Extract certificate bundle in EDK2 format
parent
398639612c
commit
6220683f76
13
README.edk2
Normal file
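--- a/README.edk2
+++ b/README.edk2
@@ -0,0 +1,13 @@
+This directory /etc/pki/ca-trust/extracted/edk2/ contains a
+CA certificate bundle file which is automatically created
+based on the information found in the
+/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
+directories.
+
+The file is in the EDK2 (EFI Development Kit II) file format.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.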
@ -38,7 +38,7 @@ Name: ca-certificates
|
|||||||
Version: 2018.2.24
|
Version: 2018.2.24
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: Public Domain
|
License: Public Domain
|
||||||
|
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -60,7 +60,8 @@ Source13: README.extr
|
|||||||
Source14: README.java
|
Source14: README.java
|
||||||
Source15: README.openssl
|
Source15: README.openssl
|
||||||
Source16: README.pem
|
Source16: README.pem
|
||||||
Source17: README.src
|
Source17: README.edk2
|
||||||
|
Source18: README.src
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
@ -189,6 +190,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
|||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||||
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||||
@ -204,7 +206,8 @@ install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
|
|||||||
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
|
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
|
||||||
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
|
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
|
||||||
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
||||||
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
|
||||||
|
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||||
|
|
||||||
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
||||||
|
|
||||||
@ -236,6 +239,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bund
|
|||||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||||
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||||
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||||
|
|
||||||
# /etc/ssl/certs symlink for 3rd-party tools
|
# /etc/ssl/certs symlink for 3rd-party tools
|
||||||
ln -s ../pki/tls/certs \
|
ln -s ../pki/tls/certs \
|
||||||
@ -337,6 +342,7 @@ fi
|
|||||||
%{catrustdir}/extracted/java/README
|
%{catrustdir}/extracted/java/README
|
||||||
%{catrustdir}/extracted/openssl/README
|
%{catrustdir}/extracted/openssl/README
|
||||||
%{catrustdir}/extracted/pem/README
|
%{catrustdir}/extracted/pem/README
|
||||||
|
%{catrustdir}/extracted/edk2/README
|
||||||
%{catrustdir}/source/README
|
%{catrustdir}/source/README
|
||||||
|
|
||||||
# symlinks for old locations
|
# symlinks for old locations
|
||||||
@ -362,9 +368,13 @@ fi
|
|||||||
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||||
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||||
%ghost %{catrustdir}/extracted/%{java_bundle}
|
%ghost %{catrustdir}/extracted/%{java_bundle}
|
||||||
|
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 11 2018 Daiki Ueno <dueno@redhat.com> - 2018.2.24-4
|
||||||
|
- Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek
|
||||||
|
|
||||||
* Mon Jun 04 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-3
|
* Mon Jun 04 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-3
|
||||||
- Adjust ghost file permissions, rhbz#1564432
|
- Adjust ghost file permissions, rhbz#1564432
|
||||||
|
|
||||||
|
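Review bot: No hunk in this spec adds a `%dir %{catrustdir}/extracted/edk2` entry to `%files`, although the directory is created in `%install` and now holds a packaged README and the `%ghost` `cacerts.bin`. If the sibling `extracted/pem`, `extracted/openssl` and `extracted/java` directories are listed as `%dir` in the part of `%files` not shown here, `edk2` should be listed next to them, so that the package owns the directory and `rpm -V` can report a changed mode or owner on a trust-store path. The `%files` section starts and ends outside these hunks, so this needs checking against the full spec.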
@ -19,3 +19,4 @@ export P11_KIT_NO_USER_CONFIG=1
|
|||||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
|
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
|
||||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
|
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
|
||||||
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
|
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
|
||||||
|
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
|
||||||
|
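Review bot: The added `--format=edk2-cacerts` call only works with a p11-kit that knows this extractor, and none of the spec hunks on this page raises a p11-kit requirement. On a host with an older p11-kit the call would fail on every `update-ca-trust` run and leave `$DEST/edk2/cacerts.bin` missing or stale, so firmware-side consumers of the bundle could keep using an outdated anchor set. Whether the script stops on a failed extract is not visible here, since the script begins outside the hunk. If it does not, check this call's exit status and report the failure on stderr, and add a versioned `Requires:` on p11-kit in the spec. As a style point, the new line writes `--purpose=server-auth` where the neighbouring lines use `--purpose server-auth`.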
@ -202,6 +202,15 @@ trusted for E-Mail protection.
|
|||||||
File objsign-ca-bundle.pem contains CA certificates
|
File objsign-ca-bundle.pem contains CA certificates
|
||||||
trusted for code signing.
|
trusted for code signing.
|
||||||
|
|
||||||
|
The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA
|
||||||
|
certificate bundle ("cacerts.bin") in the "sequence of
|
||||||
|
EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
|
||||||
|
sections "31.4.1 Signature Database" and
|
||||||
|
"EFI_CERT_X509_GUID". Distrust information cannot be represented in
|
||||||
|
this file format, and distrusted certificates are missing from these
|
||||||
|
files. File "cacerts.bin" contains CA certificates trusted for TLS
|
||||||
|
server authentication.
|
||||||
|
|
||||||
|
|
||||||
COMMANDS
|
COMMANDS
|
||||||
--------
|
--------
|
||||||
|