Commit Graph

142 Commits

Author SHA1 Message Date
Bob Relyea
05fc0ccfd2 remove unnecessarily divisive terms, take 1.
in ca-certificates there are 3 cases:
   1) master refering to the fedora master branch in the fetch.sh script.
      This can only be changed once fedora changes the master branch name.
   2) a reference to the 'master bundle' in this file: this has been changed
      to 'primary bundle'.
   3) a couple of blacklist directories owned by this package, but used to
      p11-kit. New 'blocklist' directories have been created, but p11-kit
      needs to be updated before the old blacklist directories can be removed
      and the man pages corrected.
2021-01-12 13:50:47 -08:00
Christian Heimes
9bd23da27f Add cross-distro compatibility symlinks
The directory /etc/ssl now contains symlinks to cert.pem bundle,
openssl.cnf, and ct_log_list.cnf to provide better cross-distribution
compatibility.

Resolves: rhbz#1895619
2020-11-10 10:59:19 +01:00
Fedora Release Engineering
5221e001cb - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-27 13:33:08 +00:00
Adam Williamson
5f1176f65b Fix up broken %post and %postinstall scriptlet changes from -2 2020-06-16 12:49:50 -07:00
Adam Williamson
a430e4124c Simplify the %post and %postinstall script stuff, it was broken
This approach had multiple problems. The most obvious is a typo -
it had `%-bindir` instead of `%_bindir`. But you also cannot mix
a %define into a %post script as was being done here, that just
doesn't work, you can't track state between scriptlets like that.
And the `%if` in %posttrans would be resolved at package build
time, not at %posttrans run time. (I think the syntax was wrong
anyway). This whole approach was irredeemably broken.

To get things back to a working state quickly, let's just do it
in a simple-but-dumb way: always run the scripts in %posttrans,
run them in %post if `ln` is available (with the typo fixed).
This means we'll often run them twice, but I don't think that
actually hurts anything. We can refine from here if desired.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-06-16 12:43:54 -07:00
Bob Relyea
34155d6cbe Fix unclosed if 2020-06-10 12:50:35 -07:00
Bob Relyea
9a68b05c60 Update to CKBI 2.41 from NSS 3.53.0
Removing:
    # Certificate "AddTrust Low-Value Services Root"
    # Certificate "AddTrust External Root"
    # Certificate "Staat der Nederlanden Root CA - G2"

-Updates several certificates with CKA_SERVER_DISTRUST_AFTER with a data
-Fix circular dependency issue by moving ca-legacy and upcate-ca-trust to
 %posttrans
2020-06-10 12:45:49 -07:00
Daiki Ueno
00da4d0e2a Update versioned dependency on p11-kit 2020-01-28 08:49:10 +01:00
Daiki Ueno
eaf3ef8b6b Update to CKBI 2.40 from NSS 3.48 2020-01-22 10:56:12 +01:00
Daiki Ueno
6aec97d9bd certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
This allows to follow upcoming changes in certdata.txt:
https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

