author | kim <kim@pkgsrc.org> | 2020-06-08 09:55:36 +0000 |
---|---|---|
committer | kim <kim@pkgsrc.org> | 2020-06-08 09:55:36 +0000 |
commit | 83a172e3b1dc0683644536db0ca710cd46a55266 (patch) | |
tree | 6040c00b1e535c46d48662200d0d12394a0e118e /security | |
parent | dc74373b8eb618e0032ea6e0cc4c2662eb5b21e7 (diff) | |
download | pkgsrc-83a172e3b1dc0683644536db0ca710cd46a55266.tar.gz |
Upgrade to 20200601
* Update Mozilla certificate authority bundle to version 2.40.
* Add distrusted Symantec CA list to blacklist for explicit removal.
* Blacklist expired root certificate, "AddTrust External Root".
The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"
The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"
Changes for pkgsrc packaging:
* Add README.pkgsrc, replacing MESSAGE.
* Improve DESCR to better describe the functionality of the package.
* Install changelog and README.source from the distribution package.
Diffstat (limited to 'security')
-rw-r--r-- | security/ca-certificates/DESCR | 9 | ||||
-rw-r--r-- | security/ca-certificates/MESSAGE | 24 | ||||
-rw-r--r-- | security/ca-certificates/Makefile | 31 | ||||
-rw-r--r-- | security/ca-certificates/PLIST | 33 | ||||
-rw-r--r-- | security/ca-certificates/distinfo | 10 | ||||
-rw-r--r-- | security/ca-certificates/files/README.pkgsrc | 36 |
6 files changed, 85 insertions, 58 deletions
diff --git a/security/ca-certificates/DESCR b/security/ca-certificates/DESCR index f36fec7645a..328683f5a9e 100644 --- a/security/ca-certificates/DESCR +++ b/security/ca-certificates/DESCR @@ -1,6 +1,7 @@ This package provides the certificates distributed by the Mozilla -Project. +Project and will, by default, install certificates trusted by the +Mozilla Project in the system certificate store. -It also provides a script, update-ca-certs, which can be used to manage -a location that makes certificates usable by TLS implementations, -including installing select certificates from this package. +The sysadmin can configure the list of trusted certificates and also +add local certificates as needed by editing ca-certificates.conf and +re-running update-ca-certificates. diff --git a/security/ca-certificates/MESSAGE b/security/ca-certificates/MESSAGE deleted file mode 100644 index 5914a1aaa80..00000000000 --- a/security/ca-certificates/MESSAGE +++ /dev/null 
@@ -1,24 +0,0 @@ -=========================================================================== -$NetBSD: MESSAGE,v 1.1 2020/05/31 15:53:44 kim Exp $ - -Execute this command to install and rehash select CA root certificates -distributed by the Mozilla Project, so that they can be used by third -party applications using OpenSSL. It also creates a single file -certificate bundle in PEM format which can be used by applications using -GnuTLS. - - # update-ca-certificates - -You can edit /etc/ca-certificates.conf to configure which certificates are -installed. Additionally any certificates in /usr/local/share/ca-certificates -will be installed. - -To mark these certificates as trusted for users of gnupg2, do -the following (assuming default PKG_SYSCONFBASE and a Bourne shell): - - # mkdir -p /usr/pkg/etc/gnupg - # cd /usr/pkg/etc/gnupg - # for c in /etc/openssl/certs/*.pem; do - > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|' - > done > trustlist.txt -=========================================================================== diff --git a/security/ca-certificates/Makefile b/security/ca-certificates/Makefile index 41674afab44..94e6728f31e 100644 --- a/security/ca-certificates/Makefile +++ b/security/ca-certificates/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.1 2020/05/31 15:53:44 kim Exp $ +# $NetBSD: Makefile,v 1.2 2020/06/08 09:55:36 kim Exp $ -PKGNAME= ca-certificates-20190110 +PKGNAME= ca-certificates-20200601 DISTNAME= ${PKGNAME:C/-([^-]*)$/_\1/} CATEGORIES= security MASTER_SITES= http://deb.debian.org/debian/pool/main/c/ca-certificates/ 
@@ -14,11 +14,13 @@ LICENSE= gnu-gpl-v2 AND mpl-2.0 NO_CONFIGURE= yes PYTHON_FOR_BUILD_ONLY= yes -USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run mkdir:run +USE_TOOLS= echo:run find:run ln:run openssl:run rm:run sed:run sort:run wc:run WRKSRC= ${WRKDIR}/${PKGNAME_NOREV} DATADIR= ${PREFIX}/share/${PKGBASE} +DOCDIR= ${PREFIX}/share/doc/${PKGBASE} EGDIR= ${PREFIX}/share/examples/${PKGBASE} +MANDIR= ${PREFIX}/share/man/man8 # Set paths depending on whether we depend on builtin or pkgsrc # openssl. \todo Arguably, we should consider installing into both 
@@ -43,26 +45,37 @@ SUBST_STAGE.paths= post-build SUBST_FILES.paths= Makefile sbin/Makefile SUBST_FILES.paths+= ca-certificates.conf SUBST_FILES.paths+= sbin/update-ca-certificates sbin/update-ca-certificates.8 +SUBST_FILES.paths+= README.pkgsrc SUBST_SED.paths= -e 's,/usr/sbin,${PREFIX}/sbin,g' SUBST_SED.paths+= -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g' SUBST_SED.paths+= -e 's,/etc/ssl,${SSLDIR},g' SUBST_SED.paths+= -e 's,/usr/share/ca-certificates,${DATADIR},g' -INSTALLATION_DIRS= sbin ${DATADIR} ${EGDIR} share/man/man8 +INSTALLATION_DIRS= sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR} CONF_FILES= ${EGDIR}/ca-certificates.conf \ ${PKG_SYSCONFDIR}/ca-certificates.conf pre-build: - @${CP} ${FILESDIR}/ca-certificates.conf ${WRKSRC}/ + @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/ @${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \ >> ${WRKSRC}/ca-certificates.conf +post-extract: + ${MV} ${WRKDIR}/work ${WRKSRC} + post-install: - ${INSTALL_MAN} ${WRKSRC}/sbin/update-ca-certificates.8 \ - ${DESTDIR}${PREFIX}/share/man/man8/update-ca-certificates.8 - ${INSTALL_DATA} ${WRKSRC}/ca-certificates.conf \ - ${DESTDIR}${EGDIR}/ca-certificates.conf + ${INSTALL_MAN} \ + ${WRKSRC}/sbin/update-ca-certificates.8 \ + ${DESTDIR}${MANDIR}/ + ${INSTALL_DATA} \ + ${WRKSRC}/README.pkgsrc \ + ${WRKSRC}/debian/README.source \ + ${WRKSRC}/debian/changelog \ + ${DESTDIR}${DOCDIR}/ + ${INSTALL_DATA} \ + ${WRKSRC}/ca-certificates.conf \ + ${DESTDIR}${EGDIR}/ .include "../../lang/python/tool.mk" .include "../../mk/bsd.pkg.mk" diff --git a/security/ca-certificates/PLIST b/security/ca-certificates/PLIST index bb69475a6f1..daea1c0abd8 100644 --- a/security/ca-certificates/PLIST +++ b/security/ca-certificates/PLIST 
@@ -1,9 +1,8 @@ -@comment $NetBSD: PLIST,v 1.1 2020/05/31 15:53:44 kim Exp $ +@comment $NetBSD: PLIST,v 1.2 2020/06/08 09:55:36 kim Exp $ sbin/update-ca-certificates share/ca-certificates/mozilla/ACCVRAIZ1.crt share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt -share/ca-certificates/mozilla/AddTrust_External_Root.crt share/ca-certificates/mozilla/AffirmTrust_Commercial.crt share/ca-certificates/mozilla/AffirmTrust_Networking.crt share/ca-certificates/mozilla/AffirmTrust_Premium.crt @@ -23,8 +22,7 @@ share/ca-certificates/mozilla/COMODO_Certification_Authority.crt share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt share/ca-certificates/mozilla/Certigna.crt -share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt -share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt +share/ca-certificates/mozilla/Certigna_Root_CA.crt share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt @@ -33,7 +31,6 @@ share/ca-certificates/mozilla/Cybertrust_Global_Root.crt share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt share/ca-certificates/mozilla/DST_Root_CA_X3.crt -share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt 
@@ -49,12 +46,12 @@ share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt +share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt -share/ca-certificates/mozilla/GeoTrust_Global_CA.crt -share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt -share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt -share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt -share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt +share/ca-certificates/mozilla/GTS_Root_R1.crt +share/ca-certificates/mozilla/GTS_Root_R2.crt +share/ca-certificates/mozilla/GTS_Root_R3.crt +share/ca-certificates/mozilla/GTS_Root_R4.crt share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt @@ -69,6 +66,7 @@ share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_Ro share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt +share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt share/ca-certificates/mozilla/ISRG_Root_X1.crt share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt 
@@ -116,17 +114,20 @@ share/ca-certificates/mozilla/TrustCor_ECA-1.crt share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt +share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt +share/ca-certificates/mozilla/UCA_Global_G2_Root.crt share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt -share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt -share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt -share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt -share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt -share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt +share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt +share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt +share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt +share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt +share/doc/ca-certificates/README.pkgsrc +share/doc/ca-certificates/README.source +share/doc/ca-certificates/changelog share/examples/ca-certificates/ca-certificates.conf share/man/man8/update-ca-certificates.8 diff --git a/security/ca-certificates/distinfo b/security/ca-certificates/distinfo index 3fb888886a3..c40f266f4a5 100644 --- a/security/ca-certificates/distinfo +++ b/security/ca-certificates/distinfo 
@@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.1 2020/05/31 15:53:44 kim Exp $ +$NetBSD: distinfo,v 1.2 2020/06/08 09:55:36 kim Exp $ -SHA1 (ca-certificates_20190110.tar.xz) = 47d4584eae85fc905e4994766eb3930a8a84e2e1 -RMD160 (ca-certificates_20190110.tar.xz) = cbf8f474fba527dc96413632ac5874385bd38e17 -SHA512 (ca-certificates_20190110.tar.xz) = 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372 -Size (ca-certificates_20190110.tar.xz) = 243472 bytes +SHA1 (ca-certificates_20200601.tar.xz) = f17235bc9c3aec538065a655681815c242a6d7d5 +RMD160 (ca-certificates_20200601.tar.xz) = a9f1f232f46ecb06c53d5d814c29d3b9aca88323 +SHA512 (ca-certificates_20200601.tar.xz) = 7bfd3122430be0a46bd10dcb0e0664561d1e0b2656b9f37677d89f71a1dcb0e668c25ffe08412888125fa9a53ee8245a4b3fc1004c419a159766665b1241113c +Size (ca-certificates_20200601.tar.xz) = 245668 bytes diff --git a/security/ca-certificates/files/README.pkgsrc b/security/ca-certificates/files/README.pkgsrc new file mode 100644 index 00000000000..d0f3f5a42ba --- /dev/null +++ b/security/ca-certificates/files/README.pkgsrc 
@@ -0,0 +1,36 @@ +$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $ + +This package provides the certificates distributed by the Mozilla +Project and will, by default, install certificates trusted by the +Mozilla Project in the system certificate store (/etc/ssl), +so that they can be used by third party applications using OpenSSL. + +Edit /etc/ca-certificates.conf to further configure which +certificates are installed. + +To install local certificate authorities to be implicitly trusted, +place the certificate files in /usr/local/share/ca-certificates/ +as single files ending with ".crt". + +After changing the configuration and adding local certificates run this +command to install and rehash the certificates: + + # /usr/sbin/update-ca-certificates + +After removing local certificates run this command to remove dangling +symlinks from /etc/ssl/certs: + + # /usr/sbin/update-ca-certificates --fresh + +The update-ca-certificates tool also creates a single file certificate +bundle in PEM format in /etc/ssl/certs/ca-certificates.crt +which can be used by applications using GnuTLS. + +To mark the installed certificates as trusted for users of gnupg2 do +the following (assuming default PKG_SYSCONFBASE and a Bourne shell): + + # mkdir -p /usr/pkg/etc/gnupg + # cd /usr/pkg/etc/gnupg + # for c in /etc/ssl/certs/*.pem; do + > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|' + > done > trustlist.txt |
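Review bot: In security/ca-certificates/DESCR, the new text says the package will, by default, install the Mozilla-trusted certificates in the system certificate store, but the Makefile hunks shown here add no install-time call to update-ca-certificates, and README.pkgsrc still tells the admin to run it after changing the configuration. The deleted MESSAGE told the admin to execute update-ca-certificates explicitly. If the store is now populated automatically, say in DESCR or README.pkgsrc what triggers that; otherwise keep the explicit instruction so a fresh install is not left with an unpopulated trust store.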
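Review bot: In the first Makefile hunk, the unchanged MASTER_SITES line still fetches the distfile over plain http (http://deb.debian.org/debian/pool/main/c/ca-certificates/), so the only integrity check on a tarball of trust anchors is the set of distinfo digests replaced in this same commit. Consider switching the URL to https while bumping PKGNAME to ca-certificates-20200601, and record in the commit message how the new SHA512 value was checked against the Debian source package.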
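Review bot: In the Makefile hunk at @@ -43,26 +45,37 @@, README.pkgsrc is added to SUBST_FILES.paths, but none of the four SUBST_SED.paths rules matches /usr/local/share/ca-certificates, so the installed README will direct admins to place implicitly trusted local CAs in /usr/local/share/ca-certificates/ regardless of PREFIX. Either add a substitution for that path or state in the README that it is intentionally fixed, since anything dropped in that directory becomes a trust anchor. The new post-extract target (`${MV} ${WRKDIR}/work ${WRKSRC}`) also needs a short comment explaining why the extracted directory is named work.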
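Review bot: In the gnupg2 example at the end of the new README.pkgsrc, the loop ends with `> done > trustlist.txt`, which overwrites any existing trustlist.txt in /usr/pkg/etc/gnupg and appends the S flag to the fingerprint of every file matched by /etc/ssl/certs/*.pem, local additions included. Suggest writing to a temporary file and telling the admin to review and merge it, and quoting the variable (`-in "$c"`) so that certificate file names containing spaces do not break the openssl call.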