Resolves: rhbz#1053883 rhbz#1396811
Add a Debian-compatible certificate trust hash directory and links for less aware packages.
parent
40ecfc5f64
commit
1c8b67fb5a
20
README.etcssl
Normal file
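--- /dev/null
+++ b/README.etcssl
@@ -0,0 +1,20 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as this distribution has long provided
+such a file, and it is possible some software has come to expect its
+existence.
+
+/etc/ssl/certs itself and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.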
@ -38,7 +38,7 @@ Name: ca-certificates
|
||||
Version: 2021.2.50
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: Public Domain
|
||||
|
||||
URL: https://fedoraproject.org/wiki/CA-Certificates
|
||||
@ -61,6 +61,7 @@ Source15: README.openssl
|
||||
Source16: README.pem
|
||||
Source17: README.edk2
|
||||
Source18: README.src
|
||||
Source19: README.etcssl
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -71,10 +72,10 @@ Requires(post): coreutils
|
||||
Requires: bash
|
||||
Requires: grep
|
||||
Requires: sed
|
||||
Requires(post): p11-kit >= 0.24
|
||||
Requires(post): p11-kit-trust >= 0.24
|
||||
Requires: p11-kit >= 0.24
|
||||
Requires: p11-kit-trust >= 0.24
|
||||
Requires(post): p11-kit >= 0.23
|
||||
Requires(post): p11-kit-trust >= 0.23
|
||||
Requires: p11-kit >= 0.23
|
||||
Requires: p11-kit-trust >= 0.23
|
||||
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: python3
|
||||
@ -184,6 +185,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
||||
@ -192,6 +194,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
|
||||
@ -207,6 +210,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
|
||||
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
||||
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
|
||||
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||
install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
|
||||
|
||||
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
||||
|
||||
@ -241,8 +245,9 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
|
||||
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
|
||||
ln -s /etc/pki/tls/certs \
|
||||
# /etc/ssl is provided in a Debian compatible form for (bad) code that
|
||||
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
ln -s %{catrustdir}/extracted/pem/directory-hash \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
||||
@ -341,6 +346,7 @@ fi
|
||||
%dir %{catrustdir}
|
||||
%dir %{catrustdir}/source
|
||||
%dir %{catrustdir}/source/anchors
|
||||
%dir %{catrustdir}/source/blacklist
|
||||
%dir %{catrustdir}/source/blocklist
|
||||
%dir %{catrustdir}/extracted
|
||||
%dir %{catrustdir}/extracted/pem
|
||||
@ -349,6 +355,7 @@ fi
|
||||
%dir %{_datadir}/pki
|
||||
%dir %{_datadir}/pki/ca-trust-source
|
||||
%dir %{_datadir}/pki/ca-trust-source/anchors
|
||||
%dir %{_datadir}/pki/ca-trust-source/blacklist
|
||||
%dir %{_datadir}/pki/ca-trust-source/blocklist
|
||||
%dir %{_datadir}/pki/ca-trust-legacy
|
||||
|
||||
@ -370,8 +377,10 @@ fi
|
||||
%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
||||
%{pkidir}/%{java_bundle}
|
||||
# symlinks to cross-distro compatibility files and directory
|
||||
# Hybrid hash directory with bundle file for Debian compatibility
|
||||
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
%{_sysconfdir}/ssl/certs
|
||||
%{_sysconfdir}/ssl/README
|
||||
%{_sysconfdir}/ssl/cert.pem
|
||||
%{_sysconfdir}/ssl/openssl.cnf
|
||||
%{_sysconfdir}/ssl/ct_log_list.cnf
|
||||
@ -395,6 +404,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
|
||||
- integrate Adam William's /etc/ssl/certs with Debian-compatibility
|
||||
- back out blocklist change since p11-kit .24 is not yet available on rawhide
|
||||
|
||||
*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
|
||||
- remove blacklist directory now that pk11-kit is using blocklist
|
||||
|
||||
|
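Review bot: The bug number in the new comments `# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882` (the %install hunk) and `# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882` (the %files hunk) does not match the rhbz#1053883 cited in the commit message, so one of the two is off by one and should be corrected to point at the right ticket. Separately, `%{_sysconfdir}/ssl/certs` now links into `%{catrustdir}/extracted/pem/directory-hash`, whose contents are generated by update-ca-trust rather than shipped by the package; if that directory is not owned by the package (no `%dir` line for it is visible in these hunks), the link dangles on a fresh install until %post has run, which deserves a comment on the `ln -s` line. The enclosing %install and %files sections extend outside the hunks.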
@ -20,3 +20,12 @@ export P11_KIT_NO_USER_CONFIG=1
|
||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
|
||||
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
|
||||
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
|
||||
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
|
||||
# by GnuTLS)
|
||||
/usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
|
||||
# Debian compatibility: their /etc/ssl/certs has this bundle
|
||||
/usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
|
||||
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
|
||||
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
|
||||
/usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
|
||||
|
||||
|
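Review bot: The two `ln -s` calls added after the pem-directory-hash extraction are not idempotent: if `p11-kit extract --overwrite` leaves pre-existing entries in `$DEST/pem/directory-hash` in place, a second run of update-ca-trust fails on these links with "File exists", and whether that aborts the script depends on error handling outside this hunk. Writing them as `/usr/bin/ln -sf ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt` and `/usr/bin/ln -sf ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt` makes the step safe to rerun; `$DEST` is left unquoted to match the existing extract lines, though quoting it would be the safer form. A short comment that the `../tls-ca-bundle.pem` target is deliberately relative, so it resolves from the physical directory-hash path when reached through the /etc/ssl/certs symlink, would also help the next reader.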