Signed-off-by: Daiki Ueno <dueno@redhat.com>
2019-12-04 10:53:31 +01:00
Fedora Release Engineering
8702798203 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 19:46:15 +00:00
Bob Relyea
605570b71e Resolves: rhbz#1722213
- Update to CKBI 2.32 from NSS 3.44
   Removing:
    # Certificate "Visa eCommerce Root"
    # Certificate "AC Raiz Certicamara S.A."
    # Certificate "Certplus Root CA G1"
    # Certificate "Certplus Root CA G2"
    # Certificate "OpenTrust Root CA G1"
    # Certificate "OpenTrust Root CA G2"
    # Certificate "OpenTrust Root CA G3"
   Adding:
    # Certificate "GTS Root R1"
    # Certificate "GTS Root R2"
    # Certificate "GTS Root R3"
    # Certificate "GTS Root R4"
    # Certificate "UCA Global G2 Root"
    # Certificate "UCA Extended Validation Root"
    # Certificate "Certigna Root CA"
    # Certificate "emSign Root CA - G1"
    # Certificate "emSign ECC Root CA - G3"
    # Certificate "emSign Root CA - C1"
    # Certificate "emSign ECC Root CA - C3"
    # Certificate "Hongkong Post Root CA 3"
2019-06-19 10:17:16 -07:00
Fedora Release Engineering
4f5bce3dc2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-01-31 15:07:07 +00:00
Igor Gnatenko
6947c0bb5e Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:23:57 +01:00
Robert Relyea
f4842fa2d8 Fix stray commit character that turned a comment into an invalid rpm directive 2018-09-24 17:53:39 -07:00
Robert Relyea
439a513c7a Update ca-certficates to 2.26 from NSS 3.39 2018-09-24 17:18:53 -07:00
Fedora Release Engineering
46d2f25804 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-12 21:28:32 +00:00
Paul Wouters
31ba2e4690 packaging: remove obsolete defattr line 2018-07-03 15:36:24 -04:00
Kai Engert
1a2c011ba4 Ported scripts to python3 2018-06-28 22:36:01 +02:00
Kai Engert
34c0da9058 edk2 requires p11-kit >= 0.23.10 2018-06-11 16:08:26 +02:00
Daiki Ueno
6220683f76 Extract certificate bundle in EDK2 format 2018-06-11 14:05:57 +02:00
Kai Engert
398639612c Adjust ghost file permissions, rhbz#1564432 2018-06-04 15:19:58 +02:00
Kai Engert
342574ec95 Update to CKBI 2.24 from NSS 3.37 2018-05-18 13:05:43 +02:00
Iryna Shcherbina
77a1f2aa46 Update Python 2 dependency declarations to new packaging standards 2018-03-15 00:20:54 +01:00
Patrick Uiterwijk
09838f0deb Add dep on coreutils for ln(1) in %post
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-02-23 23:02:30 +01:00
Igor Gnatenko
44ff50bbce
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 07:53:59 +01:00
Kai Engert
a77bc273de Update to CKBI 2.22 from NSS 3.35 2018-02-06 14:42:09 +01:00
Kai Engert
756b8b4c69 Depend on bash, grep, sed. Required for ca-legacy script execution.
p11-kit is already required at %%post execution time. (rhbz#1537127)
2018-01-22 15:35:38 +01:00
Kai Engert
4d1e9c779d Use the force, script! (Which sln did by default). 2018-01-19 13:14:55 +01:00
Kai Engert
201f66b36b Stop using sln in ca-legacy script. 2018-01-19 13:07:06 +01:00
Kai Engert
078e3f0b9b Use ln -s, because sln was removed from glibc. rhbz#1536349 2018-01-19 12:57:53 +01:00
Kai Engert
e3a2f67722 Update to CKBI 2.20 from NSS 3.34.1 2017-11-27 21:37:37 +01:00
Bruno Goncalves
5fae916208 Add CI tests using the standard test interface 2017-09-25 11:03:21 +02:00
Kai Engert
6b317cb305 Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/ca-certificates 2017-08-15 15:41:33 +02:00
Kai Engert
7a69d0d22f - Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user configuration files (rhbz#1478172). 2017-08-15 15:39:45 +02:00
Fedora Release Engineering
c735381906 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-26 04:24:01 +00:00
Kai Engert
7accaab619 Update to (yet unreleased) CKBI 2.16 which is planned for NSS 3.32. Mozilla removed all trust bits for code signing. 2017-07-19 11:40:38 +02:00
Petr Písař
a2a1b6c64d perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:05:20 +02:00
Kai Engert
6cea01c4b1 Update to CKBI 2.14 from NSS 3.30.2 2017-04-26 14:37:22 +02:00
Kai Engert
c1c275770a For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true
Set attribute modifiable: false
Require p11-kit 0.23.4
2017-02-23 19:39:46 +01:00
Kai Engert
f0b0be2c1f - Changed the packaged bundle to use the flexible p11-kit-object-v1 file format,
as a preparation to fix bugs in the interaction between p11-kit-trust and
  Mozilla applications, such as Firefox, Thunderbird etc.
- Changed update-ca-trust to add comments to extracted PEM format files.
- Added an utility to help with comparing output of the trust dump command.
2017-02-13 21:04:08 +01:00
Fedora Release Engineering
b1bece42f2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-10 07:11:28 +00:00
Kai Engert
1926916bb3 Update to CKBI 2.11 from NSS 3.28.1 2017-01-11 14:16:31 +01:00
Kai Engert
00af3f958b Update to CKBI 2.10 from NSS 3.27 2016-10-04 19:54:47 +02:00
Kai Engert
552fa4a6d3 Revert to the unmodified upstream CA list, changing the legacy trust to an empty list. Keeping the ca-legacy tool and existing config, however, the configuration has no effect after this change. 2016-08-18 14:11:51 +02:00
Kai Engert
02204a071d Update to CKBI 2.9 from NSS 3.26 with legacy modifications 2016-08-16 18:51:35 +02:00
Kai Engert
54fae46d1e Update to CKBI 2.8 from NSS 3.25 with legacy modifications 2016-07-15 13:44:08 +02:00
Kai Engert
8867a18ec0 Only create backup files if there is an original file (bug 999017). 2016-05-10 20:28:23 +02:00
Kai Engert
5300aa7f75 Use sln, not ln, to avoid the dependency on coreutils. 2016-05-10 18:48:44 +02:00
Kai Engert
de9cf5de04 Fix typos in a manual page and in a README file. 2016-04-25 18:58:31 +02:00