From beabc787cacb9b399f19eac39903948154dcce18 Mon Sep 17 00:00:00 2001
From: "Theodore A. Roth" <troth@openavr.org>
Date: Wed, 24 Jul 2024 08:53:19 -0600
Subject: ca-certificates: update 20211016 -> 20240203

The 20240203 version is the same as used in Ubuntu >= 24.04 and Debian
Trixie (testing).

(From OE-Core rev: ce19168885a04b0d77e81c1fd1c4262b195a47d4)

Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...lla-certdata2pem.py-print-a-warning-for-e.patch | 10 +--
 ...ertificates-don-t-use-Debianisms-in-run-p.patch |  6 +-
 .../ca-certificates/ca-certificates_20211016.bb    | 89 ----------------------
 .../ca-certificates/ca-certificates_20240203.bb    | 89 ++++++++++++++++++++++
 4 files changed, 97 insertions(+), 97 deletions(-)
 delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
 create mode 100644 meta/recipes-support/ca-certificates/ca-certificates_20240203.bb

(limited to 'meta')

diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
index 5c4a32f526..78898f5150 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -19,7 +19,7 @@ diff --git a/debian/changelog b/debian/changelog
 index 531e4d0..4006509 100644
 --- a/debian/changelog
 +++ b/debian/changelog
-@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+@@ -120,7 +120,6 @@ ca-certificates (20211004) unstable; urgency=low
      - "Trustis FPS Root CA"
      - "Staat der Nederlanden Root CA - G3"
    * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
@@ -37,9 +37,9 @@ index 4434b7a..5c6ba24 100644
  Build-Depends: debhelper-compat (= 13), po-debconf
 -Build-Depends-Indep: python3, openssl, python3-cryptography
 +Build-Depends-Indep: python3, openssl
- Standards-Version: 4.5.0.2
+ Standards-Version: 4.6.2
+ Rules-Requires-Root: no
  Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
- Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
 diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
 index ede23d4..7d796f1 100644
 --- a/mozilla/certdata2pem.py
@@ -66,8 +66,8 @@ index ede23d4..7d796f1 100644
          if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
              continue
 -
--        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
--        if cert.not_valid_after < datetime.datetime.now():
+-        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+-        if cert.not_valid_after < datetime.datetime.utcnow():
 -            print('!'*74)
 -            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
 -            print('!'*74)
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
index 4a8ae5f4b5..1feefeb96a 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
@@ -21,14 +21,14 @@ Index: git/sbin/update-ca-certificates
 ===================================================================
 --- git.orig/sbin/update-ca-certificates
 +++ git/sbin/update-ca-certificates
-@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ]
+@@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ]
  then
  
