From be4d5cdeb023590e49a1be99e0d5da49b3ef9cf9 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok
Date: Thu, 25 Jul 2024 13:47:29 +0200
Subject: [PATCH] Reduce dependency on p11-kit to only the trust subpackage
Related: RHEL-50293 Fedora MR: https://src.fedoraproject.org/rpms/ca-certificates/pull-request/9#
---
 ca-certificates.spec | 2 --
 update-ca-trust | 14 +++++++-------
 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 43a89f4..16f9297 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -72,9 +72,7 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.24
 Requires(post): p11-kit-trust >= 0.24
-Requires: p11-kit >= 0.24
 Requires: p11-kit-trust >= 0.24
 BuildRequires: perl-interpreter
diff --git a/update-ca-trust b/update-ca-trust
index 473fa8f..a93f496 100644
--- a/update-ca-trust
+++ b/update-ca-trust
@@ -70,15 +70,15 @@ extract() {
 # OpenSSL PEM bundle that includes trust flags
 # (BEGIN TRUSTED CERTIFICATE)
- /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
- /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
- /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+ /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+ /usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+ /usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
 # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 # by GnuTLS)
- /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+ /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
 # p11-kit extract will have made this directory unwritable; when run with
 # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
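Review bot: None of the seven `/usr/bin/trust extract` calls in this hunk has its exit status checked, so a failing or missing `trust` binary would leave some bundles stale while later ones are still rewritten, and the script could appear to succeed. Unless errexit is enabled outside the lines shown, consider ending each call with `|| return 1` (or an equivalent failure path) so a partially updated trust store is reported rather than silently accepted. The trailing context comment still reads `# p11-kit extract will have made this directory unwritable`; with this change it should say `# trust extract will have made this directory unwritable`. extract() starts and ends outside this hunk, so any surrounding error handling is not visible here.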