ca-certificates-vl.spec 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
  1. %define pkidir %{_sysconfdir}/pki
  2. # this year
  3. %define year 2021
  4. # latest nss release.
  5. # reference: https://hg.mozilla.org/projects/nss
  6. %define nss_version 3_63
  7. # NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
  8. %define ckbi_version 2.48
  9. %define java_version 1.8.0
  10. Summary: The Mozilla CA root certificate bundle
  11. Summary(ja): Mozilla の CA ルート証明書バンドル
  12. Name: ca-certificates
  13. Version: %{year}.%{ckbi_version}
  14. Release: 1%{?_dist_release}
  15. Group: system,security
  16. Vendor: Project Vine
  17. Distribution: Vine Linux.
  18. License: MPL2
  19. # see also: https://nss-crypto.org/
  20. URL: http://www.mozilla.org/
  21. Source0: https://hg.mozilla.org/projects/nss/raw-file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/certdata.txt
  22. Source1: blacklist.txt
  23. Source2: generate-cacerts.pl
  24. Source3: certdata2pem.py
  25. BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
  26. BuildRequires: perl, java-%{java_version}-openjdk-headless, python, rcs
  27. BuildArch: noarch
  28. %description
  29. This package contains the set of CA certificates chosen by the
  30. Mozilla Foundation for use with the Internet PKI.
  31. %prep
  32. rm -rf %{name}
  33. mkdir %{name} %{name}/certs %{name}/java
  34. %build
  35. pushd %{name}/certs
  36. cp %{SOURCE0} %{SOURCE1} .
  37. python %{SOURCE3}
  38. popd
  39. pushd %{name}
  40. (
  41. cat <<EOF
  42. # This is a bundle of X.509 certificates of public Certificate
  43. # Authorities. It was generated from the Mozilla root CA list.
  44. #
  45. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  46. #
  47. # Generated from:
  48. EOF
  49. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  50. echo '#';
  51. ) > ca-bundle.crt
  52. (
  53. cat <<EOF
  54. # This is a bundle of X.509 certificates of public Certificate
  55. # Authorities. It was generated from the Mozilla root CA list.
  56. # These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
  57. # format and have trust bits set accordingly.
  58. #
  59. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  60. #
  61. # Generated from:
  62. EOF
  63. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  64. echo '#';
  65. ) > ca-bundle.trust.crt
  66. for f in certs/*.crt; do
  67. tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
  68. case $tbits in
  69. *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  70. esac
  71. if [ -n "$tbits" ]; then
  72. targs=""
  73. for t in $tbits; do
  74. targs="${targs} -addtrust $t"
  75. done
  76. openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
  77. fi
  78. done
  79. popd
  80. pushd %{name}/java
  81. test -s ../ca-bundle.crt || exit 1
  82. %{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
  83. touch -r %{SOURCE0} cacerts
  84. popd
  85. %install
  86. rm -rf $RPM_BUILD_ROOT
  87. mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
  88. install -p -m 644 %{name}/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  89. install -p -m 644 %{name}/ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  90. ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
  91. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  92. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  93. # Install Java cacerts file.
  94. mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
  95. install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
  96. # /etc/ssl/certs symlink for 3rd-party tools
  97. mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
  98. ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
  99. %clean
  100. rm -rf $RPM_BUILD_ROOT
  101. %files
  102. %defattr(-,root,root,-)
  103. %dir %{pkidir}/java
  104. %config(noreplace) %{pkidir}/java/cacerts
  105. %dir %{pkidir}/tls
  106. %dir %{pkidir}/tls/certs
  107. %config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
  108. %{pkidir}/tls/cert.pem
  109. %dir %{_sysconfdir}/ssl
  110. %{_sysconfdir}/ssl/certs
  111. %changelog
  112. * Mon Mar 22 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.48-1
  113. - updated to 2.48.
  114. * Thu Feb 25 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.46-1
  115. - updated to 2.46.
  116. * Sat Mar 21 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2020.2.40-1
  117. - updated to 2.40.
  118. * Tue Nov 20 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.28-1
  119. - updated to 2.28.
  120. * Tue Mar 13 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.22-1
  121. - updated to 2.22.
  122. * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-2
  123. - changed "License:" to MPL2.
  124. * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-1
  125. - updated to 2.6.
  126. * Thu Feb 06 2014 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.96-1
  127. - update to 1.96
  128. * Wed Sep 25 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.94-1
  129. - update to 1.94
  130. * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1
  131. - update to r1.85
  132. * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1
  133. - initial build for Vine Linux
  134. * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
  135. - update to r1.81
  136. * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
  137. - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
  138. * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
  139. - update to r1.80
  140. - fix handling of certs with dublicate Subject names (#733032)
  141. * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
  142. - update to r1.78, removing trust from DigiNotar root (#734679)
  143. * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
  144. - update to r1.75
  145. * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
  146. - update to r1.74
  147. * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
  148. - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
  149. * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
  150. - update to r1.70
  151. * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
  152. - update to r1.65
  153. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
  154. - package /etc/ssl/certs symlink for third-party apps (#572725)
  155. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
  156. - rebuild
  157. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
  158. - update to certdata.txt r1.63
  159. - use upstream RCS version in Version
  160. * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
  161. - fix ca-bundle.crt (#575111)
  162. * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
  163. - update to certdata.txt r1.58
  164. - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
  165. - exclude ECC certs from the Java cacerts database
  166. - catch keytool failures
  167. - fail parsing certdata.txt on finding untrusted but not blacklisted cert
  168. * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
  169. - fix Java cacert database generation: use Subject rather than Issuer
  170. for alias name; add diagnostics; fix some alias names.
  171. * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
  172. - adopt Python certdata.txt parsing script from Debian
  173. * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
  174. - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
  175. * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
  176. - update to certdata.txt r1.53
  177. * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
  178. - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
  179. * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
  180. - update to certdata.txt r1.49
  181. * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
  182. - Change generate-cacerts.pl to produce pretty aliases.
  183. * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
  184. - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
  185. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
  186. - use package name for temp dir, recreate it in prep
  187. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
  188. - fix source script perms
  189. - mark packaged files as config(noreplace)
  190. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
  191. - add (but don't use) mkcabundle.pl
  192. - tweak description
  193. - use /usr/bin/keytool directly; BR java-openjdk
  194. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
  195. - Initial build (#448497)