blob: b52298ef11a36971417c7a691fad34fad9253e11 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# The Debian ca-certificates package merely takes the CA database as it exists
# in the nss package and repackages it for use by openssl.
#
# The issue with using the compiled debs directly is two fold:
# - they do not update frequently enough for us to rely on them
# - they pull the CA database from nss tip of tree rather than the release
#
# So we take the Debian source tools and combine them with the latest nss
# release to produce (largely) the same end result. The difference is that
# now we know our cert database is kept in sync with nss and, if need be,
# can be sync with nss tip of tree more frequently to respond to bugs.
# Where possible, bump to stable/LTS releases of NSS for the last part
# of the version (when not using a pure Debian release).
# When triaging user reports, refer to our wiki for tips:
# https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
EAPI=8
PYTHON_COMPAT=( python3_{10..12} )
inherit python-any-r1
if [[ ${PV} == *.* ]] ; then
# Compile from source ourselves.
PRECOMPILED=false
DEB_VER=$(ver_cut 1)
NSS_VER=$(ver_cut 2-)
RTM_NAME="NSS_${NSS_VER//./_}_RTM"
else
# Debian precompiled version.
PRECOMPILED=true
inherit unpacker
fi
DESCRIPTION="Common CA Certificates PEM files"
HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
NMU_PR=""
if ${PRECOMPILED} ; then
SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
else
SRC_URI="
mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
cacert? (
https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch
)
"
fi
LICENSE="MPL-1.1"
SLOT="0"
KEYWORDS="~alpha ~amd64 arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE=""
${PRECOMPILED} || IUSE+=" cacert"
# c_rehash: we run `c_rehash`
# debianutils: we run `run-parts`
CDEPEND="
sys-apps/debianutils"
BDEPEND="${CDEPEND}"
if ! ${PRECOMPILED} ; then
BDEPEND+=" ${PYTHON_DEPS}"
fi
DEPEND=""
if ${PRECOMPILED} ; then
DEPEND+=" !<sys-apps/portage-2.1.10.41"
fi
RDEPEND="${CDEPEND}
${DEPEND}"
S="${WORKDIR}"
pkg_setup() {
# For the conversion to having it in CONFIG_PROTECT_MASK,
# we need to tell users about it once manually first.
[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
|| ewarn "You should run update-ca-certificates manually after etc-update"
if ! ${PRECOMPILED} ; then
python-any-r1_pkg_setup
fi
}
src_unpack() {
if ! ${PRECOMPILED} ; then
default
# Initial 20200601 deb release had bad naming inside the debian source tarball.
DEB_S="${WORKDIR}/${PN}-${DEB_VER}"
DEB_BAD_S="${WORKDIR}/work"
if [[ -d "${DEB_BAD_S}" ]] && [[ ! -d "${DEB_S}" ]] ; then
mv "${DEB_BAD_S}" "${DEB_S}"
fi
fi
# Do all the work in the image subdir to avoid conflicting with source
# dirs in ${WORKDIR}. Need to perform everything in the offset #381937
mkdir -p "image/${EPREFIX}" || die
cd "image/${EPREFIX}" || die
${PRECOMPILED} && unpacker_src_unpack
}
src_prepare() {
cd "image/${EPREFIX}" || die
if ! ${PRECOMPILED} ; then
mkdir -p usr/sbin || die
cp -p "${S}"/${PN}/sbin/update-ca-certificates \
usr/sbin/ || die
if use cacert ; then
pushd "${S}"/nss-${NSS_VER} >/dev/null || die
eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
popd >/dev/null || die
fi
fi
default
eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
pushd "${S}/${PN}" >/dev/null || die
# We patch out the dep on cryptography as it's not particularly useful
# for us. Please see the discussion in bug #821706. Not to be removed lightly!
eapply "${FILESDIR}"/${PN}-20230311.3.89-no-cryptography.patch
popd >/dev/null || die
local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
sed -i \
-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
usr/sbin/update-ca-certificates || die
}
src_compile() {
cd "image/${EPREFIX}" || die
if ! ${PRECOMPILED} ; then
local d="${S}/${PN}/mozilla" c="usr/share/${PN}"
# Grab the database from the nss sources.
cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
emake -C "${d}"
# Now move the files to the same places that the precompiled would.
mkdir -p etc/ssl/certs \
etc/ca-certificates/update.d \
"${c}"/mozilla \
|| die
if use cacert ; then
mkdir -p "${c}"/cacert.org || die
mv "${d}"/CA_Cert_Signing_Authority.crt \
"${c}"/cacert.org/cacert.org_class1.crt || die
mv "${d}"/CAcert_Class_3_Root.crt \
"${c}"/cacert.org/cacert.org_class3.crt || die
fi
mv "${d}"/*.crt "${c}"/mozilla/ || die
else
mv usr/share/doc/{ca-certificates,${PF}} || die
fi
(
echo "# Automatically generated by ${CATEGORY}/${PF}"
echo "# Do not edit."
cd "${c}" || die
find * -name '*.crt' | LC_ALL=C sort
) > etc/ca-certificates.conf
sh usr/sbin/update-ca-certificates --root "${S}/image" || die
}
src_install() {
cp -pPR image/* "${D}"/ || die
if ! ${PRECOMPILED} ; then
cd ${PN} || die
doman sbin/*.8
dodoc debian/README.* examples/ca-certificates-local/README
fi
echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates || die
doenvd 98ca-certificates
}
pkg_postinst() {
if [[ -d "${EROOT}/usr/local/share/ca-certificates" ]] ; then
# If the user has local certs, we need to rebuild again
# to include their stuff in the db.
# However it's too overzealous when the user has custom certs in place.
# --fresh is to clean up dangling symlinks
"${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
fi
if [[ -n "$(find -L "${EROOT}"/etc/ssl/certs/ -type l)" ]] ; then
ewarn "Removing the following broken symlinks:"
ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
fi
}
|