From 890c360c55230ab8ee711e7498e66019643becaa Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Mon, 12 May 2025 17:02:50 +0800 Subject: ca-certificates: upgrade 20241223 -> 20250419 0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch 0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch refreshed for 20250419 0002-sbin-update-ca-certificates-add-a-sysroot-option.patch removed since it's included in 20250419 (From OE-Core rev: e39cc1fb7234bf2b37856296d3c0d10ddf8cae64) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- ...lla-certdata2pem.py-print-a-warning-for-e.patch | 6 +- ...ertificates-don-t-use-Debianisms-in-run-p.patch | 6 +- ...date-ca-certificates-add-a-sysroot-option.patch | 36 ---------- .../ca-certificates/ca-certificates_20241223.bb | 84 ---------------------- .../ca-certificates/ca-certificates_20250419.bb | 83 +++++++++++++++++++++ 5 files changed, 89 insertions(+), 126 deletions(-) delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates_20241223.bb create mode 100644 meta/recipes-support/ca-certificates/ca-certificates_20250419.bb diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch index da2a247e51..1226508c98 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -1,4 +1,4 @@ -From 630736f427c0a1bd0be0b5a2f6d51d63b2c4c9fd Mon Sep 17 00:00:00 2001 +From 743774cd53ed1c45bb660eddacf6dadb5ee3e145 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Mon, 18 Oct 2021 12:05:49 +0200 Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired @@ -16,10 +16,10 @@ Signed-off-by: Alexander Kanavin 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/debian/changelog b/debian/changelog -index 52d41ca..bdb2c8a 100644 +index dbe3e9c..496e05d 100644 --- a/debian/changelog +++ b/debian/changelog -@@ -138,7 +138,6 @@ ca-certificates (20211004) unstable; urgency=low +@@ -156,7 +156,6 @@ ca-certificates (20211004) unstable; urgency=low - "Trustis FPS Root CA" - "Staat der Nederlanden Root CA - G3" * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch index cad30929f5..1a29da756f 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch @@ -1,4 +1,4 @@ -From 348163df412e53b1b7ec3e81ae5f22caa0227c37 Mon Sep 17 00:00:00 2001 +From 63086d41f76b1c3357e23c6509df72d3f75af20c Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Mon, 6 Jul 2015 15:19:41 +0100 Subject: [PATCH] ca-certificates: remove Debianism in run-parts invocation @@ -22,10 +22,10 @@ Signed-off-by: Maciej Borzecki 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 36cdd9a..2d3e1fe 100755 +index 91d8024..1e737b9 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates -@@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ] +@@ -210,9 +210,7 @@ if [ -d "$HOOKSDIR" ] then echo "Running hooks in $HOOKSDIR..." diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch b/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch deleted file mode 100644 index ba5bb69657..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d6bb773745c2e95fd1a414e916fbed64e0d8df66 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Mon, 31 Mar 2025 17:42:25 +0200 -Subject: [PATCH] sbin/update-ca-certificates: add a --sysroot option - -This allows using the script in cross-compilation environments -where the script needs to prefix the sysroot to every other -directory it operates on. There are individual options -to set those directories, but using a common prefix option -instead is a lot less clutter and more robust. - -Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/13] -Signed-off-by: Alexander Kanavin ---- - sbin/update-ca-certificates | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 4bb77a0..1e737b9 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -59,6 +59,14 @@ do - --hooksdir) - shift - HOOKSDIR="$1";; -+ --sysroot) -+ shift -+ SYSROOT="$1" -+ CERTSCONF="$1/${CERTSCONF}" -+ CERTSDIR="$1/${CERTSDIR}" -+ LOCALCERTSDIR="$1/${LOCALCERTSDIR}" -+ ETCCERTSDIR="$1/${ETCCERTSDIR}" -+ HOOKSDIR="$1/${HOOKSDIR}";; - --help|-h|*) - echo "$0: [--verbose] [--fresh]" - exit;; diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb deleted file mode 100644 index 676e9e0c78..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb +++ /dev/null @@ -1,84 +0,0 @@ -SUMMARY = "Common CA certificates" -DESCRIPTION = "This package includes PEM files of CA certificates to allow \ -SSL-based applications to check for the authenticity of SSL connections. \ -This derived from Debian's CA Certificates." -HOMEPAGE = "http://packages.debian.org/sid/ca-certificates" -SECTION = "misc" -LICENSE = "GPL-2.0-or-later & MPL-2.0" -LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e" - -# This is needed to ensure we can run the postinst at image creation time -DEPENDS = "" -DEPENDS:class-native = "openssl-native" -DEPENDS:class-nativesdk = "openssl-native" -# Need rehash from openssl and run-parts from debianutils -PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" - -SRC_URI[sha256sum] = "dd8286d0a9dd35c756fea5f1df3fed1510fb891f376903891b003cd9b1ad7e03" -SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ - file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ - file://0002-sbin-update-ca-certificates-add-a-sysroot-option.patch \ - file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ - file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ - " -S = "${WORKDIR}/ca-certificates" -inherit allarch - -EXTRA_OEMAKE = "\ - 'CERTSDIR=${datadir}/ca-certificates' \ - 'SBINDIR=${sbindir}' \ -" - -do_compile:prepend() { - oe_runmake clean -} - -do_install () { - install -d ${D}${datadir}/ca-certificates \ - ${D}${sysconfdir}/ssl/certs \ - ${D}${sysconfdir}/ca-certificates/update.d - oe_runmake 'DESTDIR=${D}' install - - install -d ${D}${mandir}/man8 - install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/ - - install -d ${D}${sysconfdir} - { - echo "# Lines starting with # will be ignored" - echo "# Lines starting with ! will remove certificate on next update" - echo "#" - find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \ - sed 's,^${D}${datadir}/ca-certificates/,,' | sort - } >${D}${sysconfdir}/ca-certificates.conf -} - -do_install:append:class-target () { - sed -i -e 's,/etc/,${sysconfdir}/,' \ - -e 's,/usr/share/,${datadir}/,' \ - -e 's,/usr/local,${prefix}/local,' \ - ${D}${sbindir}/update-ca-certificates \ - ${D}${mandir}/man8/update-ca-certificates.8 -} - -pkg_postinst:${PN}:class-target () { - $D${sbindir}/update-ca-certificates --sysroot $D -} - -CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf" - -# Rather than make a postinst script that works for both target and nativesdk, -# we just run update-ca-certificate from do_install() for nativesdk. -CONFFILES:${PN}:append:class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt" -do_install:append:class-nativesdk () { - ${D}${sbindir}/update-ca-certificates --sysroot ${D}${SDKPATHNATIVE} -} - -do_install:append:class-native () { - ${D}${sbindir}/update-ca-certificates --sysroot ${D}${base_prefix} -} - -RDEPENDS:${PN}:append:class-target = " openssl-bin openssl" -RDEPENDS:${PN}:append:class-native = " openssl-native" -RDEPENDS:${PN}:append:class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb b/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb new file mode 100644 index 0000000000..f06a30bd6d --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb @@ -0,0 +1,83 @@ +SUMMARY = "Common CA certificates" +DESCRIPTION = "This package includes PEM files of CA certificates to allow \ +SSL-based applications to check for the authenticity of SSL connections. \ +This derived from Debian's CA Certificates." +HOMEPAGE = "http://packages.debian.org/sid/ca-certificates" +SECTION = "misc" +LICENSE = "GPL-2.0-or-later & MPL-2.0" +LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e" + +# This is needed to ensure we can run the postinst at image creation time +DEPENDS = "" +DEPENDS:class-native = "openssl-native" +DEPENDS:class-nativesdk = "openssl-native" +# Need rehash from openssl and run-parts from debianutils +PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" + +SRC_URI[sha256sum] = "33b44ef78653ecd3f0f2f13e5bba6be466be2e7da72182f737912b81798ba5d2" +SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ + file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ + file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ + file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ + " +S = "${WORKDIR}/ca-certificates" +inherit allarch + +EXTRA_OEMAKE = "\ + 'CERTSDIR=${datadir}/ca-certificates' \ + 'SBINDIR=${sbindir}' \ +" + +do_compile:prepend() { + oe_runmake clean +} + +do_install () { + install -d ${D}${datadir}/ca-certificates \ + ${D}${sysconfdir}/ssl/certs \ + ${D}${sysconfdir}/ca-certificates/update.d + oe_runmake 'DESTDIR=${D}' install + + install -d ${D}${mandir}/man8 + install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/ + + install -d ${D}${sysconfdir} + { + echo "# Lines starting with # will be ignored" + echo "# Lines starting with ! will remove certificate on next update" + echo "#" + find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \ + sed 's,^${D}${datadir}/ca-certificates/,,' | sort + } >${D}${sysconfdir}/ca-certificates.conf +} + +do_install:append:class-target () { + sed -i -e 's,/etc/,${sysconfdir}/,' \ + -e 's,/usr/share/,${datadir}/,' \ + -e 's,/usr/local,${prefix}/local,' \ + ${D}${sbindir}/update-ca-certificates \ + ${D}${mandir}/man8/update-ca-certificates.8 +} + +pkg_postinst:${PN}:class-target () { + $D${sbindir}/update-ca-certificates --sysroot $D +} + +CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf" + +# Rather than make a postinst script that works for both target and nativesdk, +# we just run update-ca-certificate from do_install() for nativesdk. +CONFFILES:${PN}:append:class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt" +do_install:append:class-nativesdk () { + ${D}${sbindir}/update-ca-certificates --sysroot ${D}${SDKPATHNATIVE} +} + +do_install:append:class-native () { + ${D}${sbindir}/update-ca-certificates --sysroot ${D}${base_prefix} +} + +RDEPENDS:${PN}:append:class-target = " openssl-bin openssl" +RDEPENDS:${PN}:append:class-native = " openssl-native" +RDEPENDS:${PN}:append:class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3-54-g00ecf