

[pkgsrc/trunk]: pkgsrc/security/ca-certificates security/ca-certificates: Add...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/916bca62c3eb
branches:  trunk
changeset: 380672:916bca62c3eb
user:      kim <kim%pkgsrc.org@localhost>
date:      Sun Jun 12 07:05:30 2022 +0000

description:
security/ca-certificates: Add configurability for certificate store

- The location of the system certificate store can now be set using
  a new configuration file (ca-certificates-dir.conf).

- Installing the certificates to the system certificate store must
  be enabled by the administrator.

diffstat:

 security/ca-certificates/DESCR                                     |  30 ++--
 security/ca-certificates/Makefile                                  |  22 ++-
 security/ca-certificates/PLIST                                     |   3 +-
 security/ca-certificates/distinfo                                  |   4 +-
 security/ca-certificates/files/README.pkgsrc                       |  19 ++-
 security/ca-certificates/files/ca-certificates-dir.conf            |   8 +
 security/ca-certificates/patches/patch-sbin_update-ca-certificates |  59 +++++++++-
 7 files changed, 109 insertions(+), 36 deletions(-)

diffs (237 lines):

diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/DESCR
--- a/security/ca-certificates/DESCR    Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/DESCR    Sun Jun 12 07:05:30 2022 +0000
@@ -1,20 +1,20 @@
-This package provides the root certificates distributed by the Mozilla
-Project as curated by Debian in their package of the same name, along
-with tools to manage the set of configured trust anchors for openssl.
+This package contains the update-ca-certificates(8) tool maintained by
+the Debian Project (in the ca-certificates package they distribute) to
+manage the set of configured trust anchors for openssl.
 
-\todo Explain if Debian adds or removes, or if this is exactly the
-same set.
+The ca-certificates framework enables the sysadmin to configure the
+certificates to install, using multiple sources of CA certificates, for
+example to include local CAs. See update-ca-certificates(8) for details.
 
-NB: Installing this package will modify the configuration of the
-openssl implementation used by pkgsrc, which is either the base system
-openssl or pkgsrc openssl.  The modification is configuring every
-certificate as a trust anchor.  Modification of system configuration
-files is very irregular as pkgsrc should not write anything outside of
-${PREFIX}.
+This package also contains the certificate authorities shipped with
+Mozilla's browser to allow SSL-based applications to check for the
+authenticity of SSL connections.
 
-The sysadmin can exclude CA certificates from the list of trust
-anchors and also add local certificates as configured trust anchors by
-editing ca-certificates.conf and re-running update-ca-certificates.
+Please note that Debian, NetBSD, and pkgsrc can neither confirm nor deny
+whether the certificate authorities whose certificates are included in
+this package have in any way been audited for trustworthiness or RFC
+3647 compliance.  Full responsibility to assess them belongs to the
+local system administrator.
 
 See also the mozilla-rootcerts and mozilla-rootcerts-openssl packages
-for an alternative approach.
+for alternative approaches to installing CA certificates.
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/Makefile
--- a/security/ca-certificates/Makefile Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/Makefile Sun Jun 12 07:05:30 2022 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6 2022/04/21 11:00:00 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2022/06/12 07:05:30 kim Exp $
 
 PKGNAME=       ca-certificates-20211016
-PKGREVISION=   1
+PKGREVISION=   3
 DISTNAME=      ${PKGNAME_NOREV:C/-([^-]*)$/_\1/}
 CATEGORIES=    security
 MASTER_SITES=  http://deb.debian.org/debian/pool/main/c/ca-certificates/
@@ -25,10 +25,9 @@
 EGDIR=         ${PREFIX}/share/examples/${PKGBASE}
 MANDIR=                ${PREFIX}/${PKGMANDIR}/man8
 
-# Set paths depending on whether we depend on builtin or pkgsrc
-# openssl.  \todo Arguably, we should consider installing into both
-# builtin and pkgsrc, if both exist, but this requires much more
-# thought.
+# Set default certificate store path depending on whether we depend on
+# builtin or pkgsrc openssl.
+
 CHECK_BUILTIN.openssl= yes
 .include "../../security/openssl/builtin.mk"
 CHECK_BUILTIN.openssl= no
@@ -47,20 +46,24 @@
 SUBST_STAGE.paths=     post-build
 SUBST_FILES.paths=     Makefile sbin/Makefile
 SUBST_FILES.paths+=    ca-certificates.conf
+SUBST_FILES.paths+=    ca-certificates-dir.conf
 SUBST_FILES.paths+=    sbin/update-ca-certificates sbin/update-ca-certificates.8
 SUBST_FILES.paths+=    README.pkgsrc
 SUBST_SED.paths=       -e 's,/usr/sbin,${PREFIX}/sbin,g'
-SUBST_SED.paths+=      -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'
+SUBST_SED.paths+=      -e 's,/etc/ca-certificates,${PKG_SYSCONFDIR}/ca-certificates,g'
 SUBST_SED.paths+=      -e 's,/etc/ssl,${SSLDIR},g'
 SUBST_SED.paths+=      -e 's,/usr/share/ca-certificates,${DATADIR},g'
 
 INSTALLATION_DIRS=     sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR}
 
 CONF_FILES=            ${EGDIR}/ca-certificates.conf \
-                       ${PKG_SYSCONFDIR}/ca-certificates.conf
+                       ${PKG_SYSCONFDIR}/ca-certificates.conf \
+                       ${EGDIR}/ca-certificates-dir.conf \
+                       ${PKG_SYSCONFDIR}/ca-certificates-dir.conf
 
 pre-build:
-       @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/
+       @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/ca-certificates-dir.conf \
+           ${FILESDIR}/README.pkgsrc ${WRKSRC}/
        @${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
            >> ${WRKSRC}/ca-certificates.conf
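Review bot: The widened pattern in `SUBST_SED.paths+= -e 's,/etc/ca-certificates,${PKG_SYSCONFDIR}/ca-certificates,g'` no longer matches only the two conf files; it also rewrites `HOOKSDIR=/etc/ca-certificates/update.d` in sbin/update-ca-certificates (visible as context in the patch hunk further down), relocating the hooks directory under ${PKG_SYSCONFDIR}, which the commit description does not mention. If that relocation is intended, a comment such as `# also relocates the update.d hooks directory into PKG_SYSCONFDIR` on the line would record it; if not, keeping the old scope needs two anchored entries, `-e 's,/etc/ca-certificates\.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'` and `-e 's,/etc/ca-certificates-dir\.conf,${PKG_SYSCONFDIR}/ca-certificates-dir.conf,g'`. The old pattern left the `.` unescaped, so the anchored form is also slightly stricter than what was there before.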
 
@@ -78,6 +81,7 @@
            ${DESTDIR}${DOCDIR}/
        ${INSTALL_DATA} \
            ${WRKSRC}/ca-certificates.conf \
+           ${WRKSRC}/ca-certificates-dir.conf \
            ${DESTDIR}${EGDIR}/
 
 .include "../../lang/python/tool.mk"
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/PLIST
--- a/security/ca-certificates/PLIST    Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/PLIST    Sun Jun 12 07:05:30 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2022/02/28 05:48:44 kim Exp $
+@comment $NetBSD: PLIST,v 1.5 2022/06/12 07:05:30 kim Exp $
 man/man8/update-ca-certificates.8
 sbin/update-ca-certificates
 share/ca-certificates/mozilla/ACCVRAIZ1.crt
@@ -132,3 +132,4 @@
 share/doc/ca-certificates/README.source
 share/doc/ca-certificates/changelog
 share/examples/ca-certificates/ca-certificates.conf
+share/examples/ca-certificates/ca-certificates-dir.conf
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/distinfo
--- a/security/ca-certificates/distinfo Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/distinfo Sun Jun 12 07:05:30 2022 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.6 2022/02/28 06:46:52 kim Exp $
+$NetBSD: distinfo,v 1.7 2022/06/12 07:05:30 kim Exp $
 
 BLAKE2s (ca-certificates_20211016.tar.xz) = ee1b82472068aef176dbc9dab2099848e299dbcc92ac309ba5a906a98414731d
 SHA512 (ca-certificates_20211016.tar.xz) = bedf072c8aa1b05b249ea272f5cecfe16bdcd762c02c712323f12ac7a278e8814453f5f3caad86a2581e451788b292ed3a76a6a81620926459bb890133cffde1
 Size (ca-certificates_20211016.tar.xz) = 239608 bytes
-SHA1 (patch-sbin_update-ca-certificates) = def57fb7ed7b271ac01b92f5a2124d1120f40cef
+SHA1 (patch-sbin_update-ca-certificates) = e57e4c0ec2be335f6d901c865a7b0a33405fd7f2
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/files/README.pkgsrc
--- a/security/ca-certificates/files/README.pkgsrc      Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/files/README.pkgsrc      Sun Jun 12 07:05:30 2022 +0000
@@ -1,12 +1,19 @@
-$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $
+$NetBSD: README.pkgsrc,v 1.2 2022/06/12 07:05:30 kim Exp $
 
 This package provides the certificates distributed by the Mozilla
-Project and will, by default, install certificates trusted by the
-Mozilla Project in the system certificate store (/etc/ssl),
-so that they can be used by third party applications using OpenSSL.
+Project and can be used to install the certificates trusted by the
+Mozilla Project in the system certificate store, so that they can be
+used by third party applications using OpenSSL.
+
+To enable management of the system certificate store and to set its
+location, edit the configuration in
 
-Edit /etc/ca-certificates.conf to further configure which
-certificates are installed.
+    /etc/ca-certificates-dir.conf
+
+To further select which certificates are installed, you can edit the
+configuration in
+
+    /etc/ca-certificates.conf
 
 To install local certificate authorities to be implicitly trusted,
 place the certificate files in /usr/local/share/ca-certificates/
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/files/ca-certificates-dir.conf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/ca-certificates/files/ca-certificates-dir.conf   Sun Jun 12 07:05:30 2022 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: ca-certificates-dir.conf,v 1.1 2022/06/12 07:05:30 kim Exp $
+#
+# The directory managed by update-ca-certificates(8)
+#
+#ETCCERTSDIR=/etc/ssl/certs
+#
+# Remove the # to uncomment the setting and to enable managing
+# installed certificates in the specified directory.
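Review bot: The header comment should say how this file is consumed: sbin/update-ca-certificates does not source it but extracts the value with a sed match on `^ETCCERTSDIR=`, so the assignment must start at the beginning of the line and the value must be an unquoted absolute path — a quoted value keeps its quotes and is then rejected by the script's `/*)` check. A line such as `# This file is not sourced: ETCCERTSDIR= must begin the line and the value must be an unquoted absolute path.` after the `#ETCCERTSDIR=` example would make that explicit. It may also be worth noting that only one active ETCCERTSDIR= line is expected, since the script's extraction (as written) prints every matching line.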
diff -r 1bed40199250 -r 916bca62c3eb security/ca-certificates/patches/patch-sbin_update-ca-certificates
--- a/security/ca-certificates/patches/patch-sbin_update-ca-certificates        Sun Jun 12 04:48:53 2022 +0000
+++ b/security/ca-certificates/patches/patch-sbin_update-ca-certificates        Sun Jun 12 07:05:30 2022 +0000
@@ -1,8 +1,61 @@
-$NetBSD: patch-sbin_update-ca-certificates,v 1.1 2022/02/28 06:46:52 kim Exp $
+$NetBSD: patch-sbin_update-ca-certificates,v 1.2 2022/06/12 07:05:30 kim Exp $
 
 --- sbin/update-ca-certificates.orig   2021-10-16 16:09:43.000000000 +0000
-+++ sbin/update-ca-certificates        2022-02-28 06:38:12.674110664 +0000
-@@ -81,8 +81,8 @@
++++ sbin/update-ca-certificates        2022-06-12 16:09:43.000000000 +0000
+@@ -28,9 +28,23 @@
+ CERTSDIR=/usr/share/ca-certificates
+ LOCALCERTSDIR=/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+-ETCCERTSDIR=/etc/ssl/certs
++ETCCERTSDIR=disabled
++ETCCERTSDIRCONF=/etc/ca-certificates-dir.conf
+ HOOKSDIR=/etc/ca-certificates/update.d
+ 
++if [ -s "$ETCCERTSDIRCONF" ]
++then
++  _ETCCERTSDIR="$(sed -n -e '
++      /^ETCCERTSDIR=/ {
++        s///;
++        s/#.*$//;
++        s/  *$//;
++        s/^  *//;
++        p;
++      }' "$ETCCERTSDIRCONF")"
++  ETCCERTSDIR="${_ETCCERTSDIR:-${ETCCERTSDIR}}"
++fi
++
+ while [ $# -gt 0 ];
+ do
+   case $1 in
+@@ -66,6 +80,27 @@
+   shift
+ done
+ 
++case "$ETCCERTSDIR" in
++disabled)
++  cat <<-EOF
++      Please enable update-ca-certificates by editing
++        $ETCCERTSDIRCONF
++      and then run it again.
++      EOF
++  exit 1
++  ;;
++/*)
++  ;;
++*)
++  cat <<-EOF
++      Please set ETCCERTSDIR to an absolute path in
++        $ETCCERTSDIRCONF
++      and then run it again.
++      EOF
++  exit 1
++  ;;
++esac
++
+ if [ ! -s "$CERTSCONF" ]
+ then
+   fresh=1
+@@ -81,8 +116,8 @@
  # Helper files.  (Some of them are not simple arrays because we spawn
  # subshells later on.)
  TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
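Review bot: The sed extraction added after `ETCCERTSDIRCONF=/etc/ca-certificates-dir.conf` prints every line matching `^ETCCERTSDIR=`, so a config with two active assignments yields a multi-line value, and the later `/*)` branch inspects only the first character, so such a value passes validation and ends up in `TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"` and the other paths built from it. Taking the last assignment, as shell would when sourcing, is a one-token change on the closing line of the command substitution: `}' "$ETCCERTSDIRCONF" | tail -n 1)"`. Rejecting embedded whitespace is also cheap: a `*[[:space:]]*)` branch placed before `/*)` in the new `case "$ETCCERTSDIR"` block, emitting the same "absolute path" message and `exit 1`. Not sourcing the file and insisting on an absolute path is the right design; these checks just make the misconfiguration cases fail early instead of in the later file operations.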


