diff --git a/TODO.ELEMENTS b/TODO.ELEMENTS
index 85a23622e..c0d49f5f6 100644
--- a/TODO.ELEMENTS
+++ b/TODO.ELEMENTS
@@ -69,8 +69,6 @@ components/gc.yml: check patch
 components/openjdk.yml: fix update url
 components/nvidia-settings.yml: check patch
 components/udisks.yml: check update url
-components/make-ca.yml: fix certdata.txt file
-components/make-ca.yml: do we need this after ca-certificates
 components/openjdk-bin.yml: fix update url
 components/openldap.yml: fix post-script and configurations
 components/apr-util.yml: fix update url
diff --git a/elements/collections/core.yml b/elements/collections/core.yml
index 64ceb3fcc..ffe7e7c8c 100644
--- a/elements/collections/core.yml
+++ b/elements/collections/core.yml
@@ -3,7 +3,7 @@ merge: [version.yml, elements/include/meta.yml]
 depends:
   - components/busybox.yml
-  - components/ca-certificates.yml
+  - components/make-ca.yml
   - components/coreutils.yml
   - components/dbus.yml
   - components/diffutils.yml
diff --git a/elements/components/ca-certificates.yml b/elements/components/ca-certificates.yml
deleted file mode 100644
index a21143c2a..000000000
--- a/elements/components/ca-certificates.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: ca-certificates
-version: 2023-08-22
-about: |
-  CA Root certificates bundle from Mozilla
-
-sources:
-  - https://curl.se/ca/cacert-%{version}.pem
-
-script: |
-  install -D -m 644 %{build-root}/cacert-%{version}.pem \ %{install-root}/%{sysconfdir}/ssl/cert.pem
-  install -d %{install-root}/%{sysconfdir}/ssl/certs
-  ln -s /etc/ssl/cert.pem %{install-root}/%{sysconfdir}/ssl/certs/ca-certificates.crt
-  ln -s /etc/ssl/cert.pem %{install-root}/%{sysconfdir}/ssl/ca-bundle.crt
diff --git a/elements/components/core.yml b/elements/components/core.yml
index b03096ede..cdf585ee9 100644
--- a/elements/components/core.yml
+++ b/elements/components/core.yml
@@ -8,7 +8,7 @@ script: |
 depends:
   - components/busybox.yml
-  - components/ca-certificates.yml
+  - components/make-ca.yml
   - components/coreutils.yml
   - components/dbus.yml
   - components/diffutils.yml
diff --git a/elements/components/curl.yml b/elements/components/curl.yml
index f2113998a..973759011 100644
--- a/elements/components/curl.yml
+++ b/elements/components/curl.yml
@@ -7,8 +7,7 @@ sources:
 build-type: autotools
 depends:
   - components/glibc.yml
-  - components/ca-certificates.yml
 configure: >-
   --enable-threaded-resolver
-  --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
+  --with-ca-path=/etc/ssl/certs
   --with-openssl
diff --git a/elements/components/gnutls.yml b/elements/components/gnutls.yml
index 5098a303d..6991c8df7 100644
--- a/elements/components/gnutls.yml
+++ b/elements/components/gnutls.yml
@@ -5,9 +5,7 @@ about:
   transport layer
 configure: >-
-  --disable-guile
-  --disable-rpath
-  --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
+  --with-default-trust-store-pkcs11="pkcs11:"
 depends:
   - components/nettle.yml
diff --git a/elements/components/make-ca.yml b/elements/components/make-ca.yml
index d371dba84..d58bd7d3e 100644
--- a/elements/components/make-ca.yml
+++ b/elements/components/make-ca.yml
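Review bot: `--with-ca-path=/etc/ssl/certs` makes curl verify against a hashed certificate directory, but nothing in this diff creates or populates `/etc/ssl/certs` once the ca-certificates element that installed it is deleted, and the runtime CA dependency is dropped from `depends` rather than replaced with `- components/make-ca.yml`. The mercurial hunk points at `%{sysconfdir}/pki/tls/certs/ca-bundle.crt` as the bundle make-ca produces, so unless make-ca also populates `/etc/ssl/certs` (not visible here) curl's TLS verification would fail closed for every host. Consider `--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt` to match mercurial, and keep a `- components/make-ca.yml` entry in `depends`. The same dropped-without-replacement dependency appears in the wget, mono and rustc hunks; for rustc it is a `build-depends`, presumably needed for downloads during the build, so that one is worth checking first.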
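Review bot: `--disable-guile` and `--disable-rpath` are dropped in the same hunk as the trust-store change, which is unrelated to moving to the p11-kit trust store; if re-enabling the guile bindings and rpath in the installed libraries is intended the commit should say so, otherwise restore those two lines. `--with-default-trust-store-pkcs11="pkcs11:"` resolves trust through p11-kit at runtime, so gnutls now needs p11-kit and a populated anchor store as runtime dependencies; only `components/nettle.yml` is visible in `depends` and the list continues outside the hunk, so please confirm `components/p11-kit.yml` is listed. The double quotes inside the folded scalar are passed to whatever runs configure; that is fine if the value is shell-evaluated, but they become part of the argument if it is passed literally.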
@@ -1,15 +1,20 @@
 id: make-ca
-version: "1.7"
+version: 1.13
 about: MakeCA
-release: 0
+
 depends:
   - components/p11-kit.yml
   - components/nss.yml
 sources:
-  - https://github.com/djlucas/make-ca/releases/download/v1.7/make-ca-1.7.tar.xz
+  - https://github.com/lfs-book/make-ca/releases/download/v%{version}/make-ca-%{version}.tar.xz
+
 script: |-
-  # install -v -D -m 0644 /files/certdata.txt -t %{install-root}%{sysconfdir}/ssl/
-  make install LIBEXECDIR=/usr/lib SBINDIR=/usr/bin DESTDIR=%{install-root}
+  make install LIBEXECDIR=%{libdir}/make-ca SBINDIR=%{bindir} DESTDIR=%{install-root}
+
+  install -vDm 0754 /dev/stdin %{install-root}%{sysconfdir}/cron.weekly/update-pki.sh << "EOF"
+  #!/bin/bash
+  %{bindir}/make-ca -g
+  EOF
-# TODO: fix certdata.txt file
-# TODO: do we need this after ca-certificates
+integration: |-
+  make-ca -g
\ No newline at end of file
diff --git a/elements/components/mercurial.yml b/elements/components/mercurial.yml
index 9fe4ae83e..a008d4871 100644
--- a/elements/components/mercurial.yml
+++ b/elements/components/mercurial.yml
@@ -26,5 +26,5 @@ script: |-
   install -m 755 -d %{install-root}%{sysconfdir}/mercurial
   cat <<-EOF > %{install-root}%{sysconfdir}/mercurial/hgrc
   [web]
-  cacerts = %{sysconfdir}/ssl/certs/ca-certificates.crt
+  cacerts = %{sysconfdir}/pki/tls/certs/ca-bundle.crt
   EOF
diff --git a/elements/components/mono.yml b/elements/components/mono.yml
index d18c12425..eb9283e07 100644
--- a/elements/components/mono.yml
+++ b/elements/components/mono.yml
@@ -3,7 +3,6 @@ version: 6.12.0.205
 about: Free implementation of the .NET platform including runtime and compiler
 depends:
-  - components/ca-certificates.yml
   - components/libgdiplus.yml
   - components/python.yml
   - components/zlib.yml
diff --git a/elements/components/p11-kit.yml b/elements/components/p11-kit.yml
index 0923a39e4..2431d007b 100644
--- a/elements/components/p11-kit.yml
+++ b/elements/components/p11-kit.yml
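Review bot: `version: 1.13` is an unquoted float where the removed line deliberately quoted `"1.7"`; it happens to round-trip here, but a future `1.10` or `1.20` would be rendered as `1.1`/`1.2` into the `v%{version}` download URL, so keep it quoted: `version: "1.13"`. The trust store is now produced by `make-ca -g` in `integration` and refreshed weekly by the cron script, and `-g` downloads a fresh certdata.txt from the network, so the root set is no longer pinned to a versioned artifact the way the deleted `cacert-2023-08-22.pem` was, and the integration step now needs network access at build time. Consider shipping a pinned certdata.txt in `sources` for the integration build (`make-ca -C <path>`, with `-g` reserved for the cron refresh), and add the missing trailing newline at the end of the file.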
@@ -1,15 +1,22 @@
 id: p11-kit
-version: 0.25.0
+version: 0.25.3
 about: |
   Provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules
+pre-script: |-
+  sed '20,$ d' -i trust/trust-extract-compat
+  cat >> trust/trust-extract-compat << "EOF"
+  %{libdir}/make-ca/copy-trust-modifications
+  %{bindir}/make-ca -f -g
+  EOF
+
 post-script: |-
   ln -sfv ./pkcs11/p11-kit-trust.so %{install-root}%{libdir}/libnssckbi.so
-
-build-type: autotools
+  ln -s %{libdir}/p11-kit/trust-extract-compat %{install-root}%{bindir}/update-ca-trust
 configure: >-
-  --with-trust-paths=%{sysconfdir}/pki/anchors
+  -D trust_paths=%{sysconfdir}/pki/anchors
+  -D module_path=%{libdir}/pkcs11
 depends:
   - components/libtasn1.yml
diff --git a/elements/components/rustc.yml b/elements/components/rustc.yml
index 39fcb25db..eb28e55b5 100644
--- a/elements/components/rustc.yml
+++ b/elements/components/rustc.yml
@@ -18,7 +18,6 @@ build-depends:
   - components/cmake.yml
   - components/gdb.yml
   - components/ninja.yml
-  - components/ca-certificates.yml
 sources:
   - https://static.rust-lang.org/dist/rustc-%{version}-src.tar.xz
diff --git a/elements/components/wget.yml b/elements/components/wget.yml
index 10b7b31b9..1eab5ffc2 100644
--- a/elements/components/wget.yml
+++ b/elements/components/wget.yml
@@ -10,7 +10,6 @@ sources:
 depends:
   - components/glibc.yml
-  - components/ca-certificates.yml
   - components/openssl.yml
   - components/util-linux.yml
   - components/libidn2.yml
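Review bot: `sed '20,$ d' -i trust/trust-extract-compat` truncates the upstream script at a hard-coded line number in the same commit that bumps p11-kit to 0.25.3, with nothing checking that line 20 is still the intended cut point; if upstream reorders the file, the rewritten `update-ca-trust` silently keeps or drops the wrong lines. Anchor the edit on content instead, or at least fail the build when the expected text is not at that line, e.g. `sed -n '19p' trust/trust-extract-compat | grep -q '<expected text>' || exit 1` before the `sed -i`. The appended `%{bindir}/make-ca -f -g` also means every `update-ca-trust` / `trust extract-compat` invocation downloads certdata.txt over the network (`-g`) rather than rebuilding from the local anchors in `%{sysconfdir}/pki/anchors`; whether `-f` alone (an offline rebuild) is the intended behaviour for that hook is worth deciding explicitly. Separately, `ln -s` for `update-ca-trust` is not idempotent unlike the `ln -sfv` above it, and `build-type: autotools` is removed without a replacement in this hunk — presumably the builder autodetects meson from the `-D` options, but that is not visible here.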