Reduce dependency on p11-kit to only the trust subpackage

Related: RHEL-50293

Fedora MR: https://src.fedoraproject.org/rpms/ca-certificates/pull-request/9#
This commit is contained in:
Frantisek Krenzelok 2024-07-25 13:47:29 +02:00
parent 65124caff8
commit be4d5cdeb0
2 changed files with 7 additions and 9 deletions

View File

@ -72,9 +72,7 @@ Requires(post): coreutils
Requires: bash Requires: bash
Requires: grep Requires: grep
Requires: sed Requires: sed
Requires(post): p11-kit >= 0.24
Requires(post): p11-kit-trust >= 0.24 Requires(post): p11-kit-trust >= 0.24
Requires: p11-kit >= 0.24
Requires: p11-kit-trust >= 0.24 Requires: p11-kit-trust >= 0.24
BuildRequires: perl-interpreter BuildRequires: perl-interpreter

View File

@ -70,15 +70,15 @@ extract() {
# OpenSSL PEM bundle that includes trust flags # OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE) # (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts" /usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin" /usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS) # by GnuTLS)
/usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with # p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may