Resolves: rhbz#1722213
- Update to CKBI 2.32 from NSS 3.44 Removing: # Certificate "Visa eCommerce Root" # Certificate "AC Raiz Certicamara S.A." # Certificate "Certplus Root CA G1" # Certificate "Certplus Root CA G2" # Certificate "OpenTrust Root CA G1" # Certificate "OpenTrust Root CA G2" # Certificate "OpenTrust Root CA G3" Adding: # Certificate "GTS Root R1" # Certificate "GTS Root R2" # Certificate "GTS Root R3" # Certificate "GTS Root R4" # Certificate "UCA Global G2 Root" # Certificate "UCA Extended Validation Root" # Certificate "Certigna Root CA" # Certificate "emSign Root CA - G1" # Certificate "emSign ECC Root CA - G3" # Certificate "emSign Root CA - C1" # Certificate "emSign ECC Root CA - C3" # Certificate "Hongkong Post Root CA 3"
parent
4f5bce3dc2
commit
605570b71e
@ -35,10 +35,10 @@ Name: ca-certificates
|
|||||||
# to have increasing version numbers. However, the new scheme will work,
|
# to have increasing version numbers. However, the new scheme will work,
|
||||||
# because all future versions will start with 2013 or larger.)
|
# because all future versions will start with 2013 or larger.)
|
||||||
|
|
||||||
Version: 2018.2.26
|
Version: 2019.2.32
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 3%{?dist}
|
Release: 2%{?dist}
|
||||||
License: Public Domain
|
License: Public Domain
|
||||||
|
|
||||||
URL: https://fedoraproject.org/wiki/CA-Certificates
|
URL: https://fedoraproject.org/wiki/CA-Certificates
|
||||||
@ -369,6 +369,30 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
*Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
|
||||||
|
- Update to CKBI 2.32 from NSS 3.44
|
||||||
|
Removing:
|
||||||
|
# Certificate "Visa eCommerce Root"
|
||||||
|
# Certificate "AC Raiz Certicamara S.A."
|
||||||
|
# Certificate "Certplus Root CA G1"
|
||||||
|
# Certificate "Certplus Root CA G2"
|
||||||
|
# Certificate "OpenTrust Root CA G1"
|
||||||
|
# Certificate "OpenTrust Root CA G2"
|
||||||
|
# Certificate "OpenTrust Root CA G3"
|
||||||
|
Adding:
|
||||||
|
# Certificate "GTS Root R1"
|
||||||
|
# Certificate "GTS Root R2"
|
||||||
|
# Certificate "GTS Root R3"
|
||||||
|
# Certificate "GTS Root R4"
|
||||||
|
# Certificate "UCA Global G2 Root"
|
||||||
|
# Certificate "UCA Extended Validation Root"
|
||||||
|
# Certificate "Certigna Root CA"
|
||||||
|
# Certificate "emSign Root CA - G1"
|
||||||
|
# Certificate "emSign ECC Root CA - G3"
|
||||||
|
# Certificate "emSign Root CA - C1"
|
||||||
|
# Certificate "emSign ECC Root CA - C3"
|
||||||
|
# Certificate "Hongkong Post Root CA 3"
|
||||||
|
|
||||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
|
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
2739
certdata.txt
2739
certdata.txt
File diff suppressed because it is too large
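--- a/check_certs.sh
+++ b/check_certs.sh
@@ -0,0 +1,118 @@
+#!/bin/perl
+
+sub adjust {
+my $newLine = $_[0];
+my @neg = @{$_[1]};
+my @pos = @{$_[2]};
+my $found = 0;
+my @newneg = ();
+
+foreach my $cline (@neg) {
+if ($cline eq $newLine) {
+$found = 1;
+} else {
+push(@newneg ,$cline );
+}
+}
+if (! $found ) {
+push(@pos, $newLine);
+}
+@neg=@newneg;
+}
+
+sub removeLine {
+my $newLine = $_[0];
+my @neg = @{$_[1]};
+my $found = 0;
+my @newneg = ();
+
+foreach my $cline (@neg) {
+if ($found) {
+push(@newneg ,$cline );
+} elsif ($cline eq $newLine) {
+$found = 1;
+} else {
+push(@newneg ,$cline );
+}
+}
+return @newneg;
+}
+
+sub filter {
+my @list = @{$_[0]};
+my $string = $_[1];
+my @filteredList = ();
+foreach my $cline (@list) {
+if ($cline =~ m/$string/) {
+push(@filteredList ,$cline );
+}
+}
+return @filteredList;
+}
+
+sub lineExists {
+my $newLine = $_[0];
+my @neg = @{$_[1]};
+
+foreach my $cline (@neg) {
+if ($cline eq $newLine) {
+return 1;
+}
+}
+return 0;
+}
+
+sub lineExists {
+my $newLine = $_[0];
+my @neg = @{$_[1]};
+
+foreach my $cline (@neg) {
+if ($cline eq $newLine) {
+return 1;
+}
+}
+return 0;
+}
+
+sub printeach {
+my @args = @{$_[0]};
+foreach my $arg (@args) {
+chomp $arg;
+print " $arg\n";
+}
+}
+
+open my $handle, "git diff certdata.txt|";
+my @diff_lines = <$handle>;
+close $handle;
+my @adds = ();
+my @subs = ();
+foreach my $line (@diff_lines) {
+$type = substr $line,0,1;
+$lline = substr $line,1;
+if ($type eq "+") {
+if (lineExists($lline, \@subs)) {
+@subs = removeLine($lline,\@subs);
+} else {
+push(@adds, $lline);
+}
+};
+if ($type eq "-") {
+if (lineExists($lline, \@adds)) {
+@adds = removeLine($lline,\@adds);
+} else {
+push(@subs, $lline);
+}
+};
+}
+
+my @tmp = filter(\@subs, "# Certificate");
+if (@tmp) {
+print " Removing: \n";
+printeach(\@tmp);
+}
+my @tmp = filter(\@adds, "# Certificate");
+if (@tmp) {
+print " Adding: \n";
+printeach(\@tmp);
+}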
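Review bot: The `open my $handle, "git diff certdata.txt|";` call near the end of the file is unchecked, so when git is missing or the script runs outside the repository the list of removed and added roots is silently empty, and fetch.sh then shows that empty list as the review summary and writes it into %changelog. Use the list form and check both ends: `open(my $handle, '-|', 'git', 'diff', 'certdata.txt') or die "git diff: $!";` and `close($handle) or die "git diff exited with $?";`. The file also lacks `use strict; use warnings;`, which would have flagged the undeclared `$type` and `$lline`, the duplicate `sub lineExists` and the second `my @tmp`. Because only lines matching `# Certificate` are reported, a change to the trust attributes of an existing root would not show up in the summary; a header comment should state that limit so the output is not read as a complete audit of the bundle.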
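--- a/fetch.sh
+++ b/fetch.sh
@@ -1,4 +1,159 @@
 #!/bin/sh
-exec cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
-co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
-> certdata.txt
+#
+# This script fetches the latest released certdata.txt and updates the
+# ca-certificates.spec file
+#
+baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
+force=0
+release_type="RTM"
+release="3_43"
+while [ -n "$1" ]; do
+case $1 in
+"-d")
+baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
+;;
+-t*)
+release_type=`echo $1 | sed -e 's;-t;;'`
+if [ "${release_type}" = "" ]; then
+shift
+release_type=$1
+fi
+baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+;;
+-n*)
+release=`echo $1 | sed -e 's;-n;;'`
+if [ "${release}" = "" ]; then
+shift
+release=$1
+fi
+release=`echo ${release} | sed -e 's;\\.;_;g'`
+baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+;;
+"-f")
+force=1
+;;
+*)
+echo "usage: $0 [-r] [-n release] [-f]"
+echo "-d use the development tip rather than the latest release"
+echo "-n release fetch a specific nss release"
+echo "-f skip the verify check"
+exit 1
+;;
+esac
+shift
+done
+
+# get the current certdata version number
+# nss version number
+# user making the change
+# email of user
+#
+# versions from the latest nss code in mozilla
+echo "Getting CKBI version number"
+ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
+if [ "${ckbi_version}" = "" ]; then
+echo "Didn't find ckbi version from ${baseurl}"
+exit 1;
+fi
+echo "Getting NSS version number"
+nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
+if [ "${nss_version}" = "" ]; then
+echo "Didn't find nss version from ${baseurl}"
+exit 1;
+fi
+# date from the current system date on this machine
+echo "Creating change log"
+export LANG=C
+year=`date +%Y`
+log_date=`date +"%a %b %d %Y"`
+# user name from the environment, fallback to git, fallback to the current user
+username=`whoami`
+name=${NAME}
+if [ "${name}" = "" ]; then
+name=`git config user.name`
+fi
+if [ "${name}" = "" ]; then
+name=`getent passwd $username`
+fi
+email=${EMAIL}
+if [ "${email}" = "" ]; then
+email=`git config user.email`
+fi
+if [ "${email}" = "" ]; then
+email=$username@`hostname`
+fi
+# rawhide >=2, branches 1.x
+cwd=$(pwd)
+if [ `basename ${cwd}` = master ]; then
+release="2"
+else
+release="1.0"
+fi
+version=${year}.${ckbi_version}
+
+#make sure the the current version is newer than what is already there
+current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
+if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
+echo "Can't downgrade current version: ${current_version} new version: ${version}"
+exit 1;
+fi
+
+# now get our new certdata.txt
+echo "Fetching new certdata.txt"
+wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
+if [ $? -ne 0 ]; then
+echo fetching certdata.text from ${baseurl} failed!
+echo " To restore the old certdata.txt use:"
+echo " git checkout -- certdata.txt"
+exit 1;
+fi
+
+# Verify everything is good with the user
+echo -e "Upgrading ${current_version} -> ${version}:"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+./check_certs.sh
+echo ""
+
+yn=""
+if [ ! ${force} ]; then
+echo -n "Do you want to continue (Y/N default Y)? "
+read yn
+echo ""
+fi
+if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
+echo "Skipping ca-certificate.spec upgrade."
+echo " NOTE: certdata.txt has been upgraded."
+echo " To restore the old certdata.txt use:"
+echo " git checkout -- certdata.txt"
+exit 1;
+fi
+
+echo "Updating .spec file"
+cat ca-certificates.spec | while IFS= read -r line
+do
+echo $line | grep "^Version: " 1>&2
+if [ $? -eq 0 ]; then
+echo "Version: ${version}"
+echo "New Version: ${version}" 1>&2
+continue
+fi
+echo $line | grep "^Release: " 1>&2
+if [ $? -eq 0 ]; then
+echo "Release: ${release}%{?dist}"
+echo "New Release: ${release}%{?dist}" 1>&2
+continue
+fi
+echo $line | grep "^%changelog" 1>&2
+if [ $? -eq 0 ]; then
+echo "$line"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}" 1>&2
+./check_certs.sh
+echo ""
+continue
+fi
+echo "$line"
+done > /tmp/ca-certificates.spec.$$
+mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
+git status
+exit 0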
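Review bot: The confirmation gate `if [ ! ${force} ]; then` never runs, because `force` is always `0` or `1` and `[ ! 0 ]` tests a non-empty string, so `yn` stays empty and the spec is rewritten without the maintainer ever confirming the root changes; it should read `if [ "${force}" -eq 0 ]; then`. The rewritten spec is staged at the predictable path `/tmp/ca-certificates.spec.$$`, which another local user can pre-create or symlink; `tmpspec=$(mktemp ca-certificates.spec.XXXXXX)` in the working directory avoids that and keeps the final `mv` on one filesystem. The version guard compares unquoted operands with `\>`, which orders lexically and turns into a test syntax error when `current_version` is empty, so both sides should be quoted. The usage text also advertises `-r`, which the `case` does not handle, and omits `-t`.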