Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/
Date: Fri, 16 Apr 2021 11:35:05
Message-Id: 1618572843.c4b73928b2c215abba3051ea2461b9dde65006c8.whissi@gentoo
1 commit: c4b73928b2c215abba3051ea2461b9dde65006c8
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Fri Apr 16 11:31:23 2021 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Fri Apr 16 11:34:03 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4b73928
7
8 app-misc/ca-certificates: update Chambersign Root trust bit
9
10 Bug: https://bugzilla.mozilla.org/1703090
11 Package-Manager: Portage-3.0.18, Repoman-3.0.3
12 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
13
14 app-misc/ca-certificates/Manifest | 1 +
15 .../ca-certificates-20210119.3.64.ebuild | 189 +++++++++++++++++++++
16 2 files changed, 190 insertions(+)
17
18 diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest
19 index 80d95f577f4..c81c39163c3 100644
20 --- a/app-misc/ca-certificates/Manifest
21 +++ b/app-misc/ca-certificates/Manifest
22 @@ -3,5 +3,6 @@ DIST ca-certificates_20210119.tar.xz 232964 BLAKE2B 593352912d2b490e3f46ea032ac1
23 DIST nss-3.53.tar.gz 81178428 BLAKE2B 5e67b02bf0ba9390311d77ee4d7b86fd7339bd4f7d830b32563799e4eef126143f0b76b2933ad14c5c5d3da6cb3fa0e670aca7ce9654316123abadce25a728ec SHA512 280edf24356b764584200bff949af4a7f88514ee8ac80bf5348a9a844a8b1eb263e9aa1d772644bd8bb1bd195c12b6cc173280cfc88cd97e56562e1c40e71503
24 DIST nss-3.60.tar.gz 82035831 BLAKE2B fffc0e26d58d4625be1b8b0123f248a0c7994b18868ece534ba4d60131dd4897d075d7b2dba672c31ccd333e0c18ea384e2aa2f495c23b5430d6d10b91922873 SHA512 6463b2da28b5d9f1f20d45f77a3179e2b93c874af5742c7fc51eb7c44cef93270acacf79174dc63905f227256cbcee23a36f98f1cfed10dd5c56ffc0a76e2695
25 DIST nss-3.62.tar.gz 82159506 BLAKE2B 9abd7504766fb57214a16608a7299f8cf6d25c9a4e285665eabd812bce536ba244b698de31fd53796148f3856e4bee6c8a03ce5b6c5234a9337d7af8f300f007 SHA512 7044008ea8e5d6f658da96e202a896e24a1ffa29d7ca862f32ed37cfa09adf8c2d5fbc371e3af6bc5151b2d1216c38207976b41888d5ad8efd4dc3049cb5831d
26 +DIST nss-3.64.tar.gz 82173054 BLAKE2B 4786a1ff6f4e47dbb6bfef6a2bc47ffeac51aa37f12168872d23799b8d6ca440578acf512e9ec7563ef64331d3fd84c387f17e41afa2ee30d8623c6f66207631 SHA512 0a85e1f64f97670f70596d8a479693939ca454025a4b3bbd557a54ed683ffed625c670fef6a6e3440365af9aa472384f84464942381b1c093659f6a6a222ba04
27 DIST nss-cacert-class1-class3-r1.patch 22503 BLAKE2B d2ba6b5c3675484dab5b6709478101a9dadc0baded3dbf891dcd04e5eb912079b87cdd17f893a0f539a2a53fb05357c6dd309fb624facac3b021c82c7424a91f SHA512 68906d2442986ad13ebf9cd97c26fac34af3efd5cfaacb3d7824adad966349ad796c9cec8dec44c46d5c571df88ce83aea02ce82e71da337aa4e1aeef58eda66
28 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
29
30 diff --git a/app-misc/ca-certificates/ca-certificates-20210119.3.64.ebuild b/app-misc/ca-certificates/ca-certificates-20210119.3.64.ebuild
31 new file mode 100644
32 index 00000000000..267df1da9cc
33 --- /dev/null
34 +++ b/app-misc/ca-certificates/ca-certificates-20210119.3.64.ebuild
35 @@ -0,0 +1,189 @@
36 +# Copyright 1999-2021 Gentoo Authors
37 +# Distributed under the terms of the GNU General Public License v2
38 +
39 +# The Debian ca-certificates package merely takes the CA database as it exists
40 +# in the nss package and repackages it for use by openssl.
41 +#
42 +# The issue with using the compiled debs directly is two fold:
43 +# - they do not update frequently enough for us to rely on them
44 +# - they pull the CA database from nss tip of tree rather than the release
45 +#
46 +# So we take the Debian source tools and combine them with the latest nss
47 +# release to produce (largely) the same end result. The difference is that
48 +# now we know our cert database is kept in sync with nss and, if need be,
49 +# can be sync with nss tip of tree more frequently to respond to bugs.
50 +
51 +# When triaging user reports, refer to our wiki for tips:
52 +# https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
53 +
54 +EAPI=7
55 +
56 +PYTHON_COMPAT=( python3_{7..9} )
57 +
58 +inherit python-any-r1
59 +
60 +if [[ ${PV} == *.* ]] ; then
61 + # Compile from source ourselves.
62 + PRECOMPILED=false
63 +
64 + DEB_VER=$(ver_cut 1)
65 + NSS_VER=$(ver_cut 2-)
66 + RTM_NAME="NSS_${NSS_VER//./_}_RTM"
67 +else
68 + # Debian precompiled version.
