app-misc/ca-certificates: Bump to version 20210119.3.62
Bug: https://bugs.gentoo.org/771861 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Lars Wendler <[email protected]>
Lars Wendler
committed
Feb 21, 2021
1 parent
6038572
commit b3f5acd
Showing
2 changed files
with
191 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,8 @@ | ||
DIST ca-certificates_20200601.tar.xz 245668 BLAKE2B 1249782dba046f52832d365e4770e02ed24c0b50bff4ceec5e5af932c807eb8120f8e3bc7858503e74789ecb2da577509819f3ffdf9bd1ec5cc22d61f2194ad5 SHA512 7bfd3122430be0a46bd10dcb0e0664561d1e0b2656b9f37677d89f71a1dcb0e668c25ffe08412888125fa9a53ee8245a4b3fc1004c419a159766665b1241113c | ||
DIST ca-certificates_20210119.tar.xz 232964 BLAKE2B 593352912d2b490e3f46ea032ac1ddf1c87a7ac93859d475461cbba490918cdec853b0bb30bb253a634d8d597ca6f0304bc81122b4b31b5b31fd6a80e1faaf33 SHA512 a824209fa0ff0865872a07d8e6b901d8407f599243810fd5c820e1f69226e05b0b4f1e25e5ff3d8d398ff952529084442f026e32220961f359f6323f6bf03373 | ||
DIST nss-3.53.tar.gz 81178428 BLAKE2B 5e67b02bf0ba9390311d77ee4d7b86fd7339bd4f7d830b32563799e4eef126143f0b76b2933ad14c5c5d3da6cb3fa0e670aca7ce9654316123abadce25a728ec SHA512 280edf24356b764584200bff949af4a7f88514ee8ac80bf5348a9a844a8b1eb263e9aa1d772644bd8bb1bd195c12b6cc173280cfc88cd97e56562e1c40e71503 | ||
DIST nss-3.59.tar.gz 82141516 BLAKE2B 74959b14ec42b4628dfc3365af00420cdbd41d202541e9379f6a4448c4496b76307af48c9ec405b370f8770327ce56742b4382f8cd49724b42732ce5cc5b0779 SHA512 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38 | ||
DIST nss-3.60.tar.gz 82035831 BLAKE2B fffc0e26d58d4625be1b8b0123f248a0c7994b18868ece534ba4d60131dd4897d075d7b2dba672c31ccd333e0c18ea384e2aa2f495c23b5430d6d10b91922873 SHA512 6463b2da28b5d9f1f20d45f77a3179e2b93c874af5742c7fc51eb7c44cef93270acacf79174dc63905f227256cbcee23a36f98f1cfed10dd5c56ffc0a76e2695 | ||
DIST nss-3.62.tar.gz 82159506 BLAKE2B 9abd7504766fb57214a16608a7299f8cf6d25c9a4e285665eabd812bce536ba244b698de31fd53796148f3856e4bee6c8a03ce5b6c5234a9337d7af8f300f007 SHA512 7044008ea8e5d6f658da96e202a896e24a1ffa29d7ca862f32ed37cfa09adf8c2d5fbc371e3af6bc5151b2d1216c38207976b41888d5ad8efd4dc3049cb5831d | ||
DIST nss-cacert-class1-class3-r1.patch 22503 BLAKE2B d2ba6b5c3675484dab5b6709478101a9dadc0baded3dbf891dcd04e5eb912079b87cdd17f893a0f539a2a53fb05357c6dd309fb624facac3b021c82c7424a91f SHA512 68906d2442986ad13ebf9cd97c26fac34af3efd5cfaacb3d7824adad966349ad796c9cec8dec44c46d5c571df88ce83aea02ce82e71da337aa4e1aeef58eda66 | ||
DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0 |
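--- a/app-misc/ca-certificates/ca-certificates-20210119.3.62.ebuild
+++ b/app-misc/ca-certificates/ca-certificates-20210119.3.62.ebuild
@@ -0,0 +1,189 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# The Debian ca-certificates package merely takes the CA database as it exists
+# in the nss package and repackages it for use by openssl.
+#
+# The issue with using the compiled debs directly is two fold:
+# - they do not update frequently enough for us to rely on them
+# - they pull the CA database from nss tip of tree rather than the release
+#
+# So we take the Debian source tools and combine them with the latest nss
+# release to produce (largely) the same end result. The difference is that
+# now we know our cert database is kept in sync with nss and, if need be,
+# can be sync with nss tip of tree more frequently to respond to bugs.
+
+# When triaging user reports, refer to our wiki for tips:
+# https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit python-any-r1
+
+if [[ ${PV} == *.* ]] ; then
+# Compile from source ourselves.
+PRECOMPILED=false
+
+DEB_VER=$(ver_cut 1)
+NSS_VER=$(ver_cut 2-)
+RTM_NAME="NSS_${NSS_VER//./_}_RTM"
+else
+# Debian precompiled version.
+PRECOMPILED=true
+inherit unpacker
+fi
+
+DESCRIPTION="Common CA Certificates PEM files"
+HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
+NMU_PR=""
+if ${PRECOMPILED} ; then
+SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
+else
+SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
+https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
+cacert? (
+https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r1.patch
+)"
+fi
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+IUSE=""
+${PRECOMPILED} || IUSE+=" cacert"
+
+# c_rehash: we run `c_rehash`
+# debianutils: we run `run-parts`
+CDEPEND="app-misc/c_rehash
+sys-apps/debianutils"
+
+BDEPEND="${CDEPEND}"
+if ! ${PRECOMPILED} ; then
+BDEPEND+=" ${PYTHON_DEPS}"
+fi
+
+DEPEND=""
+if ${PRECOMPILED} ; then
+DEPEND+=" !<sys-apps/portage-2.1.10.41"
+fi
+
+RDEPEND="${CDEPEND}
+${DEPEND}"
+
+S=${WORKDIR}
+
+pkg_setup() {
+# For the conversion to having it in CONFIG_PROTECT_MASK,
+# we need to tell users about it once manually first.
+[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
+|| ewarn "You should run update-ca-certificates manually after etc-update"
+}
+
+src_unpack() {
+if ! ${PRECOMPILED} ; then
+default
+# Initial 20200601 deb release had bad naming inside the debian source tarball.
+DEB_S="${WORKDIR}/${PN}-${DEB_VER}"
+DEB_BAD_S="${WORKDIR}/work"
+if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]] ; then
+mv "${DEB_BAD_S}" "${DEB_S}"
+fi
+fi
+
+# Do all the work in the image subdir to avoid conflicting with source
+# dirs in ${WORKDIR}. Need to perform everything in the offset #381937
+mkdir -p "image/${EPREFIX}" || die
+cd "image/${EPREFIX}" || die
+
+${PRECOMPILED} && unpacker_src_unpack
+}
+
+src_prepare() {
+cd "image/${EPREFIX}" || die
+if ! ${PRECOMPILED} ; then
+mkdir -p usr/sbin || die
+cp -p "${S}"/${PN}-${DEB_VER}/sbin/update-ca-certificates \
+usr/sbin/ || die
+
+if use cacert ; then
+pushd "${S}"/nss-${NSS_VER} >/dev/null || die
+eapply "${DISTDIR}"/nss-cacert-class1-class3-r1.patch
+popd >/dev/null || die
+fi
+fi
+
+default
+eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
+local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
+sed -i \
+-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
+-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
+-e 's/openssl rehash/c_rehash/' \
+usr/sbin/update-ca-certificates || die
+}
+
+src_compile() {
+cd "image/${EPREFIX}" || die
+if ! ${PRECOMPILED} ; then
+python_setup
+local d="${S}/${PN}-${DEB_VER}/mozilla" c="usr/share/${PN}"
+# Grab the database from the nss sources.
+cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
+emake -C "${d}"
+
+# Now move the files to the same places that the precompiled would.
+mkdir -p etc/ssl/certs \
+etc/ca-certificates/update.d \
+"${c}"/mozilla \
+|| die
+if use cacert ; then
+mkdir -p "${c}"/cacert.org || die
+mv "${d}"/CA_Cert_Signing_Authority.crt \
+"${c}"/cacert.org/cacert.org_class1.crt || die
+mv "${d}"/CAcert_Class_3_Root.crt \
+"${c}"/cacert.org/cacert.org_class3.crt || die
+fi
+mv "${d}"/*.crt "${c}"/mozilla/ || die
+else
+mv usr/share/doc/{ca-certificates,${PF}} || die
+fi
+
+(
+echo "# Automatically generated by ${CATEGORY}/${PF}"
+echo "# $(date -u)"
+echo "# Do not edit."
+cd "${c}" || die
+find * -name '*.crt' | LC_ALL=C sort
+) > etc/ca-certificates.conf
+
+sh usr/sbin/update-ca-certificates --root "${S}/image" || die
+}
+
+src_install() {
+cp -pPR image/* "${D}"/ || die
+if ! ${PRECOMPILED} ; then
+cd ${PN}-${DEB_VER} || die
+doman sbin/*.8
+dodoc debian/README.* examples/ca-certificates-local/README
+fi
+
+echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
+doenvd 98ca-certificates
+}
+
+pkg_postinst() {
+if [[ -d "${EROOT}/usr/local/share/ca-certificates" ]] ; then
+# if the user has local certs, we need to rebuild again
+# to include their stuff in the db.
+# However it's too overzealous when the user has custom certs in place.
+# --fresh is to clean up dangling symlinks
+"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
+fi
+
+if [[ -n "$(find -L "${EROOT}"/etc/ssl/certs/ -type l)" ]] ; then
+ewarn "Removing the following broken symlinks:"
+ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
+fi
+}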
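Review bot: In `pkg_postinst` the exit status of `"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"` is discarded, so if the rebuild that folds in local certificates fails, the trust store is left in whatever state the script reached and the user is told nothing. Since `die` is usually avoided in `pkg_postinst`, an `ewarn` fallback would be enough: append `|| ewarn "update-ca-certificates failed; ${EROOT}/etc/ssl/certs may be incomplete"` to that call. The comment above it still describes `--fresh`, which is not passed; the dangling links are removed by the `find -L ... -delete` further down, and the comment should say so. Separately, in `src_compile` the variable `c` is assigned only inside the `if ! ${PRECOMPILED}` branch while `cd "${c}"` runs on both paths, so the precompiled path appears to build `etc/ca-certificates.conf` from the wrong directory; moving `local c="usr/share/${PN}"` ahead of the `if` would cover both.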