Date:      Sun, 8 Oct 2023 04:37:45 GMT
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 52e0c40367d3 - main - security/ca_root_nss: Restore the ETC_SYMLINK.
Message-ID:  <202310080437.3984bjQB004810@gitrepo.freebsd.org>

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/ports/commit/?id=52e0c40367d3ebd09ab7169e025c37fbf70b8dee

commit 52e0c40367d3ebd09ab7169e025c37fbf70b8dee
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2023-10-08 04:36:54 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-10-08 04:36:54 +0000

    security/ca_root_nss: Restore the ETC_SYMLINK.
    
    It turns out that some ports have an undisclosed dependency on the
    symlink and cannot be trivially changed to use the system trust
    store instead.
    
    Amend the package message to make it clear that software which relies
    on this symlink is not following recommended practice.
    
    I will look into getting certctl(8) to provide cert.pem instead, but
    it may take a while until we can rely on this being in place on all
    supported releases.
    
    This partly reverts commit 483e74f44b82.
    
    PR:             274322
    MFH:            2023Q4
    Reviewed by:    fluffy
    Differential Revision:  https://reviews.freebsd.org/D42120
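The commit message draws a line between software that hard-codes the /etc/ssl/cert.pem symlink and software that uses the system trust store. The POSIX sh script below is an added example, not part of this commit or of the ports tree, for checking which situation a host (or a staged package tree) is actually in: it classifies what sits at etc/ssl/cert.pem under a given root, resolves the relative link the way the port installs it, counts the certificates in the bundle, and reports how many hashed entries the certctl(8)-managed directory holds. It assumes the default certctl(8) location /etc/ssl/certs and the bundle path ${PREFIX}/share/certs/ca-root-nss.crt from the Makefile; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the FreeBSD ports tree): report how a root directory
# exposes cert.pem, so you can tell whether software that hard-codes
# /etc/ssl/cert.pem will find the ca_root_nss bundle, a site-local bundle,
# an emptied file, or nothing at all. Defaults to the live system; pass a
# staged tree (for example a ${STAGEDIR}) to inspect a package before install.

# Count PEM certificates in a bundle; 0 when the file is absent or unreadable.
count_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# Classify ROOT/etc/ssl/cert.pem. Prints one of:
#   "symlink <resolved path>"  a link whose target exists (resolved inside ROOT)
#   "dangling <target>"        a link whose target does not exist
#   "file"                     a regular file (site-local bundle, or emptied on purpose)
#   "missing"                  nothing at that path
cert_pem_kind() {
    root=${1%/}                          # "/" becomes "", so paths stay absolute
    link="$root/etc/ssl/cert.pem"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case $target in
            /*) resolved="$root$target" ;;           # absolute target: rebase it on ROOT
            *)  resolved="$root/etc/ssl/$target" ;;  # relative target, as the port installs it
        esac
        if [ -f "$resolved" ]; then
            # Normalise the ../.. segments so the report shows a clean path.
            resolved="$(cd "$(dirname "$resolved")" && pwd -P)/$(basename "$resolved")"
            echo "symlink $resolved"
        else
            echo "dangling $target"
        fi
    elif [ -f "$link" ]; then
        echo "file"
    else
        echo "missing"
    fi
}

# Human-readable summary for ROOT (default "/"), plus the size of the
# certctl(8)-managed hash directory, i.e. the "system trust store" the commit
# message refers to (assumption: the default certctl path etc/ssl/certs).
audit_trust_store() {
    root=${1:-/}
    kind=$(cert_pem_kind "$root")
    root=${root%/}
    bundle="$root/etc/ssl/cert.pem"
    case $kind in
        "symlink "*)  echo "cert.pem: symlink -> ${kind#symlink } ($(count_certs "$bundle") certificates)" ;;
        "dangling "*) echo "cert.pem: DANGLING symlink -> ${kind#dangling } (consumers of this path will fail)" ;;
        file)         echo "cert.pem: regular file, $(count_certs "$bundle") certificates (site-local bundle, or emptied on purpose)" ;;
        *)            echo "cert.pem: not present (only software using the system trust store finds roots)" ;;
    esac
    # certctl(8) populates the directory with <subject-hash>.N entries.
    hashed=$(ls "$root/etc/ssl/certs" 2>/dev/null | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true)
    echo "certctl hash dir $root/etc/ssl/certs: $hashed entries"
}

# Run only when invoked with a root argument, e.g.:  sh check-cert-pem.sh /
if [ $# -gt 0 ]; then
    audit_trust_store "$1"
fi
```

Run it as `sh check-cert-pem.sh /` on a host, or point it at a ${STAGEDIR} after `make stage` to see whether the relative link the port creates resolves inside the staged tree. A "dangling" result is the case the commit message is worried about: software that depends on the link instead of the system trust store will fail to load any roots.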
---
 security/ca_root_nss/Makefile             | 12 +++++++++++-
 security/ca_root_nss/files/pkg-message.in | 15 +++++++++++++--
 security/ca_root_nss/pkg-plist            |  3 +++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
index 3abe00856c78..91741dc352ef 100644
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -17,8 +17,14 @@ USE_PERL5=	build
 NO_ARCH=	yes
 WRKSRC_SUBDIR=	nss
 
+OPTIONS_DEFINE=		ETCSYMLINK
+OPTIONS_DEFAULT=	ETCSYMLINK
+
 OPTIONS_SUB=		yes
 
+ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
+ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*
+
 CERTDIR?=	share/certs
 PLIST_SUB+=	CERTDIR=${CERTDIR}
 
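Review bot: ETCSYMLINK_DESC in the new option block only says "Add symlink to /etc/ssl/cert.pem", while the commit message and the pkg-message both say that relying on this symlink is not recommended practice; the option description is what a user building from ports sees in the config dialog, so the caveat belongs there, e.g. `ETCSYMLINK_DESC=	Install /etc/ssl/cert.pem symlink for software not using the system trust store`. Also, with ETCSYMLINK in OPTIONS_DEFAULT, the ETCSYMLINK_CONFLICTS_INSTALL line makes the package conflict with ca-roots-[0-9]* in the default build; a one-line comment naming the path the two packages collide on would save the next reader a trip to the other port.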
@@ -43,4 +49,8 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
 	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
 
+do-install-ETCSYMLINK-on:
+	${MKDIR} ${STAGEDIR}/etc/ssl
+	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
+
 .include <bsd.port.mk>
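Review bot: the relative link target in do-install-ETCSYMLINK-on, `../..${PREFIX}/${CERTDIR}/ca-root-nss.crt`, only resolves because /etc/ssl sits exactly two levels below the root and ${PREFIX} is absolute (for the default prefix it expands to `../../usr/local/share/certs/ca-root-nss.crt`); CERTDIR is overridable (`CERTDIR?=	share/certs` above), and an absolute CERTDIR or a relative PREFIX would leave a dangling link. Since the link is installed outside ${PREFIX} anyway, an absolute target `${PREFIX}/${CERTDIR}/ca-root-nss.crt` is simpler and costs nothing in relocatability; failing that, a comment explaining the `../..` arithmetic would help whoever touches this next.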
diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in
index a28b233e6599..b272b6030486 100644
--- a/security/ca_root_nss/files/pkg-message.in
+++ b/security/ca_root_nss/files/pkg-message.in
@@ -5,8 +5,19 @@ FreeBSD does not, and can not warrant that the certification authorities
 whose certificates are included in this package have in any way been
 audited for trustworthiness or RFC 3647 compliance.
 
-Assessment and verification of trust is the complete responsibility of the
-system administrator.
+Assessment and verification of trust is the complete responsibility of
+the system administrator.
+
+This package installs symlinks to support root certificate discovery
+for software that either uses other cryptographic libraries than
+OpenSSL, or use OpenSSL but do not follow recommended practice.
+
+If you prefer to do this manually, replace the following symlinks with
+either an empty file or your site-local certificate bundle.
+
+  * /etc/ssl/cert.pem
+  * %%PREFIX%%/etc/ssl/cert.pem
+  * %%PREFIX%%/openssl/cert.pem
 EOM
 }
 ]
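Review bot: number agreement in the new paragraph: "software that either uses other cryptographic libraries than OpenSSL, or use OpenSSL but do not follow recommended practice" switches from singular to plural mid-sentence; suggest "software that either uses a cryptographic library other than OpenSSL, or uses OpenSSL but does not follow recommended practice". The paragraph also says the package installs the three listed symlinks as if unconditionally, but /etc/ssl/cert.pem is only created when the ETCSYMLINK option is on (do-install-ETCSYMLINK-on in the Makefile), so add "when built with the ETCSYMLINK option" next to that entry; otherwise the advice to replace it sends users looking for a link that may not exist.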
diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
index ef04e1ffd140..81d723328b37 100644
--- a/security/ca_root_nss/pkg-plist
+++ b/security/ca_root_nss/pkg-plist
@@ -1,4 +1,7 @@
 %%CERTDIR%%/ca-root-nss.crt
+@sample etc/ssl/cert.pem.sample
+@sample openssl/cert.pem.sample
+%%ETCSYMLINK%%/etc/ssl/cert.pem
 @postexec certctl rehash
 @postunexec certctl rehash
 @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
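Review bot: the plist adds `@sample etc/ssl/cert.pem.sample`, but the Makefile hunks in this diff only show `${PREFIX}/openssl/cert.pem.sample` being staged (the `${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample` line in do-install); the staging of ${PREFIX}/etc/ssl/cert.pem.sample is not visible here, so confirm the unchanged part of do-install creates it, or the plist will reference a file that is never staged. Second, `%%ETCSYMLINK%%/etc/ssl/cert.pem` is a plain entry whereas the two ${PREFIX} links are @sample; pkg treats those differently on reinstall and upgrade, so a user who follows the pkg-message and replaces /etc/ssl/cert.pem with an empty file or a local bundle may find the symlink put back on the next upgrade. If that is intended, the pkg-message should say so for that path; if not, the /etc/ssl link needs handling equivalent to the @sample entries.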