From 43aa25b523b2c11ce483ea22435196dfca259b30 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Tue, 19 Oct 2021 17:33:29 +0200 Subject: ca-certificates: update 20210119 -> 20211016 Signed-off-by: Alexander Kanavin Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit c479b8a810d966d7267af1b4dac38a46f55fc547) Signed-off-by: Steve Sakoman --- ...lla-certdata2pem.py-print-a-warning-for-e.patch | 80 +++++++++++++++++++ .../ca-certificates/ca-certificates/sbindir.patch | 26 ------- .../update-ca-certificates-support-Toybox.patch | 33 -------- .../ca-certificates/ca-certificates_20210119.bb | 90 ---------------------- .../ca-certificates/ca-certificates_20211016.bb | 89 +++++++++++++++++++++ 5 files changed, 169 insertions(+), 149 deletions(-) create mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates_20210119.bb create mode 100644 meta/recipes-support/ca-certificates/ca-certificates_20211016.bb (limited to 'meta') diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch new file mode 100644 index 0000000000..5c4a32f526 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -0,0 +1,80 @@ +From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Mon, 18 Oct 2021 12:05:49 +0200 +Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired + certificates." + +This avoids a dependency on python3-cryptography, and only checks +for expired certs (which is upstream concern, but not ours). + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin +--- + debian/changelog | 1 - + debian/control | 2 +- + mozilla/certdata2pem.py | 11 ----------- + 3 files changed, 1 insertion(+), 13 deletions(-) + +diff --git a/debian/changelog b/debian/changelog +index 531e4d0..4006509 100644 +--- a/debian/changelog ++++ b/debian/changelog +@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low + - "Trustis FPS Root CA" + - "Staat der Nederlanden Root CA - G3" + * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) +- * mozilla/certdata2pem.py: print a warning for expired certificates. + + -- Julien Cristau Thu, 07 Oct 2021 17:12:47 +0200 + +diff --git a/debian/control b/debian/control +index 4434b7a..5c6ba24 100644 +--- a/debian/control ++++ b/debian/control +@@ -3,7 +3,7 @@ Section: misc + Priority: optional + Maintainer: Julien Cristau + Build-Depends: debhelper-compat (= 13), po-debconf +-Build-Depends-Indep: python3, openssl, python3-cryptography ++Build-Depends-Indep: python3, openssl + Standards-Version: 4.5.0.2 + Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git + Vcs-Browser: https://salsa.debian.org/debian/ca-certificates +diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py +index ede23d4..7d796f1 100644 +--- a/mozilla/certdata2pem.py ++++ b/mozilla/certdata2pem.py +@@ -21,16 +21,12 @@ + # USA. + + import base64 +-import datetime + import os.path + import re + import sys + import textwrap + import io + +-from cryptography import x509 +- +- + objects = [] + + # Dirty file parser. +@@ -121,13 +117,6 @@ for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue +- +- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) +- if cert.not_valid_after < datetime.datetime.now(): +- print('!'*74) +- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) +- print('!'*74) +- + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ +-- +2.20.1 + diff --git a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch deleted file mode 100644 index f343ebf16e..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch +++ /dev/null @@ -1,26 +0,0 @@ -sbin/Makefile: Allow the sbin path to be configurable - -Some project sharing ca-certificates from Debian allow configuration -of the installation location. Make the sbin location configurable. - -Also ensure the target directory exists - -Signed-off-by: Richard Purdie -Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5] - ---- ca-certificates-20130119.orig/sbin/Makefile -+++ ca-certificates-20130119/sbin/Makefile -@@ -3,9 +3,12 @@ - # - # - -+SBINDIR = /usr/sbin -+ - all: - - clean: - - install: -- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/ -+ install -d $(DESTDIR)$(SBINDIR) -+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/ diff --git a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch deleted file mode 100644 index f78790923c..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch +++ /dev/null @@ -1,33 +0,0 @@ -update-ca-certificates: Replace deprecated mktemp -t with mktemp --tmpdir - -According to coreutils docs, mktemp -t is deprecated, switch to the ---tmpdir option instead. - -Signed-off-by: Richard Purdie -Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5] - -[This was originally for compatibility with toybox but toybox now -supports -t] ---- - sbin/update-ca-certificates | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 79c41bb..ae9e3f1 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -113,9 +113,9 @@ trap cleanup 0 - - # Helper files. (Some of them are not simple arrays because we spawn - # subshells later on.) --TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")" --ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" --REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" -+TEMPBUNDLE="$(mktemp --tmpdir "${CERTBUNDLE}.tmp.XXXXXX")" -+ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")" -+REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")" - - # Adds a certificate to the list of trusted ones. This includes a symlink - # in /etc/ssl/certs to the certificate file and its inclusion into the --- -2.1.4 diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb deleted file mode 100644 index 7dcc86fdc1..