pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/ca-certificates security/ca-certificates: Add...
details: https://anonhg.NetBSD.org/pkgsrc/rev/916bca62c3eb
branches: trunk
changeset: 380672:916bca62c3eb
user: kim <kim%pkgsrc.org@localhost>
date: Sun Jun 12 07:05:30 2022 +0000
description:
security/ca-certificates: Add configurability for certificate store
- The location of the system certificate store can now be set using
a new configuration file (ca-certificates-dir.conf).
- Installing the certificates to the system certificate store must
be enabled by the administrator.
diffstat:
security/ca-certificates/DESCR | 30 ++--
security/ca-certificates/Makefile | 22 ++-
security/ca-certificates/PLIST | 3 +-
security/ca-certificates/distinfo | 4 +-
security/ca-certificates/files/README.pkgsrc | 19 ++-
security/ca-certificates/files/ca-certificates-dir.conf | 8 +
security/ca-certificates/patches/patch-sbin_update-ca-certificates | 59 +++++++++-
7 files changed, 109 insertions(+), 36 deletions(-)
diffs (237 lines):
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/DESCR
--- a/security/ca-certificates/DESCR Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/DESCR Sun Jun 12 07:05:30 2022 +0000
@@ -1,20 +1,20 @@
-This package provides the root certificates distributed by the Mozilla
-Project as curated by Debian in their package of the same name, along
-with tools to manage the set of configured trust anchors for openssl.
+This package contains the update-ca-certificates(8) tool maintained by
+the Debian Project (in the ca-certificates package they distribute) to
+manage the set of configured trust anchors for openssl.
-\todo Explain if Debian adds or removes, or if this is exactly the
-same set.
+The ca-certificates framework enables the sysadmin to configure the
+certificates to install, using multiple sources of CA certificates, for
+example to include local CAs. See update-ca-certificates(8) for details.
-NB: Installing this package will modify the configuration of the
-openssl implementation used by pkgsrc, which is either the base system
-openssl or pkgsrc openssl. The modification is configuring every
-certificate as a trust anchor. Modification of system configuration
-files is very irregular as pkgsrc should not write anything outside of
-${PREFIX}.
+This package also contains the certificate authorities shipped with
+Mozilla's browser to allow SSL-based applications to check for the
+authenticity of SSL connections.
-The sysadmin can exclude CA certificates from the list of trust
-anchors and also add local certificates as configured trust anchors by
-editing ca-certificates.conf and re-running update-ca-certificates.
+Please note that Debian, NetBSD, and pkgsrc can neither confirm nor deny
+whether the certificate authorities whose certificates are included in
+this package have in any way been audited for trustworthiness or RFC
+3647 compliance. Full responsibility to assess them belongs to the
+local system administrator.
See also the mozilla-rootcerts and mozilla-rootcerts-openssl packages
-for an alternative approach.
+for alternative approaches to installing CA certificates.
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/Makefile
--- a/security/ca-certificates/Makefile Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/Makefile Sun Jun 12 07:05:30 2022 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6 2022/04/21 11:00:00 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2022/06/12 07:05:30 kim Exp $
PKGNAME= ca-certificates-20211016
-PKGREVISION= 1
+PKGREVISION= 3
DISTNAME= ${PKGNAME_NOREV:C/-([^-]*)$/_\1/}
CATEGORIES= security
MASTER_SITES= http://deb.debian.org/debian/pool/main/c/ca-certificates/
@@ -25,10 +25,9 @@
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
MANDIR= ${PREFIX}/${PKGMANDIR}/man8
-# Set paths depending on whether we depend on builtin or pkgsrc
-# openssl. \todo Arguably, we should consider installing into both
-# builtin and pkgsrc, if both exist, but this requires much more
-# thought.
+# Set default certificate store path depending on whether we depend on
+# builtin or pkgsrc openssl.
