Date: Mon, 29 Jan 2024 16:12:55 GMT
Message-Id: <202401291612.40TGCtbQ070646@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Florian Smeets
Subject: git: 6d25994b8ea2 - main - security/certspotter: Add new port
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: flo
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6d25994b8ea26a536e4826452d795156617eff69

The branch main has been updated by flo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6d25994b8ea26a536e4826452d795156617eff69

commit 6d25994b8ea26a536e4826452d795156617eff69
Author:     Florian Smeets
AuthorDate: 2024-01-29 16:11:04 +0000
Commit:     Florian Smeets
CommitDate: 2024-01-29 16:11:04 +0000

    security/certspotter: Add new port

    Cert Spotter is a Certificate Transparency log monitor from SSLMate that
    alerts you when an SSL/TLS certificate is issued for one of your domains.

    Cert Spotter is easier to use than other open source CT monitors, since it
    does not require a database. It's also more robust, since it uses a special
    certificate parser that ensures it won't miss certificates.
---
 GIDs                                      |  2 +-
 UIDs                                      |  2 +-
 security/Makefile                         |  1 +
 security/certspotter/Makefile             | 35 ++++++++++++++++++++++++
 security/certspotter/distinfo             |  5 ++++
 security/certspotter/files/certspotter.in | 44 +++++++++++++++++++++++++++++++
 security/certspotter/pkg-descr            |  2 ++
 security/certspotter/pkg-plist            |  4 +++
 8 files changed, 93 insertions(+), 2 deletions(-)

diff --git a/GIDs b/GIDs index cf53657bdd4f..a2e872ae22ab 100644 --- a/GIDs +++ b/GIDs @@ -269,7 +269,7 @@ dkfilter:*:325: smfs:*:326: _reticulum:*:327: galene:*:328: -# free: 329 +certspotter:*:329: orthanc:*:330: # free: 331 # free: 332 
diff --git a/UIDs b/UIDs index d81e56e33c98..f0522ea3f17c 100644 --- a/UIDs +++ b/UIDs @@ -274,7 +274,7 @@ dkfilter:*:325:325::0:0:DK Filter Owner:/nonexistent:/usr/sbin/nologin smfs:*:326:326::0:0:SMFSAV Owner:/nonexistent:/usr/sbin/nologin _reticulum:*:327:327::0:0:Reticulum Daemon:/nonexistent:/usr/sbin/nologin galene:*:328:328::0:0:Galene Visioconference server:/nonexistent:/usr/sbin/nologin -# free: 329 +certspotter:*:329:329::0:0:Cert Spotter user:/nonexistent:/usr/sbin/nologin orthanc:*:330:330::0:0:Orthanc Daemon:/nonexistent:/usr/sbin/nologin # free: 331 # free: 332 diff --git a/security/Makefile b/security/Makefile index 99ec5c3a1f7b..c5b64253fdfa 100644 --- a/security/Makefile +++ b/security/Makefile @@ -74,6 +74,7 @@ SUBDIR += ccrypt SUBDIR += ccsrch SUBDIR += certmgr + SUBDIR += certspotter SUBDIR += cfs SUBDIR += cfssl SUBDIR += cfv diff --git a/security/certspotter/Makefile b/security/certspotter/Makefile new file mode 100644 index 000000000000..fa65f32f417d --- /dev/null +++ b/security/certspotter/Makefile 
@@ -0,0 +1,35 @@ +PORTNAME= certspotter +DISTVERSIONPREFIX= v +DISTVERSION= 0.18.0 +CATEGORIES= security www + +MAINTAINER= flo@FreeBSD.org +COMMENT= Certificate Transparency Monitor +WWW= https://github.com/SSLMate/certspotter + +LICENSE= MPL20 +LICENSE_FILE= ${WRKSRC}/LICENSE + +USES= go:1.21,modules +USE_RC_SUBR= certspotter +GO_MODULE= software.sslmate.com/src/certspotter +GO_TARGET= ./cmd/${PORTNAME}:${PREFIX}/sbin/${PORTNAME} + +CERTSPOTTER_USER?= certspotter +CERTSPOTTER_GROUP?= certspotter + +SUB_LIST+= CERTSPOTTER_GROUP=${CERTSPOTTER_GROUP} \ + CERTSPOTTER_USER=${CERTSPOTTER_USER} + +USERS= ${CERTSPOTTER_USER} +GROUPS= ${CERTSPOTTER_GROUP} + +PLIST_SUB+= CERTSPOTTER_GROUP=${CERTSPOTTER_GROUP} \ + CERTSPOTTER_USER=${CERTSPOTTER_USER} + +pre-install: + @${MKDIR} ${STAGEDIR}/var/db/${PORTNAME} + @${MKDIR} ${STAGEDIR}${PREFIX}/etc/${PORTNAME} + @${ECHO_CMD} "example.org" > ${STAGEDIR}${PREFIX}/etc/${PORTNAME}/watchlist.sample + @${MKDIR} ${STAGEDIR}/var/run/${PORTNAME} +.include diff --git a/security/certspotter/distinfo b/security/certspotter/distinfo new file mode 100644 index 000000000000..d7a980228c6e --- /dev/null +++ b/security/certspotter/distinfo @@ -0,0 +1,5 @@ +TIMESTAMP = 1706474827 +SHA256 (go/security_certspotter/certspotter-v0.18.0/v0.18.0.mod) = 7999f3e078b45dae94b4b4b34bee2dda107e3a23bff847f54b584d0ce3bb549d +SIZE (go/security_certspotter/certspotter-v0.18.0/v0.18.0.mod) = 165 +SHA256 (go/security_certspotter/certspotter-v0.18.0/v0.18.0.zip) = cd52b973de3ee04cbf5ced8eb87c6634185e77ad2bf4da756a4c72b9881f2c59 +SIZE (go/security_certspotter/certspotter-v0.18.0/v0.18.0.zip) = 89899 diff --git a/security/certspotter/files/certspotter.in b/security/certspotter/files/certspotter.in new file mode 100644 index 000000000000..f22d334d210d --- /dev/null +++ b/security/certspotter/files/certspotter.in 
@@ -0,0 +1,44 @@ +#!/bin/sh + +# PROVIDE: certspotter +# REQUIRE: LOGIN +# KEYWORD: shutdown +# +# Add these lines to /etc/rc.conf.local or /etc/rc.conf +# to enable this service: +# +# certspotter_enable (bool): Set to YES to enable certspotter. +# Set to NO by default. +# certspotter_statedir (path): State dir. Set to /var/db/certspotter +# by default. +# certspotter_watchlist (path): File listing the monitored domains. +# Set to %%ETCIDIR%%/watchlist by default. +# certspotter_email (string): The email address notifications will be +# sent to. Set to root by default. +# certspotter_user (string): The user account used to run the daemon. +# Default: %%CERTSPOTTER_USER%% + +. /etc/rc.subr + +name=certspotter +rcvar=certspotter_enable + +load_rc_config $name + +: ${certspotter_enable:="NO"} +: ${certspotter_statedir="/var/db/certspotter"} +: ${certspotter_watchlist="%%ETCDIR%%/watchlist"} +: ${certspotter_user:="%%CERTSPOTTER_USER%%"} +: ${certspotter_email:="root"} + +pidfile=/var/run/certspotter/${name}.pid +command=%%PREFIX%%/sbin/certspotter +start_cmd="certspotter_start" + +certspotter_start() +{ + echo "Starting ${name}." + /usr/sbin/daemon -c -f -p ${pidfile} -u ${certspotter_user} %%PREFIX%%/sbin/certspotter -state_dir $certspotter_statedir -watchlist $certspotter_watchlist -email $certspotter_email -start_at_end +} + +run_rc_command "$1" diff --git a/security/certspotter/pkg-descr b/security/certspotter/pkg-descr new file mode 100644 index 000000000000..007655649d98 --- /dev/null +++ b/security/certspotter/pkg-descr @@ -0,0 +1,2 @@ +Cert Spotter is a Certificate Transparency log monitor from SSLMate that +alerts you when an SSL/TLS certificate is issued for one of your domains. diff --git a/security/certspotter/pkg-plist b/security/certspotter/pkg-plist new file mode 100644 index 000000000000..0544303c9f5d --- /dev/null +++ b/security/certspotter/pkg-plist 
@@ -0,0 +1,4 @@ +sbin/certspotter +@sample etc/certspotter/watchlist.sample +@dir(%%CERTSPOTTER_USER%%,%%CERTSPOTTER_GROUP%%,700) /var/db/certspotter +@dir(%%CERTSPOTTER_USER%%,%%CERTSPOTTER_GROUP%%,0775) /var/run/certspotter
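Review bot: in the security/certspotter/Makefile hunk, `CERTSPOTTER_USER?= certspotter` and `CERTSPOTTER_GROUP?= certspotter` invite overriding the account name, but `USERS=` and `GROUPS=` only resolve names that have entries in UIDs and GIDs, and this commit reserves 329 for `certspotter` alone; either drop the `?=` or document that an override needs matching UIDs/GIDs entries. The same hunk writes `example.org` into `watchlist.sample`, and pkg-plist installs that file with `@sample`, so a service that is installed and simply enabled starts monitoring example.org; a sample with no live entry would make the default inert.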
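Review bot: in the security/certspotter/files/certspotter.in hunk, the defaults for `certspotter_statedir` and `certspotter_watchlist` use the `${var="..."}` form while the other three use `${var:="..."}`; with the colon-less form a variable that is set but empty in rc.conf keeps its empty value and the daemon is started with `-state_dir ''`, so make all five use `:=`. The header comment also says the watchlist defaults to `%%ETCIDIR%%/watchlist` while the code uses `%%ETCDIR%%/watchlist`; fix the typo. Finally, `daemon -f` discards the process's stdout and stderr, so a failing notification or log fetch leaves no trace; consider `-S` (syslog) or `-o` with a log file instead of `-f`, and quote the three variables passed as arguments so a path with spaces does not split.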
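Review bot: in the security/certspotter/pkg-plist hunk, the two `@dir` entries mix mode notations (`700` and `0775`); use one form. `/var/run/certspotter` is also group-writable and only exists because the package created it at install time, so on a system where /var/run is a memory file system the directory is gone at boot and the rc script's `-p /var/run/certspotter/certspotter.pid` fails; creating the directory from a `start_precmd` in the rc script is more robust than a plist entry, and 0755 is enough for a pid file directory.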