    echo "Running hooks in $HOOKSDIR..."
 -  VERBOSE_ARG=
 -  [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
--  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
-+  eval run-parts --test "$HOOKSDIR" | while read hook
+-  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook
++  eval run-parts --test "$HOOKSDIR" | while read -r hook
    do
      ( cat "$ADDED"
        cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
deleted file mode 100644
index 99abe60613..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
+++ /dev/null
@@ -1,89 +0,0 @@
-SUMMARY = "Common CA certificates"
-DESCRIPTION = "This package includes PEM files of CA certificates to allow \
-SSL-based applications to check for the authenticity of SSL connections. \
-This derived from Debian's CA Certificates."
-HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
-SECTION = "misc"
-LICENSE = "GPL-2.0-or-later & MPL-2.0"
-LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e"
-
-# This is needed to ensure we can run the postinst at image creation time
-DEPENDS = ""
-DEPENDS:class-native = "openssl-native"
-DEPENDS:class-nativesdk = "openssl-native"
-# Need rehash from openssl and run-parts from debianutils
-PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
-
-SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
-
-SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \
-           file://0002-update-ca-certificates-use-SYSROOT.patch \
-           file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
-           file://default-sysroot.patch \
-           file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
-           file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
-           "
-UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
-
-S = "${WORKDIR}/git"
-
-inherit allarch
-
-EXTRA_OEMAKE = "\
-    'CERTSDIR=${datadir}/ca-certificates' \
-    'SBINDIR=${sbindir}' \
-"
-
-do_compile:prepend() {
-    oe_runmake clean
-}
-
-do_install () {
-    install -d ${D}${datadir}/ca-certificates \
-               ${D}${sysconfdir}/ssl/certs \
-               ${D}${sysconfdir}/ca-certificates/update.d
-    oe_runmake 'DESTDIR=${D}' install
-
-    install -d ${D}${mandir}/man8
-    install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/
-
-    install -d ${D}${sysconfdir}
-    {
-        echo "# Lines starting with # will be ignored"
-        echo "# Lines starting with ! will remove certificate on next update"
-        echo "#"
-        find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \
-            sed 's,^${D}${datadir}/ca-certificates/,,' | sort
-    } >${D}${sysconfdir}/ca-certificates.conf
-}
-
-do_install:append:class-target () {
-    sed -i -e 's,/etc/,${sysconfdir}/,' \
-           -e 's,/usr/share/,${datadir}/,' \
-           -e 's,/usr/local,${prefix}/local,' \
-        ${D}${sbindir}/update-ca-certificates \
-        ${D}${mandir}/man8/update-ca-certificates.8
-}
-
-pkg_postinst:${PN}:class-target () {
-    SYSROOT="$D" $D${sbindir}/update-ca-certificates
-}
-
-CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf"
-
-# Rather than make a postinst script that works for both target and nativesdk,
-# we just run update-ca-certificate from do_install() for nativesdk.
-CONFFILES:${PN}:append:class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt"
-do_install:append:class-nativesdk () {
-    SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates
-}
-
-do_install:append:class-native () {
-    SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
-}
-
-RDEPENDS:${PN}:append:class-target = " openssl-bin openssl"
-RDEPENDS:${PN}:append:class-native = " openssl-native"
-RDEPENDS:${PN}:append:class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb
new file mode 100644
index 0000000000..b198ea77a9
--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb
@@ -0,0 +1,89 @@
+SUMMARY = "Common CA certificates"
+DESCRIPTION = "This package includes PEM files of CA certificates to allow \
+SSL-based applications to check for the authenticity of SSL connections. \
+This derived from Debian's CA Certificates."
+HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
+SECTION = "misc"
+LICENSE = "GPL-2.0-or-later & MPL-2.0"
+LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e"
+
+# This is needed to ensure we can run the postinst at image creation time
+DEPENDS = ""
+DEPENDS:class-native = "openssl-native"
+DEPENDS:class-nativesdk = "openssl-native"
+# Need rehash from openssl and run-parts from debianutils
+PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
+
+SRCREV = "ee6e0484031314090a11c04ee82689acb73d7ad8"
+
+SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \
+           file://0002-update-ca-certificates-use-SYSROOT.patch \
+           file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
+           file://default-sysroot.patch \
+           file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
+           file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
+           "
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
+
+S = "${WORKDIR}/git"
+
+inherit allarch
+
+EXTRA_OEMAKE = "\
+    'CERTSDIR=${datadir}/ca-certificates' \
+    'SBINDIR=${sbindir}' \
+"
+
+do_compile:prepend() {
+    oe_runmake clean
+}
+
+do_install () {
+    install -d ${D}${datadir}/ca-certificates \
+               ${D}${sysconfdir}/ssl/certs \
+               ${D}${sysconfdir}/ca-certificates/update.d
+    oe_runmake 'DESTDIR=${D}' install
+
+    install -d ${D}${mandir}/man8
+    install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/
+
+    install -d ${D}${sysconfdir}
+    {
+        echo "# Lines starting with # will be ignored"
+        echo "# Lines starting with ! will remove certificate on next update"
+        echo "#"
+        find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \
+            sed 's,^${D}${datadir}/ca-certificates/,,' | sort
+    } >${D}${sysconfdir}/ca-certificates.conf
+}
+
+do_install:append:class-target () {
+    sed -i -e 's,/etc/,${sysconfdir}/,' \
+           -e 's,/usr/share/,${datadir}/,' \
+           -e 's,/usr/local,${prefix}/local,' \
+        ${D}${sbindir}/update-ca-certificates \
+        ${D}${mandir}/man8/update-ca-certificates.8
+}
+
+pkg_postinst:${PN}:class-target () {
+    SYSROOT="$D" $D${sbindir}/update-ca-certificates
+}
+
+CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf"
+
+# Rather than make a postinst script that works for both target and nativesdk,
+# we just run update-ca-certificate from do_install() for nativesdk.
+CONFFILES:${PN}:append:class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt"
+do_install:append:class-nativesdk () {
+    SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates
+}
+
+do_install:append:class-native () {
+    SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
+}
+
+RDEPENDS:${PN}:append:class-target = " openssl-bin openssl"
+RDEPENDS:${PN}:append:class-native = " openssl-native"
+RDEPENDS:${PN}:append:class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
+
+BBCLASSEXTEND = "native nativesdk"
-- 
cgit v1.2.3-54-g00ecf