ca-certificates-vl.spec 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214
  1. # certdata.txt is generated by extracting it from Mozilla CVS.
  2. # This is done by running:
  3. #
  4. # cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
  5. # co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
  6. # > certdata.txt
  7. #
  8. # Keep the RCS version in sync with the spec Version.
  9. %define pkidir %{_sysconfdir}/pki
  10. Summary: The Mozilla CA root certificate bundle
  11. Summary(ja): Mozilla の CA ルート証明書バンドル
  12. Name: ca-certificates
  13. Version: 2012.85
  14. Release: 1%{?_dist_release}
  15. License: Public Domain
  16. Group: System Environment/Base
  17. URL: http://www.mozilla.org/
  18. Source0: certdata.txt
  19. Source1: blacklist.txt
  20. Source2: generate-cacerts.pl
  21. Source3: certdata2pem.py
  22. BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
  23. BuildRequires: perl, java-openjdk, python, rcs
  24. BuildArch: noarch
  25. %description
  26. This package contains the set of CA certificates chosen by the
  27. Mozilla Foundation for use with the Internet PKI.
  28. %prep
  29. rm -rf %{name}
  30. mkdir %{name} %{name}/certs %{name}/java
  31. %build
  32. pushd %{name}/certs
  33. cp %{SOURCE0} %{SOURCE1} .
  34. python %{SOURCE3}
  35. popd
  36. pushd %{name}
  37. (
  38. cat <<EOF
  39. # This is a bundle of X.509 certificates of public Certificate
  40. # Authorities. It was generated from the Mozilla root CA list.
  41. #
  42. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  43. #
  44. # Generated from:
  45. EOF
  46. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  47. echo '#';
  48. ) > ca-bundle.crt
  49. (
  50. cat <<EOF
  51. # This is a bundle of X.509 certificates of public Certificate
  52. # Authorities. It was generated from the Mozilla root CA list.
  53. # These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
  54. # format and have trust bits set accordingly.
  55. #
  56. # Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  57. #
  58. # Generated from:
  59. EOF
  60. ident -q %{SOURCE0} | sed '1d;s/^/#/';
  61. echo '#';
  62. ) > ca-bundle.trust.crt
  63. for f in certs/*.crt; do
  64. tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
  65. case $tbits in
  66. *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
  67. esac
  68. if [ -n "$tbits" ]; then
  69. targs=""
  70. for t in $tbits; do
  71. targs="${targs} -addtrust $t"
  72. done
  73. openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
  74. fi
  75. done
  76. popd
  77. pushd %{name}/java
  78. test -s ../ca-bundle.crt || exit 1
  79. %{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
  80. touch -r %{SOURCE0} cacerts
  81. popd
  82. %install
  83. rm -rf $RPM_BUILD_ROOT
  84. mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
  85. install -p -m 644 %{name}/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  86. install -p -m 644 %{name}/ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  87. ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
  88. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
  89. touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
  90. # Install Java cacerts file.
  91. mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
  92. install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
  93. # /etc/ssl/certs symlink for 3rd-party tools
  94. mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
  95. ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
  96. %clean
  97. rm -rf $RPM_BUILD_ROOT
  98. %files
  99. %defattr(-,root,root,-)
  100. %dir %{pkidir}/java
  101. %config(noreplace) %{pkidir}/java/cacerts
  102. %dir %{pkidir}/tls
  103. %dir %{pkidir}/tls/certs
  104. %config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
  105. %{pkidir}/tls/cert.pem
  106. %dir %{_sysconfdir}/ssl
  107. %{_sysconfdir}/ssl/certs
  108. %changelog
  109. * Wed Jul 25 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.85-1
  110. - update to r1.85
  111. * Mon Mar 26 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 2012.81-1
  112. - initial build for Vine Linux
  113. * Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2012.81-1
  114. - update to r1.81
  115. * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.80-2
  116. - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
  117. * Wed Nov 9 2011 Joe Orton <jorton@redhat.com> - 2011.80-1
  118. - update to r1.80
  119. - fix handling of certs with dublicate Subject names (#733032)
  120. * Thu Sep 1 2011 Joe Orton <jorton@redhat.com> - 2011.78-1
  121. - update to r1.78, removing trust from DigiNotar root (#734679)
  122. * Wed Aug 3 2011 Joe Orton <jorton@redhat.com> - 2011.75-1
  123. - update to r1.75
  124. * Wed Apr 20 2011 Joe Orton <jorton@redhat.com> - 2011.74-1
  125. - update to r1.74
  126. * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2011.70-2
  127. - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
  128. * Wed Jan 12 2011 Joe Orton <jorton@redhat.com> - 2011.70-1
  129. - update to r1.70
  130. * Tue Nov 9 2010 Joe Orton <jorton@redhat.com> - 2010.65-3
  131. - update to r1.65
  132. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
  133. - package /etc/ssl/certs symlink for third-party apps (#572725)
  134. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
  135. - rebuild
  136. * Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
  137. - update to certdata.txt r1.63
  138. - use upstream RCS version in Version
  139. * Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
  140. - fix ca-bundle.crt (#575111)
  141. * Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
  142. - update to certdata.txt r1.58
  143. - add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
  144. - exclude ECC certs from the Java cacerts database
  145. - catch keytool failures
  146. - fail parsing certdata.txt on finding untrusted but not blacklisted cert
  147. * Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
  148. - fix Java cacert database generation: use Subject rather than Issuer
  149. for alias name; add diagnostics; fix some alias names.
  150. * Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
  151. - adopt Python certdata.txt parsing script from Debian
  152. * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
  153. - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
  154. * Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
  155. - update to certdata.txt r1.53
  156. * Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
  157. - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
  158. * Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
  159. - update to certdata.txt r1.49
  160. * Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
  161. - Change generate-cacerts.pl to produce pretty aliases.
  162. * Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
  163. - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
  164. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
  165. - use package name for temp dir, recreate it in prep
  166. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
  167. - fix source script perms
  168. - mark packaged files as config(noreplace)
  169. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
  170. - add (but don't use) mkcabundle.pl
  171. - tweak description
  172. - use /usr/bin/keytool directly; BR java-openjdk
  173. * Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
  174. - Initial build (#448497)