summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/ca-certificates
Commit message (Collapse)AuthorAgeFilesLines
* ca-certificates: avoid using += with an over-rideAndre McCurdy2018-07-061-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using += with an over-ride can be a source of confusion so try to avoid the construct in core recipes. In this case, the commit which added the over-ride seems to have been buggy - the commit message mentions "add to SYSROOT_DIRS" rather than a correct description of what the change actually did, ie "over-ride SYSROOT_DIRS": http://git.openembedded.org/openembedded-core/commit/?id=355e49e19abb3e729c82a6de46ada8da8a257f58 The commit also appears to have been unnecessary as ${sysconfdir} is appended to SYSROOT_DIRS for -native recipes by default from within staging.bbclass. To workaround the bug introduced by the first commit, a subsequent commit later added ${datadir}/ca-certificates to the over-ride value (which would not normally be necessary as ${datadir} is included in the default value of SYSROOT_DIRS - ie the value which was lost due to being over-ridden): http://git.openembedded.org/openembedded-core/commit/?id=09bb7718d74573be9a5db4d0737fb14126f6489c Therefore the fix seem to be to remove the SYSROOT_DIRS over-ride entirely - the default value of SYSROOT_DIRS set by staging.bbclass includes both ${datadir} and ${sysconfdir} when building for -native. (From OE-Core rev: c1f18efda0280644b4a4ce6f2988fb7ada71faf6) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: use relative symlinks from $ETCCERTSDIRAndré Draszik2018-03-312-2/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | update-ca-certificates symlinks (trusted) certificates from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR. update-ca-certificates can call hook scripts installed into /etc/ca-certificates/update.d. Those scripts are passed the pem file in /etc/ssl/certs/ that was added or removed in this run and those pem files are absolute symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment. When running update-ca-certificates during image build time, they thusly all point into the host's file system, not into the $SYSROOT. This means: * the host's file system layout must match the one produced by OE, and * it also means that the host must have installed the same (or more) certificates as the target in $CERTSDIR and $LOCALCERTSDIR This is a problem when wanting to execute hook scripts, because they all need to be taught about $SYSROOT, and behave differently depending on whether they're called at image build time, or on the target, as otherwise they will be trying to actually read the host's certificates from $CERTSDIR or $LOCALCERTSDIR. This also is a problem when running anything else during image build time that depends on the trusted CA certificates. Changing the symlink to be relative solves all of these problems. At the same time, we have to make sure to add $CERTSDIR to SYSROOT_DIRS, so that the symlinks are still valid when somebody DEPENDS on ca-certificates-native. As a side-effect, this also fixes a problem in meta-java, where some recipes (e.g. openjdk-8-native) try to access certificates from $CERTSDIR to generate the java trustStore at build time. Do so. Upstream-Status: Inappropriate [OE-specific] (From OE-Core rev: 09bb7718d74573be9a5db4d0737fb14126f6489c) Signed-off-by: André Draszik <andre.draszik@jci.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: change SRC_URI from Debian anonscm to salsaMikko Rapeli2018-03-281-1/+1
| | | | | | | | | | | | | | | Debian anonscm service in Alioth is shutdown and thus fetching ca-certificates sources fails. https://wiki.debian.org/Alioth "Alioth is broken, and there is nobody around to fix it. Don't ask the remaining people who give it life support to implement fixes and changes. It is being replaced by a cocktail of ?GitLab (see Salsa), read-only repos and keep-alive mechanisms. See below for more information." (From OE-Core rev: fc20ff2003cee7ee3b78ba3bc236a60a8caabc35) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: run postinst script only for -target packageAlexander Kanavin2018-03-201-2/+3
| | | | | | | | | | | | | | Nativesdk package has a special arrangement where the same thing is done in do_install(). It was assumed (in the comment) that postinsts don't run when installing nativesdk packages, but this was incorrect: they are run, but any failures were previously silently ignored. Now this missing failure reporting has been fixed, and so we get to see the failures. (From OE-Core rev: 8ebb695c1429f8d57d655072a362a4f176258699) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Add /etc to SYSROOT_DIRSPatrick Vacek2017-11-301-0/+1
