PR#9: upcate-ca-trust: Use "trust" command instead of "p11-kit extract" - rpms/ca-certificates

rpms / ca-certificates

#9 upcate-ca-trust: Use "trust" command instead of "p11-kit extract"

Opened 3 months ago by ueno. Modified 3 months ago

rpms/ ueno/ca-certificates wip/p11-kit-tools into rawhide

upcate-ca-trust: Use "trust" command instead of "p11-kit extract"

Daiki Ueno • 3 months ago

b6bd008

ca-certificates.spec

file modified

-2

		`@@ -72,9 +72,7 @@`
		`Requires: bash`
		`Requires: grep`
		`Requires: sed`
		`- Requires(post): p11-kit >= 0.23`
		`Requires(post): p11-kit-trust >= 0.23`
		`- Requires: p11-kit >= 0.23`
		`Requires: p11-kit-trust >= 0.23`

		`BuildRequires: perl-interpreter`

update-ca-trust

file modified

+7 -7

		`@@ -70,15 +70,15 @@`

		`# OpenSSL PEM bundle that includes trust flags`
		`# (BEGIN TRUSTED CERTIFICATE)`
		`- /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"`
		`- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"`
		`- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"`
		`- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"`
		`- /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"`
		`- /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"`
		`+ /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"`
		`+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"`
		`+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"`
		`+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"`
		`+ /usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"`
		`+ /usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"`
		`# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and`
		`# by GnuTLS)`
		`- /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"`
		`+ /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"`

		`# p11-kit extract will have made this directory unwritable; when run with`
		`# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may`

ueno commented 3 months ago

The main motivation behind this is to allow the p11-kit utilities to
be split into a subpackage (p11-kit-tools). As ca-certificates only
uses "p11-kit extract" command invocation, which can be replaced with
"trust" command, we only need the p11-kit-trust package at
installation time.

Signed-off-by: Daiki Ueno dueno@redhat.com