ca-certificates: upgrade to 20211016
Import latest version from openembedded-core.git, which has the expired "DST Root CA X3" removed. Fixes: OS#5259 Related:5b83fd9847
Related:9c351e7a0b
Related: https://github.com/openembedded/openembedded-core/tree/hardknott/meta/recipes-support/ca-certificates/ca-certificates
parent
dbe8d4b62e
commit
cbc0de86f4
|
@ -0,0 +1,80 @@
|
||||||
|
From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Kanavin <alex@linutronix.de>
|
||||||
|
Date: Mon, 18 Oct 2021 12:05:49 +0200
|
||||||
|
Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
|
||||||
|
certificates."
|
||||||
|
|
||||||
|
This avoids a dependency on python3-cryptography, and only checks
|
||||||
|
for expired certs (which is upstream concern, but not ours).
|
||||||
|
|
||||||
|
Upstream-Status: Inappropriate [oe-core specific]
|
||||||
|
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
|
||||||
|
---
|
||||||
|
debian/changelog | 1 -
|
||||||
|
debian/control | 2 +-
|
||||||
|
mozilla/certdata2pem.py | 11 -----------
|
||||||
|
3 files changed, 1 insertion(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/debian/changelog b/debian/changelog
|
||||||
|
index 531e4d0..4006509 100644
|
||||||
|
--- a/debian/changelog
|
||||||
|
+++ b/debian/changelog
|
||||||
|
@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
|
||||||
|
- "Trustis FPS Root CA"
|
||||||
|
- "Staat der Nederlanden Root CA - G3"
|
||||||
|
* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|
||||||
|
- * mozilla/certdata2pem.py: print a warning for expired certificates.
|
||||||
|
|
||||||
|
-- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
|
||||||
|
|
||||||
|
diff --git a/debian/control b/debian/control
|
||||||
|
index 4434b7a..5c6ba24 100644
|
||||||
|
--- a/debian/control
|
||||||
|
+++ b/debian/control
|
||||||
|
@@ -3,7 +3,7 @@ Section: misc
|
||||||
|
Priority: optional
|
||||||
|
Maintainer: Julien Cristau <jcristau@debian.org>
|
||||||
|
Build-Depends: debhelper-compat (= 13), po-debconf
|
||||||
|
-Build-Depends-Indep: python3, openssl, python3-cryptography
|
||||||
|
+Build-Depends-Indep: python3, openssl
|
||||||
|
Standards-Version: 4.5.0.2
|
||||||
|
Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
|
||||||
|
Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
|
||||||
|
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
|
||||||
|
index ede23d4..7d796f1 100644
|
||||||
|
--- a/mozilla/certdata2pem.py
|
||||||
|
+++ b/mozilla/certdata2pem.py
|
||||||
|
@@ -21,16 +21,12 @@
|
||||||
|
# USA.
|
||||||
|
|
||||||
|
import base64
|
||||||
|
-import datetime
|
||||||
|
import os.path
|
||||||
|
import re
|
||||||
|
import sys
|
||||||
|
import textwrap
|
||||||
|
import io
|
||||||
|
|
||||||
|
-from cryptography import x509
|
||||||
|
-
|
||||||
|
-
|
||||||
|
objects = []
|
||||||
|
|
||||||
|
# Dirty file parser.
|
||||||
|
@@ -121,13 +117,6 @@ for obj in objects:
|
||||||
|
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
|
||||||
|
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
|
||||||
|
continue
|
||||||
|
-
|
||||||
|
- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|
||||||
|
- if cert.not_valid_after < datetime.datetime.now():
|
||||||
|
- print('!'*74)
|
||||||
|
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
|
||||||
|
- print('!'*74)
|
||||||
|
-
|
||||||
|
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
|
||||||
|
.replace(' ', '_')\
|
||||||
|
.replace('(', '=')\
|
||||||
|
--
|
||||||
|
2.20.1
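Review bot: With the `cert.not_valid_after < datetime.datetime.now()` check reverted in `mozilla/certdata2pem.py`, nothing visible in this build flags a root that is still marked trusted but has already expired, which is the condition ("DST Root CA X3") this upgrade is fixing. Dropping python3-cryptography is a reasonable trade, but the header's "upstream concern, but not ours" leaves that gap undocumented for whoever next bumps the source revision. Since the recipe already lists openssl-native as a build dependency, consider a follow-up step that runs `openssl x509 -checkend 0 -noout -in <cert>` over the generated `.crt` files and warns on failure. At minimum, state in the patch header that certificate expiry is no longer checked at build time.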
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
ca-certificates is a package from Debian, but some host distros such as Fedora
|
||||||
|
have a leaner run-parts provided by cron which doesn't support --verbose or the
|
||||||
|
-- separator between arguments and paths.
|
||||||
|
|
||||||
|
This solves errors such as
|
||||||
|
|
||||||
|
| Running hooks in [...]/rootfs/etc/ca-certificates/update.d...
|
||||||
|
| [...]/usr/sbin/update-ca-certificates: line 194: Not: command not found
|
||||||
|
| [...]/usr/sbin/update-ca-certificates: line 230: Not a directory: --: command not found
|
||||||
|
| E: Not a directory: -- exited with code 127.
|
||||||
|
|
||||||
|
|
||||||
|
Upstream-Status: Inappropriate
|
||||||
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
||||||
|
Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
|
||||||
|
---
|
||||||
|
sbin/update-ca-certificates | 4 +---
|
||||||
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||||
|
|
||||||
|
Index: git/sbin/update-ca-certificates
|
||||||
|
===================================================================
|
||||||
|
--- git.orig/sbin/update-ca-certificates
|
||||||
|
+++ git/sbin/update-ca-certificates
|
||||||
|
@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ]
|
||||||
|
then
|
||||||
|
|
||||||
|
echo "Running hooks in $HOOKSDIR..."
|
||||||
|
- VERBOSE_ARG=
|
||||||
|
- [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
|
||||||
|
- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
|
||||||
|
+ eval run-parts --test "$HOOKSDIR" | while read hook
|
||||||
|
do
|
||||||
|
( cat "$ADDED"
|
||||||
|
cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
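Review bot: The `eval` kept on the new `eval run-parts --test "$HOOKSDIR" | while read hook` line no longer has a purpose and makes the shell parse the expanded `$HOOKSDIR` a second time. It was presumably there so that an empty `$VERBOSE_ARG` would vanish; with that variable removed, a hooks path containing spaces or shell metacharacters (the use-SYSROOT patch builds it from `$SYSROOT`) is word-split or interpreted before run-parts sees it. I would write `run-parts --test "$HOOKSDIR" | while read -r hook` instead. The enclosing `if [ -d "$HOOKSDIR" ]` block continues past the end of the hunk.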
|
|
@ -1,45 +0,0 @@
|
||||||
From 111e905fe931da1a3800accfc675cc01c8ee080c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ulf Samuelsson <ulf@emagii.com>
|
|
||||||
Date: Tue, 28 Feb 2012 06:42:58 +0100
|
|
||||||
Subject: [PATCH] update-ca-certificates: remove c rehash
|
|
||||||
|
|
||||||
Updated earlier patch to apply clean on 2012-02-12
|
|
||||||
Signed-off-by: Ulf Samuelsson <ulf@emagii.com>
|
|
||||||
---
|
|
||||||
sbin/update-ca-certificates | 20 ++++++++++----------
|
|
||||||
1 files changed, 10 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
|
|
||||||
index 5375950..c567e3d 100755
|
|
||||||
--- a/sbin/update-ca-certificates
|
|
||||||
+++ b/sbin/update-ca-certificates
|
|
||||||
@@ -132,16 +132,16 @@ rm -f "$CERTBUNDLE"
|
|
||||||
ADDED_CNT=$(wc -l < "$ADDED")
|
|
||||||
REMOVED_CNT=$(wc -l < "$REMOVED")
|
|
||||||
|
|
||||||
-if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
|
|
||||||
-then
|
|
||||||
- # only run if set of files has changed
|
|
||||||
- if [ "$verbose" = 0 ]
|
|
||||||
- then
|
|
||||||
- c_rehash . > /dev/null
|
|
||||||
- else
|
|
||||||
- c_rehash .
|
|
||||||
- fi
|
|
||||||
-fi
|
|
||||||
+#if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
|
|
||||||
+#then
|
|
||||||
+# # only run if set of files has changed
|
|
||||||
+# if [ "$verbose" = 0 ]
|
|
||||||
+# then
|
|
||||||
+# c_rehash . > /dev/null
|
|
||||||
+# else
|
|
||||||
+# c_rehash .
|
|
||||||
+# fi
|
|
||||||
+#fi
|
|
||||||
|
|
||||||
chmod 0644 "$TEMPBUNDLE"
|
|
||||||
mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
|
|
||||||
--
|
|
||||||
1.7.4.1
|
|
||||||
|
|
|
@ -0,0 +1,46 @@
|
||||||
|
Upstream-Status: Pending
|
||||||
|
|
||||||
|
From 724cb153ca0f607fb38b3a8db3ebb2742601cd81 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Oberritter <obi@opendreambox.org>
|
||||||
|
Date: Tue, 19 Mar 2013 17:14:33 +0100
|
||||||
|
Subject: [PATCH 2/2] update-ca-certificates: use $SYSROOT
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
||||||
|
---
|
||||||
|
sbin/update-ca-certificates | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
Index: git/sbin/update-ca-certificates
|
||||||
|
===================================================================
|
||||||
|
--- git.orig/sbin/update-ca-certificates
|
||||||
|
+++ git/sbin/update-ca-certificates
|
||||||
|
@@ -24,12 +24,12 @@
|
||||||
|
verbose=0
|
||||||
|
fresh=0
|
||||||
|
default=0
|
||||||
|
-CERTSCONF=/etc/ca-certificates.conf
|
||||||
|
-CERTSDIR=/usr/share/ca-certificates
|
||||||
|
-LOCALCERTSDIR=/usr/local/share/ca-certificates
|
||||||
|
+CERTSCONF=$SYSROOT/etc/ca-certificates.conf
|
||||||
|
+CERTSDIR=$SYSROOT/usr/share/ca-certificates
|
||||||
|
+LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
|
||||||
|
CERTBUNDLE=ca-certificates.crt
|
||||||
|
-ETCCERTSDIR=/etc/ssl/certs
|
||||||
|
-HOOKSDIR=/etc/ca-certificates/update.d
|
||||||
|
+ETCCERTSDIR=$SYSROOT/etc/ssl/certs
|
||||||
|
+HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
|
||||||
|
|
||||||
|
while [ $# -gt 0 ];
|
||||||
|
do
|
||||||
|
@@ -92,9 +92,9 @@ add() {
|
||||||
|
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
|
||||||
|
-e 's/[()]/=/g' \
|
||||||
|
-e 's/,/_/g').pem"
|
||||||
|
- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
|
||||||
|
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
|
||||||
|
then
|
||||||
|
- ln -sf "$CERT" "$PEM"
|
||||||
|
+ ln -sf "${CERT##$SYSROOT}" "$PEM"
|
||||||
|
echo "+$PEM" >> "$ADDED"
|
||||||
|
fi
|
||||||
|
# Add trailing newline to certificate, if it is missing (#635570)
|
|
@ -0,0 +1,71 @@
|
||||||
|
From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
|
||||||
|
Date: Wed, 28 Mar 2018 16:45:05 +0100
|
||||||
|
Subject: [PATCH] update-ca-certificates: use relative symlinks from
|
||||||
|
$ETCCERTSDIR
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
update-ca-certificates symlinks (trusted) certificates
|
||||||
|
from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
|
||||||
|
update-ca-certificates can call hook scripts installed
|
||||||
|
into /etc/ca-certificates/update.d. Those scripts are
|
||||||
|
passed the pem file in /etc/ssl/certs/ that was added or
|
||||||
|
removed in this run and those pem files are absolute
|
||||||
|
symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
|
||||||
|
|
||||||
|
When running update-ca-certificates during image build
|
||||||
|
time, they thusly all point into the host's file system,
|
||||||
|
not into the $SYSROOT. This means:
|
||||||
|
* the host's file system layout must match the one
|
||||||
|
produced by OE, and
|
||||||
|
* it also means that the host must have installed the same
|
||||||
|
(or more) certificates as the target in $CERTSDIR and
|
||||||
|
$LOCALCERTSDIR
|
||||||
|
|
||||||
|
This is a problem when wanting to execute hook scripts,
|
||||||
|
because they all need to be taught about $SYSROOT, and
|
||||||
|
behave differently depending on whether they're called
|
||||||
|
at image build time, or on the target, as otherwise they
|
||||||
|
will be trying to actually read the host's certificates
|
||||||
|
from $CERTSDIR or $LOCALCERTSDIR.
|
||||||
|
|
||||||
|
This also is a problem when running anything else during
|
||||||
|
image build time that depends on the trusted CA
|
||||||
|
certificates.
|
||||||
|
|
||||||
|
Changing the symlink to be relative solves all of these
|
||||||
|
problems. Do so.
|
||||||
|
|
||||||
|
Upstream-Status: Inappropriate [OE-specific]
|
||||||
|
Signed-off-by: André Draszik <andre.draszik@jci.com>
|
||||||
|
---
|
||||||
|
sbin/update-ca-certificates | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
|
||||||
|
index 00f80c7..7e911a9 100755
|
||||||
|
--- a/sbin/update-ca-certificates
|
||||||
|
+++ b/sbin/update-ca-certificates
|
||||||
|
@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
|
||||||
|
LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
|
||||||
|
CERTBUNDLE=ca-certificates.crt
|
||||||
|
ETCCERTSDIR=$SYSROOT/etc/ssl/certs
|
||||||
|
+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
|
||||||
|
HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
|
||||||
|
|
||||||
|
while [ $# -gt 0 ];
|
||||||
|
@@ -125,9 +126,10 @@ add() {
|
||||||
|
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
|
||||||
|
-e 's/[()]/=/g' \
|
||||||
|
-e 's/,/_/g').pem"
|
||||||
|
- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
|
||||||
|
+ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
|
||||||
|
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
|
||||||
|
then
|
||||||
|
- ln -sf "${CERT##$SYSROOT}" "$PEM"
|
||||||
|
+ ln -sf "${DST}" "$PEM"
|
||||||
|
echo "+$PEM" >> "$ADDED"
|
||||||
|
fi
|
||||||
|
# Add trailing newline to certificate, if it is missing (#635570)
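Review bot: The new `DST=` line in `add()` passes `${CERT}` to `echo` unquoted and splices `$SYSROOT` into a sed regex, so a sysroot or certificate path containing whitespace, glob characters, regex metacharacters or `|` produces a different symlink target than intended. `DST` decides which file each entry in `$ETCCERTSDIR` resolves to, so plain parameter expansion is safer: `rel=${CERT#"$SYSROOT"}` followed by `DST="$FSROOT${rel#/}"`, assuming `$CERT` always starts with `$SYSROOT/` (the callers are outside the hunk). `FSROOT=../../../` also assumes `$ETCCERTSDIR` sits exactly three levels below the root; its comment should say so, because the recipe rewrites `/etc/` to `${sysconfdir}` for the target. `add()` starts and ends outside the hunk.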
|
|
@ -0,0 +1,50 @@
|
||||||
|
Upstream-Status: Pending
|
||||||
|
|
||||||
|
update-ca-certificates: find SYSROOT relative to its own location
|
||||||
|
|
||||||
|
This makes the script relocatable.
|
||||||
|
|
||||||
|
Index: git/sbin/update-ca-certificates
|
||||||
|
===================================================================
|
||||||
|
--- git.orig/sbin/update-ca-certificates
|
||||||
|
+++ git/sbin/update-ca-certificates
|
||||||
|
@@ -66,6 +66,39 @@ do
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
+if [ -z "$SYSROOT" ]; then
|
||||||
|
+ local_which () {
|
||||||
|
+ if [ $# -lt 1 ]; then
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ (
|
||||||
|
+ IFS=:
|
||||||
|
+ for entry in $PATH; do
|
||||||
|
+ if [ -x "$entry/$1" ]; then
|
||||||
|
+ echo "$entry/$1"
|
||||||
|
+ exit 0
|
||||||
|
+ fi
|
||||||
|
+ done
|
||||||
|
+ exit 1
|
||||||
|
+ )
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ case "$0" in
|
||||||
|
+ */*)
|
||||||
|
+ sbindir=$(cd ${0%/*} && pwd)
|
||||||
|
+ ;;
|
||||||
|
+ *)
|
||||||
|
+ sbindir=$(cd $(dirname $(local_which $0)) && pwd)
|
||||||
|
+ ;;
|
||||||
|
+ esac
|
||||||
|
+ prefix=${sbindir%/*}
|
||||||
|
+ SYSROOT=${prefix%/*}
|
||||||
|
+ if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then
|
||||||
|
+ SYSROOT=
|
||||||
|
+ fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
if [ ! -s "$CERTSCONF" ]
|
||||||
|
then
|
||||||
|
fresh=1
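Review bot: The derived `SYSROOT` appears to be assigned too late to take effect: judging by the hunk offsets, this block lands at line 66, after the use-SYSROOT patch has already expanded `CERTSCONF`, `CERTSDIR`, `LOCALCERTSDIR`, `ETCCERTSDIR` and `HOOKSDIR` from `$SYSROOT` at lines 24-35. Unless those are recomputed in code not shown here, a relocated script run without `SYSROOT` in the environment still reads and writes the host's `/etc` and `/usr/share` trust-store paths, while `add()` strips the derived prefix from the link targets. Either move the detection above the assignments or re-derive them after it. Separately, `cd ${0%/*}` and `$(dirname $(local_which $0))` are unquoted and break on install paths containing spaces; `sbindir=$(cd "${0%/*}" && pwd)` is the minimal fix for the first.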
|
|
@ -1,46 +0,0 @@
|
||||||
DESCRIPTION = "Common CA certificates"
|
|
||||||
HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
|
|
||||||
SECTION = "misc"
|
|
||||||
LICENSE = "GPLv2+"
|
|
||||||
LIC_FILES_CHKSUM = "file://debian/copyright;md5=6135800ff6d893c7904d7aad90972eb5"
|
|
||||||
|
|
||||||
SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates_${PV}.tar.gz \
|
|
||||||
file://0001-update-ca-certificates-remove-c-rehash.patch"
|
|
||||||
|
|
||||||
SRC_URI[md5sum] = "5105d4cc086f0d4ecf7bf2e4c4667289"
|
|
||||||
SRC_URI[sha256sum] = "878cd1130ba056fe5f96decde7e5fc1b71d35eb8565a1515744912e100731ee9"
|
|
||||||
|
|
||||||
inherit allarch
|
|
||||||
|
|
||||||
do_install_prepend() {
|
|
||||||
mkdir -p ${D}/usr/share/ca-certificates
|
|
||||||
mkdir -p ${D}/usr/sbin
|
|
||||||
mkdir -p ${D}/etc/ssl/certs
|
|
||||||
mkdir -p ${D}/etc/ca-certificates/update.d
|
|
||||||
|
|
||||||
oe_runmake 'DESTDIR=${D}' install
|
|
||||||
}
|
|
||||||
|
|
||||||
do_install_append() {
|
|
||||||
cd ${D}/usr/share/ca-certificates
|
|
||||||
echo "# Lines starting with # will be ignored" > ${D}/etc/ca-certificates.conf
|
|
||||||
echo "# Lines starting with ! will remove certificate on next update" >> ${D}/etc/ca-certificates.conf
|
|
||||||
echo "#" >> ${D}/etc/ca-certificates.conf
|
|
||||||
for crt in $(find . -type f -name '*.crt' -print)
|
|
||||||
do
|
|
||||||
crt=$(echo $crt | sed -e 's/\.\///')
|
|
||||||
echo $crt >> ${D}/etc/ca-certificates.conf
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_postinst_${PN} () {
|
|
||||||
if [ -n "$D" ] ; then
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
${sbindir}/update-ca-certificates
|
|
||||||
}
|
|
||||||
|
|
||||||
CONFFILES_${PN} = "/etc/ca-certificates.conf"
|
|
||||||
|
|
||||||
DEFAULT_PREFERENCE = "-1"
|
|
|
@ -0,0 +1,89 @@
|
||||||
|
SUMMARY = "Common CA certificates"
|
||||||
|
DESCRIPTION = "This package includes PEM files of CA certificates to allow \
|
||||||
|
SSL-based applications to check for the authenticity of SSL connections. \
|
||||||
|
This derived from Debian's CA Certificates."
|
||||||
|
HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
|
||||||
|
SECTION = "misc"
|
||||||
|
LICENSE = "GPL-2.0+ & MPL-2.0"
|
||||||
|
LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e"
|
||||||
|
|
||||||
|
# This is needed to ensure we can run the postinst at image creation time
|
||||||
|
DEPENDS = ""
|
||||||
|
DEPENDS_class-native = "openssl-native"
|
||||||
|
DEPENDS_class-nativesdk = "openssl-native"
|
||||||
|
# Need rehash from openssl and run-parts from debianutils
|
||||||
|
PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
|
||||||
|
|
||||||
|
SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
|
||||||
|
|
||||||
|
SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
|
||||||
|
file://0002-update-ca-certificates-use-SYSROOT.patch \
|
||||||
|
file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
|
||||||
|
file://default-sysroot.patch \
|
||||||
|
file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
|
||||||
|
file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
|
||||||
|
"
|
||||||
|
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
|
||||||
|
|
||||||
|
S = "${WORKDIR}/git"
|
||||||
|
|
||||||
|
inherit allarch
|
||||||
|
|
||||||
|
EXTRA_OEMAKE = "\
|
||||||
|
'CERTSDIR=${datadir}/ca-certificates' \
|
||||||
|
'SBINDIR=${sbindir}' \
|
||||||
|
"
|
||||||
|
|
||||||
|
do_compile_prepend() {
|
||||||
|
oe_runmake clean
|
||||||
|
}
|
||||||
|
|
||||||
|
do_install () {
|
||||||
|
install -d ${D}${datadir}/ca-certificates \
|
||||||
|
${D}${sysconfdir}/ssl/certs \
|
||||||
|
${D}${sysconfdir}/ca-certificates/update.d
|
||||||
|
oe_runmake 'DESTDIR=${D}' install
|
||||||
|
|
||||||
|
install -d ${D}${mandir}/man8
|
||||||
|
install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/
|
||||||
|
|
||||||
|
install -d ${D}${sysconfdir}
|
||||||
|
{
|
||||||
|
echo "# Lines starting with # will be ignored"
|
||||||
|
echo "# Lines starting with ! will remove certificate on next update"
|
||||||
|
echo "#"
|
||||||
|
find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \
|
||||||
|
sed 's,^${D}${datadir}/ca-certificates/,,' | sort
|
||||||
|
} >${D}${sysconfdir}/ca-certificates.conf
|
||||||
|
}
|
||||||
|
|
||||||
|
do_install_append_class-target () {
|
||||||
|
sed -i -e 's,/etc/,${sysconfdir}/,' \
|
||||||
|
-e 's,/usr/share/,${datadir}/,' \
|
||||||
|
-e 's,/usr/local,${prefix}/local,' \
|
||||||
|
${D}${sbindir}/update-ca-certificates \
|
||||||
|
${D}${mandir}/man8/update-ca-certificates.8
|
||||||
|
}
|
||||||
|
|
||||||
|
pkg_postinst_${PN}_class-target () {
|
||||||
|
SYSROOT="$D" $D${sbindir}/update-ca-certificates
|
||||||
|
}
|
||||||
|
|
||||||
|
CONFFILES_${PN} += "${sysconfdir}/ca-certificates.conf"
|
||||||
|
|
||||||
|
# Rather than make a postinst script that works for both target and nativesdk,
|
||||||
|
# we just run update-ca-certificate from do_install() for nativesdk.
|
||||||
|
CONFFILES_${PN}_append_class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt"
|
||||||
|
do_install_append_class-nativesdk () {
|
||||||
|
SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates
|
||||||
|
}
|
||||||
|
|
||||||
|
do_install_append_class-native () {
|
||||||
|
SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
|
||||||
|
}
|
||||||
|
|
||||||
|
RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
|
||||||
|
RDEPENDS_${PN}_append_class-native = " openssl-native"
|
||||||
|
RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
|
||||||
|
|
||||||
|
BBCLASSEXTEND = "native nativesdk"
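Review bot: `SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"` pins the fetch by hash, but nothing in the visible recipe records which upstream tag or release that hash corresponds to. A reader therefore cannot confirm from here that it is the 20211016 release named in the commit title. A one-line comment above it, for example `# SRCREV is the upstream commit tagged <tag name for 20211016>`, would make the next trust-store bump easier to review.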
|