rpms/ca-certificates
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Extract certificate bundle in EDK2 format

Browse Source
This commit is contained in:
Daiki Ueno 2018-06-11 13:57:17 +02:00
parent 398639612c
commit 6220683f76
4 changed files with 36 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.edk2 Normal file
View File

@ -0,0 +1,13 @@
This directory /etc/pki/ca-trust/extracted/edk2/ contains a
CA certificate bundle file which is automatically created
based on the information found in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.
The file is in the EDK2 (EFI Development Kit II) file format.
Please never manually edit the files stored in this directory,
because your changes will be lost and the files automatically overwritten,
each time the update-ca-trust command gets executed.
Please refer to the update-ca-trust(8) manual page for additional information.

16
ca-certificates.spec
View File

@ -38,7 +38,7 @@ Name: ca-certificates
Version: 2018.2.24 Version: 2018.2.24
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 3%{?dist} Release: 4%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base Group: System Environment/Base
@ -60,7 +60,8 @@ Source13: README.extr
Source14: README.java Source14: README.java
Source15: README.openssl Source15: README.openssl
Source16: README.pem Source16: README.pem
Source17: README.src Source17: README.edk2
Source18: README.src
BuildArch: noarch BuildArch: noarch
@ -189,6 +190,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
@ -204,7 +206,8 @@ install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
@ -236,6 +239,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bund
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl/certs symlink for 3rd-party tools # /etc/ssl/certs symlink for 3rd-party tools
ln -s ../pki/tls/certs \ ln -s ../pki/tls/certs \
@ -337,6 +342,7 @@ fi
%{catrustdir}/extracted/java/README %{catrustdir}/extracted/java/README
%{catrustdir}/extracted/openssl/README %{catrustdir}/extracted/openssl/README
%{catrustdir}/extracted/pem/README %{catrustdir}/extracted/pem/README
%{catrustdir}/extracted/edk2/README
%{catrustdir}/source/README %{catrustdir}/source/README
# symlinks for old locations # symlinks for old locations
@ -362,9 +368,13 @@ fi
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%changelog %changelog
* Mon Jun 11 2018 Daiki Ueno <dueno@redhat.com> - 2018.2.24-4
- Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek
* Mon Jun 04 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-3 * Mon Jun 04 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-3
- Adjust ghost file permissions, rhbz#1564432 - Adjust ghost file permissions, rhbz#1564432

1
update-ca-trust
View File

@ -19,3 +19,4 @@ export P11_KIT_NO_USER_CONFIG=1
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin

9
update-ca-trust.8.txt
View File

@ -202,6 +202,15 @@ trusted for E-Mail protection.
File objsign-ca-bundle.pem contains CA certificates File objsign-ca-bundle.pem contains CA certificates
trusted for code signing. trusted for code signing.
The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA
certificate bundle ("cacerts.bin") in the "sequence of
EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
sections "31.4.1 Signature Database" and
"EFI_CERT_X509_GUID". Distrust information cannot be represented in
this file format, and distrusted certificates are missing from these
files. File "cacerts.bin" contains CA certificates trusted for TLS
server authentication.
COMMANDS COMMANDS
-------- --------