Source-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/ca-certificates Upgrade to 20200601



details:   https://anonhg.NetBSD.org/pkgsrc/rev/4a6b98920cb6
branches:  trunk
changeset: 433866:4a6b98920cb6
user:      kim <kim%pkgsrc.org@localhost>
date:      Mon Jun 08 09:55:36 2020 +0000

description:
Upgrade to 20200601

* Update Mozilla certificate authority bundle to version 2.40.
* Add distrusted Symantec CA list to blacklist for explicit removal.
* Blacklist expired root certificate, "AddTrust External Root".

The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"

The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"

Changes for pkgsrc packaging:
* Add README.pkgsrc, replacing MESSAGE.
* Improve DESCR to better describe the functionality of the package.
* Install changelog and README.source from the distribution package.

diffstat:

 security/ca-certificates/DESCR               |   9 +++---
 security/ca-certificates/MESSAGE             |  24 ------------------
 security/ca-certificates/Makefile            |  31 +++++++++++++++++-------
 security/ca-certificates/PLIST               |  33 +++++++++++++------------
 security/ca-certificates/distinfo            |  10 +++---
 security/ca-certificates/files/README.pkgsrc |  36 ++++++++++++++++++++++++++++
 6 files changed, 85 insertions(+), 58 deletions(-)

diffs (254 lines):

diff -r ddef18a9a8c0 -r 4a6b98920cb6 security/ca-certificates/DESCR
--- a/security/ca-certificates/DESCR    Mon Jun 08 09:12:46 2020 +0000
+++ b/security/ca-certificates/DESCR    Mon Jun 08 09:55:36 2020 +0000
@@ -1,6 +1,7 @@
 This package provides the certificates distributed by the Mozilla
-Project.
+Project and will, by default, install certificates trusted by the
+Mozilla Project in the system certificate store.
 
-It also provides a script, update-ca-certs, which can be used to manage
-a location that makes certificates usable by TLS implementations,
-including installing select certificates from this package.
+The sysadmin can configure the list of trusted certificates and also
+add local certificates as needed by editing ca-certificates.conf and
+re-running update-ca-certificates.
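
Review bot: the new first paragraph says the package "will, by default, install certificates" into the system certificate store, but none of the six files in this changeset adds an install-time call to update-ca-certificates, and the MESSAGE deleted here was what told the admin to run it by hand. If an existing install script already does this, fine; otherwise DESCR should say that update-ca-certificates has to be run once after installation.
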
diff -r ddef18a9a8c0 -r 4a6b98920cb6 security/ca-certificates/MESSAGE
--- a/security/ca-certificates/MESSAGE  Mon Jun 08 09:12:46 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-===========================================================================
-$NetBSD: MESSAGE,v 1.1 2020/05/31 15:53:44 kim Exp $
-
-Execute this command to install and rehash select CA root certificates
-distributed by the Mozilla Project, so that they can be used by third
-party applications using OpenSSL. It also creates a single file
-certificate bundle in PEM format which can be used by applications using
-GnuTLS.
-
-       # update-ca-certificates
-
-You can edit /etc/ca-certificates.conf to configure which certificates are
-installed. Additionally any certificates in /usr/local/share/ca-certificates
-will be installed.
-
-To mark these certificates as trusted for users of gnupg2, do
-the following (assuming default PKG_SYSCONFBASE and a Bourne shell):
-
-       # mkdir -p /usr/pkg/etc/gnupg
-       # cd /usr/pkg/etc/gnupg
-       # for c in /etc/openssl/certs/*.pem; do
-       > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
-       > done > trustlist.txt
-===========================================================================
diff -r ddef18a9a8c0 -r 4a6b98920cb6 security/ca-certificates/Makefile
--- a/security/ca-certificates/Makefile Mon Jun 08 09:12:46 2020 +0000
+++ b/security/ca-certificates/Makefile Mon Jun 08 09:55:36 2020 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2020/05/31 15:53:44 kim Exp $
+# $NetBSD: Makefile,v 1.2 2020/06/08 09:55:36 kim Exp $
 
-PKGNAME=       ca-certificates-20190110
+PKGNAME=       ca-certificates-20200601
 DISTNAME=      ${PKGNAME:C/-([^-]*)$/_\1/}
 CATEGORIES=    security
 MASTER_SITES=  http://deb.debian.org/debian/pool/main/c/ca-certificates/
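
Review bot: MASTER_SITES in the context line below the PKGNAME bump still fetches the distfile over plain http, so for this package the distinfo checksums are the only thing protecting the trust-anchor tarball in transit. Consider switching the URL to https while the version is being touched, and mention in the commit message how the new tarball was checked against the upstream release.
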
@@ -14,11 +14,13 @@
 NO_CONFIGURE=          yes
 PYTHON_FOR_BUILD_ONLY= yes
 
-USE_TOOLS=     awk:run echo:run expr:run ln:run ls:run openssl:run rm:run mkdir:run
+USE_TOOLS=     echo:run find:run ln:run openssl:run rm:run sed:run sort:run wc:run
 
 WRKSRC=                ${WRKDIR}/${PKGNAME_NOREV}
 DATADIR=       ${PREFIX}/share/${PKGBASE}
+DOCDIR=                ${PREFIX}/share/doc/${PKGBASE}
 EGDIR=         ${PREFIX}/share/examples/${PKGBASE}
+MANDIR=                ${PREFIX}/share/man/man8
 
 # Set paths depending on whether we depend on builtin or pkgsrc
 # openssl.  \todo Arguably, we should consider installing into both
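
Review bot: the USE_TOOLS line drops awk, expr, ls and mkdir as run-time tools and adds find, sed, sort and wc, with nothing in the commit message about it; please confirm the 20200601 update-ca-certificates script no longer calls the dropped tools, mkdir in particular. Separately, the new MANDIR hard-codes share/man/man8; `${PREFIX}/${PKGMANDIR}/man8` would follow the configured manual directory.
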
@@ -43,26 +45,37 @@
 SUBST_FILES.paths=     Makefile sbin/Makefile
 SUBST_FILES.paths+=    ca-certificates.conf
 SUBST_FILES.paths+=    sbin/update-ca-certificates sbin/update-ca-certificates.8
+SUBST_FILES.paths+=    README.pkgsrc
 SUBST_SED.paths=       -e 's,/usr/sbin,${PREFIX}/sbin,g'
 SUBST_SED.paths+=      -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'
 SUBST_SED.paths+=      -e 's,/etc/ssl,${SSLDIR},g'
 SUBST_SED.paths+=      -e 's,/usr/share/ca-certificates,${DATADIR},g'
 
-INSTALLATION_DIRS=     sbin ${DATADIR} ${EGDIR} share/man/man8
+INSTALLATION_DIRS=     sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR}
 
 CONF_FILES=            ${EGDIR}/ca-certificates.conf \
                        ${PKG_SYSCONFDIR}/ca-certificates.conf
 
 pre-build:
-       @${CP} ${FILESDIR}/ca-certificates.conf ${WRKSRC}/
+       @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/
        @${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
            >> ${WRKSRC}/ca-certificates.conf
 
+post-extract:
+       ${MV} ${WRKDIR}/work ${WRKSRC}
+
 post-install:
-       ${INSTALL_MAN} ${WRKSRC}/sbin/update-ca-certificates.8 \
-           ${DESTDIR}${PREFIX}/share/man/man8/update-ca-certificates.8
-       ${INSTALL_DATA} ${WRKSRC}/ca-certificates.conf \
-           ${DESTDIR}${EGDIR}/ca-certificates.conf
+       ${INSTALL_MAN} \
+           ${WRKSRC}/sbin/update-ca-certificates.8 \
+           ${DESTDIR}${MANDIR}/
+       ${INSTALL_DATA} \
+           ${WRKSRC}/README.pkgsrc \
+           ${WRKSRC}/debian/README.source \
+           ${WRKSRC}/debian/changelog \
+           ${DESTDIR}${DOCDIR}/
+       ${INSTALL_DATA} \
+           ${WRKSRC}/ca-certificates.conf \
+           ${DESTDIR}${EGDIR}/
 
 .include "../../lang/python/tool.mk"
 .include "../../mk/bsd.pkg.mk"
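
Review bot: the new post-extract target, `${MV} ${WRKDIR}/work ${WRKSRC}`, has no comment saying why the rename is needed; a one-line comment that the 20200601 distfile unpacks into `work` (if that is the reason) would save the next updater from guessing. Also worth checking that the SUBST stage for `paths` runs after pre-build, since README.pkgsrc is added to SUBST_FILES.paths but only copied into ${WRKSRC} in pre-build.
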
diff -r ddef18a9a8c0 -r 4a6b98920cb6 security/ca-certificates/PLIST
--- a/security/ca-certificates/PLIST    Mon Jun 08 09:12:46 2020 +0000
+++ b/security/ca-certificates/PLIST    Mon Jun 08 09:55:36 2020 +0000
@@ -1,9 +1,8 @@
-@comment $NetBSD: PLIST,v 1.1 2020/05/31 15:53:44 kim Exp $
+@comment $NetBSD: PLIST,v 1.2 2020/06/08 09:55:36 kim Exp $
 sbin/update-ca-certificates
 share/ca-certificates/mozilla/ACCVRAIZ1.crt
 share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt
 share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
-share/ca-certificates/mozilla/AddTrust_External_Root.crt
 share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
 share/ca-certificates/mozilla/AffirmTrust_Networking.crt
 share/ca-certificates/mozilla/AffirmTrust_Premium.crt
@@ -23,8 +22,7 @@
 share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
 share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
 share/ca-certificates/mozilla/Certigna.crt
-share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt
-share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt
+share/ca-certificates/mozilla/Certigna_Root_CA.crt
 share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
 share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
 share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
@@ -33,7 +31,6 @@
 share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
 share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
 share/ca-certificates/mozilla/DST_Root_CA_X3.crt
-share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt
 share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
 share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
 share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
@@ -49,12 +46,12 @@
 share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
 share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
 share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt
+share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt
 share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt
-share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
-share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt
-share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
-share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
-share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt
+share/ca-certificates/mozilla/GTS_Root_R1.crt
+share/ca-certificates/mozilla/GTS_Root_R2.crt
+share/ca-certificates/mozilla/GTS_Root_R3.crt
+share/ca-certificates/mozilla/GTS_Root_R4.crt
 share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt
 share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
 share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
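
Review bot: GeoTrust_Universal_CA_2.crt stays in the list as a context line directly below the five removed GeoTrust entries, while the commit message says the distrusted Symantec CA list is blacklisted for explicit removal. Please confirm this root is meant to remain installed, and if it is, say so in the commit message, because pre-build in the Makefile appends every share/ca-certificates/ PLIST entry to ca-certificates.conf.
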
@@ -69,6 +66,7 @@
 share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
 share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
 share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
+share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt
 share/ca-certificates/mozilla/ISRG_Root_X1.crt
 share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
 share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
@@ -116,17 +114,20 @@
 share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt
 share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt
 share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
+share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt
+share/ca-certificates/mozilla/UCA_Global_G2_Root.crt
 share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
 share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
-share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
-share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
-share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
 share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
 share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
 share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
 share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
-share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
-share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
-share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt
+share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt
+share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt
+share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt
+share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt
+share/doc/ca-certificates/README.pkgsrc
+share/doc/ca-certificates/README.source
+share/doc/ca-certificates/changelog
 share/examples/ca-certificates/ca-certificates.conf
 share/man/man8/update-ca-certificates.8
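
Review bot: Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt remains as a context line while the VeriSign G4, G5 and Universal Root entries just above it are removed, and it is not in the commit message's removed list. Given that the commit describes blacklisting the distrusted Symantec CAs, please confirm G3 is intentionally kept.
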
diff -r ddef18a9a8c0 -r 4a6b98920cb6 security/ca-certificates/distinfo
--- a/security/ca-certificates/distinfo Mon Jun 08 09:12:46 2020 +0000
+++ b/security/ca-certificates/distinfo Mon Jun 08 09:55:36 2020 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.1 2020/05/31 15:53:44 kim Exp $
+$NetBSD: distinfo,v 1.2 2020/06/08 09:55:36 kim Exp $
 
-SHA1 (ca-certificates_20190110.tar.xz) = 47d4584eae85fc905e4994766eb3930a8a84e2e1
-RMD160 (ca-certificates_20190110.tar.xz) = cbf8f474fba527dc96413632ac5874385bd38e17
-SHA512 (ca-certificates_20190110.tar.xz) = 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372
-Size (ca-certificates_20190110.tar.xz) = 243472 bytes
+SHA1 (ca-certificates_20200601.tar.xz) = f17235bc9c3aec538065a655681815c242a6d7d5
+RMD160 (ca-certificates_20200601.tar.xz) = a9f1f232f46ecb06c53d5d814c29d3b9aca88323
+SHA512 (ca-certificates_20200601.tar.xz) = 7bfd3122430be0a46bd10dcb0e0664561d1e0b2656b9f37677d89f71a1dcb0e668c25ffe08412888125fa9a53ee8245a4b3fc1004c419a159766665b1241113c
+Size (ca-certificates_20200601.tar.xz) = 245668 bytes
diff -r ddef18a9a8c0 -r 4a6b98920cb6 security/ca-certificates/files/README.pkgsrc
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/ca-certificates/files/README.pkgsrc      Mon Jun 08 09:55:36 2020 +0000
@@ -0,0 +1,36 @@
+$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $
+
+This package provides the certificates distributed by the Mozilla
+Project and will, by default, install certificates trusted by the
+Mozilla Project in the system certificate store (/etc/ssl),
+so that they can be used by third party applications using OpenSSL.
+
+Edit /etc/ca-certificates.conf to further configure which
+certificates are installed.
+
+To install local certificate authorities to be implicitly trusted,
+place the certificate files in /usr/local/share/ca-certificates/
+as single files ending with ".crt".
+
+After changing the configuration and adding local certificates run this
+command to install and rehash the certificates:
+
+    # /usr/sbin/update-ca-certificates
+
+After removing local certificates run this command to remove dangling
+symlinks from /etc/ssl/certs:
+
+    # /usr/sbin/update-ca-certificates --fresh
+
+The update-ca-certificates tool also creates a single file certificate
+bundle in PEM format in /etc/ssl/certs/ca-certificates.crt
+which can be used by applications using GnuTLS.
+
+To mark the installed certificates as trusted for users of gnupg2 do
+the following (assuming default PKG_SYSCONFBASE and a Bourne shell):
+
+    # mkdir -p /usr/pkg/etc/gnupg
+    # cd /usr/pkg/etc/gnupg
+    # for c in /etc/ssl/certs/*.pem; do
+    > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
+    > done > trustlist.txt
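
Review bot: the gnupg2 recipe at the end of the new README ends in `> done > trustlist.txt`, which truncates any existing /usr/pkg/etc/gnupg/trustlist.txt and so silently discards entries the admin added earlier. Suggest writing to a temporary file and merging, or at least stating that the file is replaced; `$c` in `openssl x509 -in $c` should also be quoted. Note too that the loop marks every certificate under /etc/ssl/certs as trusted, including local CAs installed from /usr/local/share/ca-certificates/, which the text should make explicit.
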


