This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository ca-certificates-java.
commit 795acfc67528034c27d508a79739acfd930730fa Author: Torsten Werner <[email protected]> Date: Sun Apr 24 22:06:29 2011 +0000 [svn-inject] Installing original source of ca-certificates-java (20100412) --- debian/README.Debian | 15 ++++++ debian/changelog | 105 +++++++++++++++++++++++++++++++++++++ debian/compat | 1 + debian/control | 15 ++++++ debian/copyright | 15 ++++++ debian/default | 10 ++++ debian/jks-keystore.hook | 112 +++++++++++++++++++++++++++++++++++++++ debian/postinst | 133 +++++++++++++++++++++++++++++++++++++++++++++++ debian/postrm | 23 ++++++++ debian/rules | 85 ++++++++++++++++++++++++++++++ debian/source/format | 1 + 11 files changed, 515 insertions(+) diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..0a781fb --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,15 @@ +ca-certificates-java for Debian +------------------------------- + +This package uses the hooks of the ca-certificates package to update the +JKS keystore used for many java runtimes. The alias used to store the +certificate is the basename without the trailing '.crt', with all uppercase +letters translated to lowercase letters, and all repeated non alphanumeric +characters replaced and squeezed by a single `_'. + +Could be part of ca-certificates, if openjdk is in main. + +ca-certificates-java doesn't automagically handle local certificates, +although these are not overwritten on updates. + + -- Matthias Klose <[email protected]> Mon, 02 Jun 2008 14:52:46 +0000 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..f7bdd4b --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,105 @@ +ca-certificates-java (20100412) unstable; urgency=low + + * Upload to unstable. + + -- Matthias Klose <[email protected]> Mon, 12 Apr 2010 03:15:47 +0200 + +ca-certificates-java (20100406ubuntu1) lucid; urgency=low + + * Make the installation and import of certificates more robust, + if the NSS based security provider is disabled or not built. + + -- Matthias Klose <[email protected]> Sun, 11 Apr 2010 20:54:43 +0200 + +ca-certificates-java (20100406) unstable; urgency=low + + * Explicitely fail the installation, if /proc is not mounted. + Currently required by the java tools, changed in OpenJDK7. + Closes: #576453. LP: #556044. + * Print name of JVM in case of errors. + * Set priority to optional, set section to java. Closes: #566855. + * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853. + + -- Matthias Klose <[email protected]> Tue, 06 Apr 2010 21:41:39 +0200 + +ca-certificates-java (20091021) unstable; urgency=low + + * Clarify output for keytool errors (although it shouldnn't be + necessary anymore). Closes: #540490. + + -- Matthias Klose <[email protected]> Wed, 21 Oct 2009 22:00:53 +0200 + +ca-certificates-java (20090928) karmic; urgency=low + + * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with + ca-certificates 20090814. + + -- Matthias Klose <[email protected]> Mon, 28 Sep 2009 16:47:09 +0200 + +ca-certificates-java (20090629) unstable; urgency=low + + * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out + SHA384withECDSA certificates since keytool won't support them. + LP: #392104, closes: #534520. + * Fix typo in hook. Closes: #534533. + * Use java6-runtime-headless as alternative dependency. Closes: #512293. + + -- Matthias Klose <[email protected]> Mon, 29 Jun 2009 11:27:59 +0200 + +ca-certificates-java (20081028) unstable; urgency=low + + * Ignore LANG and LC_ALL setting when running keytool. LP: #289934. 
+ + -- Matthias Klose <[email protected]> Tue, 28 Oct 2008 07:20:16 +0100 + +ca-certificates-java (20081027) unstable; urgency=medium + + * Merge from Ubuntu: + - Don't try to import certificates, which are listed in + /etc/ca-certificates.conf, but not available on the system. + Just warn about those. LP: #289091. + - Need to run keytool, when the jre is unpacked, but not yet configured. + Create a temporary jvm.cfg for the time in that postinst and the + jks-keystore.hook are run, and remove it afterwards. LP: #289199. + + -- Matthias Klose <[email protected]> Mon, 27 Oct 2008 13:58:14 +0100 + +ca-certificates-java (20081024) unstable; urgency=low + + * Install /etc/default/cacerts with mode 600. + + -- Matthias Klose <[email protected]> Fri, 24 Oct 2008 15:10:48 +0200 + +ca-certificates-java (20081022) unstable; urgency=low + + * debian/jks-keystore.hook: + - Don't stop after first error during the update. LP: #244412. + Closes: #489748. + - Call keytool with -noprompt. + * On initial install, add locally added certificates. LP: #244410. + Closes: #489748. + * Install /etc/default/cacerts to set options: + - storepass, holding the password for the keystore. + - updates, to enable/disable updates of the keystore. + * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587. + + -- Matthias Klose <[email protected]> Wed, 22 Oct 2008 20:51:24 +0200 + +ca-certificates-java (20080712) unstable; urgency=low + + * Upload to main. + + -- Matthias Klose <[email protected]> Sat, 12 Jul 2008 12:19:00 +0200 + +ca-certificates-java (20080711) unstable; urgency=low + + * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408. + + -- Matthias Klose <[email protected]> Fri, 11 Jul 2008 20:38:04 +0200 + +ca-certificates-java (20080514) unstable; urgency=low + + * Initial release. + + -- Matthias Klose <[email protected]> Mon, 02 Jun 2008 14:52:46 +0000 + diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..1e8b314 --- /dev/null 
+++ b/debian/compat @@ -0,0 +1 @@ +6 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..a5a5786 --- /dev/null +++ b/debian/control @@ -0,0 +1,15 @@ +Source: ca-certificates-java +Section: java +Priority: optional +Maintainer: OpenJDK Team <[email protected]> +Uploaders: Matthias Klose <[email protected]> +Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) +Standards-Version: 3.8.4 + +Package: ca-certificates-java +Architecture: all +Depends: ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends} +Recommends: libnss3-1d +Description: Common CA certificates (JKS keystore) + This package uses the hooks of the ca-certificates package to update the + cacerts JKS keystore used for many java runtimes. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..6e0de7d --- /dev/null +++ b/debian/copyright @@ -0,0 +1,15 @@ +This package was debianized by Matthias Klose <[email protected]> +on Mon, 02 Jun 2008 14:52:46 +0000. + +Upstream Author: + + Matthias Klose <[email protected]> + +Copyright: + + <Copyright (C) 2008 Canonical Ltd> + +License: + +The Debian package is (C) 2008, Canonical Ltd and +is licensed under the GPL, see `/usr/share/common-licenses/GPL'. diff --git a/debian/default b/debian/default new file mode 100644 index 0000000..d03ec9d --- /dev/null +++ b/debian/default @@ -0,0 +1,10 @@ +# defaults for ca-certificates-java + +# The password which is used to protect the integrity of the keystore. +# storepass must be at least 6 characters long. It must be provided to +# all commands that access the keystore contents. +# Only change this if adding private certificates. +#storepass='' + +# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts +cacerts_updates=yes diff --git a/debian/jks-keystore.hook b/debian/jks-keystore.hook new file mode 100644 index 0000000..37a8e41 --- /dev/null 
+++ b/debian/jks-keystore.hook 
@@ -0,0 +1,112 @@ +#! /bin/sh + +set -e + +storepass='changeit' +if [ -f /etc/default/cacerts ]; then + . /etc/default/cacerts +fi + +KEYSTORE=/etc/ssl/certs/java/cacerts + +echo "" +if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then + echo "updates of cacerts keystore disabled." + exit 0 +fi + +if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 +fi + +for jvm in java-6-openjdk java-6-sun java-6-cacao; do + if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then + break + fi +done +export JAVA_HOME=/usr/lib/jvm/$jvm +PATH=$JAVA_HOME/bin:$PATH + +temp_jvm_cfg= +if [ ! -f /etc/$jvm/jvm.cfg ]; then + # the jre is not yet configured, but jvm.cfg is needed to run it + temp_jvm_cfg=/etc/$jvm/jvm.cfg + mkdir -p /etc/$jvm + printf -- "-server KNOWN\n" > $temp_jvm_cfg +fi + +# read lines of the form: [+-]/etc/ssl/certs/*.pem + +echo "updating keystore $KEYSTORE..." + +errors=0 +log=$(tempfile) +while read line; do + pem=${line#[+-]*} + alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _) + alias=${alias%*_} + LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \ + -storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \ + && exists=yes || exists=no + case "$line" in + +*) + if [ "$exists" = yes ]; then + echo " already exists: ${line#+*}" + else + if LANG=C LC_ALL=C keytool -importcert -trustcacerts \ + -keystore $KEYSTORE -noprompt -storepass "$storepass" \ + -alias "$alias" -file "$pem" > $log 2>&1 + then + echo " added: ${line#+*}" + elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \ + -keystore $KEYSTORE -noprompt -storepass "$storepass" \ + -providerClass sun.security.pkcs11.SunPKCS11 \ + -providerArg '${java.home}/lib/security/nss.cfg' \ + -alias "$alias" -file "$pem" > $log 2>&1 + then + echo " added: ${line#+*} (using NSS provider)" + elif grep -q 'Signature not available' $log; then + echo " ignored import, signature not available: ${line#+*}" + cat $log + else + echo >&2 " error 
adding ${line#+*}" + errors=$(expr $errors + 1) + fi; + fi + ;; + -*) + if [ "$exists" = yes ]; then + if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \ + -noprompt -storepass "$storepass" \ + -alias "$alias" + then + echo " removed ${line#-*}" + elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \ + -noprompt -storepass "$storepass" \ + -providerClass sun.security.pkcs11.SunPKCS11 \ + -providerArg '${java.home}/lib/security/nss.cfg' \ + -alias "$alias" + then + echo " removed ${line#-*} (using NSS provider)" + else + echo >&2 " error removing ${line#+*}" + errors=$(expr $errors + 1) + fi + else + echo " does not exist: ${line#-*}" + fi + ;; + *) + echo >&2 " $0: Unknown line $line" + esac +done +rm -f $log + +[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg + +if [ $errors -gt 0 ]; then + echo >&2 "failed (VM used: $jvm)." + exit 1 +fi +echo "done." diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..5261208 --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,133 @@ +#!/bin/bash + +set -e + +KEYSTORE=/etc/ssl/certs/java/cacerts + +storepass='changeit' +if [ -f /etc/default/cacerts ]; then + . /etc/default/cacerts +fi + +setup_path() +{ + for jvm in java-6-openjdk java-6-sun; do + if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then + break + fi + done + export JAVA_HOME=/usr/lib/jvm/$jvm + PATH=$JAVA_HOME/bin:$PATH +} + +first_install() +{ + cacertdir=/usr/share/ca-certificates + log=$(tempfile) + + # aliases of pregenerated files + pregenerated=$(tempfile) + LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \ + | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \ + | sort > $pregenerated + + grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \ + errors=0 + while read line; do + pem=${line#!*} + alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _) + alias=${alias%*_} + case "$line" in + !*) + # remove untrusted certificate + if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \ + -storepass "$storepass" -alias "$alias" >/dev/null + then + echo " removed untrusted certificate $pem" + else + # not (anymore) in keystore + : + fi;; + *) + # add certificate not yet in keystore + if [ ! -f "$cacertdir/$pem" ]; then + echo >&2 "warning: /etc/ca-certificates.conf lists $pem," + echo >&2 "warning: but $cacertdir/$pem does not exist." + continue + fi + if ! 
grep -q "^${alias}$" $pregenerated; then + if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \ + -noprompt -storepass "$storepass" \ + -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1 + then + echo " added certificate $pem" + elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \ + -providerClass sun.security.pkcs11.SunPKCS11 \ + -providerArg '${java.home}/lib/security/nss.cfg' \ + -noprompt -storepass "$storepass" \ + -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1 + then + echo " added certificate $pem (using NSS provider)" + elif grep -q 'Signature not available' $log; then + echo " ignored import, signature not available: ${line#+*}" + sed -e 's/^/ -> /' $log + else + echo >&2 " error adding ${line#+*}" + errors=$(expr $errors + 1) + fi + fi + esac + done + rm -f $log + rm -f $pregenerated + if [ $errors -gt 0 ]; then + echo >&2 "failed (VM used: $jvm)." + [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg + exit 1 + fi + echo "done." + ) +} + +case "$1" in + configure) + if [ -z "$2" ]; then + setup_path + + if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 + fi + + if [ ! -f /etc/$jvm/jvm.cfg ]; then + # the jre is not yet configured, but jvm.cfg is needed to run it + temp_jvm_cfg=/etc/$jvm/jvm.cfg + mkdir -p /etc/$jvm + printf -- "-server KNOWN\n" > $temp_jvm_cfg + fi + + # on first install, remove certs untrusted by the + # user/admininstrator, add locally added certs + echo "creating $KEYSTORE..." + cp /usr/share/ca-certificates-java/cacerts $KEYSTORE + first_install + + [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg + fi + chmod 600 /etc/default/cacerts || true + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 + + diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 0000000..ebf14c3 --- /dev/null +++ b/debian/postrm 
@@ -0,0 +1,23 @@ +#!/bin/sh + +set -e + +case "$1" in + purge) + rm -f /etc/ca-certificates/update.d/jks-keystore + rm -rf /etc/ssl/certs/java + rmdir /etc/ssl/certs 2>/dev/null || true + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 + + diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..09088be --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,85 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +d = debian/ca-certificates-java + +build: build-stamp +build-stamp: + dh_testdir + rm -rf build + mkdir -p build + set -e; \ + yes | \ + for crt in $$(find /usr/share/ca-certificates -name '*.crt' -printf '%P '); do \ + alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \ + alias=$${alias%*_}; \ + echo "IMPORT: $$crt, alias=$$alias"; \ + if keytool -importcert -trustcacerts -keystore build/cacerts \ + -storepass 'changeit' \ + -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \ + then \ + cat keytool.log; \ + elif keytool -importcert -trustcacerts -keystore build/cacerts \ + -providerClass sun.security.pkcs11.SunPKCS11 \ + -providerArg '$${java.home}/lib/security/nss.cfg' \ + -storepass 'changeit' \ + -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \ + then \ + cat keytool.log; \ + elif grep -q 'Signature not available' keytool.log; then \ + echo "IGNORED IMPORT: $$crt, alias=$$alias"; \ + cat keytool.log; \ + else \ + cat keytool.log; \ + false; \ + fi; \ + done + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + rm -rf build + rm -f keytool.log + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs \ + usr/share/ca-certificates-java \ + etc/default \ + etc/ssl/certs/java \ + etc/ca-certificates/update.d \ + + install -m755 debian/jks-keystore.hook \ + $(d)/etc/ca-certificates/update.d/jks-keystore + install -m644 build/cacerts \ + $(d)/usr/share/ca-certificates-java/ + install -m600 debian/default \ + $(d)/etc/default/cacerts + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs + dh_compress + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. 
+binary-arch: build install +# We have nothing to do by default. + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/ca-certificates-java.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
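Review bot: debian/README.Debian describes the alias as the lowercased, squeezed basename of the .crt file, but it does not say what happens when two certificates in different directories share a basename. In debian/jks-keystore.hook both map to the same alias, so the `keytool -list ... -alias "$alias"` check reports the second one as "already exists" and skips the import, and a `-` line for either file deletes the shared entry. Document this limitation in the README, or derive the alias from more of the path than the basename.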
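Review bot: the storepass comment in debian/default is missing two facts an administrator needs before setting a private value. The file is sourced with `. /etc/default/cacerts` by both jks-keystore.hook and postinst, so everything in it is evaluated as shell by root, and the value is then passed as `-storepass "$storepass"` on the keytool command line, where it is visible in the process list while keytool runs. The mode 600 set in debian/rules and postinst covers only the file itself. Add both points to the comment above `#storepass=''`.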
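Review bot: the `for jvm in java-6-openjdk java-6-sun java-6-cacao` loop in debian/jks-keystore.hook has no check for the case where none of the three keytool binaries exists. The loop then ends with jvm=java-6-cacao, JAVA_HOME points at that directory, a temporary /etc/$jvm/jvm.cfg may be created for it, and keytool is resolved from whatever else is on PATH or not at all, which undoes the changelog's "Only use the keytool command from OpenJDK or Sun Java". Record whether the loop reached its `break` and exit with a clear error if it did not. Separately, the removal error branch prints `${line#+*}` although the line starts with `-`; it should be `${line#-*}` like the neighbouring messages.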
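Review bot: debian/postinst never initialises temp_jvm_cfg, unlike the hook, which sets `temp_jvm_cfg=` before use. In the configure branch, when /etc/$jvm/jvm.cfg already exists, `[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg` acts on whatever value was inherited from the environment. Set the variable to empty before the `if [ ! -f /etc/$jvm/jvm.cfg ]` test. In first_install, the "ignored import" and "error adding" messages use `${line#+*}`, but lines read from /etc/ca-certificates.conf carry a `!` or no prefix; print `$pem` as the other messages in that function do. setup_path also has the same missing "no keytool found" check as the hook, with a shorter JVM list (no java-6-cacao).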
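Review bot: the build-stamp target in debian/rules imports every file matched by `find /usr/share/ca-certificates -name '*.crt'` on the build host, so the shipped build/cacerts contains whatever is installed under that directory at build time, not only what the ca-certificates build dependency provides. Certificates that hit "Signature not available" are left out with only an "IGNORED IMPORT" line in the build output. Consider restricting the import to the files shipped by the ca-certificates package and printing the final alias list (for example with `keytool -list`) so the keystore content can be checked against the build log. The loop also answers keytool's trust prompt with `yes |` where the hook and postinst pass `-noprompt`; using `-noprompt` here would be consistent.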

