Date: Sunday, August 24, 2014 @ 16:47:45 Author: heftig Revision: 220623
Implement CA rethink Added: nss/trunk/ca-certificates-mozilla.install nss/trunk/certdata2pem.py-loudness.patch Modified: nss/trunk/PKGBUILD ---------------------------------+ PKGBUILD | 59 ++++++++++++++++++++++++++++---------- ca-certificates-mozilla.install | 11 +++++++ certdata2pem.py-loudness.patch | 13 ++++++++ 3 files changed, 69 insertions(+), 14 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2014-08-24 14:32:31 UTC (rev 220622) +++ PKGBUILD 2014-08-24 14:47:45 UTC (rev 220623) @@ -1,8 +1,9 @@ # $Id$ # Maintainer: Jan de Groot <[email protected]> -pkgname=nss -pkgver=3.16.3 +pkgbase=nss +pkgname=(nss ca-certificates-mozilla) +pkgver=3.17 pkgrel=1 pkgdesc="Mozilla Network Security Services" arch=(i686 x86_64) 
@@ -9,21 +10,28 @@ url="http://www.mozilla.org/projects/security/pki/nss/" license=('MPL' 'GPL') _nsprver=4.10.6 -depends=("nspr>=${_nsprver}" 'sqlite' 'zlib' 'sh') -makedepends=('perl') +depends=("nspr>=${_nsprver}" 'sqlite' 'zlib' 'sh' 'p11-kit') +makedepends=('perl' 'python2') options=('!strip' '!makeflags' 'staticlibs') -source=(ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgname}-${pkgver}.tar.gz +source=("ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz" + "certdata2pem.py::http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?id=15470c64b5464d273556a290b1e7b50b32a2e5a0" nss.pc.in nss-config.in - ssl-renegotiate-transitional.patch) -sha1sums=('a1937de60e03a24526591d883bcfe31a3acc8ef4' - 'aa5b2c0aa38d3c1066d511336cf28d1333e3aebd' - 'cb744cc3e56b604e4754bc3c7d9f25bb9a0a136c' - '8a964a744ba098711b80c0d279a2993524e8eb92') + ssl-renegotiate-transitional.patch + certdata2pem.py-loudness.patch) +sha256sums=('3b1abcd8f89211dda2cc739bfa76552d080f7ea80482ef2727b006548a7f0c81' + '57bd6f309736825fc0edbf7d522726224764520595dfdddd0dba59158839e863' + 'b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd' + 'e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9' + '12df04bccbf674db1eef7a519a28987927b5e9c107b1dc386686f05e64f49a97' + '90f8e72fbcca9ce907dcf6565bcd95ca23d2da5d87caee64c141ac54680f8703') prepare() { - cd $pkgname-$pkgver + mkdir certs + patch --follow-symlinks certdata2pem.py certdata2pem.py-loudness.patch + cd nss-$pkgver + # Adds transitional SSL renegotiate support - patch from Debian patch -Np3 -i ../ssl-renegotiate-transitional.patch 
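Review bot: The new `certdata2pem.py` entry in `source=()` fetches the script that generates the packaged CA set from a cgit URL over plain `http://`, so its integrity rests entirely on the matching `sha256sums` entry, which is only as trustworthy as the channel used when that checksum was recorded. Pinning by `?id=` and moving from sha1 to sha256 are both good. Even so, a build-time helper that selects which roots are shipped is worth vendoring in trunk next to `nss.pc.in`, so the entry becomes just `certdata2pem.py` and changes to it show up in the package repository's own history. The `ftp://` tarball line has the same transport weakness; if upstream publishes a detached signature (not visible here), verifying it would be stronger than a checksum alone.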
@@ -30,12 +38,18 @@ # Respect LDFLAGS sed -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/' \ -i nss/coreconf/rules.mk + + ln -sr nss/lib/ckfw/builtins/certdata.txt ../certs/ } build() { - cd $pkgname-$pkgver/nss + cd certs + python2 ../certdata2pem.py + printf "mozilla/%s\n" *.crt > mozilla.conf + test -s mozilla.conf + cd ../nss-$pkgver/nss export BUILD_OPT=1 export NSS_USE_SYSTEM_SQLITE=1 export NSS_ENABLE_ECC=1 @@ -50,8 +64,8 @@ make } -package() { - cd $pkgname-$pkgver +package_nss() { + cd nss-$pkgver install -d "$pkgdir"/usr/{bin,include/nss,lib/pkgconfig} NSS_VMAJOR=$(grep '#define.*NSS_VMAJOR' nss/lib/nss/nss.h | awk '{print $3}') @@ -88,4 +102,21 @@ cd ../../public/nss install -t "$pkgdir/usr/include/nss" -m644 *.h + + rm "$pkgdir/usr/lib/libnssckbi.so" + ln -s p11-kit-proxy.so "$pkgdir/usr/lib/libnssckbi.so" } + +package_ca-certificates-mozilla() { + pkgdesc="Mozilla's set of trusted CA certificates" + depends=(ca-certificates-utils) + install=ca-certificates-mozilla.install + + cd certs + + local _certdir="$pkgdir/usr/share/ca-certificates/mozilla" + install -d "$_certdir" + install -t "$_certdir" -m644 *.crt + + install -Dm644 mozilla.conf "$pkgdir/etc/ca-certificates/conf.d/mozilla.conf" +} Added: ca-certificates-mozilla.install =================================================================== --- ca-certificates-mozilla.install (rev 0) +++ ca-certificates-mozilla.install 2014-08-24 14:47:45 UTC (rev 220623) @@ -0,0 +1,11 @@ +post_install() { + usr/bin/update-ca-certificates --fresh &>/dev/null +} + +post_upgrade() { + post_install +} + +pre_remove() { + post_install +} Added: certdata2pem.py-loudness.patch =================================================================== --- certdata2pem.py-loudness.patch (rev 0) +++ certdata2pem.py-loudness.patch 2014-08-24 14:47:45 UTC (rev 220623) 
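Review bot: In `build()`, `test -s mozilla.conf` cannot detect an empty conversion. When `certdata2pem.py` produces no `.crt` files, bash leaves the pattern unexpanded and `printf` writes the literal line `mozilla/*.crt`, so the file is never empty. Check for the certificates themselves before writing the list, for example `compgen -G '*.crt' >/dev/null` ahead of the `printf` (assuming makepkg aborts on a failing command), or enable `nullglob` for that step so the existing `test -s` becomes meaningful. `build()` continues beyond this hunk.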
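Review bot: `ln -s p11-kit-proxy.so "$pkgdir/usr/lib/libnssckbi.so"` in `package_nss()` points NSS's built-in roots module at the p11-kit proxy, which exposes every PKCS#11 module registered with p11-kit rather than only a trust store. If the goal is just to make the system trust store authoritative for NSS applications, linking to p11-kit's trust module (`pkcs11/p11-kit-trust.so`, path to be confirmed for this distribution) keeps the loaded surface narrower. Either way the `rm`/`ln` pair deserves a comment such as `# Replace the built-in root list with p11-kit so NSS uses the system trust store`. `package_nss()` starts outside this hunk.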
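Review bot: `pre_remove()` calls `post_install`, so `update-ca-certificates --fresh` runs while this package's certificates are presumably still on disk, and the regenerated store would keep trusting them after the package is removed. Running the refresh from `post_remove() { post_install; }` instead would rebuild the store once the files are gone. Separately, `&>/dev/null` discards stderr too, so a failed trust-store rebuild is silent; `>/dev/null` alone would keep errors visible.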
@@ -0,0 +1,13 @@
+--- certdata2pem.py 2014-08-24 15:16:24.927192958 +0200
++++ certdata2pem.py.loudness 2014-08-24 15:17:30.193535402 +0200
+@@ -104,9 +104,7 @@
+ trust[obj['CKA_LABEL']] = True
+ elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
+ 'CKT_NSS_NOT_TRUSTED'):
+- print '!'*74
+- print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
+- print '!'*74
++ print "Certificate %s untrusted, ignoring." % obj['CKA_LABEL']
+ else:
+ print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
+ (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
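Review bot: The patch carries no description, and nothing on the page says why the banner for `CKT_NETSCAPE_UNTRUSTED` / `CKT_NSS_NOT_TRUSTED` entries is reduced to a single line. That branch reports entries marked untrusted for server authentication, so a short header above the `---` line would help the next maintainer, for instance `Untrusted entries are expected in certdata.txt; report them on one line instead of a banner.` It should also say whether skipping these entries, rather than exporting them as explicitly distrusted, is intended now that `libnssckbi.so` is redirected to p11-kit; that cannot be determined from the lines shown. The `if`/`elif` chain being patched starts and ends outside the nested hunk.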
