| |
@@ -70,15 +70,15 @@
|
| |
|
| |
# OpenSSL PEM bundle that includes trust flags
|
| |
# (BEGIN TRUSTED CERTIFICATE)
|
| |
- /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
|
| |
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
|
| |
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
|
| |
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
|
| |
- /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
|
| |
- /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
|
| |
+ /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
|
| |
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
|
| |
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
|
| |
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
|
| |
+ /usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
|
| |
+ /usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
|
| |
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
|
| |
# by GnuTLS)
|
| |
- /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
|
| |
+ /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
|
| |
|
| |
# p11-kit extract will have made this directory unwritable; when run with
|
| |
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
|
| |
The main motivation behind this is to allow the p11-kit utilities to
be split into a subpackage (p11-kit-tools). As ca-certificates only
uses "p11-kit extract" command invocation, which can be replaced with
"trust" command, we only need the p11-kit-trust package at
installation time.
Signed-off-by: Daiki Ueno dueno@redhat.com