| | | | | | | | | | | | For recipes that depend on native ca-certificates.crt, /etc should be added to the list of directories that automatically populate the sysroot, otherwise the file may not be there. (From OE-Core rev: 355e49e19abb3e729c82a6de46ada8da8a257f58) Signed-off-by: Patrick Vacek <patrick@advancedtelematic.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: update to 20170717Alexander Kanavin2017-08-311-2/+1
| | | | | | | | | | | | | This is actually the same version as previously; upstream didn't have a tag for it before and now it does, so we can reduce confusion. The SRCREV change is due to a few added commits which modify upstream's debian packaging (not used by us). (From OE-Core rev: 8359730165908025b0762eaa25569e2fdcd9d086) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Fix postinst dependency issuesRichard Purdie2017-08-251-5/+6
| | | | | | | | | | | | | | | | We were relying on running ca-certificates from the -native version. This meant the host and target path layouts had to match which might not be true, it certainly isn't true for the sdk builds. There was a dependency on run-parts which wasn't represented (we can get it from busybox or debianutils). Since this is an allarch script, call the script directly, making sure debianutils and openssl are available as postinst rootfs time to resolve the issues. (From OE-Core rev: d9575e05f2cb8bf293534c036ddc0d0336701256) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: update to 20170717Alexander Kanavin2017-08-131-1/+2
| | | | | | | | | | Upstream lacks a tag for this release, so make it a PR bump. (From OE-Core rev: 0b0a716b243491f026cb7b15e8f546325d6fa760) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: do not append to BBCLASSEXTENDMing Liu2017-03-101-1/+1
| | | | | | | | | | | Replace some "+=/=+" with "=" when setting BBCLASSEXTEND, they are redundant and inconsistent with the same setting in other recipes. (From OE-Core rev: 09266d6c91acd8ba4df6e8242aa44d9ba41e9cee) Signed-off-by: Ming Liu <peter.x.liu@external.atlascopco.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Add PACKAGE_WRITE_DEPS for postinstRichard Purdie2017-01-201-0/+1
| | | | | | | | The postinstall needs ca-certificates-native, mark the dependency (From OE-Core rev: 723a924adf0661167690987acfc4213803ec3305) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: update to 20161130Alexander Kanavin2016-12-171-1/+1
| | | | | | | | | | (From OE-Core rev: 81fa46071060920972f3dd1fe17c8dbada0c63b0) (From OE-Core rev: 1c665f441a70cde8450544614d78fbb3bf1664c7) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: upgrade to 20161102Alexander Kanavin2016-11-301-1/+1
| | | | | | | | (From OE-Core rev: cc47bec99794c1ac7ad3cb16c3c087f659f10d7f) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: remove -- separatorMaciej Borzecki2016-08-101-1/+5
| | | | | | | | | | | Options and directory separator -- slipped past the patch removing Debianims, thus resulting in failures on hosts running Fedora. (From OE-Core rev: a8431689983f5860173548acd899e6806906e4d1) Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: add dependency for native/nativesdk on openssl-nativePaul Eggleton2016-06-031-1/+2
| | | | | | | | | | | | When running update-ca-certificates on the build host, as we do during do_install for ca-certificates-native (and nativesdk-ca-certificates), as of OE-Core commit cea46e7b8d9463306779301fa97f651d750f380f we now need openssl-native so it can run c_rehash. (From OE-Core rev: 523c99a2f12c20ce7bfa7755609f2c860dda6717) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Add openssl as a runtime dependencyOtavio Salvador2016-05-301-0/+2
| | | | | | | | | | | | The update-ca-certificates script uses the c_rehash utility which is installed by openssl. Add openssl as a runtime dependency to fulfill the utility requirement. (From OE-Core rev: a90ba07812444ebac93cd535d11dd54994897bfd) Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Use c_rehash utilityOtavio Salvador2016-05-252-47/+0
| | | | | | | | | | As now the c_rehash utility is available, we can use it. This removes the patch to disable its usage allowing for a standard SSL behaviour. (From OE-Core rev: cea46e7b8d9463306779301fa97f651d750f380f) Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: support ToyboxPatrick Ohly2016-04-182-0/+35
| | | | | | | | | | | "mktemp -t" is deprecated and does not work when using Toybox. Replace with something that works also with Toybox. (From OE-Core rev: 8d47d075ca02612fe16e403be1aa2079edc3ef5f) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: update to 20160104Alexander Kanavin2016-01-151-3/+2
