
rootcerts-20191126.00-2.mga7.src.rpm

# Build switches:
#  - bootstrap is off by default; enabling it drops the nss build dependency
#    and skips the addbuiltin step in the build section.
#  - java is on by default; it gates the java subpackage and the generation
#    of the Java keystore.
%bcond_with bootstrap
%bcond_without java

Summary:	Bundle of CA Root Certificates
Name:		rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:		1
# The version is the commit date of the certdata.txt in use (see the Source1
# notes below), so it tells an auditor how fresh the shipped trust store is.
Version:	20191126.00
Release:	%mkrel 2
License:	GPL
Group:		Security
URL:		http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
# NOTE(review): Source0 is a bare file name and the origin above is plain
# http. Nothing in this spec checks a digest or signature for it, so its
# integrity rests on whatever the distribution's source store enforces -- confirm.
Source0:	rootcerts.tar.bz2
# www.mail-archive.com/modssl-users@modssl.org/msg16980.html
#
# For Source1, the NSS commit trunk version of this file is here:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# The version tag for this package should come from the commit date of the version used from the NSS repository above
# To choose which NSS commit version to use, we can check the certdata.txt file used in either...
# the current Mozilla release:
# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# or the Mozilla development commit trunk:
# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# Ideally, it should correspond to the version shipped in the NSS release we are using
# NOTE(review): this file is the input for every trust anchor the package
# installs and the spec itself does not verify it. On each update, diff it
# against the previous certdata.txt and against the chosen upstream changeset
# so that added and removed roots are reviewed rather than taken on faith.
Source1:	certdata-%{version}.txt
# http://www.cacert.org/certs/root_X0F.der
# NOTE(review): this root is not taken from certdata.txt; the build section
# appends it to the list for mgaversion < 8. The reference above is plain
# http, so the DER file should be checked against a fingerprint obtained
# through an independent channel before it is committed.
Source3:	cacert.org.der
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:	generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:		generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:		generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:		generate-cacerts-rename-duplicates.patch
# Going by its name, adapts mkcerts.pl to newer openssl releases.
Patch3:		rootcerts-fix-mkcerts-to-work-with-new-openssl.patch
# Use 'openssl rehash' instead of 'c_rehash' and increase verbosity
Patch4:		use-openssl-rehash-instead-of-c_rehash.patch
BuildRequires:	perl
BuildRequires:	openssl
# nss is only required outside bootstrap builds; the one build step guarded
# the same way is addbuiltin (presumably shipped by nss -- confirm).
%if %{without bootstrap}
BuildRequires:	nss
%endif
# keytool from the JDK is what generate-cacerts.pl is handed in the build section.
%if %with java
BuildRequires:	javapackages-tools
BuildRequires:	java-devel
%endif

# Only data files are shipped, so no per-architecture build is needed.
BuildArch:	noarch
# Lets packages that depend on the name ca-certificates be satisfied by this one.
Provides:	ca-certificates

# NOTE(review): mod_ssl's SSLCACertificateFile names the CAs accepted when
# verifying *client* certificates. Pointing it at this bundle makes the server
# accept a client certificate chaining to any public CA in the list, so that
# setup needs explicit authorization rules on the certificate subject/issuer,
# or a bundle holding only the CAs that issue your clients' certificates.
# The description text itself is left as written.
%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
# Subpackage carrying the CA set as a Java keystore (the cacerts file), which
# the build section generates from ca-bundle.crt with generate-cacerts.pl.
%package java
Summary:	Bundle of CA Root Certificates for Java
Group:		Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

# Unpack Source0; the build directory is named "rootcerts".
%setup -q -n rootcerts

# Place the Mozilla list at builtins/certdata.txt, the path the later steps use.
mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
# (assumes the licence notice is exactly the first four lines of certdata.txt -- TODO confirm)
head -4 builtins/certdata.txt > LICENSE

# CAcert
# The extra root is only copied in for releases before Mageia 8.
%if %{mgaversion} < 8
cp %{SOURCE3} .
%endif

# Keystore generator and the local patches. Patches 0-2 are applied with -p0
# and, going by their names, target generate-cacerts.pl; 3 and 4 use -p1.
cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0
%patch3 -p1
%patch4 -p1

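%build
# Regenerate the autotools output instead of using the configure script from the tarball.
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

%if %{without bootstrap}
# CAcert
# http://wiki.cacert.org/wiki/NSSLib
# Appends the CAcert root to the Mozilla list. In the NSS trust string
# "CT,C,C" the three fields are SSL, e-mail and object signing: the root
# becomes a trusted CA for TLS server and client certificates, for S/MIME and
# for code signing. This is a distribution-level trust decision on top of
# Mozilla's list, it only applies for mgaversion < 8, and it is skipped in a
# bootstrap build, so the two build modes yield different trust stores.
%if %{mgaversion} < 8
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
%endif
%endif

# mkcerts.pl writes a shell script (certs.sh), presumably run by the make step
# to produce pem/*.pem.
# NOTE(review): mkcerts.pl is not visible here. Confirm that it skips entries
# certdata.txt marks as distrusted, because the plain PEM concatenation built
# below carries no per-purpose trust or distrust information.
perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make_build
cat pem/*.pem > ca-bundle.crt
# Refuse to package an empty trust store: if the extraction step produced
# empty PEM files, fail the build here instead of shipping a bundle that
# breaks certificate verification on every host that installs it.
test -s ca-bundle.crt || { echo "ca-bundle.crt is empty, refusing to continue" >&2; exit 1; }

%if %with java
# Build the Java keystore from the same bundle. LC_ALL=C is kept because the
# keystore generation needs a safe locale (see the 2010-01-24 changelog entry).
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif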

%install
%make_install

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

# The concatenated bundle is world-readable (0644); it holds public
# certificates only. cert.pem is a relative link to it inside pki/tls.
install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

# Ships the certdata.txt used for the build, including any entry appended to
# it in the build section.
install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

# README repeats the package description verbatim.
# NOTE(review): the SSLCACertificateFile advice in it configures which CAs
# mod_ssl accepts for *client* certificates; with this bundle that is every
# public CA in the list, so it must not be the only access control.
cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
# The link targets are absolute paths without the buildroot prefix, so they
# resolve on the installed system. Only the certs directory is created by this
# section; the private directory the second link points at is not.
# NOTE(review): confirm which package owns pki/tls/private and that its mode
# keeps private keys unreadable to other users.
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

# NOTE(review): config(noreplace) keeps a locally edited copy of a file on
# upgrade and writes the packaged version next to it as .rpmnew. For a trust
# store this means that CA removals shipped in an update do not take effect on
# hosts where the file was modified; those hosts need the .rpmnew merged by
# hand. The same applies to the Java keystore below.
%files 
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
# Debian/Ubuntu compatibility symlinks created in the install section.
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private

%if %with java
%files java
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif


%changelog
* Tue May 05 2020 luigiwalser <luigiwalser> 1:20191126.00-2.mga7
+ Revision: 1580664
- sync with cauldron (remove extra downstream certs, update cacert.org.der)
- new certdata.txt file as of 2019-11-26
- new certdata.txt file as of 2019-10-11
- new certdata.txt file as of 2019-08-20
- new certdata.txt file as of 2019-06-04

* Tue Mar 19 2019 luigiwalser <luigiwalser> 1:20190306.00-1.mga7
+ Revision: 1378813
- new certdata.txt file as of 2019-03-06

* Sat Dec 08 2018 luigiwalser <luigiwalser> 1:20181108.00-1.mga7
+ Revision: 1338980
- new certdata.txt file as of 2018-11-08

* Mon Oct 15 2018 luigiwalser <luigiwalser> 1:20181001.00-1.mga7
+ Revision: 1320649
- new certdata.txt file as of 2018-10-01

* Fri Sep 21 2018 umeabot <umeabot> 1:20180411.00-2.mga7
+ Revision: 1290771
- Mageia 7 Mass Rebuild

* Sun May 13 2018 wally <wally> 1:20180411.00-1.mga7
+ Revision: 1228730
- add patch to build with 'openssl rehash' instead of 'c_rehash'
+ luigiwalser <luigiwalser>
- new certdata.txt file as of 2018-04-11

* Sat Jan 20 2018 luigiwalser <luigiwalser> 1:20180104.00-1.mga7
+ Revision: 1195139
- new certdata.txt file as of 2018-01-04

* Wed Dec 13 2017 luigiwalser <luigiwalser> 1:20171122.00-1.mga7
+ Revision: 1182474
- new certdata.txt file as of 2017-11-22

* Tue Nov 14 2017 luigiwalser <luigiwalser> 1:20171025.00-1.mga7
+ Revision: 1177324
- new certdata.txt file as of 2017-10-25
- remove patch no longer needed with new nss

* Sun Oct 29 2017 wally <wally> 1:20170718.00-2.mga7
+ Revision: 1174517
- provide ca-certificates to make google-chrome installable

* Tue Aug 22 2017 sander85 <sander85> 1:20170718.00-1.mga7
+ Revision: 1142897
- Fix build with new openssl
+ luigiwalser <luigiwalser>
- new certdata.txt file as of 2017-07-18

* Fri Apr 21 2017 luigiwalser <luigiwalser> 1:20170404.00-1.mga6
+ Revision: 1097021
- new certdata.txt file as of 2017-04-04

* Wed Mar 08 2017 mrambo3501 <mrambo3501> 1:20170209.00-2.mga6
+ Revision: 1089962
- add patch to revert attributes not supported by current nss

* Sat Mar 04 2017 luigiwalser <luigiwalser> 1:20170209.00-1.mga6
+ Revision: 1088737
- new certdata.txt file as of 2017-02-09

* Sun Jan 15 2017 luigiwalser <luigiwalser> 1:20170102.00-1.mga6
+ Revision: 1081752
- new certdata.txt file as of 2017-01-02

* Tue Oct 04 2016 luigiwalser <luigiwalser> 1:20160922.00-1.mga6
+ Revision: 1058740
- new certdata.txt file as of 2016-09-22

* Tue Sep 20 2016 luigiwalser <luigiwalser> 1:20160826.00-1.mga6
+ Revision: 1054564
- new certdata.txt file as of 2016-08-26

* Fri Aug 05 2016 luigiwalser <luigiwalser> 1:20160805.00-1.mga6
+ Revision: 1044667
- new certdata.txt file as of 2016-08-05

* Mon Jul 25 2016 luigiwalser <luigiwalser> 1:20160610.00-1.mga6
+ Revision: 1043619
- new certdata.txt file as of 2016-06-10

* Thu Jun 16 2016 daviddavid <daviddavid> 1:20160225.00-3.mga6
+ Revision: 1021791
- add missing BR on openssl-perl

* Sat Apr 09 2016 pterjan <pterjan> 1:20160225.00-2.mga6
+ Revision: 999930
- Make this package noarch, it's only data in /etc

* Sat Mar 12 2016 luigiwalser <luigiwalser> 1:20160225.00-1.mga6
+ Revision: 989574
- new certdata.txt file as of 2016-02-25
+ umeabot <umeabot>
- Mageia 6 Mass Rebuild

* Sat Dec 05 2015 neoclust <neoclust> 1:20151029.00-2.mga6
+ Revision: 908468
- Enable java build on ARM

* Sun Nov 01 2015 luigiwalser <luigiwalser> 1:20151029.00-1.mga6
+ Revision: 897238
- new certdata.txt file as of 2015-10-29

* Fri Aug 07 2015 luigiwalser <luigiwalser> 1:20150709.00-1.mga6
+ Revision: 861553
- new certdata.txt file as of 2015-07-09

* Wed May 06 2015 luigiwalser <luigiwalser> 1:20150420.00-1.mga5
+ Revision: 821335
- new certdata.txt file as of 2015-04-20

* Wed Apr 01 2015 luigiwalser <luigiwalser> 1:20150326.00-1.mga5
+ Revision: 819491
- new certdata.txt file as of 2015-03-26

* Mon Mar 23 2015 luigiwalser <luigiwalser> 1:20150226.00-1.mga5
+ Revision: 819109
- new certdata.txt file as of 2015-02-26

* Tue Dec 02 2014 luigiwalser <luigiwalser> 1:20141117.00-1.mga5
+ Revision: 800260
- new certdata.txt file as of 2014-11-17

* Wed Oct 15 2014 umeabot <umeabot> 1:20140805.00-3.mga5
+ Revision: 739158
- Second Mageia 5 Mass Rebuild

* Tue Sep 16 2014 umeabot <umeabot> 1:20140805.00-2.mga5
+ Revision: 688693
- Mageia 5 Mass Rebuild

* Sun Aug 17 2014 luigiwalser <luigiwalser> 1:20140805.00-1.mga5
+ Revision: 664502
- new certdata.txt file as of 20140805

* Fri Jul 11 2014 luigiwalser <luigiwalser> 1:20140703.00-1.mga5
+ Revision: 651189
- new certdata.txt file as of 20140703

* Thu May 08 2014 oden <oden> 1:20140507.00-1.mga5
+ Revision: 621138
- new certdata.txt file as of 20140507

* Wed Mar 19 2014 oden <oden> 1:20140318.00-1.mga5
+ Revision: 605584
- new certdata.txt file as of 20140318

* Tue Dec 10 2013 luigiwalser <luigiwalser> 1:20131204.00-1.mga4
+ Revision: 556204
- new certdata.txt file as of 2013-12-04

* Thu Nov 14 2013 luigiwalser <luigiwalser> 1:20131111.00-1.mga4
+ Revision: 551152
- new certdata.txt file as of 2013-11-11

* Mon Oct 21 2013 umeabot <umeabot> 1:20130411.00-2.mga4
+ Revision: 539097
- Mageia 4 Mass Rebuild

* Fri Oct 04 2013 luigiwalser <luigiwalser> 1:20130411.00-1.mga4
+ Revision: 491390
- update java BRs
+ oden <oden>
- new certdata.txt file as of 2013-04-11 since it now lives in mozilla hg

* Thu Jan 24 2013 fwang <fwang> 1:20121229.00-4.mga3
+ Revision: 392002
- update rpm group

* Mon Jan 14 2013 umeabot <umeabot> 1:20121229.00-3.mga3
+ Revision: 380402
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild

* Tue Jan 08 2013 oden <oden> 1:20121229.00-2.mga3
+ Revision: 343283
- bump release

* Tue Jan 08 2013 oden <oden> 1:20121229.00-1.mga3
+ Revision: 343219
- new certdata.txt file as of 2012/12/29 (fixes CVE-2013-0743)

* Mon Jan 07 2013 blino <blino> 1:20121018.00-2.mga3
+ Revision: 340430
- add a Debian/Ubuntu compat symlink for /etc/ssl/private/ as well

* Sat Oct 27 2012 luigiwalser <luigiwalser> 1:20121018.00-1.mga3
+ Revision: 310747
- update certdata.txt to 2012/10/18 version

* Mon Jul 02 2012 luigiwalser <luigiwalser> 1:20120628.00-1.mga3
+ Revision: 266580
- update certdata.txt to 2012/06/28 version

* Sun Feb 26 2012 luigiwalser <luigiwalser> 1:20120218.00-1.mga2
+ Revision: 215028
- update certdata.txt to 2012/02/18 version
- update certdata.txt to 2012/02/18 version

* Mon Dec 26 2011 dmorgan <dmorgan> 1:20111103.00-1.mga2
+ Revision: 187788
- New version 20111103

* Wed Aug 31 2011 dmorgan <dmorgan> 1:20110830.00-1.mga2
+ Revision: 137338
- Remove P3: unneeded
- new certdata.txt file (fixes MFSA 2011-34 Protection against fraudulent DigiNotar certificates)
- Fix sha1.lst

* Wed Apr 20 2011 pterjan <pterjan> 1:20110323.00-1.mga1
+ Revision: 89070
- Update certdata.txt to 23/03/2011 version

* Sat Jan 15 2011 wally <wally> 1:20101202.00-2.mga1
+ Revision: 18895
- fix unwanted occurrences
- rename patch

* Thu Jan 13 2011 pterjan <pterjan> 1:20101202.00-1.mga1
+ Revision: 16347
- Drop obsolete tests
- imported package rootcerts


* Sat Dec 25 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20101202.00-1mdv2011.0
+ Revision: 624972
- new certdata.txt file from upstream cvs (20101202)

* Thu Nov 25 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20101119.00-1mdv2011.0
+ Revision: 601001
- new certdata.txt from upstream (2010-11-19)

* Thu Sep 09 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100827.00-1mdv2011.0
+ Revision: 576922
- new certdata.txt file as of 2010/08/27

* Mon May 17 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100408.00-1mdv2010.1
+ Revision: 544960
- drop the RSA Security 1024 V3 Root cert

* Tue Apr 06 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100403.01-1mdv2010.1
+ Revision: 532249
- new certdata.txt from upstream (20100403)

* Fri Mar 12 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100216.01-1mdv2010.1
+ Revision: 518349
- fix #58107 (provide compatibility symlink for Adobe Flash)
- new certdata.txt (20100216) from upstream

* Wed Feb 03 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.04-1mdv2010.1
+ Revision: 500052
- P3: remove the offending MD5 Collisions Forged Rogue CA 25c3 cert

* Thu Jan 28 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.03-1mdv2010.1
+ Revision: 497698
- avoid making useless (empty) debug packages

* Thu Jan 28 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.02-1mdv2010.1
+ Revision: 497654
- fix the bcond stuff (thanks anssi)

* Thu Jan 28 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.01-1mdv2010.1
+ Revision: 497593
- disable java cert generations on older products

* Sun Jan 24 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.00-1mdv2010.1
+ Revision: 495449
- new certdata.txt file as of 2009/12/03
- the java certs won't build unless using a safe locale

* Mon Oct 19 2009 Anssi Hannula <anssi@mandriva.org> 1:20090831.00-1mdv2010.0
+ Revision: 458242
- add multiple "-alt" suffixes to java certificate shortnames if more
  than 2 certificates share the same name
  (cacerts-rename-duplicates.patch modified)

  + Oden Eriksson <oeriksson@mandriva.com>
    - new certdata.txt from mozilla

* Mon Sep 28 2009 Olivier Blin <oblin@mandriva.com> 1:20090814.00-2mdv2010.0
+ Revision: 450336
- disable java on mips & arm, implying it's not noarch anymore
  (from Arnaud Patard)

* Sat Aug 22 2009 Oden Eriksson <oeriksson@mandriva.com> 1:20090814.00-1mdv2010.0
+ Revision: 419733
- new snapshot (20090814)

* Sun Aug 02 2009 Oden Eriksson <oeriksson@mandriva.com> 1:20090521.00-1mdv2010.0
+ Revision: 407545
- new cvs snap (20090521)
- the IGC/A cert was added upstream (S5)

* Mon Mar 23 2009 Anssi Hannula <anssi@mandriva.org> 1:20090115.00-1mdv2009.1
+ Revision: 360711
- java: rename identically named certificates that are not handled by
  mandriva.patch

  + Oden Eriksson <oeriksson@mandriva.com>
    - new certdata.txt file

* Sat Jan 24 2009 Oden Eriksson <oeriksson@mandriva.com> 1:20081017.00-2mdv2009.1
+ Revision: 333321
- roll back the certdata.txt file for now
- new certdata.txt file

* Fri Oct 24 2008 Oden Eriksson <oeriksson@mandriva.com> 1:20081017.00-1mdv2009.1
+ Revision: 296928
- new S1

* Sat Jul 05 2008 Anssi Hannula <anssi@mandriva.org> 1:20080503.00-2mdv2009.0
+ Revision: 232015
- add java subpackage that contains cacerts file for JRE, and a
  --with[out] java build option to disable it

* Fri Jul 04 2008 Oden Eriksson <oeriksson@mandriva.com> 1:20080503.00-1mdv2009.0
+ Revision: 231658
- new certdata.txt

* Wed Jun 18 2008 Thierry Vignaud <tv@mandriva.org> 1:20080117.00-2mdv2009.0
+ Revision: 225323
- rebuild

* Thu Feb 14 2008 Oden Eriksson <oeriksson@mandriva.com> 1:20080117.00-1mdv2008.1
+ Revision: 168072
- new certdata.txt (Guenter Knauf)

* Thu Dec 20 2007 Oden Eriksson <oeriksson@mandriva.com> 1:20070713.00-1mdv2008.1
+ Revision: 135400
- new S1 from upstream cvs

* Mon Dec 17 2007 Thierry Vignaud <tv@mandriva.org> 1:20070402.00-1mdv2008.1
+ Revision: 126645
- kill re-definition of %%buildroot on Pixel's request


* Tue Apr 03 2007 Marcelo Ricardo Leitner <mrl@mandriva.com> 20070402.00-1mdv2007.1
+ Revision: 150441
- Improve package versioning:
  - Fix version in order to point to current date.
  - Bumped epoch to 0 for this.
  - Ignores rpm's release, in order to avoid distro tags.
  - More details, please refer to comments on the package.

* Tue Apr 03 2007 Oden Eriksson <oeriksson@mandriva.com> 20071031-3mdv2007.1
+ Revision: 150288
- added the IGC/A CA root cert (French government CA)

* Wed Mar 21 2007 Andreas Hasenack <andreas@mandriva.com> 20071031-2mdv2007.1
+ Revision: 147526
- added a new verisign certificate (#29612)
- note to self: the mozilla/nss part of this package is not
  working as intended

* Tue Oct 31 2006 Oden Eriksson <oeriksson@mandriva.com> 20071031-1mdv2007.1
+ Revision: 74824
- new certdata.txt version
- bunzip sources
- import rootcerts-20060621-2mdv2007.0

* Thu Jun 22 2006 Oden Eriksson <oeriksson@mandriva.com> 20060621-2mdv2007.0
- added the cacert root cert
- add the certdata.txt to the package

* Thu Jun 22 2006 Oden Eriksson <oeriksson@mandriva.com> 20060621-1mdv2007.0
- new certdata.txt from the mozilla cvs

* Fri Nov 11 2005 Oden Eriksson <oeriksson@mandriva.com> 20051111-1mdk
- initial Mandriva package
- added ICP-Brasil from a patch added to our mozilla-firefox
- credits goes to Scott Grayban for finding this bug