[people/pmueller/ipfire-3.x.git] / ca-certificates / ca-certificates.nm

###############################################################################
# IPFire.org    - An Open Source Firewall Solution                            #
# Copyright (C) - IPFire Development Team <info@ipfire.org>                   #
###############################################################################

name       = ca-certificates
version    = 2022.12
release    = 2

groups     = System/Base
url        = https://www.mozilla.org/
license    = Public Domain
summary    = The Mozilla CA root certificate bundle.

description
	This package contains the set of CA certificates chosen by the
	Mozilla Foundation for use with the Internet PKI.
end

# This package has no tarball.
sources    =

build
	arches = noarch

	requires
		openssl
		p11-kit
		python3
	end

	DIR_APP = %{DIR_SOURCE}

	build
		# Create file layout
		mkdir -pv certs
		cp certdata.txt blacklist.txt certs

		pushd certs
		python3 %{DIR_SOURCE}/certdata2pem.py
		popd

		(cat <<EOF
		# This is a bundle of X.509 certificates of public Certificate
		# Authorities.  It was generated from the Mozilla root CA list.
		# 
		# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
		#
		EOF
		) > ca-bundle.crt

		(cat <<EOF
		# This is a bundle of X.509 certificates of public Certificate
		# Authorities.  It was generated from the Mozilla root CA list.
		# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
		# format and have trust bits set accordingly.
		#
		# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
		#
		EOF
		) > ca-bundle.trust.crt

		# Collect all certs for p11-kit
		for p in certs/*.tmp-p11-kit; do
			cat "${p}" >> ca-bundle.trust.p11-kit
		done

		trust extract \
			--overwrite \
			--comment \
			--filter=certificates \
			--format=openssl-bundle \
			ca-bundle.trust
		cat ca-bundle.trust >> ca-bundle.trust.crt

		trust extract \
			--overwrite \
			--comment \
			--filter=ca-anchors \
			--format=pem-bundle \
			--purpose=server-auth \
			ca-bundle
		cat ca-bundle >> ca-bundle.crt
	end

	install
		# Create folder layout.
		mkdir -p %{BUILDROOT}/etc/pki/tls/certs/

		# Install files.
		install -p -m 644 ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
		install -p -m 644 ca-bundle.trust.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt

		ln -s certs/ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/cert.pem

		touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
		touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt

		# /etc/ssl/certs symlink for 3rd-party tools
		mkdir -pv -m 755 %{BUILDROOT}%{sysconfdir}/ssl
		ln -s ../pki/tls/certs %{BUILDROOT}%{sysconfdir}/ssl/certs
	end
end

packages
	package %{name}
end
Commit	Line	Data
057303f8 SS	1	###############################################################################
	2	# IPFire.org - An Open Source Firewall Solution #
	3	# Copyright (C) - IPFire Development Team <info@ipfire.org> #
	4	###############################################################################
	5
	6	name = ca-certificates
8f7157c0	7	version = 2022.12
fb152933	8	release = 2
057303f8 SS	9
057303f8 SS	10	groups = System/Base
aec5cbe7	11	url = https://www.mozilla.org/
057303f8 SS	12	license = Public Domain
	13	summary = The Mozilla CA root certificate bundle.
	14
	15	description
	16	This package contains the set of CA certificates chosen by the
	17	Mozilla Foundation for use with the Internet PKI.
	18	end
	19
	20	# This package has no tarball.
	21	sources =
	22
	23	build
5cd803df MT	24	arches = noarch
5cd803df MT	25
057303f8 SS	26	requires
057303f8 SS	27	openssl
fb152933 MT	28	p11-kit
fb152933 MT	29	python3
057303f8 SS	30	end
	31
	32	DIR_APP = %{DIR_SOURCE}
	33
	34	build
fb152933	35	# Create file layout
057303f8 SS	36	mkdir -pv certs
057303f8 SS	37	cp certdata.txt blacklist.txt certs
057303f8	38
fb152933 MT	39	pushd certs
	40	python3 %{DIR_SOURCE}/certdata2pem.py
	41	popd
057303f8	42
057303f8 SS	43	(cat <<EOF
	44	# This is a bundle of X.509 certificates of public Certificate
	45	# Authorities. It was generated from the Mozilla root CA list.
	46	#
	47	# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
	48	#
057303f8	49	EOF
fb152933	50	) > ca-bundle.crt
057303f8 SS	51
	52	(cat <<EOF
	53	# This is a bundle of X.509 certificates of public Certificate
	54	# Authorities. It was generated from the Mozilla root CA list.
	55	# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
	56	# format and have trust bits set accordingly.
	57	#
	58	# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
	59	#
057303f8	60	EOF
fb152933 MT	61	) > ca-bundle.trust.crt
	62
	63	# Collect all certs for p11-kit
	64	for p in certs/*.tmp-p11-kit; do
	65	cat "${p}" >> ca-bundle.trust.p11-kit
057303f8 SS	66	done
057303f8 SS	67
fb152933 MT	68	trust extract \
	69	--overwrite \
	70	--comment \
	71	--filter=certificates \
	72	--format=openssl-bundle \
	73	ca-bundle.trust
	74	cat ca-bundle.trust >> ca-bundle.trust.crt
	75
	76	trust extract \
	77	--overwrite \
	78	--comment \
	79	--filter=ca-anchors \
	80	--format=pem-bundle \
	81	--purpose=server-auth \
	82	ca-bundle
	83	cat ca-bundle >> ca-bundle.crt
057303f8 SS	84	end
	85
	86	install
	87	# Create folder layout.
	88	mkdir -p %{BUILDROOT}/etc/pki/tls/certs/
	89
	90	# Install files.
	91	install -p -m 644 ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
	92	install -p -m 644 ca-bundle.trust.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt
	93
	94	ln -s certs/ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/cert.pem
	95
	96	touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
	97	touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt
	98
	99	# /etc/ssl/certs symlink for 3rd-party tools
	100	mkdir -pv -m 755 %{BUILDROOT}%{sysconfdir}/ssl
	101	ln -s ../pki/tls/certs %{BUILDROOT}%{sysconfdir}/ssl/certs
	102	end
	103	end
	104
	105	packages
	106	package %{name}
	107	end