pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

How to handle updates to mozilla-rootcerts?


I noticed in my latest pkgsrc update that I got a new version of
the mozilla-rootcerts package installed, a diff of "old vs new" gave:

-mozilla-rootcerts-1.0.20170121nb6 Root CA certificates from the Mozilla Project
+mozilla-rootcerts-1.0.20180111 Root CA certificates from the Mozilla Project

Is any action on my (the operator's) side required to effect this
update?  I suspect "yes", and the reason I ask is that "pkg_info
mozilla-rootcerts" says

Install notice:
$NetBSD: MESSAGE,v 1.5 2014/08/10 10:47:42 wiz Exp $

Execute this command to extract and rehash all CA root certificates
distributed by the Mozilla Project, so that they can be used by third
party applications using OpenSSL. It also creates a single file
certificate bundle in PEM format which can be used by applications using

        # mozilla-rootcerts install

To mark these certificates as trusted for users of gnupg2, do
the following (assuming default PKG_SYSCONFBASE and a Bourne shell):

        # mkdir -p /usr/pkg/etc/gnupg
        # cd /usr/pkg/etc/gnupg
        # for c in /etc/openssl/certs/*.pem; do
        > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
        > done > trustlist.txt

On initial install, I dutifully executed the "mozilla-rootcerts
install" command.

However, re-running the first command above now that the package
has been updated results in an error message and (I'm assuming)
no action taken:

# mozilla-rootcerts install
ERROR: /etc/openssl/certs already contains certificates, aborting.

As far as I know, the only thing which has populated the certs
directory on this system is pkgsrc via the mozilla-rootcerts
package.  So why is it that this can only be installed once, and
apparently no mechanism is left in place for subsequent updates?

Is it just me that thinks this is a particularly annoying rough
edge in pkgsrc?


- Håvard

Home | Main Index | Thread Index | Old Index