+
CHECK_BUILTIN.openssl= yes
.include "../../security/openssl/builtin.mk"
CHECK_BUILTIN.openssl= no
@@ -47,20 +46,24 @@
SUBST_STAGE.paths= post-build
SUBST_FILES.paths= Makefile sbin/Makefile
SUBST_FILES.paths+= ca-certificates.conf
+SUBST_FILES.paths+= ca-certificates-dir.conf
SUBST_FILES.paths+= sbin/update-ca-certificates sbin/update-ca-certificates.8
SUBST_FILES.paths+= README.pkgsrc
SUBST_SED.paths= -e 's,/usr/sbin,${PREFIX}/sbin,g'
-SUBST_SED.paths+= -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'
+SUBST_SED.paths+= -e 's,/etc/ca-certificates,${PKG_SYSCONFDIR}/ca-certificates,g'
SUBST_SED.paths+= -e 's,/etc/ssl,${SSLDIR},g'
SUBST_SED.paths+= -e 's,/usr/share/ca-certificates,${DATADIR},g'
INSTALLATION_DIRS= sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR}
CONF_FILES= ${EGDIR}/ca-certificates.conf \
- ${PKG_SYSCONFDIR}/ca-certificates.conf
+ ${PKG_SYSCONFDIR}/ca-certificates.conf \
+ ${EGDIR}/ca-certificates-dir.conf \
+ ${PKG_SYSCONFDIR}/ca-certificates-dir.conf
pre-build:
- @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/
+ @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/ca-certificates-dir.conf \
+ ${FILESDIR}/README.pkgsrc ${WRKSRC}/
@${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
>> ${WRKSRC}/ca-certificates.conf
@@ -78,6 +81,7 @@
${DESTDIR}${DOCDIR}/
${INSTALL_DATA} \
${WRKSRC}/ca-certificates.conf \
+ ${WRKSRC}/ca-certificates-dir.conf \
${DESTDIR}${EGDIR}/
.include "../../lang/python/tool.mk"
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/PLIST
--- a/security/ca-certificates/PLIST Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/PLIST Sun Jun 12 07:05:30 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2022/02/28 05:48:44 kim Exp $
+@comment $NetBSD: PLIST,v 1.5 2022/06/12 07:05:30 kim Exp $
man/man8/update-ca-certificates.8
sbin/update-ca-certificates
share/ca-certificates/mozilla/ACCVRAIZ1.crt
@@ -132,3 +132,4 @@
share/doc/ca-certificates/README.source
share/doc/ca-certificates/changelog
share/examples/ca-certificates/ca-certificates.conf
+share/examples/ca-certificates/ca-certificates-dir.conf
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/distinfo
--- a/security/ca-certificates/distinfo Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/distinfo Sun Jun 12 07:05:30 2022 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.6 2022/02/28 06:46:52 kim Exp $
+$NetBSD: distinfo,v 1.7 2022/06/12 07:05:30 kim Exp $
BLAKE2s (ca-certificates_20211016.tar.xz) = ee1b82472068aef176dbc9dab2099848e299dbcc92ac309ba5a906a98414731d
SHA512 (ca-certificates_20211016.tar.xz) = bedf072c8aa1b05b249ea272f5cecfe16bdcd762c02c712323f12ac7a278e8814453f5f3caad86a2581e451788b292ed3a76a6a81620926459bb890133cffde1
Size (ca-certificates_20211016.tar.xz) = 239608 bytes
-SHA1 (patch-sbin_update-ca-certificates) = def57fb7ed7b271ac01b92f5a2124d1120f40cef
+SHA1 (patch-sbin_update-ca-certificates) = e57e4c0ec2be335f6d901c865a7b0a33405fd7f2
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/files/README.pkgsrc
--- a/security/ca-certificates/files/README.pkgsrc Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/files/README.pkgsrc Sun Jun 12 07:05:30 2022 +0000
@@ -1,12 +1,19 @@
-$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $
+$NetBSD: README.pkgsrc,v 1.2 2022/06/12 07:05:30 kim Exp $
This package provides the certificates distributed by the Mozilla
-Project and will, by default, install certificates trusted by the
-Mozilla Project in the system certificate store (/etc/ssl),
-so that they can be used by third party applications using OpenSSL.
