Diffstat (limited to 'meta/recipes-support/ca-certificates')
-rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch | 80 | ||||
-rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch | 20 | ||||
-rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch | 34 | ||||
-rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates_20211016.bb (renamed from meta/recipes-support/ca-certificates/ca-certificates_20210119.bb) | 13 |
4 files changed, 86 insertions, 61 deletions
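--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+certificates."
+
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+debian/changelog | 1 -
+debian/control | 2 +-
+mozilla/certdata2pem.py | 11 -----------
+3 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+- "Trustis FPS Root CA"
+- "Staat der Nederlanden Root CA - G3"
+* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+- * mozilla/certdata2pem.py: print a warning for expired certificates.
+
+-- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
+
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
++++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+Priority: optional
+Maintainer: Julien Cristau <jcristau@debian.org>
+Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
++Build-Depends-Indep: python3, openssl
+Standards-Version: 4.5.0.2
+Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+# USA.
+
+import base64
+-import datetime
+import os.path
+import re
+import sys
+import textwrap
+import io
+
+-from cryptography import x509
+-
+-
+objects = []
+
+# Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+continue
+-
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+- if cert.not_valid_after < datetime.datetime.now():
+- print('!'*74)
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+- print('!'*74)
+-
+bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+.replace(' ', '_')\
+.replace('(', '=')\
+--
+2.20.1
+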
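Review bot: Removing the whole expiry block from mozilla/certdata2pem.py means a trusted-but-expired root now reaches the generated bundle with no build-time signal, and the patch header's "upstream concern, but not ours" does not say how a build from a pinned SRCREV is expected to notice one. If the goal is only to avoid python3-cryptography, a warning based on the openssl tool (for example `openssl x509 -checkend 0` on each emitted certificate) would keep the signal; openssl-native appears in the recipe's dependency lines, though whether it is available at the step that runs this script is not visible here. At minimum the description should record the trade-off, e.g. `Expired roots are no longer reported at build time; we rely on upstream blacklisting them.` The debian/changelog and debian/control hunks look unnecessary for the build and will likely conflict on each upstream bump, so limiting the patch to mozilla/certdata2pem.py would make it easier to carry.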
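--- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Upstream-Status: Pending
-
-Let us alter the install destination of the script via SBINDIR
-
---- ca-certificates-20130119.orig/sbin/Makefile
-+++ ca-certificates-20130119/sbin/Makefile
-@@ -3,9 +3,12 @@
-#
-#
-
-+SBINDIR = /usr/sbin
-+
-all:
-
-clean:
-
-install:
-- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+ install -d $(DESTDIR)$(SBINDIR)
-+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/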
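--- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 30378026d136efa779732e3f6664e2ecf461e458 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Thu, 17 Mar 2016 12:38:09 +0100
-Subject: [PATCH] update-ca-certificates: support Toybox
-
-"mktemp -t" is deprecated and does not work when using Toybox. Replace
-with something that works also with Toybox.
-
-Upstream-Status: Pending
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
-sbin/update-ca-certificates | 6 +++---
-1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 79c41bb..ae9e3f1 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -113,9 +113,9 @@ trap cleanup 0
-
-# Helper files. (Some of them are not simple arrays because we spawn
-# subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
--ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
--REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp -p${TMPDIR:-/tmp} "${CERTBUNDLE}.tmp.XXXXXX")"
-+ADDED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-
-# Adds a certificate to the list of trusted ones. This includes a symlink
-# in /etc/ssl/certs to the certificate file and its inclusion into the
---
-2.1.4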
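--- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
@@ -14,15 +14,14 @@ DEPENDS_class-nativesdk = "openssl-native"
 # Need rehash from openssl and run-parts from debianutils
 PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
 
-SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144"
+SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
 
-SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \
 file://0002-update-ca-certificates-use-SYSROOT.patch \
 file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
-file://update-ca-certificates-support-Toybox.patch \
 file://default-sysroot.patch \
-file://sbindir.patch \
 file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
+file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
 "
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
 
@@ -83,8 +82,8 @@ do_install_append_class-native () {
 SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
 }
 
-RDEPENDS_${PN}_class-target = "openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
-RDEPENDS_${PN}_class-native = "openssl-native"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
 
 BBCLASSEXTEND = "native nativesdk"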
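Review bot: With `file://sbindir.patch` and `file://update-ca-certificates-support-Toybox.patch` dropped from SRC_URI, the recipe relies on the upstream tree at the new SRCREV carrying equivalent changes, and nothing visible on this page says so; both patches were still marked `Upstream-Status: Pending`. The unchanged `${D}${sbindir}/update-ca-certificates` call in do_install_append_class-native presumably depends on upstream's Makefile honouring an SBINDIR override. This deserves one line in the commit message, e.g. `Drop sbindir.patch and update-ca-certificates-support-Toybox.patch: merged upstream.` if that is the case. The RDEPENDS lines also gain `openssl` and `nativesdk-openssl` next to the `-bin` packages without a comment saying what the script needs from them.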