# RPM spec for the ca-certificates package. It turns Mozilla's NSS
# certdata.txt into the system trust stores: two OpenSSL PEM bundles and a
# Java cacerts keystore, installed under the pki directory in sysconfdir.
#
# NOTE(review): this listing appears to have lost text during extraction.
# The here-documents in the build section are cut off, and the packager
# e-mail addresses in the changelog seem to be missing. Restore both from
# the packaging repository before building from this file.

%define pkidir %{_sysconfdir}/pki
# this year
# (year component of the package Version)
%define year 2024
# latest nss release.
# reference: https://hg.mozilla.org/projects/nss
# (this tag selects which certdata.txt revision Source0 downloads)
%define nss_version 3_101_1
# NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
# Keep this in step with nss_version: Version is built from ckbi_version while
# Source0 is selected by nss_version, so updating only one of them would label
# the package with a root-list version that differs from the data it ships.
%define ckbi_version 2.69
# Only used to pick the OpenJDK package in BuildRequires (keytool is run at
# build time to create the Java keystore).
%define java_version 1.8.0

Summary: The Mozilla CA root certificate bundle
Summary(ja): Mozilla の CA ルート証明書バンドル
Name: ca-certificates
Version: %{year}.%{ckbi_version}
Release: 1%{?_dist_release}
Group: system,security
Vendor: Project Vine
Distribution: Vine Linux.
License: MPL2
# see also: https://nss-crypto.org/
# NOTE(review): URL is informational only, but it is plain http.
URL: http://www.mozilla.org/
# Source0 is the trust-anchor input for everything this package installs.
# The URL pins an NSS release tag, but nothing in this spec checks a digest of
# the downloaded file. NOTE(review): confirm the build infrastructure records
# and verifies a checksum for certdata.txt before it is used.
Source0: https://hg.mozilla.org/projects/nss/raw-file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/certdata.txt#/certdata-%{version}.txt
# Source1 is copied next to certdata.txt before certdata2pem.py runs.
# Presumably it lists certificates the script must skip (see the 2010-3
# changelog entry) -- verify against the script.
Source1: blacklist.txt
# Source2 builds the Java keystore; Source3 splits certdata.txt into one .crt
# file per certificate (as consumed by the loop in the build section).
Source2: generate-cacerts.pl
Source3: certdata2pem.py
BuildArch: noarch
BuildRequires: perl, java-%{java_version}-openjdk-headless, python3, rcs

%description
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.

%prep
%setup -T -c -n %{name}
mkdir certs java
mkdir certs/legacy-default
mkdir certs/legacy-disable

%build
# Run the certdata.txt parser inside certs/ with the blacklist beside it.
# The loop below expects it to leave certs/*.crt files behind.
pushd certs
cp %{SOURCE0} certdata.txt
cp %{SOURCE1} .
python3 %{SOURCE3}
popd

# NOTE(review): the next line is damaged in this listing. It looks like the
# remains of two "( cat <<EOF ... ) > file" blocks that start each bundle
# (the loop below only appends with >>). It is reproduced exactly as found;
# restore the original blocks from the packaging repository.
( cat < ca-bundle.crt ( cat < ca-bundle.trust.crt

# Sort every extracted certificate into the two bundles by its trust bits.
# Each .crt is expected to carry a "# openssl-trust=<bits>" comment line
# (presumably written by certdata2pem.py); sed keeps the text after the "=".
#  - ca-bundle.crt:       only certificates whose bits include serverAuth,
#                         written as plain certificates with a -text dump.
#  - ca-bundle.trust.crt: every certificate with at least one trust bit,
#                         written with -trustout and one -addtrust per bit.
# A certificate with no trust bits is left out of both bundles.
for f in certs/*.crt; do
  tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f"`
  case $tbits in
  *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  esac
  if [ -n "$tbits" ]; then
    targs=""
    # tbits and targs are left unquoted on purpose: each trust bit must
    # become its own word / its own "-addtrust <bit>" argument pair.
    for t in $tbits; do
      targs="${targs} -addtrust $t"
    done
    openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
  fi
done

pushd java
# Refuse to build a keystore from an empty bundle.
# NOTE(review): test -s only proves the file is non-empty. If the damaged
# block above writes header text into ca-bundle.crt first, this check would
# still pass with zero certificates; consider also requiring at least one
# "BEGIN CERTIFICATE" line. ca-bundle.trust.crt has no equivalent check.
test -s ../ca-bundle.crt || exit 1
# The keystore is generated from ca-bundle.crt, i.e. from the serverAuth
# subset only. The script is expected to write ./cacerts (touched below).
%{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
# Give the keystore the mtime of the input data rather than the build time.
touch -r %{SOURCE0} cacerts
popd

%install
rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}

# Bundles are installed 0644: readable by every user, writable by the owner
# only (the files section sets owner and group to root).
install -p -m 644 ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
install -p -m 644 ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
# Relative symlink, so it resolves inside the build root and on the target.
ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt

# Install Java cacerts file.
# NOTE(review): the java directory was already created by the mkdir -p above,
# and mkdir applies -m only to directories it creates, so "-m 700" has no
# effect here. Check how consumers read the 0644 keystore before changing it.
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
install -p -m 644 java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/

# /etc/ssl/certs symlink for 3rd-party tools
# (relative link from the ssl directory to ../pki/tls/certs)
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%dir %{pkidir}/java
# The trust stores are marked config(noreplace): a store that was edited
# locally is kept on upgrade and the new one is written beside it as .rpmnew.
# Such hosts do not pick up CA additions or removals from an update until the
# files are merged, so check for leftover .rpmnew files after upgrading.
%config(noreplace) %{pkidir}/java/cacerts
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
%{pkidir}/tls/cert.pem
%dir %{_sysconfdir}/ssl
%{_sysconfdir}/ssl/certs

%changelog
* Sat Jun 29 2024 Tomohiro "Tomo-p" KATO 2024.2.69-1
- updated to 2.69.