+Project and can be used to install the certificates trusted by the
+Mozilla Project in the system certificate store, so that they can be
+used by third party applications using OpenSSL.
+
+To enable management of the system certificate store and to set its
+location, edit the configuration in
-Edit /etc/ca-certificates.conf to further configure which
-certificates are installed.
+ /etc/ca-certificates-dir.conf
+
+To further select which certificates are installed, you can edit the
+configuration in
+
+ /etc/ca-certificates.conf
To install local certificate authorities to be implicitly trusted,
place the certificate files in /usr/local/share/ca-certificates/
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/files/ca-certificates-dir.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/ca-certificates/files/ca-certificates-dir.conf Sun Jun 12 07:05:30 2022 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: ca-certificates-dir.conf,v 1.1 2022/06/12 07:05:30 kim Exp $
+#
+# The directory managed by update-ca-certificates(8)
+#
+#ETCCERTSDIR=/etc/ssl/certs
+#
+# Remove the # to uncomment the setting and to enable managing
+# installed certificates in the specified directory.
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/patches/patch-sbin_update-ca-certificates
--- a/security/ca-certificates/patches/patch-sbin_update-ca-certificates Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/patches/patch-sbin_update-ca-certificates Sun Jun 12 07:05:30 2022 +0000
@@ -1,8 +1,61 @@
-$NetBSD: patch-sbin_update-ca-certificates,v 1.1 2022/02/28 06:46:52 kim Exp $
+$NetBSD: patch-sbin_update-ca-certificates,v 1.2 2022/06/12 07:05:30 kim Exp $
--- sbin/update-ca-certificates.orig 2021-10-16 16:09:43.000000000 +0000
-+++ sbin/update-ca-certificates 2022-02-28 06:38:12.674110664 +0000
-@@ -81,8 +81,8 @@
++++ sbin/update-ca-certificates 2022-06-12 16:09:43.000000000 +0000
+@@ -28,9 +28,23 @@
+ CERTSDIR=/usr/share/ca-certificates
+ LOCALCERTSDIR=/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+-ETCCERTSDIR=/etc/ssl/certs
++ETCCERTSDIR=disabled
++ETCCERTSDIRCONF=/etc/ca-certificates-dir.conf
+ HOOKSDIR=/etc/ca-certificates/update.d
+
++if [ -s "$ETCCERTSDIRCONF" ]
++then
++ _ETCCERTSDIR="$(sed -n -e '
++ /^ETCCERTSDIR=/ {
++ s///;
++ s/#.*$//;
++ s/ *$//;
++ s/^ *//;
++ p;
++ }' "$ETCCERTSDIRCONF")"
++ ETCCERTSDIR="${_ETCCERTSDIR:-${ETCCERTSDIR}}"
++fi
++
+ while [ $# -gt 0 ];
+ do
+ case $1 in
+@@ -66,6 +80,27 @@
+ shift
+ done
+
++case "$ETCCERTSDIR" in
++disabled)
++ cat <<-EOF
++ Please enable update-ca-certificates by editing
++ $ETCCERTSDIRCONF
++ and then run it again.
++ EOF
++ exit 1
++ ;;
++/*)
++ ;;
++*)
++ cat <<-EOF
++ Please set ETCCERTSDIR to an absolute path in
++ $ETCCERTSDIRCONF
++ and then run it again.
++ EOF
++ exit 1
++ ;;
++esac
++
+ if [ ! -s "$CERTSCONF" ]
+ then
+ fresh=1
+@@ -81,8 +116,8 @@
# Helper files. (Some of them are not simple arrays because we spawn
# subshells later on.)
TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
Home |
Main Index |
Thread Index |
Old Index