ca-certificates-vl.spec 8.2 KB

  1. %define pkidir %{_sysconfdir}/pki
  2. # this year
  3. %define year 2024
  4. # latest nss release.
  5. # reference: https://hg.mozilla.org/projects/nss
  6. %define nss_version 3_101_1
  7. # NSS_BUILTINS_LIBRARY_VERSION from https://hg.mozilla.org/projects/nss/file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/nssckbi.h
  8. %define ckbi_version 2.69
  9. %define java_version 1.8.0
  10. Summary: The Mozilla CA root certificate bundle
  11. Summary(ja): Mozilla の CA ルート証明書バンドル
  12. Name: ca-certificates
  13. Version: %{year}.%{ckbi_version}
  14. Release: 1%{?_dist_release}
  15. Group: system,security
  16. Vendor: Project Vine
  17. Distribution: Vine Linux.
  18. License: MPL2
  19. # see also: https://nss-crypto.org/
  20. URL: http://www.mozilla.org/
  21. Source0: https://hg.mozilla.org/projects/nss/raw-file/NSS_%{nss_version}_RTM/lib/ckfw/builtins/certdata.txt#/certdata-%{version}.txt
  22. Source1: blacklist.txt
  23. Source2: generate-cacerts.pl
  24. Source3: certdata2pem.py
  25. BuildArch: noarch
  26. BuildRequires: perl, java-%{java_version}-openjdk-headless, python3, rcs
  27. %description
  28. This package contains the set of CA certificates chosen by the
  29. Mozilla Foundation for use with the Internet PKI.
  30. %prep
  31. %setup -T -c -n %{name}
  32. mkdir certs java
  33. mkdir certs/legacy-default
  34. mkdir certs/legacy-disable
  35. %build
  36. pushd certs
  37. cp %{SOURCE0} certdata.txt
  38. cp %{SOURCE1} .
  39. python3 %{SOURCE3}
  40. popd
  41. (
  42. cat <<EOF
  43. # This is a bundle of X.509 certificates of public Certificate
  44. # Authorities. It was generated from the Mozilla root CA list.
  45. #
  46. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  47. #
  48. # Generated from:
  49. EOF
  50. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  51. echo '#';
  52. ) > ca-bundle.crt
  53. (
  54. cat <<EOF
  55. # This is a bundle of X.509 certificates of public Certificate
  56. # Authorities. It was generated from the Mozilla root CA list.
  57. # These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
  58. # format and have trust bits set accordingly.
  59. #
  60. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  61. #
  62. # Generated from:
  63. EOF
  64. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  65. echo '#';
  66. ) > ca-bundle.trust.crt
  67. for f in certs/*.crt; do
  68. tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f"`
  69. case $tbits in
  70. *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  71. esac
  72. if [ -n "$tbits" ]; then
  73. targs=""
  74. for t in $tbits; do
  75. targs="${targs} -addtrust $t"
  76. done
  77. openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
  78. fi
  79. done
  80. pushd java
  81. test -s ../ca-bundle.crt || exit 1
  82. %{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
  83. touch -r %{SOURCE0} cacerts
  84. popd
  85. %install
  86. rm -rf $RPM_BUILD_ROOT
  87. mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
  88. install -p -m 644 ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  89. install -p -m 644 ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  90. ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
  91. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  92. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  93. # Install Java cacerts file.
  94. mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
  95. install -p -m 644 java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
  96. # /etc/ssl/certs symlink for 3rd-party tools
  97. mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
  98. ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
  99. %clean
  100. rm -rf $RPM_BUILD_ROOT
%files
# Packaged files are owned by root:root; modes come from the build root.
%defattr(-,root,root,-)
%dir %{pkidir}/java
# config(noreplace): on upgrade, a keystore or bundle that was edited
# locally is kept and the new version is written next to it as .rpmnew.
# A locally modified trust store therefore does not pick up upstream root
# additions or removals until the administrator merges the .rpmnew file.
%config(noreplace) %{pkidir}/java/cacerts
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
# The glob matches both ca-bundle.crt and ca-bundle.trust.crt.
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
# Symlink to certs/ca-bundle.crt created in the install section.
%{pkidir}/tls/cert.pem
%dir %{_sysconfdir}/ssl
# Symlink to ../pki/tls/certs created in the install section.
%{_sysconfdir}/ssl/certs
  111. %changelog
  112. * Sat Jun 29 2024 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2024.2.69-1
  113. - updated to 2.69.
  114. * Mon Oct 30 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2023.2.62-1
  115. - updated to 2.62.
  116. * Sun Nov 20 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2022.2.58-1
  117. - updated to 2.58.
  118. * Wed Nov 24 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.52-1
  119. - updated to 2.52.
  120. * Fri Jun 25 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.50-1
  121. - updated to 2.50.
  122. * Mon Mar 22 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.48-1
  123. - updated to 2.48.
  124. * Thu Feb 25 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2021.2.46-1
  125. - updated to 2.46.
  126. * Sat Mar 21 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2020.2.40-1
  127. - updated to 2.40.
  128. * Tue Nov 20 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.28-1
  129. - updated to 2.28.
  130. * Tue Mar 13 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2018.2.22-1
  131. - updated to 2.22.
  132. * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-2
  133. - changed "License:" to MPL2.
  134. * Sun Nov 29 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2015.2.6-1
  135. - updated to 2.6.
  136. * Thu Feb 06 2014 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.96-1
  137. - update to 1.96
  138. * Wed Sep 25 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 2013.1.94-1
  139. - update to 1.94
  140. * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1
  141. - update to r1.85
  142. * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1
  143. - initial build for Vine Linux
  144. * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
  145. - update to r1.81
  146. * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
  147. - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
  148. * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
  149. - update to r1.80
  150. - fix handling of certs with duplicate Subject names (#733032)
  151. * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
  152. - update to r1.78, removing trust from DigiNotar root (#734679)
  153. * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
  154. - update to r1.75
  155. * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
  156. - update to r1.74
  157. * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
  158. - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
  159. * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
  160. - update to r1.70
  161. * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
  162. - update to r1.65
  163. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
  164. - package /etc/ssl/certs symlink for third-party apps (#572725)
  165. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
  166. - rebuild
  167. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
  168. - update to certdata.txt r1.63
  169. - use upstream RCS version in Version
  170. * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
  171. - fix ca-bundle.crt (#575111)
  172. * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
  173. - update to certdata.txt r1.58
  174. - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTIFICATE' format
  175. - exclude ECC certs from the Java cacerts database
  176. - catch keytool failures
  177. - fail parsing certdata.txt on finding untrusted but not blacklisted cert
  178. * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
  179. - fix Java cacert database generation: use Subject rather than Issuer
  180. for alias name; add diagnostics; fix some alias names.
  181. * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
  182. - adopt Python certdata.txt parsing script from Debian
  183. * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
  184. - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
  185. * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
  186. - update to certdata.txt r1.53
  187. * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
  188. - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
  189. * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
  190. - update to certdata.txt r1.49
  191. * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
  192. - Change generate-cacerts.pl to produce pretty aliases.
  193. * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
  194. - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
  195. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
  196. - use package name for temp dir, recreate it in prep
  197. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
  198. - fix source script perms
  199. - mark packaged files as config(noreplace)
  200. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
  201. - add (but don't use) mkcabundle.pl
  202. - tweak description
  203. - use /usr/bin/keytool directly; BR java-openjdk
  204. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
  205. - Initial build (#448497)