Jonathan Nieder wrote:
> A certificate not listed in $CERTS_AVAILABLE could be from an
> older version of ca-certificates or it could be from the user.
> This patch assumes that it is from the user and preserves it,
The following is only about the upgrade case, where /etc/ca-certificates.conf already exists. The initial install is simpler and works fine already.

The config script sets CERTS_AVAILABLE to list all certs from /usr/share/ca-certificates. So there is no harm in enabling certificates not listed there, right?

Well, no, there is --- if a certificate is removed on a machine and then added again, users that requested to be asked about new certificates should be told about it.

Assuming the bzr repo lp:ubuntu/ca-certificates is trustworthy, the patch below reflects all certs that were removed since version 20080809 (=lenny).

Still untested. v1 was obviously bogus (it used $ca before it is initialized), and maybe this one is too. This version at least has a fighting chance of working.

Thoughts? Test reports?

-- 8< --
Subject: postinst: do not remove unknown certs from ca-certificates.conf

An admin might try to add local certificates to the /etc/ssl/certs/ca-certificates.crt file that is maintained by ca-certificates by editing /etc/ca-certificates.conf directly. Unfortunately, this configuration is destroyed when ca-certificates runs its postinst again.

A certificate not listed in $CERTS_AVAILABLE could be from an older version of ca-certificates or it could be from the user. Distinguish the two cases by checking each cert against a list of known certificates that have been removed.

Fixes: http://bugs.debian.org/514220
Reported-by: Peter Palfrader <wea...@debian.org>
---
 debian/postinst | 31 ++++++++++++++++++++++++++++++-
 1 files changed, 30 insertions(+), 1 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index ca6aab0..adb8a1a 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -36,6 +36,31 @@ delca() { echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' } +CERTS_REMOVED="cacert.org/root.crt:20090708" +CERTS_REMOVED="$CERTS_REMOVED, cacert.org/class3.crt:20090708" +CERTS_REMOVED="$CERTS_REMOVED, quovadis.bm/QuoVadis_Root_Certification_Authority.crt:20090708" +CERTS_REMOVED="$CERTS_REMOVED, mozilla/UTN_USERFirst_Object_Root_CA.crt:20090624" + +removedp() { + cert="$1" + prev_version="$2" + if expr "$1" : '.*:.*' >/dev/null || expr "$1" : '[0-9]*' >/dev/null + then + return 1 + fi + each_value "$CERTS_REMOVED" | + { grep -F "$1" || test $? = 1; } | + cut -d: -f2- | + while read ver + do + if dpkg --compare-versions "$prev_version" lt-nl "$ver" + then + return 0 + fi + done + return 1 +} + case "$1" in configure) if [ ! -e /usr/local/share/ca-certificates ] @@ -66,12 +91,16 @@ case "$1" in do if echo "$line" | grep -q '^#'; then echo "$line" + elif removedp "$line"; then + echo "!$line" else case "$line" in !*) ca=$(echo "$line" | sed -e 's/^!//');; *) ca="$line";; esac - if memberp "$ca" "$CERTS_ENABLED"; then + if ! memberp "$ca" "$CERTS_AVAILABLE"; then + echo "$line" + elif memberp "$ca" "$CERTS_ENABLED"; then echo "$ca" # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED") else -- 1.7.1.rc1
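Review bot: in the first hunk, the `return 0` inside the `while read ver` loop of `removedp` never returns from the function: the loop is the last stage of a pipeline and therefore runs in a subshell under dash (and under bash without `lastpipe`), so `return 0` only ends that subshell, after which the function falls through to the trailing `return 1` and every cert is reported as not removed. Capture the versions first, e.g. `vers=$(each_value "$CERTS_REMOVED" | grep -F "$cert" | cut -d: -f2-)`, and loop over `$vers` in the function's own shell, or have the loop `exit 0` and branch on the pipeline's exit status. Two smaller points in the same function: `grep -F "$1"` is a substring match against the whole `name:version` entry, so a configured name that is a suffix of a removed one would match too (split each entry with `IFS=: read name ver` and compare `"$name" = "$cert"` for an exact match), and `cert="$1"` is assigned but the body keeps using `$1`, which makes the later `grep -F "$1"` easy to misread.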
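Review bot: in the second hunk, `removedp "$line"` passes one argument while the function reads `prev_version="$2"`, so `$prev_version` is always empty; with `dpkg --compare-versions ... lt-nl` an empty left-hand version counts as later than any version, so the comparison is never true and no entry is ever rewritten as `!$line`. When the maintainer script is invoked as `configure <old-version>`, the previously configured version is the script's own `$2`, and the `case "$1" in configure)` block in this hunk is at script level, so the call should be `removedp "$line" "$2"`. Also worth a comment: `$line` is tested before the leading `!` is stripped, so an already-disabled cert that is on the removed list does not match the `CERTS_REMOVED` entries, falls to the `! memberp "$ca" "$CERTS_AVAILABLE"` branch and is echoed unchanged; that is the intended outcome, but the next reader should not have to re-derive it.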