
use ca-certificates

git-svn-id: http://trac.vinelinux.org/repos/projects/specs@7835 ec354946-7b23-47d6-9f5a-488ba84defc7
daisuke 10 years ago
parent
commit
328cb07154
1 changed files with 48 additions and 41 deletions
  1. 48 41
      o/openssl/openssl-vl.spec

+ 48 - 41
o/openssl/openssl-vl.spec

@@ -1,7 +1,7 @@
 %define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
 %define soversion 10
 %define version 1.0.1e
-%define release 1%{_dist_release}
+%define release 2%{_dist_release}
 
 Summary: Secure Sockets Layer Toolkit
 Name: openssl
@@ -9,9 +9,9 @@ Version: %{version}
 Release: %{release}
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
-Source3: ca-bundle.crt
-Source5: make-dummy-cert
-# Source6: openssl-%{version}.pc
+Source6: make-dummy-cert
+Source7: renew-dummy-cert
+
 Patch0: openssl-1.0.0-soversion.patch
 Patch2: openssl-1.0.0-rpm_opt.patch
 Patch4: openssl-1.0.0-enginesdir.patch
@@ -23,10 +23,13 @@ Patch5: openssl-0.9.8j-version-add-engines.patch
 License: BSDish
 Group: System Environment/Libraries
 URL: http://www.openssl.org/
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: perl, sed
 BuildRequires: zlib-devel, krb5-devel
+
 Requires: mktemp
+Requires: ca-certificates
 
 Vendor: Project Vine
 Distribution: Vine Linux
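Review bot: The new `Requires: ca-certificates` is unversioned, yet this commit also stops shipping `ca-bundle.crt` and the `cert.pem` link, so default certificate verification now depends entirely on what that package installs under `%{_sysconfdir}/pki/tls`. With an older or differently laid-out ca-certificates installed, the default trust store would presumably be empty and verification against the default paths would fail. Consider pinning the dependency to the first release that ships the bundle at the new location, e.g. `Requires: ca-certificates >= <FIRST_VERSION_WITH_PKI_TLS_BUNDLE>` (placeholder; the actual version is not shown on this page).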
@@ -158,7 +161,7 @@ sslarch=linux-generic32
 # usable on all platforms.  The Configure script already knows to use -fPIC and
 # RPM_OPT_FLAGS, so we can skip specifiying them here.
 ./Configure  \
-	 --prefix=%{_prefix} --openssldir=%{_datadir}/ssl ${sslflags} \
+	 --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	 zlib-dynamic enable-camellia enable-seed enable-tlsext \
 	 enable-rfc3779 enable-cms enable-md2 \
 	 --enginesdir=%{_libdir}/openssl/engines \
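Review bot: Changing `--openssldir` to `%{_sysconfdir}/pki/tls` moves the default `openssl.cnf` and the default CA lookup paths, but nothing in the visible hunks carries over an admin-edited `%{_datadir}/ssl/openssl.cnf` or locally added certificates and keys from the old tree. Because the old file was `%config(noreplace)`, local hardening in it would stop applying after the upgrade without any notice. A `%pre`/`%post` step that copies or warns about a modified old config, or at least a changelog line naming the path change, would make this visible. The rest of the spec is outside this page, so confirm no such scriptlet already exists. The `./Configure` invocation continues past the end of this hunk.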
@@ -194,8 +197,8 @@ install -m 755 *.so.* $RPM_BUILD_ROOT%{_libdir}
 mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl
 # mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :
 mv $RPM_BUILD_ROOT%{_libdir}/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/
-mv $RPM_BUILD_ROOT%{_datadir}/ssl/man/* $RPM_BUILD_ROOT%{_mandir}
-rmdir $RPM_BUILD_ROOT%{_datadir}/ssl/man
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}
+rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
 rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT/%{_lib}/*.so.%{soversion}
 for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do
 	chmod 755 ${lib}
@@ -206,9 +209,10 @@ done
 
 # Install a makefile for generating keys and self-signed certs, and a script
 # for generating them on the fly.
-mkdir -p $RPM_BUILD_ROOT%{_datadir}/ssl/certs
-install -m644 $RPM_SOURCE_DIR/Makefile.certificate $RPM_BUILD_ROOT%{_datadir}/ssl/certs/Makefile
-install -m644 $RPM_SOURCE_DIR/make-dummy-cert      $RPM_BUILD_ROOT%{_datadir}/ssl/certs/make-dummy-cert
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
+install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert
+install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
 
 # Make sure we actually include the headers we built against.
 for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
@@ -229,27 +233,19 @@ for section in 1 2 3 4 5 6 7 8 ; do
 done
 
 # Pick a CA script.
-pushd  $RPM_BUILD_ROOT%{_datadir}/ssl/misc
+pushd  $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc
 mv CA.sh CA
 popd
 
-# Install root CA stuffs.
-cat %{SOURCE3} > ca-bundle.crt
-install -m644 ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/certs/
-ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
+mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
 
-# Fix libdir.
-#sed 's,^libdir=${exec_prefix}/lib,libdir=${exec_prefix}/%{_lib},g' \
-# sed 's,^libdir=/usr/lib,libdir=%{_libdir},g' \
-#         $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/openssl.pc > \
-#         $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/openssl.pc.tmp && \
-# cat $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/openssl.pc.tmp > \
-#         $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/openssl.pc && \
-# rm -f $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/openssl.pc.tmp
-
-# remove file
-## moved docdir in openssl-perl sub package from 1.0.0c-3
-%__rm -f $RPM_BUILD_ROOT%{_datadir}/ssl/misc/tsget
+# Ensure the openssl.cnf timestamp is identical across builds to avoid
+# mulitlib conflicts and unnecessary renames on upgrade
+touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
 
 %clean
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
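Review bot: Dropping the `%__rm -f` of `misc/tsget` appears to leave `tsget` in the build root under `%{_sysconfdir}/pki/tls/misc`, while its `%files` entry stays commented out (`#%{_sysconfdir}/pki/tls/misc/tsget`, in the later openssl-perl hunk). This assumes the upstream install step still places the script there, as the removed lines implied. With unpackaged-file checking enabled the build would stop, so keep the removal and point it at the new path: `rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget`. The new comment above `touch -r` also misspells "multilib" as `mulitlib`.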
@@ -260,14 +256,22 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 %doc doc/README doc/c-indentation.el doc/openssl.txt
 %doc doc/openssl_button.html doc/openssl_button.gif
 %doc doc/ssleay.txt
-%dir %{_datadir}/ssl
-%{_datadir}/ssl/certs
-%{_datadir}/ssl/cert.pem
-%{_datadir}/ssl/misc/CA
-%{_datadir}/ssl/misc/c_*
-%{_datadir}/ssl/private
 
-%config(noreplace) %{_datadir}/ssl/openssl.cnf
+%{_sysconfdir}/pki/tls/certs/make-dummy-cert
+%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
+%{_sysconfdir}/pki/tls/certs/Makefile
+%{_sysconfdir}/pki/tls/misc/CA
+%dir %{_sysconfdir}/pki/CA
+%dir %{_sysconfdir}/pki/CA/private
+%dir %{_sysconfdir}/pki/CA/certs
+%dir %{_sysconfdir}/pki/CA/crl
+%dir %{_sysconfdir}/pki/CA/newcerts
+%{_sysconfdir}/pki/tls/misc/c_*
+%dir %{_sysconfdir}/pki/tls
+%dir %{_sysconfdir}/pki/tls/certs
+%dir %{_sysconfdir}/pki/tls/misc
+%dir %{_sysconfdir}/pki/tls/private
+%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
 
 %attr(0755,root,root) %{_bindir}/openssl
 %attr(0755,root,root) /%{_lib}/*.so.*
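Review bot: No visible line sets a mode for `%dir %{_sysconfdir}/pki/tls/private`, so it is packaged with whatever the upstream install step created, whereas `CA/private` is made explicitly with `mkdir -m700`. This directory is where server private keys are conventionally placed, so state its permissions in the file list if that matches distribution policy, e.g. `%attr(0700,root,root) %dir %{_sysconfdir}/pki/tls/private`. Ownership of `%dir %{_sysconfdir}/pki/CA/private` likewise depends on a `%defattr` that is not visible in this hunk, so an explicit `%attr` there would remove the doubt.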
@@ -297,8 +301,8 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 %attr(0755,root,root) %{_bindir}/c_rehash
 %attr(0755,root,root) %dir %{_mandir}/man1*
 %attr(0644,root,root) %{_mandir}/man1*/*.pl*
-%{_datadir}/ssl/misc/*.pl
-# %{_datadir}/ssl/misc/tsget
+%{_sysconfdir}/pki/tls/misc/*.pl
+#%{_sysconfdir}/pki/tls/misc/tsget
 %doc apps/tsget
 
 ## to build compat32 for x86_64 architecture support
@@ -323,7 +327,10 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 %postun -n compat32-%{name} -p /sbin/ldconfig
 
 %changelog
-* Tue Feb 12 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2.1.4-1
+* Tue Sep 24 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1e-2
+- move root CA bundle to ca-certificates package
+
+* Tue Feb 12 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1e-1
 - update to 1.0.1e
   - 1.0.1d has major regressions from 1.0.1c
 
@@ -414,7 +421,7 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 - new upstream release
 - new versioning policy
 
-* Fri Oct 27 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8g-0vl1
+* Sat Oct 27 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8g-0vl1
 - new upstream release
 - drop patch10,20 which is merged in upstream
 
@@ -430,7 +437,7 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 * Tue May 15 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8e-0vl1
 - new upstream release
 
-* Sat Dec 24 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl2
+* Sun Dec 24 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl2
 - update (fix) openssl.pc <BTS:437>
 
 * Fri Sep 29 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl1
@@ -484,7 +491,7 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 * Wed Jun 04 2003 HOTTA Michihide <hotta@net-newbie.com> 0.9.6j-0vl2
 - add openssl.pc for pkgconfig
 
-* Fri Mar 11 2003 Satoshi MACHINO <machino@vinelinux.org> 0.9.6j-0vl1
+* Tue Mar 11 2003 Satoshi MACHINO <machino@vinelinux.org> 0.9.6j-0vl1
 - New upstream version
 - dropped patch10, 11
 	-- merged upstream version
@@ -574,7 +581,7 @@ ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{_datadir}/ssl/cert.pem
 - adjust the hobble script to not disturb symlinks in include/ (fix from
   Joe Orton)
 
-* Fri Apr 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+* Thu Apr 26 2001 Nalin Dahyabhai <nalin@redhat.com>
 - drop the m2crypo patch we weren't using
 
 * Tue Apr 24 2001 Nalin Dahyabhai <nalin@redhat.com>