1 # Copyright 1999-2018 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
4 # The Debian ca-certificates package merely takes the CA database as it exists
5 # in the nss package and repackages it for use by openssl.
7 # The issue with using the compiled debs directly is twofold:
8 # - they do not update frequently enough for us to rely on them
9 # - they pull the CA database from nss tip of tree rather than the release
11 # So we take the Debian source tools and combine them with the latest nss
12 # release to produce (largely) the same end result. The difference is that
13 # now we know our cert database is kept in sync with nss and, if need be,
14 # can be synced with nss tip of tree more frequently to respond to bugs.
16 # When triaging bugs from users, here are some handy tips:
17 # - To see what cert is hitting errors, use openssl:
18 # openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
19 # Focus on the errors written to stderr.
21 # - Look at the upstream log as to why certs were added/removed:
22 # https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
24 # - If people want to add/remove certs, tell them to file w/mozilla:
25 # https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
29 PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} )
31 inherit eutils python-any-r1
33 if [[ ${PV} == *.* ]] ; then
34 # Compile from source ourselves.
38 DEB_VER=$(get_version_component_range 1)
39 NSS_VER=$(get_version_component_range 2-)
40 RTM_NAME="NSS_${NSS_VER//./_}_RTM"
42 # Debian precompiled version.
47 DESCRIPTION="Common CA Certificates PEM files"
48 HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
# Both branches supply the system trust store. The precompiled path takes the
# Debian binary package as-is; the source path rebuilds it from Debian's tools
# plus the matching nss release (RTM_NAME is derived from NSS_VER above).
50 if ${PRECOMPILED} ; then
51 SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
# NOTE(review): the third distfile below is a patch (it appears to add the CAcert
# class 1/class 3 roots, cf. the cacert.org handling further down; it is applied
# with epatch later) fetched from a developer's distfiles directory rather than an
# upstream release. Its integrity rests on the digest recorded in this package's
# Manifest (not shown here), so that entry must be regenerated and reviewed
# whenever the file changes. The three lines below are one quoted string; do not
# put a comment between them.
53 SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
54 https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
56 https://dev.gentoo.org/~axs/distfiles/nss-cacert-class1-class3.patch
62 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
64 ${PRECOMPILED} || IUSE+=" cacert"
67 if ${PRECOMPILED} ; then
68 DEPEND+=" !<sys-apps/portage-2.1.10.41"
70 # c_rehash: we run `c_rehash`
71 # debianutils: we run `run-parts`
76 if ! ${PRECOMPILED}; then
77 DEPEND+=" ${PYTHON_DEPS}"
83 # For the conversion to having the conf file in CONFIG_PROTECT_MASK,
84 # we need to tell users about it manually once first.
85 [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
86 || ewarn "You should run update-ca-certificates manually after etc-update"
90 ${PRECOMPILED} || default
92 # Do all the work in the image subdir to avoid conflicting with source
93 # dirs in $WORKDIR. Everything needs to be done inside the offset prefix (bug #381937).
94 mkdir -p "image/${EPREFIX}"
95 cd "image/${EPREFIX}" || die
97 ${PRECOMPILED} && unpacker_src_unpack
101 cd "image/${EPREFIX}" || die
102 if ! ${PRECOMPILED} ; then
104 cp -p "${S}"/${PN}/sbin/update-ca-certificates usr/sbin/ || die
# NOTE(review): pushd is not guarded with || die, so if the nss directory is
# missing the epatch below would run from the wrong directory;
# `pushd "${S}"/nss-${NSS_VER} >/dev/null || die` is the usual form.
# Style: this spot uses epatch (eutils) while the next patch uses eapply.
107 pushd "${S}"/nss-${NSS_VER} >/dev/null
108 epatch "${DISTDIR}"/nss-cacert-class1-class3.patch
114 eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
# relp is EPREFIX with every path component replaced by "..", i.e. a chain that
# climbs back out of the prefix (e.g. "/usr/local" -> "/../..").
# NOTE(review): `local x=$(...)` masks the pipeline's exit status; split the
# declaration from the assignment if a sed failure should be caught.
115 local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
# The sed expressions below edit the installed update-ca-certificates script:
# on lines assigning "$ROOT..." EPREFIX is inserted right after ROOT, and the
# RELPATH=".. default gets relp appended before its closing quote. EPREFIX and
# relp are spliced straight into the expressions, so a prefix containing ':' or
# '&' would break them (a build-time value, so low risk, but worth knowing).
117 -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
118 -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
119 usr/sbin/update-ca-certificates || die
123 cd "image/${EPREFIX}" || die
124 if ! ${PRECOMPILED} ; then
126 local d="${S}/${PN}/mozilla" c="usr/share/${PN}"
127 # Grab the database from the nss sources.
