
From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/
Date: Tue, 02 Jun 2020 17:13:58
Message-Id: 1591117998.617b767f5022f81117e028e258d8b0e008594a31.robbat2@gentoo
1 commit: 617b767f5022f81117e028e258d8b0e008594a31
2 Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jun 2 16:48:35 2020 +0000
4 Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
5 CommitDate: Tue Jun 2 17:13:18 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=617b767f
7
8 app-misc/ca-certificates: bump
9
10 Bump to unreleased latest Debian sources which haven't been formally
11 announced but are available via the Debian git systems.
12
13 Removes expired AddTrust External CA root causing problems with GnuTLS &
14 OpenSSL 1.0.
15
16 Closes: https://bugs.gentoo.org/726412
17 Bug: https://bugs.gentoo.org/show_bug.cgi?id=726650
18 Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
19
20 app-misc/ca-certificates/Manifest | 1 +
21 .../ca-certificates-20200601.3.53.ebuild | 192 +++++++++++++++++++++
22 2 files changed, 193 insertions(+)
23
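diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest
index b42b17c308c..e62e401ce09 100644
--- a/app-misc/ca-certificates/Manifest
+++ b/app-misc/ca-certificates/Manifest
@@ -1,4 +1,5 @@
 DIST ca-certificates_20190110.tar.xz 243472 BLAKE2B b63e541fcf611712634f8c7fd2da5f189b999c39118047a7e2fd43ddd5e0fbefeaa08788363482a02be55a347447d4cc95f1505bf869accf9cd847578ad2e879 SHA512 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372
+DIST ca-certificates_20200601.tar.xz 245668 BLAKE2B 1249782dba046f52832d365e4770e02ed24c0b50bff4ceec5e5af932c807eb8120f8e3bc7858503e74789ecb2da577509819f3ffdf9bd1ec5cc22d61f2194ad5 SHA512 7bfd3122430be0a46bd10dcb0e0664561d1e0b2656b9f37677d89f71a1dcb0e668c25ffe08412888125fa9a53ee8245a4b3fc1004c419a159766665b1241113c
 DIST nss-3.43.tar.gz 23466026 BLAKE2B 1b43036daeedea1643a7fe1a8defa167097997efec529417c4857eaa29d453b6a588f462078f13662193d58dfd8f9566c22d729729591934ef154b9befb8f98d SHA512 e9dfba5bd6f68c5ab58fc7a6fa1b16a035be1b1b7c436cf787bdc99257c5f54c78d73d94d015bffd29420df19b2a2818166c68fe592dd7208ab5605344827fb5
 DIST nss-3.53.tar.gz 81178428 BLAKE2B 5e67b02bf0ba9390311d77ee4d7b86fd7339bd4f7d830b32563799e4eef126143f0b76b2933ad14c5c5d3da6cb3fa0e670aca7ce9654316123abadce25a728ec SHA512 280edf24356b764584200bff949af4a7f88514ee8ac80bf5348a9a844a8b1eb263e9aa1d772644bd8bb1bd195c12b6cc173280cfc88cd97e56562e1c40e71503
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0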
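diff --git a/app-misc/ca-certificates/ca-certificates-20200601.3.53.ebuild b/app-misc/ca-certificates/ca-certificates-20200601.3.53.ebuild
new file mode 100644
index 00000000000..34b904b2117
--- /dev/null
+++ b/app-misc/ca-certificates/ca-certificates-20200601.3.53.ebuild
@@ -0,0 +1,192 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# The Debian ca-certificates package merely takes the CA database as it exists
+# in the nss package and repackages it for use by openssl.
+#
+# The issue with using the compiled debs directly is two fold:
+# - they do not update frequently enough for us to rely on them
+# - they pull the CA database from nss tip of tree rather than the release
+#
+# So we take the Debian source tools and combine them with the latest nss
+# release to produce (largely) the same end result. The difference is that
+# now we know our cert database is kept in sync with nss and, if need be,
+# can be sync with nss tip of tree more frequently to respond to bugs.
+
+# When triaging bugs from users, here's some handy tips:
+# - To see what cert is hitting errors, use openssl:
+# openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
+# Focus on the errors written to stderr.
+#
+# - Look at the upstream log as to why certs were added/removed:
+# https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
+#
+# - If people want to add/remove certs, tell them to file w/mozilla:
+# https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
+
+EAPI=6
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit eutils python-any-r1
+
+if [[ ${PV} == *.* ]] ; then
+ # Compile from source ourselves.
+ PRECOMPILED=false
+ inherit eapi7-ver
+
+ DEB_VER=$(ver_cut 1)
+ NSS_VER=$(ver_cut 2-)
+ RTM_NAME="NSS_${NSS_VER//./_}_RTM"
+else
+ # Debian precompiled version.
+ PRECOMPILED=true
+ inherit unpacker
+fi
+
+DESCRIPTION="Common CA Certificates PEM files"
+HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
+NMU_PR=""
+if ${PRECOMPILED} ; then
+ SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
+else
+ SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
+ https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
+ cacert? (
+ https://dev.gentoo.org/~axs/distfiles/nss-cacert-class1-class3.patch
+ )"
+fi
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+IUSE=""
+${PRECOMPILED} || IUSE+=" cacert"
+
+DEPEND=""
+if ${PRECOMPILED} ; then
+ DEPEND+=" !<sys-apps/portage-2.1.10.41"
+fi
+# c_rehash: we run `c_rehash`
+# debianutils: we run `run-parts`
+RDEPEND="${DEPEND}
+ app-misc/c_rehash
+ sys-apps/debianutils"
+
+if ! ${PRECOMPILED}; then
+ DEPEND+=" ${PYTHON_DEPS}"
+fi
+
+S=${WORKDIR}
+
+pkg_setup() {
+ # For the conversion to having it in CONFIG_PROTECT_MASK,
+ # we need to tell users about it once manually first.
+ [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
+ || ewarn "You should run update-ca-certificates manually after etc-update"
+}
+
+src_unpack() {
+ if ! ${PRECOMPILED}; then
+ default
+ # Initial 20200601 deb release had bad naming inside the debian source tarball.
+ DEB_S="${WORKDIR}/${PN}-${DEB_VER}"
+ DEB_BAD_S="${WORKDIR}/work"
+ if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]]; then
+ mv "${DEB_BAD_S}" "${DEB_S}"
+ fi
+ fi
+
+ # Do all the work in the image subdir to avoid conflicting with source
+ # dirs in ${WORKDIR}. Need to perform everything in the offset #381937
+ mkdir -p "image/${EPREFIX}" || die
+ cd "image/${EPREFIX}" || die
+
+ ${PRECOMPILED} && unpacker_src_unpack
+}
+
+src_prepare() {
+ cd "image/${EPREFIX}" || die
+ if ! ${PRECOMPILED} ; then
+ mkdir -p usr/sbin || die
+ cp -p "${S}"/${PN}-${DEB_VER}/sbin/update-ca-certificates \
+ usr/sbin/ || die
+
+ if use cacert ; then
+ pushd "${S}"/nss-${NSS_VER} >/dev/null || die
+ eapply -p0 "${DISTDIR}"/nss-cacert-class1-class3.patch
+ popd >/dev/null || die
+ fi
+ fi
+
+ default
+ eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
+ local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
+ sed -i \
+ -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
+ -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
+ -e 's/openssl rehash/c_rehash/' \
+ usr/sbin/update-ca-certificates || die
+}
+
+src_compile() {
+ cd "image/${EPREFIX}" || die
+ if ! ${PRECOMPILED} ; then
+ python_setup
+ local d="${S}/${PN}-${DEB_VER}/mozilla" c="usr/share/${PN}"
+ # Grab the database from the nss sources.
+ cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
+ emake -C "${d}"
+
+ # Now move the files to the same places that the precompiled would.
+ mkdir -p etc/ssl/certs \
+ etc/ca-certificates/update.d \
+ "${c}"/mozilla \
+ || die
+ if use cacert ; then
+ mkdir -p "${c}"/cacert.org || die
+ mv "${d}"/CAcert_Inc..crt \
+ "${c}"/cacert.org/cacert.org_root.crt || die
+ fi
+ mv "${d}"/*.crt "${c}"/mozilla/ || die
+ else
+ mv usr/share/doc/{ca-certificates,${PF}} || die
+ fi
+
+ (
+ echo "# Automatically generated by ${CATEGORY}/${PF}"
+ echo "# $(date -u)"
+ echo "# Do not edit."
+ cd "${c}" || die
+ find * -name '*.crt' | LC_ALL=C sort
+ ) > etc/ca-certificates.conf
+
+ sh usr/sbin/update-ca-certificates --root "${S}/image" || die
+}
+
+src_install() {
+ cp -pPR image/* "${D}"/ || die
+ if ! ${PRECOMPILED} ; then
+ cd ${PN}-${DEB_VER} || die
+ doman sbin/*.8
+ dodoc debian/README.* examples/ca-certificates-local/README
+ fi
+
+ echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
+ doenvd 98ca-certificates
+}
+
+pkg_postinst() {
+ if [[ -d "${EROOT%/}/usr/local/share/ca-certificates" ]] ; then
+ # if the user has local certs, we need to rebuild again
+ # to include their stuff in the db.
+ # However it's too overzealous when the user has custom certs in place.
+ # --fresh is to clean up dangling symlinks
+ "${EROOT%/}"/usr/sbin/update-ca-certificates --root "${ROOT}"
+ fi
+
+ if [[ -n "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l)" ]] ; then
+ ewarn "Removing the following broken symlinks:"
+ ewarn "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
+ fi
+}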
226 + fi
227 +
228 + if [[ -n "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l)" ]] ; then
229 + ewarn "Removing the following broken symlinks:"
230 + ewarn "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
231 + fi
232 +}