt =================================================================== --- update-ca-trust.8.txt 2015-04-02 20:36:24 UTC (rev 235353) +++ update-ca-trust.8.txt 2015-04-02 20:39:35 UTC (rev 235354) @@ -178,6 +178,10 @@ /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section. +The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm. +Distrust information cannot be represented in this format, +and distrusted certificates are missing from these files. + The directory /etc/ssl/certs/java contains a CA certificate bundle in the java keystore file format. Distrust information cannot be represented in this file format, @@ -184,12 +188,6 @@ and distrusted certificates are missing from these files. File cacerts contains CA certificates trusted for TLS server authentication. -The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm, as well -as a ca-bundle.trust.crt bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, -as described in the x509(1) manual page. -The dir or the bundle contain the full set of all trusted -or distrusted certificates, including the associated trust flags. - The directory /etc/ca-certificates/extracted contains CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1) manual page. @@ -201,6 +199,10 @@ trusted for E-Mail protection. File objsign-ca-bundle.pem contains CA certificates trusted for code signing. +File ca-bundle.trust.crt contains certificates in the extended +BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page. +This bundle contains the full set of all trusted +and distrusted certificates, including the associated trust flags. COMMANDS 
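Review bot: None of the `trust extract` calls in this hunk checks its exit status, and the hunk starts at line 6 so whether `set -e` is enabled above it is not visible; if it is not, a failed extraction is silently ignored and the script carries on. That matters most for the `--format=pem-directory-hash` extraction now placed first: by the new comment it empties `$DEST/cadir` before writing, so if it then fails, the `for f in $DEST/cadir/*` loop links into an empty directory and `find -L /etc/ssl/certs -maxdepth 1 -type l -delete` removes every link that pointed into it, leaving the system with no trusted CAs rather than a stale set. Adding `set -e` at the top of the script, or `|| exit 1` after each `trust extract`, would make it fail closed before it touches `/etc/ssl/certs`. The glob in the `for` loop also has no nullglob guard, though the `find ... -delete` below happens to clean up the dangling `*` link an empty `cadir` would produce.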
@@ -218,27 +220,6 @@ FILES ----- -/etc/ssl/certs:: - Classic directory, contains individual CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage, - which are created by the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. - See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details. - -/etc/ssl/certs/ca-bundle.trust.crt:: - Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. - This file is consolidated output created by the update-ca-trust command. - -/etc/ssl/certs/ca-certificates.crt:: - Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. - This file is a symbolic link that refers to consolidated output created by the update-ca-trust command. - -/etc/ssl/cert.pem:: - Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. - This file is a symbolic link that refers to consolidated output created by the update-ca-trust command. - -/etc/ssl/java/cacerts:: - Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. - This file is consolidated output created by the update-ca-trust command. - /usr/share/ca-certificates/trust-source:: Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories. 
@@ -250,6 +231,35 @@ which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details. +/etc/ca-certificates/extracted/tls-ca-bundle.pem:: + Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + +/etc/ca-certificates/extracted/email-ca-bundle.pem:: + Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + +/etc/ca-certificates/extracted/objsign-ca-bundle.pem:: + Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + +/etc/ca-certificates/extracted/ca-bundle.trust.crt:: + Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + +/etc/ca-certificates/extracted/cadir:: + Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + Also includes the necessary hash symlinks expected by OpenSSL. + +/etc/ssl/certs:: + Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command. + +/etc/ssl/certs/ca-certificates.crt:: + Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. + +/etc/ssl/cert.pem:: + Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. + +/etc/ssl/java/cacerts:: + Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. 
+ AUTHOR ------ Written by Kai Engert and Stef Walter.