forked from gentoo/gentoo
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
app-misc/ca-certificates: Bump to version 20211016.3.72
Signed-off-by: Lars Wendler <[email protected]>
- Loading branch information
Lars Wendler
committed
Nov 4, 2021
1 parent
36961a6
commit 40cb637
Showing
2 changed files
with
191 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,7 @@ | ||
| DIST ca-certificates_20210119.tar.xz 232964 BLAKE2B 593352912d2b490e3f46ea032ac1ddf1c87a7ac93859d475461cbba490918cdec853b0bb30bb253a634d8d597ca6f0304bc81122b4b31b5b31fd6a80e1faaf33 SHA512 a824209fa0ff0865872a07d8e6b901d8407f599243810fd5c820e1f69226e05b0b4f1e25e5ff3d8d398ff952529084442f026e32220961f359f6323f6bf03373 | ||
| DIST ca-certificates_20211016.tar.xz 239608 BLAKE2B 9b4730b54fd9f472fe4e5427bf912d9a61d10d2c289d1e443b54cca469fa87f9e02b8f67e7e087aceceffc7dd2b4043cdb5380e2652bc619d51f3a224c64f717 SHA512 bedf072c8aa1b05b249ea272f5cecfe16bdcd762c02c712323f12ac7a278e8814453f5f3caad86a2581e451788b292ed3a76a6a81620926459bb890133cffde1 | ||
| DIST nss-3.66.tar.gz 82401896 BLAKE2B ae369899af681e1c6ea8046098c83da08c2112b16d85a0eaee46e9d4f97dfb3f7c3e97eb681ec947b5648446c6db51e8f1396ec9bb6c731c9678ecf925e7f743 SHA512 327129cb065a8c19246e081e3cbc4798c81dc52eab6ee366eade151e9d308990592075c52a7c672165725fd855a0c539d56a803c26ef066561c584d693e0e467 | ||
| DIST nss-3.70.tar.gz 83917362 BLAKE2B 51de2e2cf5feb11045388b0badec24509d50f8bc8abd4116cbab77ff434f86a44ad4c98e533a1dd7093a9d1be9b7deb45f0426e3a173f9b2b92995cf63f2ea51 SHA512 9766282b36560d2f73ac5e90dbc3962802d6b1e8650ff9c0afbd6d2e1ff4cf8f2bc251f972344dc8a6ac5209b917aae03cc9883cb081011a7dea7bd258a95d82 | ||
| DIST nss-3.71.tar.gz 83927933 BLAKE2B a8d683b9f9bff5390e0378ab0d55156f7cc69a52b0667658738e67e920548965e7a276dc4104547b2e6a1a6d18325c3f85b955b9c12d7f071d10930b5264207e SHA512 a4a724dc4e8677965b6245ea2309790d31ec7719658e2b349eb67c9008082132c76277340d15e4fdd8d2fe1f560ae6803fb038d023c3dfd2e3772fa3b77720e2 | ||
| DIST nss-3.72.tar.gz 83928300 BLAKE2B d92889e27e99095a18090eff0c08b8653ef1f53f4954f5bd018df2f2903647bc71f217159bb4b11f0d6b4fb289fda20bffa2d1d207d1836dcfc33dbd4bedf511 SHA512 1d818d2ef85735837275059fecf68d57e48152f0348ea54887c29171cf029b6944e94d99a8cd96e580a81edb678b79c55515ac0516e27daf6b290c34baed9ebb | ||
| DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4 |
189 changes: 189 additions & 0 deletions
189
app-misc/ca-certificates/ca-certificates-20211016.3.72.ebuild
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,189 @@ | ||
| # Copyright 1999-2021 Gentoo Authors | ||
| # Distributed under the terms of the GNU General Public License v2 | ||
|
|
||
| # The Debian ca-certificates package merely takes the CA database as it exists | ||
| # in the nss package and repackages it for use by openssl. | ||
| # | ||
| # The issue with using the compiled debs directly is two fold: | ||
| # - they do not update frequently enough for us to rely on them | ||
| # - they pull the CA database from nss tip of tree rather than the release | ||
| # | ||
| # So we take the Debian source tools and combine them with the latest nss | ||
| # release to produce (largely) the same end result. The difference is that | ||
| # now we know our cert database is kept in sync with nss and, if need be, | ||
| # can be sync with nss tip of tree more frequently to respond to bugs. | ||
|
|
||
| # When triaging user reports, refer to our wiki for tips: | ||
| # https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues | ||
|
|
||
| EAPI=7 | ||
|
|
||
| PYTHON_COMPAT=( python3_{7..10} ) | ||
|
|
||
| inherit python-any-r1 | ||
|
|
||
| if [[ ${PV} == *.* ]] ; then | ||
| # Compile from source ourselves. | ||
| PRECOMPILED=false | ||
|
|
||
| DEB_VER=$(ver_cut 1) | ||
| NSS_VER=$(ver_cut 2-) | ||
| RTM_NAME="NSS_${NSS_VER//./_}_RTM" | ||
| else | ||
| # Debian precompiled version. | ||
| PRECOMPILED=true | ||
| inherit unpacker | ||
| fi | ||
|
|
||
| DESCRIPTION="Common CA Certificates PEM files" | ||
| HOMEPAGE="https://packages.debian.org/sid/ca-certificates" | ||
| NMU_PR="" | ||
| if ${PRECOMPILED} ; then | ||
| SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb" | ||
| else | ||
| SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz | ||
| https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz | ||
| cacert? ( | ||
| https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch | ||
| )" | ||
| fi | ||
|
|
||
| LICENSE="MPL-1.1" | ||
| SLOT="0" | ||
| KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" | ||
| IUSE="" | ||
