Your message dated Wed, 16 May 2018 21:19:16 +0000
with message-id <[email protected]>
and subject line Bug#898678: fixed in ca-certificates-java 20180516
has caused the Debian Bug report #898678,
regarding ca-certificates-java: convert PKCS12 cacerts keystore to JKS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
898678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898678
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates-java
Version: 20180413
Severity: important
Dear Maintainer,
The fix for bug #894979, which updated ca-certificates-java to generate
JKS keystores by default - instead of OpenJDK 9+'s default of PKCS12 - only
fixes new installs.
Any user already affected by that issue won't benefit from the fix, as
the file /etc/ssl/certs/java/cacerts is at most updated by the
jks-keystore hook. The only way to actually change it from the PKCS12
to the JKS format is to remove the cacerts file and then call
'update-ca-certificates -f' - which is also accomplished by removing and
then reinstalling the ca-certificates-java package.
The attached patch fixes this behavior by:
1) Detecting if a PKCS12 cacert exists
2) Converting it to JKS and saving it to cacerts.dpkg-new
Finally, if, and only if, 'cacerts_updates' is set to 'yes':
3) Moving the old PKCS12 cacerts to a cacerts.dpkg-old and the dpkg-new
into /etc/ssl/certs/java/cacerts.
Additionally, a few other fixes are also addressed in the debdiff:
1) Only set JAVA_HOME if a jvm is found. Previously, if none of the
jvms in the list were found, the last jvm was used - although that
didn't cause any unexpected errors, it was wrong.
2) Avoid generating a jvm.cfg, as openjdk has its own logic for
providing a well defined default jvm.cfg in such scenarios.
3) On Ubuntu it should depend on openjdk-11-jre-headless instead
of openjdk-8.
Please review and consider applying the provided debdiff.
Regards,
Tiago Daitx
-- System Information:
Debian Release: buster/sid
APT prefers cosmic
APT policy: (500, 'cosmic'), (400, 'cosmic-proposed')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-20-lowlatency (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru ca-certificates-java-20180413/debian/changelog
ca-certificates-java-20180413.1/debian/changelog
--- ca-certificates-java-20180413/debian/changelog 2018-04-13
09:15:39.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/changelog 2018-05-14
23:16:43.000000000 -0300
@@ -1,3 +1,18 @@
+ca-certificates-java (20180413.1) unstable; urgency=medium
+
+ [ Tiago Stürmer Daitx ]
+ * debian/jks-keystore.hook.in: Don't create a jvm-*.cfg file, a default file
+ with the right configuration is already supplied by the openjdk packages.
+ * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
+ and update PATH if a known jvm was found.
+ * debian/postinst.in: Detect PKCS12 cacert keystore generated by
+ previous ca-certificates-java and convert them to JKS.
+
+ [ Matthias Klose ]
+ * Explicitly depend on openjdk-11-jre-headless, needed to configure.
+
+ -- Tiago Stürmer Daitx <[email protected]> Tue, 15 May 2018 02:16:43
+0000
+
ca-certificates-java (20180413) unstable; urgency=medium
* Team upload.
diff -Nru ca-certificates-java-20180413/debian/jks-keystore.hook.in
ca-certificates-java-20180413.1/debian/jks-keystore.hook.in
--- ca-certificates-java-20180413/debian/jks-keystore.hook.in 2018-04-13
09:02:14.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/jks-keystore.hook.in 2018-05-14
23:16:43.000000000 -0300
@@ -45,20 +45,12 @@
oracle-java10-jre-$arch oracle-java10-server-jre-$arch
oracle-java10-jdk-$arch \
java-11-openjdk-$arch java-11-openjdk \
oracle-java11-jre-$arch oracle-java11-server-jre-$arch
oracle-java11-jdk-$arch; do
-if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
break
-fi
+ fi
done
-export JAVA_HOME=/usr/lib/jvm/$jvm
-PATH=$JAVA_HOME/bin:$PATH
-
-temp_jvm_cfg=
-if [ ! -f /etc/${jvm%-$arch}/jvm-$arch.cfg ]; then
- # the jre is not yet configured, but jvm.cfg is needed to run it
- temp_jvm_cfg=/etc/${jvm%-$arch}/jvm-$arch.cfg
- mkdir -p /etc/${jvm%-$arch}
- printf -- "-server KNOWN\n" > $temp_jvm_cfg
-fi
if dpkg-query --version >/dev/null; then
nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n
's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
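Review bot: Nothing after the 'done' of the jvm loop checks that a jvm was actually found. With the export moved inside the 'if', a system with none of the listed jvms leaves JAVA_HOME unset and PATH unchanged, so whatever the rest of the hook runs resolves against the caller's PATH or fails with a less obvious error. Consider setting a flag inside the 'if' and, right after 'done', exiting with a clear message when it is empty. Since the temp_jvm_cfg assignment is removed here, also confirm that no later line of the hook still reads $temp_jvm_cfg.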
diff -Nru ca-certificates-java-20180413/debian/postinst.in
ca-certificates-java-20180413.1/debian/postinst.in
--- ca-certificates-java-20180413/debian/postinst.in 2018-04-13
09:03:15.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/postinst.in 2018-05-14
23:16:43.000000000 -0300
@@ -35,12 +35,50 @@
oracle-java10-jre-$arch oracle-java10-server-jre-$arch
oracle-java10-jdk-$arch \
java-11-openjdk-$arch java-11-openjdk \
oracle-java11-jre-$arch oracle-java11-server-jre-$arch
oracle-java11-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- break
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+ break
fi
done
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
+}
+
+check_proc()
+{
+ if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+ fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+ if ! keytool -importkeystore \
+ -srckeystore /etc/ssl/certs/java/cacerts \
+ -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+ -srcstoretype PKCS12 \
+ -deststoretype JKS \
+ -srcstorepass "$storepass" \
+ -deststorepass "$storepass" \
+ -noprompt; then
+ echo "failed to convert PKCS12 keystore to JKS" >&2
+ exit 1
+ fi
+
+ # only update if /etc/default/cacerts allows
+ if [ "$cacerts_updates" = "yes" ]; then
+ mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+ mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+ fi
+}
+
+do_cleanup()
+{
+ [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+ if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
+ then
+ rm -f $nssjdk/libnss3.so
+ fi
}
first_install()
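Review bot: In convert_pkcs12_keystore_to_jks, a cacerts.dpkg-new left over from an earlier run is never removed before keytool -importkeystore, so keytool opens that file as the destination instead of starting from an empty store. The function itself leaves cacerts.dpkg-new behind whenever cacerts_updates is not "yes", and a failed keytool run exits without removing a partial file, so add rm -f /etc/ssl/certs/java/cacerts.dpkg-new ahead of the keytool call. The two mv calls are also not atomic: if the second one fails, /etc/ssl/certs/java/cacerts no longer exists; a cp -f to cacerts.dpkg-old followed by a single mv -f of cacerts.dpkg-new over cacerts closes that window. do_cleanup still tests $temp_jvm_cfg even though the hook no longer creates that file; drop the line if postinst never assigns the variable.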
@@ -74,15 +112,6 @@
echo "done."
}
-do_cleanup()
-{
- [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libnss3.so
- fi
-}
-
case "$1" in
configure)
if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
@@ -91,14 +120,18 @@
cp -f /etc/ssl/certs/java/cacerts
/etc/ssl/certs/java/cacerts.dpkg-old
fi
fi
- if [ -z "$2" -o -n "$FIXOLD" ]; then
- setup_path
- if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs
(/proc)."
- exit 1
- fi
+ setup_path
+ if dpkg --compare-versions "$2" lt "20180413"; then
+ if [ -e /etc/ssl/certs/java/cacerts \
+ -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en
'\xfe\xed\xfe\xed')" ]; then
+ check_proc
+ convert_pkcs12_keystore_to_jks
+ fi
+ fi
+ if [ -z "$2" -o -n "$FIXOLD" ]; then
+ check_proc
trap do_cleanup EXIT
first_install
fi
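Review bot: The guard dpkg --compare-versions "$2" lt "20180413" skips the conversion when upgrading from 20180413 itself, which is the version this report is filed against and whose fix left existing PKCS12 keystores untouched. The bound should be the version that first ships this conversion (for example lt "20180413.1"). Separately, the magic-number test depends on echo -en, which is not portable under /bin/sh: where echo does not accept -e the text is printed literally, the comparison is always unequal, and a keystore that is already JKS is handed to keytool with -srcstoretype PKCS12, which then ends the postinst with exit 1. Comparing the output of od -An -t x1 -N4 against feedfeed avoids passing raw bytes through the shell.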
diff -Nru ca-certificates-java-20180413/debian/rules
ca-certificates-java-20180413.1/debian/rules
--- ca-certificates-java-20180413/debian/rules 2018-04-13 08:54:35.000000000
-0300
+++ ca-certificates-java-20180413.1/debian/rules 2018-05-14
23:16:23.000000000 -0300
@@ -6,7 +6,7 @@
ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.9+ckbi-1.82-0ubuntu3~)" \
- -Vjre:Depends="openjdk-8-jre-headless"
+ -Vjre:Depends="openjdk-11-jre-headless"
nss_lib = libnss3
else
SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.10-2~)" \
--- End Message ---
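An added example, not part of the report or of the package: a portable version of the detection step the report describes (telling a PKCS12 cacerts from a JKS one), reading the leading bytes as hex text with od. The function names and the sample files are assumptions made for illustration; the example goes slightly beyond the patch by reporting JCEKS, missing and unrecognised files separately instead of treating everything that is not JKS as PKCS12.

```shell
#!/bin/sh
# Added example (not from the package): identify a keystore format from its
# first four bytes. Function names and sample data are illustrative.

# keystore_type FILE -> prints jks | jceks | pkcs12 | unknown | missing
keystore_type() {
    f=$1
    [ -s "$f" ] || { echo missing; return 0; }
    # od renders the bytes as hex text, so no raw binary passes through
    # command substitution or a shell-specific echo.
    magic=$(od -An -t x1 -N4 "$f" | tr -d ' \n')
    case $magic in
        feedfeed) echo jks ;;      # JKS magic number 0xFEEDFEED
        cececece) echo jceks ;;    # JCEKS magic number 0xCECECECE
        30*)      echo pkcs12 ;;   # DER SEQUENCE tag: consistent with PKCS12,
                                   # not proof of it (heuristic)
        *)        echo unknown ;;
    esac
}

# Succeeds only when FILE looks like PKCS12, so an empty, truncated or
# already-JKS file is never handed to a PKCS12 -> JKS conversion.
needs_jks_conversion() {
    [ "$(keystore_type "$1")" = pkcs12 ]
}

# Constructed sample files: only the leading bytes are realistic.
demo() {
    d=$(mktemp -d) || return 1
    printf '\376\355\376\355\000\000\000\002' > "$d/jks"
    printf '\060\202\012\140\002\001\003' > "$d/p12"
    : > "$d/empty"
    for name in jks p12 empty; do
        printf '%s: %s\n' "$name" "$(keystore_type "$d/$name")"
    done
    rm -rf "$d"
}

demo
```

In a maintainer script the conversion would be gated on needs_jks_conversion /etc/ssl/certs/java/cacerts, with the unknown case reported rather than converted.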
--- Begin Message ---
Source: ca-certificates-java
Source-Version: 20180516
We believe that the bug you reported is fixed in the latest version of
ca-certificates-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated ca-certificates-java
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 16 May 2018 23:00:38 +0200
Source: ca-certificates-java
Binary: ca-certificates-java
Architecture: source
Version: 20180516
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Description:
ca-certificates-java - Common CA certificates (JKS keystore)
Closes: 898678
Changes:
ca-certificates-java (20180516) unstable; urgency=medium
.
* Team upload.
.
[ Tiago Stürmer Daitx ]
* debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
with the right configuration is already supplied by the openjdk packages.
* debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
and update PATH if a known jvm was found.
* debian/postinst.in: Detect PKCS12 cacert keystore generated by
previous ca-certificates-java and convert them to JKS. (Closes: #898678)
(LP: #1771363)
.
[ Matthias Klose ]
* debian/rules: Explicitly depend on openjdk-11-jre-headless, needed to
configure.
.
[ Emmanuel Bourg ]
* Use salsa.debian.org Vcs-* URLs
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---