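%define pkidir %{_sysconfdir}/pki

# this year
%define year 2020

# latest nss release.
# reference: https://hg.mozilla.org/projects/nss
%define nss_version 3_51

# NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
%define ckbi_version 2.40

%define java_version 1.8.0

Summary: The Mozilla CA root certificate bundle
Summary(ja): Mozilla の CA ルート証明書バンドル
Name: ca-certificates
Version: %{year}.%{ckbi_version}
Release: 1%{?_dist_release}
License: MPL2
Group: System Environment/Base
# see also: https://nss-crypto.org/
URL: https://www.mozilla.org/
# certdata.txt is the input from which every packaged trust store (the two
# PEM bundles and the Java keystore) is generated. Nothing in this spec checks
# the integrity of that file: no checksum or signature is compared during the
# build. When refreshing it, fetch it over HTTPS from the tagged NSS release
# named by nss_version and confirm that ckbi_version matches
# NSS_BUILTINS_LIBRARY_VERSION in nssckbi.h of the same tag.
Source0: https://hg.mozilla.org/projects/nss/raw-file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/certdata.txt
# Per the 2010-3 changelog entry, parsing certdata.txt fails on a certificate
# that is untrusted but not blacklisted; blacklist.txt presumably lists the
# certificates that are excluded on purpose. Review it whenever Source0 changes.
Source1: blacklist.txt
Source2: generate-cacerts.pl
Source3: certdata2pem.py
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
# perl runs generate-cacerts.pl, the JDK supplies keytool, python runs
# certdata2pem.py; rcs is presumably required for the ident command used in
# the build section.
BuildRequires: perl, java-%{java_version}-openjdk-headless, python, rcs
BuildArch: noarch

Vendor: Project Vine
Distribution: Vine Linux.

%description
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.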
---|
| 38 | |
---|
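%prep
# Recreate the scratch tree from nothing so files left by an earlier build
# cannot end up in the bundles. certs/ is filled by certdata2pem.py, java/
# receives the keystore.
rm -rf %{name}
mkdir %{name} %{name}/certs %{name}/java

%build
pushd %{name}/certs
# certdata2pem.py is run without arguments next to copies of certdata.txt and
# blacklist.txt; the loop further down expects it to leave *.crt files here,
# each carrying a "# openssl-trust=" comment line with its trust bits.
cp %{SOURCE0} %{SOURCE1} .
python %{SOURCE3}
popd
pushd %{name}
# Header of the plain bundle. ident prints the RCS keyword strings found in
# certdata.txt; sed drops the first output line and comment-prefixes the rest.
(
cat <<'EOF'
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
ident -q %{SOURCE0} | sed '1d;s/^/#/';
echo '#';
) > ca-bundle.crt
# Header of the bundle in OpenSSL trusted-certificate format.
(
cat <<'EOF'
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
ident -q %{SOURCE0} | sed '1d;s/^/#/';
echo '#';
) > ca-bundle.trust.crt
for f in certs/*.crt; do
  # An unmatched glob stays literal; skip it so that the bundle checks below
  # report the problem instead of sed failing on a non-existent path.
  [ -e "$f" ] || continue
  tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f")
  # Only certificates trusted for TLS server authentication go into the plain
  # bundle; that file carries no per-certificate trust information.
  case $tbits in
    *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt || exit 1 ;;
  esac
  if [ -n "$tbits" ]; then
    targs=""
    # $tbits and $targs are split on whitespace on purpose: one -addtrust
    # option per trust bit. The values come from certdata.txt by way of
    # certdata2pem.py, so they are only as trustworthy as that input.
    for t in $tbits; do
      targs="${targs} -addtrust $t"
    done
    openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt || exit 1
  fi
done
popd
pushd %{name}/java
# Both bundles already contain the comment header written above, so a size
# test (test -s) cannot detect an empty trust store. Require at least one PEM
# block in each before building the keystore from them.
grep -q -e '-----BEGIN CERTIFICATE-----' ../ca-bundle.crt || exit 1
grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' ../ca-bundle.trust.crt || exit 1
%{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
# touch creates a missing file, which would let an empty keystore be packaged
# if the generator produced nothing; check before stamping the timestamp.
test -s cacerts || exit 1
touch -r %{SOURCE0} cacerts
popd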
---|
| 94 | |
---|
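%install
# :? aborts instead of expanding to an empty path if the variable is unset.
rm -rf "${RPM_BUILD_ROOT:?}"

# Directory modes are given explicitly. The files section uses
# defattr(-,root,root,-), so the mode a path has in the build root is the
# mode that ends up in the package.
mkdir -p -m 755 "$RPM_BUILD_ROOT%{pkidir}/tls/certs" "$RPM_BUILD_ROOT%{pkidir}/java"

install -p -m 644 %{name}/ca-bundle.crt "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt"
install -p -m 644 %{name}/ca-bundle.trust.crt "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt"
ln -s certs/ca-bundle.crt "$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem"
# Give the bundles the timestamp of certdata.txt rather than the build time.
touch -r %{SOURCE0} "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt"
touch -r %{SOURCE0} "$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt"

# Install Java cacerts file. The java directory is created above with mode
# 755; an extra "mkdir -p -m 700" at this point had no effect because mkdir -p
# leaves the mode of an existing directory alone. The keystore is installed
# 644 and can only be read if the directory can be traversed.
install -p -m 644 %{name}/java/cacerts "$RPM_BUILD_ROOT%{pkidir}/java/"

# /etc/ssl/certs symlink for 3rd-party tools
mkdir -p -m 755 "$RPM_BUILD_ROOT%{_sysconfdir}/ssl"
ln -s ../pki/tls/certs "$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs"

%clean
rm -rf "${RPM_BUILD_ROOT:?}"

%files
%defattr(-,root,root,-)
%dir %{pkidir}/java
# config(noreplace): if an administrator has edited a trust store, an upgrade
# keeps the edited file and writes the new one next to it as .rpmnew. Root
# removals shipped by an update then do not take effect on that host until the
# files are merged, so .rpmnew files under the pki directory deserve a check
# after every update of this package.
%config(noreplace) %{pkidir}/java/cacerts
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
# The glob covers ca-bundle.crt and ca-bundle.trust.crt.
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
%{pkidir}/tls/cert.pem
%dir %{_sysconfdir}/ssl
%{_sysconfdir}/ssl/certs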
---|
| 127 | |
---|
| 128 | %changelog |
---|
[12346] | 129 | * Sat Mar 21 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2020.2.40-1 |
---|
| 130 | - updated to 2.40. |
---|
| 131 | |
---|
[11936] | 132 | * Tue Nov 20 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.28-1 |
---|
| 133 | - updated to 2.28. |
---|
| 134 | |
---|
| 135 | * Tue Mar 13 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.22-1 |
---|
[11588] | 136 | - updated to 2.22. |
---|
| 137 | |
---|
[9836] | 138 | * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-2 |
---|
| 139 | - changed "License:" to MPL2. |
---|
| 140 | |
---|
| 141 | * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-1 |
---|
| 142 | - updated to 2.6. |
---|
| 143 | |
---|
[8242] | 144 | * Thu Feb 06 2014 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.96-1 |
---|
| 145 | - update to 1.96 |
---|
| 146 | |
---|
[7834] | 147 | * Wed Sep 25 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.94-1 |
---|
| 148 | - update to 1.94 |
---|
| 149 | |
---|
[6630] | 150 | * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1 |
---|
| 151 | - update to r1.85 |
---|
| 152 | |
---|
| 153 | * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1 |
---|
| 154 | - initial build for Vine Linux |
---|
| 155 | |
---|
| 156 | * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1 |
---|
| 157 | - update to r1.81 |
---|
| 158 | |
---|
| 159 | * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2 |
---|
| 160 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild |
---|
| 161 | |
---|
| 162 | * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1 |
---|
| 163 | - update to r1.80 |
---|
| 164 | - fix handling of certs with duplicate Subject names (#733032) |
---|
| 165 | |
---|
| 166 | * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1 |
---|
| 167 | - update to r1.78, removing trust from DigiNotar root (#734679) |
---|
| 168 | |
---|
| 169 | * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1 |
---|
| 170 | - update to r1.75 |
---|
| 171 | |
---|
| 172 | * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1 |
---|
| 173 | - update to r1.74 |
---|
| 174 | |
---|
| 175 | * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2 |
---|
| 176 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
---|
| 177 | |
---|
| 178 | * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1 |
---|
| 179 | - update to r1.70 |
---|
| 180 | |
---|
| 181 | * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3 |
---|
| 182 | - update to r1.65 |
---|
| 183 | |
---|
| 184 | * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3 |
---|
| 185 | - package /etc/ssl/certs symlink for third-party apps (#572725) |
---|
| 186 | |
---|
| 187 | * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2 |
---|
| 188 | - rebuild |
---|
| 189 | |
---|
| 190 | * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1 |
---|
| 191 | - update to certdata.txt r1.63 |
---|
| 192 | - use upstream RCS version in Version |
---|
| 193 | |
---|
| 194 | * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4 |
---|
| 195 | - fix ca-bundle.crt (#575111) |
---|
| 196 | |
---|
| 197 | * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3 |
---|
| 198 | - update to certdata.txt r1.58 |
---|
| 199 | - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTIFICATE' format |
---|
| 200 | - exclude ECC certs from the Java cacerts database |
---|
| 201 | - catch keytool failures |
---|
| 202 | - fail parsing certdata.txt on finding untrusted but not blacklisted cert |
---|
| 203 | |
---|
| 204 | * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2 |
---|
| 205 | - fix Java cacert database generation: use Subject rather than Issuer |
---|
| 206 | for alias name; add diagnostics; fix some alias names. |
---|
| 207 | |
---|
| 208 | * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1 |
---|
| 209 | - adopt Python certdata.txt parsing script from Debian |
---|
| 210 | |
---|
| 211 | * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2 |
---|
| 212 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild |
---|
| 213 | |
---|
| 214 | * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1 |
---|
| 215 | - update to certdata.txt r1.53 |
---|
| 216 | |
---|
| 217 | * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8 |
---|
| 218 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
---|
| 219 | |
---|
| 220 | * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7 |
---|
| 221 | - update to certdata.txt r1.49 |
---|
| 222 | |
---|
| 223 | * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6 |
---|
| 224 | - Change generate-cacerts.pl to produce pretty aliases. |
---|
| 225 | |
---|
| 226 | * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5 |
---|
| 227 | - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt |
---|
| 228 | |
---|
| 229 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4 |
---|
| 230 | - use package name for temp dir, recreate it in prep |
---|
| 231 | |
---|
| 232 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3 |
---|
| 233 | - fix source script perms |
---|
| 234 | - mark packaged files as config(noreplace) |
---|
| 235 | |
---|
| 236 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2 |
---|
| 237 | - add (but don't use) mkcabundle.pl |
---|
| 238 | - tweak description |
---|
| 239 | - use /usr/bin/keytool directly; BR java-openjdk |
---|
| 240 | |
---|
| 241 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1 |
---|
| 242 | - Initial build (#448497) |
---|