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb +++ /dev/null @@ -1,90 +0,0 @@ -SUMMARY = "Common CA certificates" -DESCRIPTION = "This package includes PEM files of CA certificates to allow \ -SSL-based applications to check for the authenticity of SSL connections. \ -This derived from Debian's CA Certificates." -HOMEPAGE = "http://packages.debian.org/sid/ca-certificates" -SECTION = "misc" -LICENSE = "GPL-2.0+ & MPL-2.0" -LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e" - -# This is needed to ensure we can run the postinst at image creation time -DEPENDS = "" -DEPENDS_class-native = "openssl-native" -DEPENDS_class-nativesdk = "openssl-native" -# Need rehash from openssl and run-parts from debianutils -PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" - -SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144" - -SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ - file://0002-update-ca-certificates-use-SYSROOT.patch \ - file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ - file://update-ca-certificates-support-Toybox.patch \ - file://default-sysroot.patch \ - file://sbindir.patch \ - file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ - " -UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+)" - -S = "${WORKDIR}/git" - -inherit allarch - -EXTRA_OEMAKE = "\ - 'CERTSDIR=${datadir}/ca-certificates' \ - 'SBINDIR=${sbindir}' \ -" - -do_compile_prepend() { - oe_runmake clean -} - -do_install () { - install -d ${D}${datadir}/ca-certificates \ - ${D}${sysconfdir}/ssl/certs \ - ${D}${sysconfdir}/ca-certificates/update.d - oe_runmake 'DESTDIR=${D}' install - - install -d ${D}${mandir}/man8 - install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/ - - install -d ${D}${sysconfdir} - { - echo "# Lines starting with # will be ignored" - echo "# Lines starting with ! will remove certificate on next update" - echo "#" - find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \ - sed 's,^${D}${datadir}/ca-certificates/,,' | sort - } >${D}${sysconfdir}/ca-certificates.conf -} - -do_install_append_class-target () { - sed -i -e 's,/etc/,${sysconfdir}/,' \ - -e 's,/usr/share/,${datadir}/,' \ - -e 's,/usr/local,${prefix}/local,' \ - ${D}${sbindir}/update-ca-certificates \ - ${D}${mandir}/man8/update-ca-certificates.8 -} - -pkg_postinst_${PN}_class-target () { - SYSROOT="$D" $D${sbindir}/update-ca-certificates -} - -CONFFILES_${PN} += "${sysconfdir}/ca-certificates.conf" - -# Rather than make a postinst script that works for both target and nativesdk, -# we just run update-ca-certificate from do_install() for nativesdk. -CONFFILES_${PN}_append_class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt" -do_install_append_class-nativesdk () { - SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates -} - -do_install_append_class-native () { - SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates -} - -RDEPENDS_${PN}_append_class-target = " openssl-bin openssl" -RDEPENDS_${PN}_append_class-native = " openssl-native" -RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb new file mode 100644 index 0000000000..214bad4ae3 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb @@ -0,0 +1,89 @@ +SUMMARY = "Common CA certificates" +DESCRIPTION = "This package includes PEM files of CA certificates to allow \ +SSL-based applications to check for the authenticity of SSL connections. \ +This derived from Debian's CA Certificates." +HOMEPAGE = "http://packages.debian.org/sid/ca-certificates" +SECTION = "misc" +LICENSE = "GPL-2.0+ & MPL-2.0" +LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e" + +# This is needed to ensure we can run the postinst at image creation time +DEPENDS = "" +DEPENDS_class-native = "openssl-native" +DEPENDS_class-nativesdk = "openssl-native" +# Need rehash from openssl and run-parts from debianutils +PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" + +SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8" + +SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ + file://0002-update-ca-certificates-use-SYSROOT.patch \ + file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ + file://default-sysroot.patch \ + file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ + file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ + " +UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+)" + +S = "${WORKDIR}/git" + +inherit allarch + +EXTRA_OEMAKE = "\ + 'CERTSDIR=${datadir}/ca-certificates' \ + 'SBINDIR=${sbindir}' \ +" + +do_compile_prepend() { + oe_runmake clean +} + +do_install () { + install -d ${D}${datadir}/ca-certificates \ + ${D}${sysconfdir}/ssl/certs \ + ${D}${sysconfdir}/ca-certificates/update.d + oe_runmake 'DESTDIR=${D}' install + + install -d ${D}${mandir}/man8 + install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/ + + install -d ${D}${sysconfdir} + { + echo "# Lines starting with # will be ignored" + echo "# Lines starting with ! will remove certificate on next update" + echo "#" + find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \ + sed 's,^${D}${datadir}/ca-certificates/,,' | sort + } >${D}${sysconfdir}/ca-certificates.conf +} + +do_install_append_class-target () { + sed -i -e 's,/etc/,${sysconfdir}/,' \ + -e 's,/usr/share/,${datadir}/,' \ + -e 's,/usr/local,${prefix}/local,' \ + ${D}${sbindir}/update-ca-certificates \ + ${D}${mandir}/man8/update-ca-certificates.8 +} + +pkg_postinst_${PN}_class-target () { + SYSROOT="$D" $D${sbindir}/update-ca-certificates +} + +CONFFILES_${PN} += "${sysconfdir}/ca-certificates.conf" + +# Rather than make a postinst script that works for both target and nativesdk, +# we just run update-ca-certificate from do_install() for nativesdk. +CONFFILES_${PN}_append_class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt" +do_install_append_class-nativesdk () { + SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates +} + +do_install_append_class-native () { + SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates +} + +RDEPENDS_${PN}_append_class-target = " openssl-bin openssl" +RDEPENDS_${PN}_append_class-native = " openssl-native" +RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" + +BBCLASSEXTEND = "native nativesdk" -- cgit 1.2.3-korg