* [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt
@ 2018-05-06 16:19 Martin Bark
  2018-05-06 16:19 ` [Buildroot] [PATCH 2/2] package/ca-certificates: bump version to 20180409 Martin Bark
  2018-05-29  6:50 ` [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt Peter Korsgaard
  0 siblings, 2 replies; 7+ messages in thread
From: Martin Bark @ 2018-05-06 16:19 UTC (permalink / raw)
  To: buildroot

Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
prevent it getting hashed by mistake.

Signed-off-by: Martin Bark <martin@barkynet.com>
---
 package/ca-certificates/ca-certificates.mk | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
index cb0e961465..b99e6f47ca 100644
--- a/package/ca-certificates/ca-certificates.mk
+++ b/package/ca-certificates/ca-certificates.mk
@@ -30,14 +30,20 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 
 	# Create symlinks to certificates under /etc/ssl/certs
 	# and generate the bundle
+	rm -f $(@D)/ca-certificates.crt
 	cd $(TARGET_DIR) ;\
 	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
 		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
-		cat $$i >>etc/ssl/certs/ca-certificates.crt ;\
+		cat $$i >>$(@D)/ca-certificates.crt ;\
 	done
 
 	# Create symlinks to the certificates by their hash values
 	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
+
+	# Install the certificates bundle we just created
+	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
+		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
+
 endef
 
 $(eval $(generic-package))
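
Review bot: the comment on the new install step ("Install the certificates bundle we just created") does not say that the step has to stay after the c_rehash call, which is the point of the change; please state that in the comment so a later cleanup does not move the bundle back into etc/ssl/certs before rehashing. The rm -f plus ">>" append could be a single redirection of the whole for loop into $(@D)/ca-certificates.crt, and the empty line added before endef can be dropped.
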
-- 
2.17.0


* [Buildroot] [PATCH 2/2] package/ca-certificates: bump version to 20180409
  2018-05-06 16:19 [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt Martin Bark
@ 2018-05-06 16:19 ` Martin Bark
  2018-05-29  6:52   ` Peter Korsgaard
  2018-05-29  6:50 ` [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt Peter Korsgaard
  1 sibling, 1 reply; 7+ messages in thread
From: Martin Bark @ 2018-05-06 16:19 UTC (permalink / raw)
  To: buildroot

Update Mozilla certificate authority bundle to version 2.22.

The following certificate authorities were added (+):
  + "GDCA TrustAUTH R5 ROOT"
  + "SSL.com EV Root Certification Authority ECC"
  + "SSL.com EV Root Certification Authority RSA R2"
  + "SSL.com Root Certification Authority ECC"
  + "SSL.com Root Certification Authority RSA"
  + "TrustCor ECA-1"
  + "TrustCor RootCert CA-1"
  + "TrustCor RootCert CA-2"

The following certificate authorities were removed (-):
  - "ACEDICOM Root"
  - "AddTrust Low-Value Services Root"
  - "AddTrust Public Services Root"
  - "AddTrust Qualified Certificates Root"
  - "CA Disig Root R1"
  - "CNNIC ROOT"
  - "Camerfirma Chambers of Commerce Root"
  - "Camerfirma Global Chambersign Root"
  - "Certinomis - Autorité Racine"
  - "Certum Root CA"
  - "China Internet Network Information Center EV Certificates Root"
  - "Comodo Secure Services root"
  - "Comodo Trusted Services root"
  - "DST ACES CA X6"
  - "GeoTrust Global CA 2"
  - "PSCProcert"
  - "Security Communication EV RootCA1"
  - "Swisscom Root CA 1"
  - "Swisscom Root CA 2"
  - "Swisscom Root EV CA 2"
  - "TURKTRUST Certificate Services Provider Root 2007"
  - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
  - "UTN USERFirst Hardware Root CA"

Signed-off-by: Martin Bark <martin@barkynet.com>
---
 package/ca-certificates/ca-certificates.hash | 4 ++--
 package/ca-certificates/ca-certificates.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/ca-certificates/ca-certificates.hash b/package/ca-certificates/ca-certificates.hash
index 00296e2a8c..8100dde357 100644
--- a/package/ca-certificates/ca-certificates.hash
+++ b/package/ca-certificates/ca-certificates.hash
@@ -1,3 +1,3 @@
 # hashes from: $(CA_CERTIFICATES_SITE)/ca-certificates_$(CA_CERTIFICATES_VERSION).dsc :
-sha1   4c093ceee1f1428d5aa7e9a5324b92961c0c0f06                         ca-certificates_20170717.tar.xz
-sha256 e487639b641fa75445174734dd6e9d600373e3248b3d86a7e3c6d0f6977decd2 ca-certificates_20170717.tar.xz
+sha1   edf0ec04b02fcbc90cc65906ff83fb042894a3b7                         ca-certificates_20180409.tar.xz
+sha256 7af6f5bfc619fd29cbf0258c1d95107c38ce840ad6274e343e1e0d971fc72b51 ca-certificates_20180409.tar.xz
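
Review bot: the header comment on the first line of this file says the values come from the .dsc under $(CA_CERTIFICATES_SITE), but nothing states whether that .dsc's signature was checked; since these two lines are the only integrity anchor for the new trust-store tarball, please say in the commit message how the hashes were verified.
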
diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
index b99e6f47ca..d628157c0f 100644
--- a/package/ca-certificates/ca-certificates.mk
+++ b/package/ca-certificates/ca-certificates.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-CA_CERTIFICATES_VERSION = 20170717
+CA_CERTIFICATES_VERSION = 20180409
 CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.xz
-CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20170814T210836Z/pool/main/c/ca-certificates
+CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20180411T111033Z/pool/main/c/ca-certificates
 CA_CERTIFICATES_DEPENDENCIES = host-openssl
 # ca-certificates can be built with either python 2 or python 3
 # but it must be at least python 2.7
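
Review bot: CA_CERTIFICATES_SITE still uses plain http:// for the new snapshot URL, so the CA bundle source is fetched over an unauthenticated channel and the .hash file is the only thing protecting it; switch the URL to https:// if the download setup allows it. The commit message names the Mozilla bundle as 2.22 while CA_CERTIFICATES_VERSION is the Debian date 20180409, so a short comment tying the two together would help the next bump.
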
-- 
2.17.0


* [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt
  2018-05-06 16:19 [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt Martin Bark
  2018-05-06 16:19 ` [Buildroot] [PATCH 2/2] package/ca-certificates: bump version to 20180409 Martin Bark
@ 2018-05-29  6:50 ` Peter Korsgaard
  2018-05-29  9:48   ` Martin Bark
  1 sibling, 1 reply; 7+ messages in thread
From: Peter Korsgaard @ 2018-05-29  6:50 UTC (permalink / raw)
  To: buildroot

>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:

 > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
 > prevent it getting hashed by mistake.

What is the effect of running c_rehash on it? Just an extra symlink or
any functional difference?

 > Signed-off-by: Martin Bark <martin@barkynet.com>
 > ---
 >  package/ca-certificates/ca-certificates.mk | 8 +++++++-
 >  1 file changed, 7 insertions(+), 1 deletion(-)

 > diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
 > index cb0e961465..b99e6f47ca 100644
 > --- a/package/ca-certificates/ca-certificates.mk
 > +++ b/package/ca-certificates/ca-certificates.mk
 > @@ -30,14 +30,20 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
 
 >  	# Create symlinks to certificates under /etc/ssl/certs
 >  	# and generate the bundle
 > +	rm -f $(@D)/ca-certificates.crt
 >  	cd $(TARGET_DIR) ;\
 >  	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
 >  		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
 > -		cat $$i >>etc/ssl/certs/ca-certificates.crt ;\
 > +		cat $$i >>$(@D)/ca-certificates.crt ;\
 >  	done

Alternatively we could redirect the entire for loop to the bundle, e.g.

done > $(@D)/ca-certificates.crt

While this seems like an improvement for when ca-certificates-reinstall
is run, I'm not sure what the relation is to $SUBJECT?


 >  	# Create symlinks to the certificates by their hash values
 >  	$(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
 > +
 > +	# Install the certificates bundle we just created
 > +	$(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
 > +		$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
 > +
 >  endef
 
 >  $(eval $(generic-package))
 > -- 
 > 2.17.0


-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 2/2] package/ca-certificates: bump version to 20180409
  2018-05-06 16:19 ` [Buildroot] [PATCH 2/2] package/ca-certificates: bump version to 20180409 Martin Bark
@ 2018-05-29  6:52   ` Peter Korsgaard
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2018-05-29  6:52 UTC (permalink / raw)
  To: buildroot

>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:

 > Update Mozilla certificate authority bundle to version 2.22.
 > The following certificate authorities were added (+):
 >   + "GDCA TrustAUTH R5 ROOT"
 >   + "SSL.com EV Root Certification Authority ECC"
 >   + "SSL.com EV Root Certification Authority RSA R2"
 >   + "SSL.com Root Certification Authority ECC"
 >   + "SSL.com Root Certification Authority RSA"
 >   + "TrustCor ECA-1"
 >   + "TrustCor RootCert CA-1"
 >   + "TrustCor RootCert CA-2"

 > The following certificate authorities were removed (-):
 >   - "ACEDICOM Root"
 >   - "AddTrust Low-Value Services Root"
 >   - "AddTrust Public Services Root"
 >   - "AddTrust Qualified Certificates Root"
 >   - "CA Disig Root R1"
 >   - "CNNIC ROOT"
 >   - "Camerfirma Chambers of Commerce Root"
 >   - "Camerfirma Global Chambersign Root"
 >   - "Certinomis - Autorité Racine"
 >   - "Certum Root CA"
 >   - "China Internet Network Information Center EV Certificates Root"
 >   - "Comodo Secure Services root"
 >   - "Comodo Trusted Services root"
 >   - "DST ACES CA X6"
 >   - "GeoTrust Global CA 2"
 >   - "PSCProcert"
 >   - "Security Communication EV RootCA1"
 >   - "Swisscom Root CA 1"
 >   - "Swisscom Root CA 2"
 >   - "Swisscom Root EV CA 2"
 >   - "TURKTRUST Certificate Services Provider Root 2007"
 >   - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
 >   - "UTN USERFirst Hardware Root CA"

 > Signed-off-by: Martin Bark <martin@barkynet.com>

Committed to next, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt
  2018-05-29  6:50 ` [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt Peter Korsgaard
@ 2018-05-29  9:48   ` Martin Bark
  2018-05-29 10:08     ` Peter Korsgaard
  0 siblings, 1 reply; 7+ messages in thread
From: Martin Bark @ 2018-05-29  9:48 UTC (permalink / raw)
  To: buildroot

Peter,

On 29 May 2018 at 07:50, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>
>  > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
>  > prevent it getting hashed by mistake.
>
> What is the effect of running c_rehash on it? Just an extra symlink or
> any functional difference?
>

c_rehash hashes certificates.crt by mistake and that symlink clashes with
one of the CA certificates.  The end result is one of the hashes
incorrectly points to certificates.crt instead of the CA certificate.  I
noticed this during testing because I checked /etc/ssl/certs was the same
as under Ubuntu.

Thanks Martin


>
>  > Signed-off-by: Martin Bark <martin@barkynet.com>
>  > ---
>  >  package/ca-certificates/ca-certificates.mk | 8 +++++++-
>  >  1 file changed, 7 insertions(+), 1 deletion(-)
>
>  > diff --git a/package/ca-certificates/ca-certificates.mk
> b/package/ca-certificates/ca-certificates.mk
>  > index cb0e961465..b99e6f47ca 100644
>  > --- a/package/ca-certificates/ca-certificates.mk
>  > +++ b/package/ca-certificates/ca-certificates.mk
>  > @@ -30,14 +30,20 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
>
>  >      # Create symlinks to certificates under /etc/ssl/certs
>  >      # and generate the bundle
>  > +    rm -f $(@D)/ca-certificates.crt
>  >      cd $(TARGET_DIR) ;\
>  >      for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
>  >              ln -sf ../../../$$i etc/ssl/certs/`basename $${i}
> .crt`.pem ;\
>  > -            cat $$i >>etc/ssl/certs/ca-certificates.crt ;\
>  > +            cat $$i >>$(@D)/ca-certificates.crt ;\
>  >      done
>
> Alternatively we could redirect the entire for loop to the bundle, E.G.
>
> done > $(@D)/ca-certificates.crt
>
> While this seems like an improvement for when ca-certificates-reinstall
> is run, I'm not sure what the relation is to $SUBJECT?
>
>  >      # Create symlinks to the certificates by their hash values
>  >      $(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
>  > +
>  > +    # Install the certificates bundle we just created
>  > +    $(INSTALL) -D -m 644 $(@D)/ca-certificates.crt \
>  > +            $(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
>  > +
>  >  endef
>
>  >  $(eval $(generic-package))
>  > --
>  > 2.17.0
>
>
> --
> Bye, Peter Korsgaard
>
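
The clash described in the reply above can be checked for in a built certs directory. This is an added example, not part of the original thread or of Buildroot: it lists hash-named symlinks whose target holds more than one PEM certificate. The function names, the sample tree and the hash names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: report OpenSSL-style hash links (<8 hex digits>.<n>) whose
# target file holds more than one PEM certificate, i.e. a bundle.

count_certs() {
    # grep -c exits 1 on a zero count; "|| true" keeps callers using set -e alive.
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

find_bundle_hash_links() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        [ -f "$link" ] || continue    # dangling link
        n=$(count_certs "$link")
        if [ "$n" -gt 1 ]; then
            printf '%s -> %s (%s certificates)\n' "$name" "$(readlink "$link")" "$n"
        fi
    done
}

make_sample_dir() {
    # Constructed tree: the PEM bodies are placeholders, the hash names are made up.
    d=$(mktemp -d)
    pem='-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----'
    printf '%s\n' "$pem" > "$d/Root_A.pem"
    printf '%s\n%s\n' "$pem" "$pem" > "$d/ca-certificates.crt"
    ln -s Root_A.pem "$d/0a1b2c3d.0"             # expected: one certificate
    ln -s ca-certificates.crt "$d/4e5f6a7b.0"    # the clash: link to the bundle
    printf '%s\n' "$d"
}

demo_dir=$(make_sample_dir)
find_bundle_hash_links "$demo_dir"
rm -rf "$demo_dir"
```

On a real tree, pass the target's etc/ssl/certs directory to find_bundle_hash_links; an empty result means no hash link resolves to a multi-certificate file.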

* [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt
  2018-05-29  9:48   ` Martin Bark
@ 2018-05-29 10:08     ` Peter Korsgaard
  2018-05-29 10:40       ` Martin Bark
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Korsgaard @ 2018-05-29 10:08 UTC (permalink / raw)
  To: buildroot

>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:

 > Peter,
 > On 29 May 2018 at 07:50, Peter Korsgaard <peter@korsgaard.com> wrote:

 >> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
 >> 
 >> > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
 >> > prevent it getting hashed by mistake.
 >> 
 >> What is the effect of running c_rehash on it? Just an extra symlink or
 >> any functional difference?
 >> 

 > c_rehash hashes certificates.crt by mistake and that symlink clashes with
 > one of the CA certificates.  The end result is one of the hashes
 > incorrectly points to certificates.crt instead of the CA certificate.  I
 > noticed this during testing because I checked /etc/ssl/certs was the same
 > as under Ubuntu.

Ok, can you rework the commit message with these details (and perhaps
the for loop change) and resubmit? Thanks!

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/2] package/ca-certificates: don't hash certificates.crt
  2018-05-29 10:08     ` Peter Korsgaard
@ 2018-05-29 10:40       ` Martin Bark
  0 siblings, 0 replies; 7+ messages in thread
From: Martin Bark @ 2018-05-29 10:40 UTC (permalink / raw)
  To: buildroot

Peter,

On 29 May 2018 at 11:08, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>
>  > Peter,
>  > On 29 May 2018 at 07:50, Peter Korsgaard <peter@korsgaard.com> wrote:
>
>  >> >>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>  >>
>  >> > Copy certificates.crt to /etc/ssl/certs after we run c_rehash to
>  >> > prevent it getting hashed by mistake.
>  >>
>  >> What is the effect of running c_rehash on it? Just an extra symlink or
>  >> any functional difference?
>  >>
>
>  > c_rehash hashes certificates.crt by mistake and that symlink clashes with
>  > one of the CA certificates.  The end result is one of the hashes
>  > incorrectly points to certificates.crt instead of the CA certificate.  I
>  > noticed this during testing because I checked /etc/ssl/certs was the same
>  > as under Ubuntu.
>
> Ok, can you rework the commit message with these details (and perhaps
> the for loop change) and resubmit? Thanks!
>

Will do

Thanks

Martin


>
> --
> Bye, Peter Korsgaard
>