128 cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die
131 # Now move the files to the same places that the precompiled would.
132 mkdir -p etc/ssl/certs etc/ca-certificates/update.d "${c}"/mozilla
134 mkdir -p "${c}"/cacert.org
135 mv "${d}"/CAcert_Inc..crt "${c}"/cacert.org/cacert.org_root.crt || die
137 mv "${d}"/*.crt "${c}"/mozilla/ || die
139 mv usr/share/doc/{ca-certificates,${PF}} || die
142 if ! use insecure_certs ; then
143 elog "To prevent applications relying on system's trusted root certificate store"
144 elog "from using CAs where at least one major browser vendor Gentoo is following"
145 elog "has decided to apply trust level restrictions, the following"
146 elog "certificate(s) were removed:"
147 # Remove untrusted certs from StartCom and WoSign (bug #598072).
# Matching is a case-insensitive substring match on the file name, over every
# regular file under ${c} (both the mozilla/ and cacert.org/ trees). The
# deletion is a side effect of building the elog message: if nothing matches,
# an empty elog line is printed and nothing is removed. This runs before
# ca-certificates.conf is generated, so removed certs are never listed there.
148 elog "$(find "${c}" -type f \( \
149 -iname '*startcom*' \
150 -o -iname '*wosign*' \
151 \) -printf '%P removed; see https://bugs.gentoo.org/598072 for details\n' -delete)"
# Generate ca-certificates.conf inside a subshell (its opening "(" is above):
# a header, then every .crt relative to the find's working directory, sorted
# byte-wise so the file is reproducible regardless of locale.
155 echo "# Automatically generated by ${CATEGORY}/${PF}"
157 echo "# Do not edit."
# NOTE(review): `find *` relies on an unquoted glob; acceptable here because the
# directory contents are produced by this ebuild, but `find . -name '*.crt'`
# would prefix every entry with "./" and change the generated file, so it is
# not a free swap.
159 find * -name '*.crt' | LC_ALL=C sort
160 ) > etc/ca-certificates.conf
# Run the (patched) update script against the image, presumably so the install
# already ships the generated /etc/ssl/certs state rather than relying solely
# on the post-install rerun.
162 sh usr/sbin/update-ca-certificates --root "${S}/image" || die
166 cp -pPR image/* "${D}"/ || die
167 if ! ${PRECOMPILED} ; then
170 dodoc debian/README.* examples/ca-certificates-local/README
# Put ca-certificates.conf in CONFIG_PROTECT_MASK: the generated file is then
# replaced on every upgrade without an etc-update prompt.
# NOTE(review): that also means any local edit to the file (e.g. an entry a user
# deselected by hand) is silently lost on upgrade; local trust changes belong in
# /usr/local/share/ca-certificates, which the post-install rebuild picks up.
# Confirm this is the intended policy before relying on it.
173 echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
174 doenvd 98ca-certificates
178 if [ -d "${EROOT}/usr/local/share/ca-certificates" ] ; then
179 # If the user has local certs in /usr/local/share/ca-certificates, rebuild
180 # the trust store again so their certs are included in the database.
181 # NOTE(review): the original comments say --fresh cleans up dangling symlinks
182 # but is too overzealous when custom certs are in place; consistent with that,
# the rebuild below runs without it and dangling links are removed by hand
# further down. The rebuild's exit status is not checked; an
# `|| ewarn "update-ca-certificates failed"` would surface a stale trust store
# instead of failing silently.
183 "${EROOT}"/usr/sbin/update-ca-certificates --root "${ROOT}"
# With -L, find follows symlinks, so -type l only matches links whose target
# cannot be resolved, i.e. dangling ones.
# NOTE(review): "${EROOT}"etc/ssl/certs/ here has no "/" after EROOT, while the
# -d test above and the find on the ewarn line below use "${EROOT}/...". Whether
# both spell the same directory depends on EROOT's trailing slash; make them
# consistent so the check and the deletion cannot look at different paths.
186 if [ -n "$(find -L "${EROOT}"etc/ssl/certs/ -type l)" ] ; then
187 ewarn "Removing the following broken symlinks:"
# The -delete is a side effect of building the warning text: each dangling link
# is listed as "path -> target" and removed in the same pass.
188 ewarn "$(find -L "${EROOT}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"