ca-certificates/ca-certificates.spec


# certdata.txt is generated by extracting it from Mozilla CVS.
# This is done by running:
#
# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
# co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
# > certdata.txt
#
# Keep the RCS version in sync with the spec Version.
#
# Note: This will give us the experimental version, not one that
# Firefox deems "stable". For that, we should check a firefox
# release branch for the certdata.txt version.
%define pkidir %{_sysconfdir}/pki
Summary: The Mozilla CA root certificate bundle
Name: ca-certificates
Version: 2012.86
Release: 2%{?dist}
License: Public Domain
Group: System Environment/Base
URL: http://www.mozilla.org/
Source0: certdata.txt
Source1: blacklist.txt
Source2: generate-cacerts.pl
Source3: certdata2pem.py
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: perl, java-openjdk, python, rcs, openssl
BuildArch: noarch
%description
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.
%prep
rm -rf %{name}
mkdir %{name} %{name}/certs %{name}/java
%build
pushd %{name}/certs
cp %{SOURCE0} %{SOURCE1} .
python %{SOURCE3}
popd
pushd %{name}
(
cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
ident -q %{SOURCE0} | sed '1d;s/^/#/';
echo '#';
) > ca-bundle.crt
(
cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
ident -q %{SOURCE0} | sed '1d;s/^/#/';
echo '#';
) > ca-bundle.trust.crt
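# certdata2pem.py records each certificate's trust bits in a
# "# openssl-trust=..." comment line inside the generated .crt file.
for f in certs/*.crt; do
    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f"`
    # Only certificates trusted for TLS server authentication go
    # into the plain PEM bundle.
    case $tbits in
        *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
    esac
    # Every certificate with trust bits goes into the
    # "TRUSTED CERTIFICATE" bundle, one -addtrust per trust bit.
    if [ -n "$tbits" ]; then
        targs=""
        for t in $tbits; do
            targs="${targs} -addtrust $t"
        done
        openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
    fi
done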
popd
pushd %{name}/java
test -s ../ca-bundle.crt || exit 1
%{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
touch -r %{SOURCE0} cacerts
popd
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
install -p -m 644 %{name}/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
install -p -m 644 %{name}/ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
# Install Java cacerts file.
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
# /etc/ssl/certs symlink for 3rd-party tools
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%dir %{pkidir}/java
%config(noreplace) %{pkidir}/java/cacerts
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
%{pkidir}/tls/cert.pem
%dir %{_sysconfdir}/ssl
%{_sysconfdir}/ssl/certs
%changelog
* Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?))
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
* Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
- update to r1.86
* Mon Jul 23 2012 Joe Orton <jorton@redhat.com> - 2012.85-2
- add openssl to BuildRequires
* Mon Jul 23 2012 Joe Orton <jorton@redhat.com> - 2012.85-1
- update to r1.85
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2012.81-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
- update to r1.81
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
- update to r1.80
- fix handling of certs with duplicate Subject names (#733032)
* Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
- update to r1.78, removing trust from DigiNotar root (#734679)
* Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
- update to r1.75
* Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
- update to r1.74
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
- update to r1.70
* Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
- update to r1.65
* Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
- package /etc/ssl/certs symlink for third-party apps (#572725)
* Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
- rebuild
* Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
- update to certdata.txt r1.63
- use upstream RCS version in Version
* Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
- fix ca-bundle.crt (#575111)
* Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
- update to certdata.txt r1.58
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTIFICATE' format
- exclude ECC certs from the Java cacerts database
- catch keytool failures
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
* Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
- fix Java cacert database generation: use Subject rather than Issuer
for alias name; add diagnostics; fix some alias names.
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
- adopt Python certdata.txt parsing script from Debian
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
- update to certdata.txt r1.53
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
- update to certdata.txt r1.49
* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
- Change generate-cacerts.pl to produce pretty aliases.
* Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
- use package name for temp dir, recreate it in prep
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
- fix source script perms
- mark packaged files as config(noreplace)
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
- add (but don't use) mkcabundle.pl
- tweak description
- use /usr/bin/keytool directly; BR java-openjdk
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
- Initial build (#448497)