| ${PRECOMPILED} || IUSE+=" cacert" | ||
|
|
||
| # c_rehash: we run `c_rehash` | ||
| # debianutils: we run `run-parts` | ||
| CDEPEND="app-misc/c_rehash | ||
| sys-apps/debianutils" | ||
|
|
||
| BDEPEND="${CDEPEND}" | ||
| if ! ${PRECOMPILED} ; then | ||
| BDEPEND+=" ${PYTHON_DEPS}" | ||
| fi | ||
|
|
||
| DEPEND="" | ||
| if ${PRECOMPILED} ; then | ||
| DEPEND+=" !<sys-apps/portage-2.1.10.41" | ||
| fi | ||
|
|
||
| RDEPEND="${CDEPEND} | ||
| ${DEPEND}" | ||
|
|
||
| S=${WORKDIR} | ||
|
|
||
| pkg_setup() { | ||
| # For the conversion to having it in CONFIG_PROTECT_MASK, | ||
| # we need to tell users about it once manually first. | ||
| [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \ | ||
| || ewarn "You should run update-ca-certificates manually after etc-update" | ||
| } | ||
|
|
||
| src_unpack() { | ||
| if ! ${PRECOMPILED} ; then | ||
| default | ||
| # Initial 20200601 deb release had bad naming inside the debian source tarball. | ||
| DEB_S="${WORKDIR}/${PN}-${DEB_VER}" | ||
| DEB_BAD_S="${WORKDIR}/work" | ||
| if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]] ; then | ||
| mv "${DEB_BAD_S}" "${DEB_S}" | ||
| fi | ||
| fi | ||
|
|
||
| # Do all the work in the image subdir to avoid conflicting with source | ||
| # dirs in ${WORKDIR}. Need to perform everything in the offset #381937 | ||
| mkdir -p "image/${EPREFIX}" || die | ||
| cd "image/${EPREFIX}" || die | ||
|
|
||
| ${PRECOMPILED} && unpacker_src_unpack | ||
| } | ||
|
|
||
| src_prepare() { | ||
| cd "image/${EPREFIX}" || die | ||
| if ! ${PRECOMPILED} ; then | ||
| mkdir -p usr/sbin || die | ||
| cp -p "${S}"/${PN}-${DEB_VER}/sbin/update-ca-certificates \ | ||
| usr/sbin/ || die | ||
|
|
||
| if use cacert ; then | ||
| pushd "${S}"/nss-${NSS_VER} >/dev/null || die | ||
| eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch | ||
| popd >/dev/null || die | ||
| fi | ||
| fi | ||
|
|
||
| default | ||
| eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch | ||
| local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g') | ||
| sed -i \ | ||
| -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \ | ||
| -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \ | ||
| -e 's/openssl rehash/c_rehash/' \ | ||
| usr/sbin/update-ca-certificates || die | ||
| } | ||
|
|
||
| src_compile() { | ||
| cd "image/${EPREFIX}" || die | ||
| if ! ${PRECOMPILED} ; then | ||
| python_setup | ||
| local d="${S}/${PN}-${DEB_VER}/mozilla" c="usr/share/${PN}" | ||
| # Grab the database from the nss sources. | ||
| cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die | ||
| emake -C "${d}" | ||
|
|
||
| # Now move the files to the same places that the precompiled would. | ||
| mkdir -p etc/ssl/certs \ | ||
| etc/ca-certificates/update.d \ | ||
| "${c}"/mozilla \ | ||
| || die | ||
| if use cacert ; then | ||
| mkdir -p "${c}"/cacert.org || die | ||
| mv "${d}"/CA_Cert_Signing_Authority.crt \ | ||
| "${c}"/cacert.org/cacert.org_class1.crt || die | ||
| mv "${d}"/CAcert_Class_3_Root.crt \ | ||
| "${c}"/cacert.org/cacert.org_class3.crt || die | ||
| fi | ||
| mv "${d}"/*.crt "${c}"/mozilla/ || die | ||
| else | ||
| mv usr/share/doc/{ca-certificates,${PF}} || die | ||
| fi | ||
|
|
||
| ( | ||
| echo "# Automatically generated by ${CATEGORY}/${PF}" | ||
| echo "# $(date -u)" | ||
| echo "# Do not edit." | ||
| cd "${c}" || die | ||
| find * -name '*.crt' | LC_ALL=C sort | ||
| ) > etc/ca-certificates.conf | ||
|
|
||
| sh usr/sbin/update-ca-certificates --root "${S}/image" || die | ||
| } | ||
|
|
||
| src_install() { | ||
| cp -pPR image/* "${D}"/ || die | ||
| if ! ${PRECOMPILED} ; then | ||
| cd ${PN}-${DEB_VER} || die | ||
| doman sbin/*.8 | ||
| dodoc debian/README.* examples/ca-certificates-local/README | ||
| fi | ||
|
|
||
| echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates | ||
| doenvd 98ca-certificates | ||
| } | ||
|
|
||
| pkg_postinst() { | ||
| if [[ -d "${EROOT}/usr/local/share/ca-certificates" ]] ; then | ||
| # if the user has local certs, we need to rebuild again | ||
| # to include their stuff in the db. | ||
| # However it's too overzealous when the user has custom certs in place. | ||
| # --fresh is to clean up dangling symlinks | ||
| "${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}" | ||
| fi | ||
|
|
||
| if [[ -n "$(find -L "${EROOT}"/etc/ssl/certs/ -type l)" ]] ; then | ||
| ewarn "Removing the following broken symlinks:" | ||
| ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)" | ||
| fi | ||
| } |