69 + PRECOMPILED=true
70 + inherit unpacker
71 +fi
72 +
73 +DESCRIPTION="Common CA Certificates PEM files"
74 +HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
75 +NMU_PR=""
76 +if ${PRECOMPILED} ; then
77 + SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
78 +else
79 + SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
80 + https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
81 + cacert? (
82 + https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r1.patch
83 + )"
84 +fi
85 +
86 +LICENSE="MPL-1.1"
87 +SLOT="0"
88 +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
89 +IUSE=""
90 +${PRECOMPILED} || IUSE+=" cacert"
91 +
92 +# c_rehash: we run `c_rehash`
93 +# debianutils: we run `run-parts`
94 +CDEPEND="app-misc/c_rehash
95 + sys-apps/debianutils"
96 +
97 +BDEPEND="${CDEPEND}"
98 +if ! ${PRECOMPILED} ; then
99 + BDEPEND+=" ${PYTHON_DEPS}"
100 +fi
101 +
102 +DEPEND=""
103 +if ${PRECOMPILED} ; then
104 + DEPEND+=" !<sys-apps/portage-2.1.10.41"
105 +fi
106 +
107 +RDEPEND="${CDEPEND}
108 + ${DEPEND}"
109 +
110 +S=${WORKDIR}
111 +
112 +pkg_setup() {
113 + # For the conversion to having it in CONFIG_PROTECT_MASK,
114 + # we need to tell users about it once manually first.
115 + [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
116 + || ewarn "You should run update-ca-certificates manually after etc-update"
117 +}
118 +
119 +src_unpack() {
120 + if ! ${PRECOMPILED} ; then
121 + default
122 + # Initial 20200601 deb release had bad naming inside the debian source tarball.
123 + DEB_S="${WORKDIR}/${PN}-${DEB_VER}"
124 + DEB_BAD_S="${WORKDIR}/work"
125 + if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]] ; then
126 + mv "${DEB_BAD_S}" "${DEB_S}"
127 + fi
128 + fi
129 +
130 + # Do all the work in the image subdir to avoid conflicting with source
131 + # dirs in ${WORKDIR}. Need to perform everything in the offset #381937
132 + mkdir -p "image/${EPREFIX}" || die
133 + cd "image/${EPREFIX}" || die
134 +
135 + ${PRECOMPILED} && unpacker_src_unpack
136 +}
137 +
138 +src_prepare() {
139 + cd "image/${EPREFIX}" || die
140 + if ! ${PRECOMPILED} ; then
141 + mkdir -p usr/sbin || die
142 + cp -p "${S}"/${PN}-${DEB_VER}/sbin/update-ca-certificates \
143 + usr/sbin/ || die
144 +
145 + if use cacert ; then
146 + pushd "${S}"/nss-${NSS_VER} >/dev/null || die
147 + eapply "${DISTDIR}"/nss-cacert-class1-class3-r1.patch
148 + popd >/dev/null || die
149 + fi
150 + fi
151 +
152 + default
153 + eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
154 + local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
155 + sed -i \
156 + -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
157 + -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
158 + -e 's/openssl rehash/c_rehash/' \
159 + usr/sbin/update-ca-certificates || die
160 +}
161 +
162 +src_compile() {
163 + cd "image/${EPREFIX}" || die
164 + if ! ${PRECOMPILED} ; then
165 + python_setup
166 + local d="${S}/${PN}-${DEB_VER}/mozilla" c="usr/share/${PN}"
167 + # Grab the database from the nss sources.
168 + cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
169 + emake -C "${d}"
170 +
171 + # Now move the files to the same places that the precompiled would.
172 + mkdir -p etc/ssl/certs \
173 + etc/ca-certificates/update.d \
174 + "${c}"/mozilla \
175 + || die
176 + if use cacert ; then
177 + mkdir -p "${c}"/cacert.org || die
178 + mv "${d}"/CA_Cert_Signing_Authority.crt \
179 + "${c}"/cacert.org/cacert.org_class1.crt || die
180 + mv "${d}"/CAcert_Class_3_Root.crt \
181 + "${c}"/cacert.org/cacert.org_class3.crt || die
182 + fi
183 + mv "${d}"/*.crt "${c}"/mozilla/ || die
184 + else
185 + mv usr/share/doc/{ca-certificates,${PF}} || die
186 + fi
187 +
188 + (
189 + echo "# Automatically generated by ${CATEGORY}/${PF}"
190 + echo "# $(date -u)"
191 + echo "# Do not edit."
192 + cd "${c}" || die
193 + find * -name '*.crt' | LC_ALL=C sort
194 + ) > etc/ca-certificates.conf
195 +
196 + sh usr/sbin/update-ca-certificates --root "${S}/image" || die
197 +}
198 +
199 +src_install() {
200 + cp -pPR image/* "${D}"/ || die
201 + if ! ${PRECOMPILED} ; then
202 + cd ${PN}-${DEB_VER} || die
203 + doman sbin/*.8
204 + dodoc debian/README.* examples/ca-certificates-local/README
205 + fi
206 +
207 + echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
208 + doenvd 98ca-certificates
209 +}
210 +
211 +pkg_postinst() {
212 + if [[ -d "${EROOT}/usr/local/share/ca-certificates" ]] ; then
213 + # if the user has local certs, we need to rebuild again
214 + # to include their stuff in the db.
215 + # However it's too overzealous when the user has custom certs in place.
216 + # --fresh is to clean up dangling symlinks
217 + "${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
218 + fi
219 +
220 + if [[ -n "$(find -L "${EROOT}"/etc/ssl/certs/ -type l)" ]] ; then
221 + ewarn "Removing the following broken symlinks:"
222 + ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
223 + fi
224 +}
Report Message
Find on MARC Find on Google Groups