Extract certificate bundle in EDK2 format
This commit is contained in:
Daiki Ueno
parent
398639612c
commit
6220683f76
13
README.edk2
Normal file
13
README.edk2
Normal file
@ -0,0 +1,13 @@
|
||||
This directory /etc/pki/ca-trust/extracted/edk2/ contains a
|
||||
CA certificate bundle file which is automatically created
|
||||
based on the information found in the
|
||||
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
|
||||
directories.
|
||||
|
||||
The file is in the EDK2 (EFI Development Kit II) file format.
|
||||
|
||||
Please never manually edit the files stored in this directory,
|
||||
because your changes will be lost and the files automatically overwritten,
|
||||
each time the update-ca-trust command gets executed.
|
||||
|
||||
Please refer to the update-ca-trust(8) manual page for additional information.
|
||||
@ -38,7 +38,7 @@ Name: ca-certificates
|
||||
Version: 2018.2.24
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: Public Domain
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -60,7 +60,8 @@ Source13: README.extr
|
||||
Source14: README.java
|
||||
Source15: README.openssl
|
||||
Source16: README.pem
|
||||
Source17: README.src
|
||||
Source17: README.edk2
|
||||
Source18: README.src
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -189,6 +190,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||
@ -204,7 +206,8 @@ install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
|
||||
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
|
||||
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
|
||||
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
||||
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
|
||||
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||
|
||||
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
||||
|
||||
@ -236,6 +239,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bund
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
|
||||
# /etc/ssl/certs symlink for 3rd-party tools
|
||||
ln -s ../pki/tls/certs \
|
||||
@ -337,6 +342,7 @@ fi
|
||||
%{catrustdir}/extracted/java/README
|
||||
%{catrustdir}/extracted/openssl/README
|
||||
%{catrustdir}/extracted/pem/README
|
||||
%{catrustdir}/extracted/edk2/README
|
||||
%{catrustdir}/source/README
|
||||
|
||||
# symlinks for old locations
|
||||
@ -362,9 +368,13 @@ fi
|
||||
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
%ghost %{catrustdir}/extracted/%{java_bundle}
|
||||
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jun 11 2018 Daiki Ueno <dueno@redhat.com> - 2018.2.24-4
|
||||
- Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek
|
||||
|
||||
* Mon Jun 04 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-3
|
||||
- Adjust ghost file permissions, rhbz#1564432
|
||||
|
||||
|
||||
@ -19,3 +19,4 @@ export P11_KIT_NO_USER_CONFIG=1
|
||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
|
||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
|
||||
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
|
||||
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
|
||||
|
||||
@ -202,6 +202,15 @@ trusted for E-Mail protection.
|
||||
File objsign-ca-bundle.pem contains CA certificates
|
||||
trusted for code signing.
|
||||
|
||||
The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA
|
||||
certificate bundle ("cacerts.bin") in the "sequence of
|
||||
EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
|
||||
sections "31.4.1 Signature Database" and
|
||||
"EFI_CERT_X509_GUID". Distrust information cannot be represented in
|
||||
this file format, and distrusted certificates are missing from these
|
||||
files. File "cacerts.bin" contains CA certificates trusted for TLS
|
||||
server authentication.
|
||||
|
||||
|
||||
COMMANDS
|
||||
--------
|
||||
|
||||
Loading…
Reference in New Issue
Block a user