| | | | | | | | | LICENSE checksum changed due to an updated file listing in debian/copyright (From OE-Core rev: 1b9e9e5086998fdd0ef92e300148234cd99c5f42) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Update 20141019 -> 20150426Khem Raj2015-08-104-49/+37
| | | | | | | | | | Older SRCREV was not fetchable which triggered this upgrade Change-Id: I85d028294ff0018f4c81c6bb81ae262b18af7a87 (From OE-Core rev: 39c759cd43f4e4371ef9654bf4d821436a5eaebf) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: remove Debianism in run-parts invocationRoss Burton2015-07-082-0/+34
| | | | | | | | | | | | | | ca-certificates comes from Debian but not all distros (i.e. Fedora) have a leaner run-parts that doesn't support the -- separator between options and paths, which causes this error: | Running hooks in [...]/rootfs/etc/ca-certificates/update.d... | [...]/usr/sbin/update-ca-certificates: line 194: Not: command not found (From OE-Core rev: db2116e7a06c6a35d1d24d9f28ec60926d59b9d7) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: clean up before do_compile()Andreas Oberritter2015-03-251-0/+4
| | | | | | | | | | Otherwise the script which converts mozilla certificates extracts each certificate twice. (From OE-Core rev: 3aae6a3c2786713115451f6b6fe151ba69369c1d) Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Upgrade to 20141019 (git based)Saul Wold2015-02-083-244/+10
| | | | | | | | | | | Rebase default-sysroot patch Remove backported Mozilla certdata patch License has not changed, just wording. (From OE-Core rev: 33222af134c465791ed84eccd61bbc2b69ad81f1) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Update to 20140325Saul Wold2014-06-252-3/+233
| | | | | | | | | | | | | | Changes to debian/copyright: Update to "Copyright: Mozilla Contributors" for mozilla/{certdata.txt,nssckbi.h} Backported on additional patch from ca-certificates tree [YOCTO #6454] (From OE-Core rev: 3af33d60f03afb19543247b5350137ff3a7ee7e0) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: generate CAfile for -native in do_installKoen Kooi2014-05-131-0/+4
| | | | | | | | | | | | | | | | | | | | Git-replacement-native needs the generated files in place for https:// URIs: WARNING: Failed to fetch URL git://github.com/kernelslacker/trinity.git;protocol=https, attempting MIRRORS if available ERROR: Fetcher failure: Fetch command failed with exit code 128, output: Cloning into bare repository '/build/linaro/build/build/downloads/git2/github.com.kernelslacker.trinity.git'... fatal: unable to access 'https://github.com/kernelslacker/trinity.git/': error setting certificate verify locations: CAfile: /build/linaro/build/build/tmp-eglibc/sysroots/x86_64-linux/etc/ssl/certs/ca-certificates.crt CApath: none ERROR: Function failed: Fetcher failure for URL: 'git://github.com/kernelslacker/trinity.git;protocol=https'. Unable to fetch URL from any source. ERROR: Logfile of failure stored in: /build/linaro/build/build/tmp-eglibc/work/aarch64-oe-linux/trinity/1.3-r0/temp/log.do_fetch.7843 ERROR: Task 1378 (/build/linaro/build/meta-linaro/meta-linaro/recipes-extra/trinity/trinity_1.3.bb, do_fetch) failed with exit code '1' (From OE-Core rev: 74a772727cbf4d76d2ef314041acafb3086e4ff9) Signed-off-by: Koen Kooi <koen.kooi@linaro.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: Clarify in Description that certs are Debian basedSaul Wold2013-10-181-1/+2
| | | | | | | (From OE-Core rev: f1d0b7fb15833b149b6999f4021e688212c1b6ce) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nativesdk-ca-certificates: prepopulate ca-certificates.crtChristopher Larson2013-08-261-0/+6
| | | | | | | | | | | As postinsts aren't run for nativesdk packages when populating an SDK, we need to prepopulate up-front. (From OE-Core rev: 09e768b68b3605e897d422c9c7b3815f3b994d31) Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ca-certificates: add recipe (version 20130610)Christopher Larson2013-08-265-0/+239
We need this for certain nativesdk recipes, as we can't rely on the certificate path or bundle path being the same across distros, and it's useful in many cases on the target as well. This is based on the 20130119 recipe from meta-oe, with the following changes: - use the debian git repository to avoid vanishing sources - obey our target paths - default to a sysroot relative to the script location (make relocatable) - define SUMMARY - don't inherit autotools, this isn't an autotools package - add MPL-2.0 to LICENSE, as that's the license of the certdata - install the script man page - use a native rather than cross recipe, as it's not bound in any way to the target system - add nativesdk to bbclassextend, for use in SDKs (From OE-Core rev: ad2851cf0abc2ab35e0f60c96d3142c29a07c8fc) Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>