author | kim <kim@pkgsrc.org> | 2022-06-12 07:05:30 +0000 |
---|---|---|
committer | kim <kim@pkgsrc.org> | 2022-06-12 07:05:30 +0000 |
commit | 68c9175b02f028f1ff374cd4e43e175685d5b5d5 (patch) | |
tree | 3897d112b9a011802a1b3ad4d7803ca8a81ac1d3 /security/ca-certificates | |
parent | 4f3fbea8b22623b0d0544e618ca936e6437b05b3 (diff) | |
security/ca-certificates: Add configurability for certificate store
- The location of the system certificate store can now be set using
a new configuration file (ca-certificates-dir.conf).
- Installing the certificates to the system certificate store must
be enabled by the administrator.
Diffstat (limited to 'security/ca-certificates')
-rw-r--r-- | security/ca-certificates/DESCR | 30 | ||||
-rw-r--r-- | security/ca-certificates/Makefile | 22 | ||||
-rw-r--r-- | security/ca-certificates/PLIST | 3 | ||||
-rw-r--r-- | security/ca-certificates/distinfo | 4 | ||||
-rw-r--r-- | security/ca-certificates/files/README.pkgsrc | 19 | ||||
-rw-r--r-- | security/ca-certificates/files/ca-certificates-dir.conf | 8 | ||||
-rw-r--r-- | security/ca-certificates/patches/patch-sbin_update-ca-certificates | 59 |
7 files changed, 109 insertions, 36 deletions
diff --git a/security/ca-certificates/DESCR b/security/ca-certificates/DESCR
index 157ebde3796..98b80362d62 100644
--- a/security/ca-certificates/DESCR
+++ b/security/ca-certificates/DESCR
@@ -1,20 +1,20 @@
-This package provides the root certificates distributed by the Mozilla
-Project as curated by Debian in their package of the same name, along
-with tools to manage the set of configured trust anchors for openssl.
+This package contains the update-ca-certificates(8) tool maintained by
+the Debian Project (in the ca-certificates package they distribute) to
+manage the set of configured trust anchors for openssl.
 
-\todo Explain if Debian adds or removes, or if this is exactly the
-same set.
+The ca-certificates framework enables the sysadmin to configure the
+certificates to install, using multiple sources of CA certificates, for
+example to include local CAs. See update-ca-certificates(8) for details.
 
-NB: Installing this package will modify the configuration of the
-openssl implementation used by pkgsrc, which is either the base system
-openssl or pkgsrc openssl. The modification is configuring every
-certificate as a trust anchor. Modification of system configuration
-files is very irregular as pkgsrc should not write anything outside of
-${PREFIX}.
+This package also contains the certificate authorities shipped with
+Mozilla's browser to allow SSL-based applications to check for the
+authenticity of SSL connections.
 
-The sysadmin can exclude CA certificates from the list of trust
-anchors and also add local certificates as configured trust anchors by
-editing ca-certificates.conf and re-running update-ca-certificates.
+Please note that Debian, NetBSD, and pkgsrc can neither confirm nor deny
+whether the certificate authorities whose certificates are included in
+this package have in any way been audited for trustworthiness or RFC
+3647 compliance. Full responsibility to assess them belongs to the
+local system administrator.
 
 See also the mozilla-rootcerts and mozilla-rootcerts-openssl packages
-for an alternative approach.
+for alternative approaches to installing CA certificates.
diff --git a/security/ca-certificates/Makefile b/security/ca-certificates/Makefile
index fb8b0d3a792..109fae70c50 100644
--- a/security/ca-certificates/Makefile
+++ b/security/ca-certificates/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6 2022/04/21 11:00:00 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2022/06/12 07:05:30 kim Exp $
 
 PKGNAME= ca-certificates-20211016
-PKGREVISION= 1
+PKGREVISION= 3
 DISTNAME= ${PKGNAME_NOREV:C/-([^-]*)$/_\1/}
 CATEGORIES= security
 MASTER_SITES= http://deb.debian.org/debian/pool/main/c/ca-certificates/
@@ -25,10 +25,9 @@ DOCDIR= ${PREFIX}/share/doc/${PKGBASE}
 EGDIR= ${PREFIX}/share/examples/${PKGBASE}
 MANDIR= ${PREFIX}/${PKGMANDIR}/man8
 
-# Set paths depending on whether we depend on builtin or pkgsrc
-# openssl. \todo Arguably, we should consider installing into both
-# builtin and pkgsrc, if both exist, but this requires much more
-# thought.
+# Set default certificate store path depending on whether we depend on
+# builtin or pkgsrc openssl.
+
 CHECK_BUILTIN.openssl= yes
 .include "../../security/openssl/builtin.mk"
 CHECK_BUILTIN.openssl= no
@@ -47,20 +46,24 @@ SUBST_MESSAGE.paths= Replacing hard-coded paths.
 SUBST_STAGE.paths= post-build
 SUBST_FILES.paths= Makefile sbin/Makefile
 SUBST_FILES.paths+= ca-certificates.conf
+SUBST_FILES.paths+= ca-certificates-dir.conf
 SUBST_FILES.paths+= sbin/update-ca-certificates sbin/update-ca-certificates.8
 SUBST_FILES.paths+= README.pkgsrc
 SUBST_SED.paths= -e 's,/usr/sbin,${PREFIX}/sbin,g'
-SUBST_SED.paths+= -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'
+SUBST_SED.paths+= -e 's,/etc/ca-certificates,${PKG_SYSCONFDIR}/ca-certificates,g'
 SUBST_SED.paths+= -e 's,/etc/ssl,${SSLDIR},g'
 SUBST_SED.paths+= -e 's,/usr/share/ca-certificates,${DATADIR},g'
 
 INSTALLATION_DIRS= sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR}
 
 CONF_FILES= ${EGDIR}/ca-certificates.conf \
- ${PKG_SYSCONFDIR}/ca-certificates.conf
+ ${PKG_SYSCONFDIR}/ca-certificates.conf \
+ ${EGDIR}/ca-certificates-dir.conf \
+ ${PKG_SYSCONFDIR}/ca-certificates-dir.conf
 
 pre-build:
- @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/
+ @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/ca-certificates-dir.conf \
+ ${FILESDIR}/README.pkgsrc ${WRKSRC}/
  @${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
  >> ${WRKSRC}/ca-certificates.conf
 
@@ -78,6 +81,7 @@ post-install:
  ${DESTDIR}${DOCDIR}/
  ${INSTALL_DATA} \
  ${WRKSRC}/ca-certificates.conf \
+ ${WRKSRC}/ca-certificates-dir.conf \
  ${DESTDIR}${EGDIR}/
 
 .include "../../lang/python/tool.mk"
diff --git a/security/ca-certificates/PLIST b/security/ca-certificates/PLIST
index 7af927be6b5..29d5052197e 100644
--- a/security/ca-certificates/PLIST
+++ b/security/ca-certificates/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2022/02/28 05:48:44 kim Exp $
+@comment $NetBSD: PLIST,v 1.5 2022/06/12 07:05:30 kim Exp $
 man/man8/update-ca-certificates.8
 sbin/update-ca-certificates
 share/ca-certificates/mozilla/ACCVRAIZ1.crt
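Review bot: The widened `s,/etc/ca-certificates,${PKG_SYSCONFDIR}/ca-certificates,g` in SUBST_SED.paths is a prefix match, and because sbin/update-ca-certificates is in SUBST_FILES.paths it now also rewrites `HOOKSDIR=/etc/ca-certificates/update.d` (visible as context in the patch below) and the new `ETCCERTSDIRCONF=` line, not just ca-certificates.conf. Moving the hooks directory under PKG_SYSCONFDIR is presumably intended, but the commit does not say so, and since scripts dropped into HOOKSDIR are run by update-ca-certificates (outside this view) the location the package expects should be stated explicitly and owned by the package; the PLIST hunks shown here do not list it, though the rest of PLIST is not visible. I would add above the line: `# Deliberately a prefix match: also relocates ca-certificates-dir.conf and HOOKSDIR (/etc/ca-certificates/update.d) under ${PKG_SYSCONFDIR}.`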
@@ -132,3 +132,4 @@ share/doc/ca-certificates/README.pkgsrc
 share/doc/ca-certificates/README.source
 share/doc/ca-certificates/changelog
 share/examples/ca-certificates/ca-certificates.conf
+share/examples/ca-certificates/ca-certificates-dir.conf
diff --git a/security/ca-certificates/distinfo b/security/ca-certificates/distinfo
index bc187506e2c..e398661e93c 100644
--- a/security/ca-certificates/distinfo
+++ b/security/ca-certificates/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.6 2022/02/28 06:46:52 kim Exp $
+$NetBSD: distinfo,v 1.7 2022/06/12 07:05:30 kim Exp $
 
 BLAKE2s (ca-certificates_20211016.tar.xz) = ee1b82472068aef176dbc9dab2099848e299dbcc92ac309ba5a906a98414731d
 SHA512 (ca-certificates_20211016.tar.xz) = bedf072c8aa1b05b249ea272f5cecfe16bdcd762c02c712323f12ac7a278e8814453f5f3caad86a2581e451788b292ed3a76a6a81620926459bb890133cffde1
 Size (ca-certificates_20211016.tar.xz) = 239608 bytes
-SHA1 (patch-sbin_update-ca-certificates) = def57fb7ed7b271ac01b92f5a2124d1120f40cef
+SHA1 (patch-sbin_update-ca-certificates) = e57e4c0ec2be335f6d901c865a7b0a33405fd7f2
diff --git a/security/ca-certificates/files/README.pkgsrc b/security/ca-certificates/files/README.pkgsrc
index d0f3f5a42ba..662bc9554bc 100644
--- a/security/ca-certificates/files/README.pkgsrc
+++ b/security/ca-certificates/files/README.pkgsrc
@@ -1,12 +1,19 @@
-$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $
+$NetBSD: README.pkgsrc,v 1.2 2022/06/12 07:05:30 kim Exp $
 
 This package provides the certificates distributed by the Mozilla
-Project and will, by default, install certificates trusted by the
-Mozilla Project in the system certificate store (/etc/ssl),
-so that they can be used by third party applications using OpenSSL.
+Project and can be used to install the certificates trusted by the
+Mozilla Project in the system certificate store, so that they can be
+used by third party applications using OpenSSL.
 
-Edit /etc/ca-certificates.conf to further configure which
-certificates are installed.
+To enable management of the system certificate store and to set its
+location, edit the configuration in
+
+ /etc/ca-certificates-dir.conf
+
+To further select which certificates are installed, you can edit the
+configuration in
+
+ /etc/ca-certificates.conf
 
 To install local certificate authorities to be implicitly trusted,
 place the certificate files in /usr/local/share/ca-certificates/
diff --git a/security/ca-certificates/files/ca-certificates-dir.conf b/security/ca-certificates/files/ca-certificates-dir.conf
new file mode 100644
index 00000000000..15e8da8038e
--- /dev/null
+++ b/security/ca-certificates/files/ca-certificates-dir.conf
@@ -0,0 +1,8 @@
+# $NetBSD: ca-certificates-dir.conf,v 1.1 2022/06/12 07:05:30 kim Exp $
+#
+# The directory managed by update-ca-certificates(8)
+#
+#ETCCERTSDIR=/etc/ssl/certs
+#
+# Remove the # to uncomment the setting and to enable managing
+# installed certificates in the specified directory.
diff --git a/security/ca-certificates/patches/patch-sbin_update-ca-certificates b/security/ca-certificates/patches/patch-sbin_update-ca-certificates
index e0c846e726f..3fe80ce84fc 100644
--- a/security/ca-certificates/patches/patch-sbin_update-ca-certificates
+++ b/security/ca-certificates/patches/patch-sbin_update-ca-certificates
@@ -1,8 +1,61 @@
-$NetBSD: patch-sbin_update-ca-certificates,v 1.1 2022/02/28 06:46:52 kim Exp $
+$NetBSD: patch-sbin_update-ca-certificates,v 1.2 2022/06/12 07:05:30 kim Exp $
 
 --- sbin/update-ca-certificates.orig 2021-10-16 16:09:43.000000000 +0000
-+++ sbin/update-ca-certificates 2022-02-28 06:38:12.674110664 +0000
-@@ -81,8 +81,8 @@
++++ sbin/update-ca-certificates 2022-06-12 16:09:43.000000000 +0000
+@@ -28,9 +28,23 @@
+ CERTSDIR=/usr/share/ca-certificates
+ LOCALCERTSDIR=/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+-ETCCERTSDIR=/etc/ssl/certs
++ETCCERTSDIR=disabled
++ETCCERTSDIRCONF=/etc/ca-certificates-dir.conf
+ HOOKSDIR=/etc/ca-certificates/update.d
+ 
++if [ -s "$ETCCERTSDIRCONF" ]
++then
++ _ETCCERTSDIR="$(sed -n -e '
++ /^ETCCERTSDIR=/ {
++ s///;
++ s/#.*$//;
++ s/ *$//;
++ s/^ *//;
++ p;
++ }' "$ETCCERTSDIRCONF")"
++ ETCCERTSDIR="${_ETCCERTSDIR:-${ETCCERTSDIR}}"
++fi
++
+ while [ $# -gt 0 ];
+ do
+ case $1 in
+@@ -66,6 +80,27 @@
+ shift
+ done
+ 
++case "$ETCCERTSDIR" in
++disabled)
++ cat <<-EOF
++ Please enable update-ca-certificates by editing
++ $ETCCERTSDIRCONF
++ and then run it again.
++ EOF
++ exit 1
++ ;;
++/*)
++ ;;
++*)
++ cat <<-EOF
++ Please set ETCCERTSDIR to an absolute path in
++ $ETCCERTSDIRCONF
++ and then run it again.
++ EOF
++ exit 1
++ ;;
++esac
++
+ if [ ! -s "$CERTSCONF" ]
+ then
+ fresh=1
+@@ -81,8 +116,8 @@
  # Helper files. (Some of them are not simple arrays because we spawn
  # subshells later on.)
  TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
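Review bot: The sed that extracts ETCCERTSDIR from `$ETCCERTSDIRCONF` prints every matching line, so a file with two uncommented `ETCCERTSDIR=` settings produces a value with an embedded newline, which still passes the `/*)` check when the first one is absolute and then reaches `TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"` as a multi-line path. Making the last definition win, e.g. `}' "$ETCCERTSDIRCONF" | tail -n 1)"`, fixes this and documents the precedence. Reading the file with sed instead of sourcing it is the right design, since the config cannot inject shell, but a quoted value such as `ETCCERTSDIR="/etc/ssl/certs"` keeps its quotes, fails the absolute-path check and gets the misleading "set ETCCERTSDIR to an absolute path" message, so the example in files/ca-certificates-dir.conf should say the value must be unquoted. The `<<-EOF` heredocs only strip leading tabs, so the indentation of the message lines inside the patch must be tabs, which this listing does not let me confirm. The rest of update-ca-certificates lies outside this hunk.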