update-ca-trust: make a copy of directory-hash symlinks in ../tls/certs
Resolves: RHEL-50293 - update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs - Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
This commit is contained in:
parent
59744b459d
commit
9bf988861b
@ -1,7 +1,6 @@
|
||||
%define pkidir %{_sysconfdir}/pki
|
||||
%define catrustdir %{_sysconfdir}/pki/ca-trust
|
||||
%define classic_tls_bundle ca-bundle.crt
|
||||
%define openssl_format_trust_bundle ca-bundle.trust.crt
|
||||
%define p11_format_bundle ca-bundle.trust.p11-kit
|
||||
%define legacy_default_bundle ca-bundle.legacy.default.crt
|
||||
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
|
||||
@ -38,7 +37,7 @@ Name: ca-certificates
|
||||
Version: 2024.2.69_v8.0.303
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 101.1%{?dist}
|
||||
Release: 101.2%{?dist}
|
||||
License: MIT AND GPL-2.0-or-later
|
||||
|
||||
URL: https://fedoraproject.org/wiki/CA-Certificates
|
||||
@ -235,33 +234,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
|
||||
# /etc/ssl is provided in a Debian compatible form for (bad) code that
|
||||
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
ln -s %{catrustdir}/extracted/pem/directory-hash \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
||||
ln -s /etc/pki/tls/openssl.cnf \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
|
||||
ln -s /etc/pki/tls/ct_log_list.cnf \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
|
||||
# legacy filenames
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
||||
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
||||
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
||||
|
||||
# Populate %%{catrustdir}/extracted/pem/directory-hash.
|
||||
#
|
||||
# First direct p11-kit-trust.so to the generated bundle (not the one
|
||||
@ -291,16 +268,39 @@ trust-policy: yes
|
||||
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
|
||||
EOF
|
||||
|
||||
# Extract the trust anchors to the directory-hash format.
|
||||
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
|
||||
--purpose server-auth \
|
||||
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
||||
|
||||
# Create a temporary file with the list of (%ghost )files in the directory-hash.
|
||||
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
|
||||
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
|
||||
# Clean up the temporary module config.
|
||||
rm -f "$trust_module_config"
|
||||
|
||||
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
|
||||
-regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
|
||||
-exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
|
||||
# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
|
||||
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
|
||||
find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
|
||||
-regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
|
||||
|
||||
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
|
||||
|
||||
# /etc/ssl is provided in a Debian compatible form for (bad) code that
|
||||
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
ln -s %{pkidir}/tls/certs \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
||||
ln -s /etc/pki/tls/openssl.cnf \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
|
||||
ln -s /etc/pki/tls/ct_log_list.cnf \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
|
||||
# legacy filenames
|
||||
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
||||
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
|
||||
%clean
|
||||
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
||||
@ -308,6 +308,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%pre
|
||||
if [ $1 -gt 1 ] ; then
|
||||
# Remove the old symlinks
|
||||
rm -f %{pkidir}/tls/cert.pem
|
||||
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
|
||||
|
||||
# Upgrade or Downgrade.
|
||||
# If the classic filename is a regular file, then we are upgrading
|
||||
# from an old package and we will move it to an .rpmsave backup file.
|
||||
@ -339,17 +343,6 @@ if [ $1 -gt 1 ] ; then
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
|
||||
# no backup yet
|
||||
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
|
||||
# a file exists
|
||||
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
|
||||
# it's an old regular file, not a link
|
||||
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
@ -413,9 +406,7 @@ fi
|
||||
%{catrustdir}/source/README
|
||||
|
||||
# symlinks for old locations
|
||||
%{pkidir}/tls/cert.pem
|
||||
%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
||||
%{pkidir}/%{java_bundle}
|
||||
# Hybrid hash directory with bundle file for Debian compatibility
|
||||
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
@ -438,13 +429,14 @@ fi
|
||||
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
%ghost %{catrustdir}/extracted/%{java_bundle}
|
||||
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
||||
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
|
||||
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
|
||||
|
||||
%changelog
|
||||
*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
|
||||
- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
|
||||
- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
|
||||
|
||||
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
||||
- update-ca-trust: return warnings on a unsupported argument instead of error
|
||||
|
||||
|
@ -8,6 +8,7 @@ set -eu
|
||||
# files in $DEST.
|
||||
|
||||
DEST=/etc/pki/ca-trust/extracted
|
||||
DEST_CERTS=/etc/pki/tls/certs
|
||||
|
||||
# Prevent p11-kit from reading user configuration files.
|
||||
export P11_KIT_NO_USER_CONFIG=1
|
||||
@ -28,7 +29,8 @@ usage() {
|
||||
|
||||
EXTRACT OPTIONS
|
||||
-o DIR, --output=DIR: Write the extracted trust store into the given
|
||||
directory instead of updating $DEST.
|
||||
directory instead of updating $DEST. (Note: This option will not
|
||||
populate the ../pki/tls/certs with the directory-hash symbolic links.)
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -73,9 +75,15 @@ extract() {
|
||||
"$DEST"/edk2
|
||||
fi
|
||||
|
||||
|
||||
# Delete all directory hash symlinks from the cert directory
|
||||
if [ -z "$USER_DEST" ]; then
|
||||
find "$DEST_CERTS" -type l -regextype posix-extended \
|
||||
-regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
|
||||
fi
|
||||
|
||||
# OpenSSL PEM bundle that includes trust flags
|
||||
# (BEGIN TRUSTED CERTIFICATE)
|
||||
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
|
||||
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
|
||||
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
|
||||
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
|
||||
@ -85,25 +93,16 @@ extract() {
|
||||
# by GnuTLS)
|
||||
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
|
||||
|
||||
# p11-kit extract will have made this directory unwritable; when run with
|
||||
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
|
||||
# not be the case. See rhbz#2241240.
|
||||
if [ -n "$USER_DEST" ]; then
|
||||
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
|
||||
fi
|
||||
|
||||
# Debian compatibility: their /etc/ssl/certs has this bundle
|
||||
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
|
||||
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
|
||||
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
|
||||
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
|
||||
|
||||
# Remove write permissions again
|
||||
if [ -n "$USER_DEST" ]; then
|
||||
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
|
||||
if [ -z "$USER_DEST" ]; then
|
||||
find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
|
||||
-regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
|
||||
target=$(readlink -f "$link")
|
||||
new_link="$DEST_CERTS/$(basename "$link")"
|
||||
ln -s "$target" "$new_link"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
if [ $# -lt 1 ]; then
|
||||
set -- extract
|
||||
fi
|
||||
|
@ -230,7 +230,8 @@ EXTRACT OPTIONS
|
||||
^^^^^^^^^^^^^^^
|
||||
*-o DIR*, *--output=DIR*::
|
||||
Write the extracted trust store into the given directory instead of
|
||||
updating /etc/pki/ca-trust/extracted.
|
||||
updating /etc/pki/ca-trust/extracted. (Note: This option will not
|
||||
populate the ../pki/tls/certs with the directory-hash symbolic links.)
|
||||
|
||||
FILES
|
||||
-----
|
||||
@ -257,6 +258,9 @@ FILES
|
||||
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
|
||||
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
|
||||
|
||||
/etc/pki/tls/certs::
|
||||
Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
|
||||
|
||||
AUTHOR
|
||||
------
|
||||
Written by Kai Engert and Stef Walter.
|
||||
|
Loading…
Reference in New Issue
Block a user