# certdata.txt is generated by extracting it from Mozilla CVS.
# This is done by running:
#
#  cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
#        co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
#        > certdata.txt
#
# Anonymous pserver access is neither encrypted nor authenticated, so the
# checkout alone does not prove the file is the one Mozilla published; check
# it against an independently obtained copy before packaging.
#
# Keep the RCS version in sync with the spec Version.
---|
9 | |
---|
10 | %define pkidir %{_sysconfdir}/pki |
---|
11 | |
---|
12 | Summary: The Mozilla CA root certificate bundle |
---|
13 | Summary(ja): Mozilla の CA ルート証明書バンドル |
---|
14 | Name: ca-certificates |
---|
15 | Version: 2013.1.96 |
---|
16 | Release: 1%{?_dist_release} |
---|
17 | License: Public Domain |
---|
18 | Group: System Environment/Base |
---|
19 | URL: http://www.mozilla.org/ |
---|
20 | Source0: certdata.txt |
---|
21 | Source1: blacklist.txt |
---|
22 | Source2: generate-cacerts.pl |
---|
23 | Source3: certdata2pem.py |
---|
24 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root |
---|
25 | BuildRequires: perl, java-openjdk, python, rcs |
---|
26 | BuildArch: noarch |
---|
27 | |
---|
28 | %description |
---|
29 | This package contains the set of CA certificates chosen by the |
---|
30 | Mozilla Foundation for use with the Internet PKI. |
---|
31 | |
---|
32 | %prep |
---|
# Recreate the scratch tree (named after the package) from nothing. The build
# step later globs certs/*.crt, so a leftover file from an earlier build would
# otherwise be picked up into the bundles.
rm -rf "%{name}"
mkdir -p "%{name}/certs" "%{name}/java"
---|
35 | |
---|
36 | %build |
---|
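# Step 1: run the converter script inside certs/, next to copies of
# certdata.txt and blacklist.txt. The loop below expects it to leave one .crt
# file per certificate in this directory.
# NOTE(review): nothing in this build checks certdata.txt against a checksum
# or signature; whatever file sits in the source directory becomes the system
# trust store.
pushd %{name}/certs
cp "%{SOURCE0}" "%{SOURCE1}" .
python "%{SOURCE3}"
popd

# Step 2: assemble the two PEM bundles.
pushd %{name}
# Each bundle starts with a comment header ending in the RCS ident strings of
# certdata.txt (sed drops ident's first output line and prefixes the rest with
# '#'), so an installed bundle can be traced to an upstream revision.
(
  cat <<'EOF'
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
  ident -q "%{SOURCE0}" | sed '1d;s/^/#/'
  echo '#'
) > ca-bundle.crt
(
  cat <<'EOF'
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
  ident -q "%{SOURCE0}" | sed '1d;s/^/#/'
  echo '#'
) > ca-bundle.trust.crt

for f in certs/*.crt; do
  # An unmatched glob stays literal; report that instead of failing later on
  # an obscure sed error.
  if [ ! -e "$f" ]; then
    echo "no certificate files were generated in certs/" >&2
    exit 1
  fi

  # Trust purposes of this certificate: the text after the last '=' on its
  # "# openssl-trust" comment line (presumably written by the converter
  # script; verify against certdata2pem.py).
  tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f")

  # ca-bundle.crt only receives certificates trusted for TLS server
  # authentication.
  case $tbits in
    *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  esac

  # ca-bundle.trust.crt receives every certificate that has at least one
  # trust purpose, with one -addtrust option per purpose. A certificate
  # without trust bits goes into neither bundle.
  if [ -n "$tbits" ]; then
    # Collect the options as positional parameters so each purpose is passed
    # as its own argument; $tbits is split on whitespace on purpose.
    set --
    for t in $tbits; do
      set -- "$@" -addtrust "$t"
    done
    openssl x509 -text -in "$f" -trustout "$@" >> ca-bundle.trust.crt
  fi
done
popd

# Step 3: build the Java keystore from the server-auth bundle.
pushd %{name}/java
# Both bundles always contain the comment header written above, so a
# non-empty test cannot detect a bundle without certificates. Require at
# least one PEM block in each before anything is packaged.
if ! grep -q -e '-----BEGIN CERTIFICATE-----' ../ca-bundle.crt; then
  echo "ca-bundle.crt contains no certificates" >&2
  exit 1
fi
if ! grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' ../ca-bundle.trust.crt; then
  echo "ca-bundle.trust.crt contains no certificates" >&2
  exit 1
fi
%{__perl} "%{SOURCE2}" "%{_bindir}/keytool" ../ca-bundle.crt
# Give the keystore the timestamp of certdata.txt rather than the build time.
touch -r "%{SOURCE0}" cacerts
popd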
---|
87 | |
---|
88 | %install |
---|
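# Start from an empty build root. The expansion is quoted and guarded: with an
# unset or empty variable the commands below would otherwise create and
# overwrite files under the live /etc instead of a staging tree.
rm -rf -- "${RPM_BUILD_ROOT:?}"

tls_dir="$RPM_BUILD_ROOT%{pkidir}/tls"
java_dir="$RPM_BUILD_ROOT%{pkidir}/java"
ssl_dir="$RPM_BUILD_ROOT%{_sysconfdir}/ssl"

mkdir -p "$tls_dir/certs" "$java_dir"

# PEM bundles: world-readable, writable by the owner only.
install -p -m 644 "%{name}/ca-bundle.crt" "$tls_dir/certs/ca-bundle.crt"
install -p -m 644 "%{name}/ca-bundle.trust.crt" "$tls_dir/certs/ca-bundle.trust.crt"
ln -s certs/ca-bundle.crt "$tls_dir/cert.pem"
# Stamp the bundles with the timestamp of certdata.txt rather than the build
# time.
touch -r "%{SOURCE0}" "$tls_dir/certs/ca-bundle.crt"
touch -r "%{SOURCE0}" "$tls_dir/certs/ca-bundle.trust.crt"

# Install Java cacerts file.
# The java directory already exists from the mkdir above, so the second
# "mkdir -p -m 700" that used to stand here never changed its mode and is
# dropped. The directory keeps its umask-derived mode; with the usual 022
# umask non-root processes can still reach the world-readable keystore.
install -p -m 644 "%{name}/java/cacerts" "$java_dir/"

# /etc/ssl/certs symlink for 3rd-party tools
mkdir -p -m 755 "$ssl_dir"
ln -s ../pki/tls/certs "$ssl_dir/certs"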
---|
106 | |
---|
107 | %clean |
---|
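# Remove the staging tree. Quoted so a path with spaces stays one argument,
# and guarded so an unset or empty variable aborts the scriptlet.
rm -rf -- "${RPM_BUILD_ROOT:?}"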
---|
109 | |
---|
%files
# Ownership is root:root; file and directory modes are taken from the build
# root as installed.
%defattr(-,root,root,-)
%dir %{pkidir}/java
# NOTE(review): config(noreplace) keeps a locally modified trust store on
# upgrade and writes the packaged one next to it as .rpmnew. On such hosts a
# CA removal shipped in an update does not take effect until the files are
# merged by hand. The same applies to the PEM bundles below.
%config(noreplace) %{pkidir}/java/cacerts
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
# The glob matches both ca-bundle.crt and ca-bundle.trust.crt.
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
# Symlink to certs/ca-bundle.crt.
%{pkidir}/tls/cert.pem
%dir %{_sysconfdir}/ssl
# Symlink to ../pki/tls/certs for third-party tools.
%{_sysconfdir}/ssl/certs
---|
120 | |
---|
121 | %changelog |
---|
122 | * Thu Feb 06 2014 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.96-1 |
---|
123 | - update to 1.96 |
---|
124 | |
---|
125 | * Wed Sep 25 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.94-1 |
---|
126 | - update to 1.94 |
---|
127 | |
---|
128 | * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1 |
---|
129 | - update to r1.85 |
---|
130 | |
---|
131 | * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1 |
---|
132 | - initial build for Vine Linux |
---|
133 | |
---|
134 | * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1 |
---|
135 | - update to r1.81 |
---|
136 | |
---|
137 | * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2 |
---|
138 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild |
---|
139 | |
---|
140 | * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1 |
---|
141 | - update to r1.80 |
---|
142 | - fix handling of certs with duplicate Subject names (#733032) |
---|
143 | |
---|
144 | * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1 |
---|
145 | - update to r1.78, removing trust from DigiNotar root (#734679) |
---|
146 | |
---|
147 | * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1 |
---|
148 | - update to r1.75 |
---|
149 | |
---|
150 | * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1 |
---|
151 | - update to r1.74 |
---|
152 | |
---|
153 | * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2 |
---|
154 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
---|
155 | |
---|
156 | * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1 |
---|
157 | - update to r1.70 |
---|
158 | |
---|
159 | * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3 |
---|
160 | - update to r1.65 |
---|
161 | |
---|
162 | * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3 |
---|
163 | - package /etc/ssl/certs symlink for third-party apps (#572725) |
---|
164 | |
---|
165 | * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2 |
---|
166 | - rebuild |
---|
167 | |
---|
168 | * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1 |
---|
169 | - update to certdata.txt r1.63 |
---|
170 | - use upstream RCS version in Version |
---|
171 | |
---|
172 | * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4 |
---|
173 | - fix ca-bundle.crt (#575111) |
---|
174 | |
---|
175 | * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3 |
---|
176 | - update to certdata.txt r1.58 |
---|
177 | - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTIFICATE' format |
---|
178 | - exclude ECC certs from the Java cacerts database |
---|
179 | - catch keytool failures |
---|
180 | - fail parsing certdata.txt on finding untrusted but not blacklisted cert |
---|
181 | |
---|
182 | * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2 |
---|
183 | - fix Java cacert database generation: use Subject rather than Issuer |
---|
184 | for alias name; add diagnostics; fix some alias names. |
---|
185 | |
---|
186 | * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1 |
---|
187 | - adopt Python certdata.txt parsing script from Debian |
---|
188 | |
---|
189 | * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2 |
---|
190 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild |
---|
191 | |
---|
192 | * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1 |
---|
193 | - update to certdata.txt r1.53 |
---|
194 | |
---|
195 | * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8 |
---|
196 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
---|
197 | |
---|
198 | * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7 |
---|
199 | - update to certdata.txt r1.49 |
---|
200 | |
---|
201 | * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6 |
---|
202 | - Change generate-cacerts.pl to produce pretty aliases. |
---|
203 | |
---|
204 | * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5 |
---|
205 | - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt |
---|
206 | |
---|
207 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4 |
---|
208 | - use package name for temp dir, recreate it in prep |
---|
209 | |
---|
210 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3 |
---|
211 | - fix source script perms |
---|
212 | - mark packaged files as config(noreplace) |
---|
213 | |
---|
214 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2 |
---|
215 | - add (but don't use) mkcabundle.pl |
---|
216 | - tweak description |
---|
217 | - use /usr/bin/keytool directly; BR java-openjdk |
---|
218 | |
---|
219 | * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1 |
---|
220 | - Initial build (#448497) |
---|