tags 795244 + patch
thanks

Hi there,
On Thu, 12 Apr 2018 16:11:08 +0200, Raphael Hertzog wrote:
> On Wed, 12 Aug 2015, Christian Hammers wrote:
> > It does not work though:
> >
> > # java -Xmx64m -jar
> > /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit
>
> That's because the program expects data on standard input. A list of
> certificates to add (prefixed with "+") or remove (prefixed with "-").
>
> I'm not sure that there's a real issue here.

Thus, what is the purpose of the same command in /etc/ca-certificates/update.d/jks-keystore? As the reporter said, the command line was taken from that file.

Disclaimer: I am not a Java expert...

While the /usr/share/doc/ca-certificates-java/README.Debian says that the package "doesn't automagically handle local certificates" (as Michael Shuler noted[1]), the solution is quite simple and can be directly taken from postinst:

```
diff --git a/ca-certificates/update.d/jks-keystore b/ca-certificates/update.d/jks-keystore index e0c3445..b5744ce 100755 --- a/ca-certificates/update.d/jks-keystore +++ b/ca-certificates/update.d/jks-keystore 
@@ -79,7 +79,19 @@ do_cleanup() fi } -if java -Xmx64m -jar $JAR -storepass "$storepass"; then +## <https://bugs.debian.org/795244> +find /etc/ssl/certs -name \*.pem | \ +while read filename; do + alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _) + alias=${alias%*_} + if [ -n "$FIXOLD" ]; then + echo "-${alias}" + echo "-${alias}_pem" + fi + echo "+${filename}" + done | \ + java -Xmx64m -jar $JAR -storepass "$storepass" +if [ $? -eq 0 ]; then do_cleanup else do_cleanup
```

[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795244#10>

The only drawback is that the cacerts default keystore will be updated at every invocation of update-ca-certificates. I am aware that the very same README advises to use `update-ca-certificates -f` for a full re-import, but IMHO the patch proposed is more consistent with the "normal" update-ca-certificates behavior.

Thx, bye,
Luca

-- 
Dr. Luca Capello
Ingénieur HPC
Division du Système et des Technologies de l'Information et de la Communication
Université de Genève | 24 rue Général-Dufour
Tél +41 22 379 72 42 | Bureau 151
https://hpc-community.unige.ch
mailto:luca.cape...@unige.ch
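
Review bot: The pipeline ending in `done | \ java -Xmx64m -jar $JAR -storepass "$storepass"` replaces the hook's own standard input with the output of `find /etc/ssl/certs`, so any "-" lines passed to this script never reach the Java program. The only removals the loop emits are for aliases of files that still exist, and only when `FIXOLD` is set (it is not set anywhere in the visible lines), so a certificate deleted from /etc/ssl/certs gets no removal line and would remain in the keystore. Consider forwarding the incoming stdin as well as the generated "+" lines, or limiting the full scan to the case where stdin is empty. Smaller points in the same loop: `while read filename` should be `while read -r filename`, and `$filename` in `basename $filename .pem` should be quoted, since a path containing whitespace or a backslash would otherwise produce a wrong alias and a wrong "+" entry. The exit status tested by `[ $? -eq 0 ]` is that of `java` only, so a failing `find` goes unnoticed.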