| -rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch | 80 | ||||
| -rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch | 26 | ||||
| -rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch | 33 | ||||
| -rw-r--r-- | meta/recipes-support/ca-certificates/ca-certificates_20211016.bb (renamed from meta/recipes-support/ca-certificates/ca-certificates_20210119.bb) | 5 |
4 files changed, 82 insertions, 62 deletions
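--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+certificates."
+
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+debian/changelog | 1 -
+debian/control | 2 +-
+mozilla/certdata2pem.py | 11 -----------
+3 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+- "Trustis FPS Root CA"
+- "Staat der Nederlanden Root CA - G3"
+* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+- * mozilla/certdata2pem.py: print a warning for expired certificates.
+
+-- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
+
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
++++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+Priority: optional
+Maintainer: Julien Cristau <jcristau@debian.org>
+Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
++Build-Depends-Indep: python3, openssl
+Standards-Version: 4.5.0.2
+Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+# USA.
+
+import base64
+-import datetime
+import os.path
+import re
+import sys
+import textwrap
+import io
+
+-from cryptography import x509
+-
+-
+objects = []
+
+# Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+continue
+-
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+- if cert.not_valid_after < datetime.datetime.now():
+- print('!'*74)
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+- print('!'*74)
+-
+bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+.replace(' ', '_')\
+.replace('(', '=')\
+--
+2.20.1
+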
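Review bot: Dropping the `cert.not_valid_after < datetime.datetime.now()` check in the `mozilla/certdata2pem.py` hunk leaves the build with no signal when a root that certdata still marks as trusted has expired, and nothing in this commit replaces it. If the only objection is the python3-cryptography dependency, a warning-only pass over the generated PEM files with the openssl tool the recipe already references would give the same visibility, e.g. `openssl x509 -checkend 0 -noout -in "$crt" || echo "expired: $crt"`; where that step would best live in the recipe cannot be judged from the lines shown. Separately, the `debian/changelog` and `debian/control` hunks do not appear to affect the OE build and will likely make this carried patch conflict on the next upgrade, so limiting it to `mozilla/certdata2pem.py` would make it easier to maintain.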
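--- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-sbin/Makefile: Allow the sbin path to be configurable
-
-Some project sharing ca-certificates from Debian allow configuration
-of the installation location. Make the sbin location configurable.
-
-Also ensure the target directory exists
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5]
-
---- ca-certificates-20130119.orig/sbin/Makefile
-+++ ca-certificates-20130119/sbin/Makefile
-@@ -3,9 +3,12 @@
-#
-#
-
-+SBINDIR = /usr/sbin
-+
-all:
-
-clean:
-
-install:
-- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+ install -d $(DESTDIR)$(SBINDIR)
-+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/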
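--- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-update-ca-certificates: Replace deprecated mktemp -t with mktemp --tmpdir
-
-According to coreutils docs, mktemp -t is deprecated, switch to the
---tmpdir option instead.
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5]
-
-[This was originally for compatibility with toybox but toybox now
-supports -t]
----
-sbin/update-ca-certificates | 6 +++---
-1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 79c41bb..ae9e3f1 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -113,9 +113,9 @@ trap cleanup 0
-
-# Helper files. (Some of them are not simple arrays because we spawn
-# subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
--ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
--REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp --tmpdir "${CERTBUNDLE}.tmp.XXXXXX")"
-+ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
-
-# Adds a certificate to the list of trusted ones. This includes a symlink
-# in /etc/ssl/certs to the certificate file and its inclusion into the
---
-2.1.4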
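--- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
@@ -14,15 +14,14 @@ DEPENDS:class-nativesdk = "openssl-native"
 # Need rehash from openssl and run-parts from debianutils
 PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
 
-SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144"
+SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
 
 SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
 file://0002-update-ca-certificates-use-SYSROOT.patch \
 file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
-file://update-ca-certificates-support-Toybox.patch \
 file://default-sysroot.patch \
-file://sbindir.patch \
 file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
+file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
 "
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
 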
