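# Root of the system PKI tree; every packaged path below hangs off it.
%define pkidir %{_sysconfdir}/pki

# Calendar year, first component of Version.
%define year 2021

# NSS release tag that certdata.txt is taken from.
# reference: https://hg.mozilla.org/projects/nss
%define nss_version 3_63

# NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
%define ckbi_version 2.48

# OpenJDK series whose keytool builds the Java keystore.
%define java_version 1.8.0

Name: ca-certificates
Version: %{year}.%{ckbi_version}
Release: 1%{?_dist_release}
Summary: The Mozilla CA root certificate bundle
Summary(ja): Mozilla の CA ルート証明書バンドル
License: MPL2
Group: system,security
Vendor: Project Vine
Distribution: Vine Linux.
# see also: https://nss-crypto.org/
URL: http://www.mozilla.org/

# certdata.txt is the only input for every trust anchor this package ships.
# NOTE(review): nothing in this spec checks the file against a pinned digest
# or signature, so compare it with the NSS release tag named above whenever
# nss_version is bumped.
Source0: https://hg.mozilla.org/projects/nss/raw-file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/certdata.txt
# Copied next to certdata.txt before the Python script runs; presumably the
# list of certificates to leave out -- confirm against certdata2pem.py.
Source1: blacklist.txt
Source2: generate-cacerts.pl
Source3: certdata2pem.py

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildArch: noarch

BuildRequires: perl
BuildRequires: java-%{java_version}-openjdk-headless
BuildRequires: python
# rcs supplies the ident command used for the bundle header.
BuildRequires: rcs
# The build section calls "openssl x509" for every certificate, so declare it
# instead of relying on it being present in the build environment.
BuildRequires: openssl

%description
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.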
%prep
# Always start from an empty scratch tree named after the package, so no
# certificate file from an earlier build can leak into this one.
rm -rf %{name}
mkdir %{name}
mkdir %{name}/certs %{name}/java
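%build
# Stage 1: split certdata.txt into individual certificate files.
# The Python script runs inside certs/ with certdata.txt and blacklist.txt
# beside it. The loop further down expects it to leave certs/*.crt files
# there, each with a "# openssl-trust=..." line naming its trust purposes.
pushd %{name}/certs
cp %{SOURCE0} %{SOURCE1} .
python %{SOURCE3}
popd

pushd %{name}

# Stage 2: start both bundles with a provenance header. The ident output
# records the RCS keywords found in certdata.txt.
(
  cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
  ident -q %{SOURCE0} | sed '1d;s/^/#/'
  echo '#'
) > ca-bundle.crt

(
  cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
  ident -q %{SOURCE0} | sed '1d;s/^/#/'
  echo '#'
) > ca-bundle.trust.crt

# Stage 3: append each certificate to the bundle(s) its trust bits allow.
for f in certs/*.crt; do
  # Text after the '=' on the "# openssl-trust" line: the trust purposes.
  tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f")

  # Only roots trusted for TLS server authentication enter ca-bundle.crt,
  # the file that cert.pem and most TLS clients end up reading.
  case "$tbits" in
    *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  esac

  # A certificate with no trust purposes is left out of both bundles.
  if [ -n "$tbits" ]; then
    targs=""
    # $tbits and $targs are split on purpose: one -addtrust per purpose.
    for t in $tbits; do
      targs="${targs} -addtrust $t"
    done
    openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
  fi
done

# The header alone makes both files non-empty, so a size test cannot tell
# whether any certificate was written. Require at least one PEM block in
# each bundle before anything is derived from them.
grep -q -e '-----BEGIN CERTIFICATE-----' ca-bundle.crt || exit 1
grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' ca-bundle.trust.crt || exit 1
popd

# Stage 4: build the Java keystore from the server-auth bundle.
pushd %{name}/java
test -s ../ca-bundle.crt || exit 1
%{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
# touch would create an empty cacerts if the script had written none, and
# the install section would then ship it; stop here instead.
test -s cacerts || exit 1
touch -r %{SOURCE0} cacerts
popd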
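%install
rm -rf "$RPM_BUILD_ROOT"

# Create every packaged directory with an explicit mode. The files list uses
# defattr(-,root,root,-), so the mode found on disk is the mode that gets
# packaged; without -m it would follow the umask of the build host.
# The earlier "mkdir -p -m 700" on the java directory ran after that
# directory already existed, so its mode never applied; 0700 would also have
# hidden the world-readable cacerts file from every non-root user.
mkdir -p -m 755 \
  "$RPM_BUILD_ROOT%{pkidir}/tls" \
  "$RPM_BUILD_ROOT%{pkidir}/tls/certs" \
  "$RPM_BUILD_ROOT%{pkidir}/java" \
  "$RPM_BUILD_ROOT%{_sysconfdir}/ssl"

# PEM bundles, plus the cert.pem alias that points at ca-bundle.crt.
install -p -m 644 %{name}/ca-bundle.crt "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt"
install -p -m 644 %{name}/ca-bundle.trust.crt "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt"
ln -s certs/ca-bundle.crt "$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem"

# Give the bundles the timestamp of certdata.txt rather than the build time.
touch -r %{SOURCE0} "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt"
touch -r %{SOURCE0} "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt"

# Install Java cacerts file.
install -p -m 644 %{name}/java/cacerts "$RPM_BUILD_ROOT%{pkidir}/java/"

# /etc/ssl/certs symlink for 3rd-party tools. The relative target assumes
# pkidir is the pki directory directly under the system config directory.
ln -s ../pki/tls/certs "$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs"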
%clean
# Drop the staging tree once the package has been written.
rm -rf ${RPM_BUILD_ROOT}
%files
%defattr(-,root,root,-)

# PEM trust store and the cert.pem alias.
# Both bundles and the Java keystore are marked config(noreplace): a copy
# edited on the host is kept across upgrades and the packaged one is written
# beside it as .rpmnew, so a root that upstream has distrusted stays trusted
# on such a host until the administrator merges the new file.
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
%{pkidir}/tls/cert.pem

# Java keystore.
%dir %{pkidir}/java
%config(noreplace) %{pkidir}/java/cacerts

# Compatibility symlink for tools that look in /etc/ssl/certs.
%dir %{_sysconfdir}/ssl
%{_sysconfdir}/ssl/certs
- %changelog
- * Mon Mar 22 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.48-1
- - updated to 2.48.
- * Thu Feb 25 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.46-1
- - updated to 2.46.
- * Sat Mar 21 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2020.2.40-1
- - updated to 2.40.
- * Tue Nov 20 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.28-1
- - updated to 2.28.
- * Tue Mar 13 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.22-1
- - updated to 2.22.
- * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-2
- - changed "License:" to MPL2.
- * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-1
- - updated to 2.6.
- * Thu Feb 06 2014 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.96-1
- - update to 1.96
- * Wed Sep 25 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.94-1
- - update to 1.94
- * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1
- - update to r1.85
- * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1
- - initial build for Vine Linux
- * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
- - update to r1.81
- * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
- - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
- * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
- - update to r1.80
- - fix handling of certs with duplicate Subject names (#733032)
- * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
- - update to r1.78, removing trust from DigiNotar root (#734679)
- * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
- - update to r1.75
- * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
- - update to r1.74
- * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
- - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
- * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
- - update to r1.70
- * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
- - update to r1.65
- * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
- - package /etc/ssl/certs symlink for third-party apps (#572725)
- * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
- - rebuild
- * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
- - update to certdata.txt r1.63
- - use upstream RCS version in Version
- * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
- - fix ca-bundle.crt (#575111)
- * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
- - update to certdata.txt r1.58
- - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTIFICATE' format
- - exclude ECC certs from the Java cacerts database
- - catch keytool failures
- - fail parsing certdata.txt on finding untrusted but not blacklisted cert
- * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
- - fix Java cacert database generation: use Subject rather than Issuer
- for alias name; add diagnostics; fix some alias names.
- * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
- - adopt Python certdata.txt parsing script from Debian
- * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
- - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
- * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
- - update to certdata.txt r1.53
- * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
- - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
- * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
- - update to certdata.txt r1.49
- * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
- - Change generate-cacerts.pl to produce pretty aliases.
- * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
- - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
- * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
- - use package name for temp dir, recreate it in prep
- * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
- - fix source script perms
- - mark packaged files as config(noreplace)
- * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
- - add (but don't use) mkcabundle.pl
- - tweak description
- - use /usr/bin/keytool directly; BR java-openjdk
- * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
- - Initial build (#448497)