From a091de33a7f70d9e557dcaac8ac895c7ebc8b6c2 Mon Sep 17 00:00:00 2001 From: Kyungwook Tak Date: Wed, 11 Nov 2015 16:05:25 +0900 Subject: [PATCH] ca-certs resource path and format changed - resource path : /usr/share/ca-certificates/* -> /usr/share/ca-certificates/certs : changed to exclude tizen code-signing root certificates which isn't related with ssl - resource format(filename) : non-format -> .[0-9] : to support backward compatibility - resource permission : root:root(644) label="_" -> root:system(664) label="System::Shared" : to writable for cert-server when ca-certificates enabled/disabled Change-Id: Iadc833adf6aa1d2f63fc2e05f4a21cf8d219235f Signed-off-by: Kyungwook Tak --- packaging/ca-certificates.spec | 6 ++++++ packaging/certbundle.run | 11 ++++++++++- packaging/update-ca-certificates | 14 +++++++++----- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/packaging/ca-certificates.spec b/packaging/ca-certificates.spec index ae07cce..83e46b1 100644 --- a/packaging/ca-certificates.spec +++ b/packaging/ca-certificates.spec @@ -16,6 +16,8 @@ Source3: certbundle.run Source1001: ca-certificates.manifest Url: http://gitorious.org/opensuse/ca-certificates Requires: openssl +Requires: smack +Requires: coreutils Requires(post): /usr/bin/rm Requires(post): openssl-misc Recommends: ca-certificates-mozilla @@ -61,6 +63,10 @@ fi # as openssl changed the hash format between 0.9.8 and 1.0 update-ca-certificates -f || true +chown root:system %{etccadir} +chmod 775 %{etccadir} +chsmack -a "System::Shared" %{etccadir} +chsmack -t %{etccadir} %files %manifest %{name}.manifest diff --git a/packaging/certbundle.run b/packaging/certbundle.run index 5fd9544..add999e 100644 --- a/packaging/certbundle.run +++ b/packaging/certbundle.run @@ -29,7 +29,12 @@ cat > "$cafile.new" <> "$cafile.new" mv "$cafile.new" "$cafile" + +chown root:system $cafile +chmod 664 $cafile +chsmack -a "System::Shared" $cafile 
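Review bot: The added `Requires: smack` and `Requires: coreutils` lines do not guarantee that `chsmack`, `chown` and `chmod` are installed before this package's scriptlet runs. If the commands added in the next hunk belong to `%post` (the section header is outside the hunk), declare them the way the neighbouring `Requires(post): /usr/bin/rm` is declared: `Requires(post): smack` and `Requires(post): coreutils`. Without that ordering, an install could run the scriptlet with the tools missing and leave the directory without the intended owner and label.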
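Review bot: The four commands added after `update-ca-certificates -f || true` make `%{etccadir}` group-writable (`root:system`, `chmod 775`) with a transmuting `System::Shared` label, which is a wider grant than the commit message's stated purpose of letting cert-server write there. If this directory holds the trust anchors TLS clients consult, every process in group `system` that Smack allows to write `System::Shared` could add or replace a root. A group or Smack rule limited to cert-server would be tighter; at minimum record the intent, for example `# group-writable so cert-server can enable/disable CA certs at runtime`. Only the exit status of the last command reaches rpm, so a failing `chown` or `chmod` passes silently; checking each one would make a half-applied state visible.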
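Review bot: The three added commands use `$cafile` unquoted and run after `mv "$cafile.new" "$cafile"`, so the bundle is published first and only then re-owned and relabelled. Setting the attributes on the temporary file keeps the swap atomic: put `chown root:system "$cafile.new"` above the `mv`, and do the same for `chmod` and `chsmack`. Mode 664 also lets any member of group `system` rewrite the bundle that clients load as their trust store, although this script regenerates the file itself, so confirm that cert-server needs write access to the file and not just the directory. The middle of this hunk is not fully legible in this view, so check the placement against the full script.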
diff --git a/packaging/update-ca-certificates b/packaging/update-ca-certificates index 7b1b8a0..84bec89 100644 --- a/packaging/update-ca-certificates +++ b/packaging/update-ca-certificates @@ -32,7 +32,8 @@ use Getopt::Long; my $certsconf = '/etc/ca-certificates.conf'; my $hooksdir1 = '/etc/ca-certificates/update.d'; my $hooksdir2 = '/usr/lib/ca-certificates/update.d'; -my $certsdir = "/usr/share/ca-certificates"; +# only search /usr/share/ca-certificates/certs because of code-signing certs +my $certsdir = "/usr/share/ca-certificates/certs"; my $localcertsdir = "/usr/local/share/ca-certificates"; my $etccertsdir = "/etc/ssl/certs"; @@ -56,6 +57,7 @@ sub addcert($) { my $f = $_[0]; my $t = targetfilename($f); + return if -e $t; unlink $t if -l $t; # dangling symlink if (symlink($f, $t)) { @@ -129,7 +131,7 @@ my @files; File::Find::find({ no_chdir => 1, wanted => sub { - -f && /\.(?:pem|crt)$/ && push @files, $_; + -f && /\.(?:pem|crt|[0-9])$/ && push @files, $_; } }, $certsdir); for my $f (@files) { @@ -146,7 +148,7 @@ for my $f (glob "$localcertsdir/*.{pem,crt}") { addcert($f); } -for my $f (glob "$etccertsdir/*.pem") { +for my $f (glob "$etccertsdir/*.{pem,[0-9]}") { if (-l $f && !-e $f) { if (startswith($f, $etccertsdir) || startswith($f, $localcertsdir)) @@ -161,8 +163,10 @@ for my $f (glob "$etccertsdir/*.pem") { chdir $etccertsdir || die "$!"; if (%added || %removed || $opt_fresh) { print "Updating certificates in $etccertsdir...\n"; - my $redir = ($opt_verbose?'':'> /dev/null'); - system("c_rehash . $redir"); +# tizen ca-certs suffix isn't .pem|.crt|.cer|.crl +# so c_rehash cannot be used. +# my $redir = ($opt_verbose?'':'> /dev/null'); +# system("c_rehash . $redir"); printf("%d added, %d removed.\n", (%added?(scalar keys %added):0), -- 2.7.4
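Review bot: `return if -e $t;` in `addcert` skips the certificate whenever anything exists at the target name, without checking that the existing entry is a link to `$f`. Because `-e` follows symlinks, a regular file or a link to some other file already present in the certs directory (which this commit makes group-writable) silently takes precedence over the packaged certificate. Narrowing the guard to `return if -l $t && readlink($t) eq $f;` keeps the already-installed case quiet and lets a conflicting entry reach the existing `symlink` failure path. The rest of `addcert` lies outside the hunk, so confirm there how a failed `symlink` is reported.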
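Review bot: The new `[0-9]` alternative in the `wanted` filter matches exactly one digit after the dot, so a two-digit suffix such as `.10` is ignored, and `$` still matches before a trailing newline in the name. The `*.{pem,[0-9]}` glob in the following hunk has the same one-digit limit, so such links would also be left out of the dangling-link cleanup. Consider `/\.(?:pem|crt|[0-9]+)\z/` for the filter and an equivalent check for the glob loop. A short comment that the numeric suffix is presumably the hash-style file name would explain why a bare digit counts as a certificate extension.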
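Review bot: Commenting out `system("c_rehash . $redir")` removes the only step in this script that creates hash-named links, yet the script still links `*.pem` and `*.crt` files from `$localcertsdir`. Unless `targetfilename` (not shown) already produces hash names, those local certificates will presumably no longer be found by a hashed-directory lookup in `$etccertsdir`. If that is intended, state it in the comment, for example `# packaged certs are already named <hash>.N; .pem/.crt links are not rehashed`. The disabled lines are better deleted than kept as comments, and the "Updating certificates" message now announces a step that no longer runs.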