* Mon Oct 30 2023 Tomohiro "Tomo-p" KATO 2023.2.62-1
- updated to 2.62.

* Sun Nov 20 2022 Tomohiro "Tomo-p" KATO 2022.2.58-1
- updated to 2.58.

* Wed Nov 24 2021 Tomohiro "Tomo-p" KATO 2021.2.52-1
- updated to 2.52.

* Fri Jun 25 2021 Tomohiro "Tomo-p" KATO 2021.2.50-1
- updated to 2.50.

* Mon Mar 22 2021 Tomohiro "Tomo-p" KATO 2021.2.48-1
- updated to 2.48.

* Thu Feb 25 2021 Tomohiro "Tomo-p" KATO 2021.2.46-1
- updated to 2.46.

* Sat Mar 21 2020 Tomohiro "Tomo-p" KATO 2020.2.40-1
- updated to 2.40.

* Tue Nov 20 2018 Tomohiro "Tomo-p" KATO 2018.2.28-1
- updated to 2.28.

* Tue Mar 13 2018 Tomohiro "Tomo-p" KATO 2018.2.22-1
- updated to 2.22.

* Sun Nov 29 2015 Tomohiro "Tomo-p" KATO 2015.2.6-2
- changed "License:" to MPL2.

* Sun Nov 29 2015 Tomohiro "Tomo-p" KATO 2015.2.6-1
- updated to 2.6.

* Thu Feb 06 2014 Daisuke SUZUKI 2013.1.96-1
- update to 1.96

* Wed Sep 25 2013 Daisuke SUZUKI 2013.1.94-1
- update to 1.94

* Wed Jul 25 2012 Daisuke SUZUKI 2012.85-1
- update to r1.85

* Mon Mar 26 2012 Daisuke SUZUKI 2012.81-1
- initial build for Vine Linux

* Mon Feb 13 2012 Joe Orton - 2012.81-1
- update to r1.81

* Thu Jan 12 2012 Fedora Release Engineering - 2011.80-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Nov 9 2011 Joe Orton - 2011.80-1
- update to r1.80
- fix handling of certs with dublicate Subject names (#733032)

* Thu Sep 1 2011 Joe Orton - 2011.78-1
- update to r1.78, removing trust from DigiNotar root (#734679)

* Wed Aug 3 2011 Joe Orton - 2011.75-1
- update to r1.75

* Wed Apr 20 2011 Joe Orton - 2011.74-1
- update to r1.74

* Tue Feb 08 2011 Fedora Release Engineering - 2011.70-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Wed Jan 12 2011 Joe Orton - 2011.70-1
- update to r1.70

* Tue Nov 9 2010 Joe Orton - 2010.65-3
- update to r1.65

* Wed Apr 7 2010 Joe Orton - 2010.63-3
- package /etc/ssl/certs symlink for third-party apps (#572725)

* Wed Apr 7 2010 Joe Orton - 2010.63-2
- rebuild

* Wed Apr 7 2010 Joe Orton - 2010.63-1
- update to certdata.txt r1.63
- use upstream RCS version in Version

* Fri Mar 19 2010 Joe Orton - 2010-4
- fix ca-bundle.crt (#575111)

* Thu Mar 18 2010 Joe Orton - 2010-3
- update to certdata.txt r1.58
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE'
  format
- exclude ECC certs from the Java cacerts database
- catch keytool failures
- fail parsing certdata.txt on finding untrusted but not blacklisted cert

* Fri Jan 15 2010 Joe Orton - 2010-2
- fix Java cacert database generation: use Subject rather than Issuer
  for alias name; add diagnostics; fix some alias names.

* Mon Jan 11 2010 Joe Orton - 2010-1
- adopt Python certdata.txt parsing script from Debian

* Fri Jul 24 2009 Fedora Release Engineering - 2009-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Wed Jul 22 2009 Joe Orton 2009-1
- update to certdata.txt r1.53

* Mon Feb 23 2009 Fedora Release Engineering - 2008-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Tue Oct 14 2008 Joe Orton 2008-7
- update to certdata.txt r1.49

* Wed Jun 25 2008 Thomas Fitzsimmons - 2008-6
- Change generate-cacerts.pl to produce pretty aliases.

* Mon Jun 2 2008 Joe Orton 2008-5
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt

* Tue May 27 2008 Joe Orton 2008-4
- use package name for temp dir, recreate it in prep

* Tue May 27 2008 Joe Orton 2008-3
- fix source script perms
- mark packaged files as config(noreplace)

* Tue May 27 2008 Joe Orton 2008-2
- add (but don't use) mkcabundle.pl
- tweak description
- use /usr/bin/keytool directly; BR java-openjdk

* Tue May 27 2008 Joe Orton 2008-1
- Initial build (#448497)