ca-certificates-vl.spec 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238
  1. %define pkidir %{_sysconfdir}/pki
  2. # this year
  3. %define year 2018
  4. # latest nss release.
  5. # reference: https://hg.mozilla.org/projects/nss
  6. %define nss_version 3_40
  7. # NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
  8. %define ckbi_version 2.28
  9. %define java_version 1.8.0
  10. Summary: The Mozilla CA root certificate bundle
  11. Summary(ja): Mozilla の CA ルート証明書バンドル
  12. Name: ca-certificates
  13. Version: %{year}.%{ckbi_version}
  14. Release: 1%{?_dist_release}
  15. License: MPL2
  16. Group: System Environment/Base
  17. URL: http://www.mozilla.org/
  18. Source0: https://hg.mozilla.org/projects/nss/raw-file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/certdata.txt
  19. Source1: blacklist.txt
  20. Source2: generate-cacerts.pl
  21. Source3: certdata2pem.py
  22. BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
  23. BuildRequires: perl, java-%{java_version}-openjdk-headless, python, rcs
  24. BuildArch: noarch
  25. Vendor: Project Vine
  26. Distribution: Vine Linux.
  27. %description
  28. This package contains the set of CA certificates chosen by the
  29. Mozilla Foundation for use with the Internet PKI.
  30. %prep
  31. rm -rf %{name}
  32. mkdir %{name} %{name}/certs %{name}/java
  33. %build
  34. pushd %{name}/certs
  35. cp %{SOURCE0} %{SOURCE1} .
  36. python %{SOURCE3}
  37. popd
  38. pushd %{name}
  39. (
  40. cat <<EOF
  41. # This is a bundle of X.509 certificates of public Certificate
  42. # Authorities. It was generated from the Mozilla root CA list.
  43. #
  44. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  45. #
  46. # Generated from:
  47. EOF
  48. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  49. echo '#';
  50. ) > ca-bundle.crt
  51. (
  52. cat <<EOF
  53. # This is a bundle of X.509 certificates of public Certificate
  54. # Authorities. It was generated from the Mozilla root CA list.
  55. # These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
  56. # format and have trust bits set accordingly.
  57. #
  58. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  59. #
  60. # Generated from:
  61. EOF
  62. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  63. echo '#';
  64. ) > ca-bundle.trust.crt
  65. for f in certs/*.crt; do
  66. tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
  67. case $tbits in
  68. *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  69. esac
  70. if [ -n "$tbits" ]; then
  71. targs=""
  72. for t in $tbits; do
  73. targs="${targs} -addtrust $t"
  74. done
  75. openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
  76. fi
  77. done
  78. popd
  79. pushd %{name}/java
  80. test -s ../ca-bundle.crt || exit 1
  81. %{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
  82. touch -r %{SOURCE0} cacerts
  83. popd
  84. %install
  85. rm -rf $RPM_BUILD_ROOT
  86. mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
  87. install -p -m 644 %{name}/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  88. install -p -m 644 %{name}/ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  89. ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
  90. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  91. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  92. # Install Java cacerts file.
  93. mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
  94. install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
  95. # /etc/ssl/certs symlink for 3rd-party tools
  96. mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
  97. ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
  98. %clean
  99. rm -rf $RPM_BUILD_ROOT
  100. %files
  101. %defattr(-,root,root,-)
  102. %dir %{pkidir}/java
  103. %config(noreplace) %{pkidir}/java/cacerts
  104. %dir %{pkidir}/tls
  105. %dir %{pkidir}/tls/certs
  106. %config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
  107. %{pkidir}/tls/cert.pem
  108. %dir %{_sysconfdir}/ssl
  109. %{_sysconfdir}/ssl/certs
  110. %changelog
  111. * Tue Nov 20 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.28-1
  112. - updated to 2.28.
  113. * Tue Mar 13 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.22-1
  114. - updated to 2.22.
  115. * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-2
  116. - changed "License:" to MPL2.
  117. * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-1
  118. - updated to 2.6.
  119. * Thu Feb 06 2014 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.96-1
  120. - update to 1.96
  121. * Wed Sep 25 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.94-1
  122. - update to 1.94
  123. * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1
  124. - update to r1.85
  125. * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1
  126. - initial build for Vine Linux
  127. * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
  128. - update to r1.81
  129. * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
  130. - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
  131. * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
  132. - update to r1.80
  133. - fix handling of certs with dublicate Subject names (#733032)
  134. * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
  135. - update to r1.78, removing trust from DigiNotar root (#734679)
  136. * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
  137. - update to r1.75
  138. * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
  139. - update to r1.74
  140. * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
  141. - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
  142. * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
  143. - update to r1.70
  144. * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
  145. - update to r1.65
  146. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
  147. - package /etc/ssl/certs symlink for third-party apps (#572725)
  148. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
  149. - rebuild
  150. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
  151. - update to certdata.txt r1.63
  152. - use upstream RCS version in Version
  153. * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
  154. - fix ca-bundle.crt (#575111)
  155. * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
  156. - update to certdata.txt r1.58
  157. - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
  158. - exclude ECC certs from the Java cacerts database
  159. - catch keytool failures
  160. - fail parsing certdata.txt on finding untrusted but not blacklisted cert
  161. * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
  162. - fix Java cacert database generation: use Subject rather than Issuer
  163. for alias name; add diagnostics; fix some alias names.
  164. * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
  165. - adopt Python certdata.txt parsing script from Debian
  166. * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
  167. - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
  168. * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
  169. - update to certdata.txt r1.53
  170. * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
  171. - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
  172. * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
  173. - update to certdata.txt r1.49
  174. * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
  175. - Change generate-cacerts.pl to produce pretty aliases.
  176. * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
  177. - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
  178. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
  179. - use package name for temp dir, recreate it in prep
  180. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
  181. - fix source script perms
  182. - mark packaged files as config(noreplace)
  183. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
  184. - add (but don't use) mkcabundle.pl
  185. - tweak description
  186. - use /usr/bin/keytool directly; BR java-openjdk
  187. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
  188. - Initial build (#448497)