Date:      Wed, 1 Feb 2023 11:06:09 GMT
From:      Tijl Coosemans <tijl@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 8672992ef7f0 - main - security/p11-kit: Use base system CA certificates
Message-ID:  <202302011106.311B69eg003549@gitrepo.freebsd.org>

The branch main has been updated by tijl:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8672992ef7f072f87304e953231de77179143f1d

commit 8672992ef7f072f87304e953231de77179143f1d
Author:     Tijl Coosemans <tijl@FreeBSD.org>
AuthorDate: 2022-08-13 16:52:35 +0000
Commit:     Tijl Coosemans <tijl@FreeBSD.org>
CommitDate: 2023-02-01 11:05:18 +0000

    security/p11-kit: Use base system CA certificates
    
    Drop dependency on ca_root_nss and use base system root certificates
    instead.  This allows users to add their own certificates.
    
    trust_paths now points to a directory and that directory contains
    "anchors" and "blocklist" symlinks pointing to the base system
    certificate directories.  This is based on the documentation from
    https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html.
    The list of certificates known to p11-kit can be verified by running
    "trust list".
    
    PR:             268841
    Approved by:    novel (maintainer)
---
 security/p11-kit/Makefile  | 17 ++++++++++++-----
 security/p11-kit/pkg-plist |  2 ++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/security/p11-kit/Makefile b/security/p11-kit/Makefile
index 268a528714b3..3c0f87d563c1 100644
--- a/security/p11-kit/Makefile
+++ b/security/p11-kit/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	p11-kit
 DISTVERSION=	0.24.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security devel
 MASTER_SITES=	https://github.com/p11-glue/p11-kit/releases/download/${DISTVERSION}/
 
@@ -11,9 +11,7 @@ WWW=		https://p11-glue.freedesktop.org/p11-kit.html
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/COPYING
 
-BUILD_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss \
-		bash-completion>=0:shells/bash-completion
-RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
+BUILD_DEPENDS=	bash-completion>=0:shells/bash-completion
 LIB_DEPENDS=	libffi.so:devel/libffi \
 		libtasn1.so:security/libtasn1
 
@@ -26,7 +24,7 @@ MESON_ARGS=	-Dbash_completion=enabled \
 		-Dlibffi=enabled \
 		-Dnls=false \
 		-Dtrust_module=enabled \
-		-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt
+		-Dtrust_paths=${DATADIR}/certs
 
 OPTIONS_DEFINE=		DOCS MANPAGES TEST
 OPTIONS_SUB=		yes
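Review bot: With `-Dtrust_paths=${DATADIR}/certs` the trust module's only source of anchors is a directory of symlinks into the base system, and since the ca_root_nss dependency is dropped in the same commit, nothing in the port guarantees that any root certificate is present. On a base system installed without the CA bundle (for example one built with WITHOUT_CAROOT), the `anchors` link would presumably dangle and consumers would see an empty trust store rather than a build or install error. I would document this next to the option, e.g. `# trust_paths: anchors/blocklist are symlinks into /usr/share/certs (base); empty if base ships no CA bundle`, and consider a pkg-message telling administrators to confirm the result with `trust list`. The MESON_ARGS assignment starts above this hunk, so other arguments are not visible here.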
@@ -43,9 +41,18 @@ MANPAGES_MESON_TRUE=	man
 
 TEST_MESON_TRUE=	test
 
+.include <bsd.port.options.mk>
+
 post-install:
 	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	${MV} ${STAGEDIR}${PREFIX}/etc/pkcs11/pkcs11.conf.example ${STAGEDIR}${EXAMPLESDIR}
 	${RMDIR} ${STAGEDIR}${PREFIX}/etc/pkcs11
+	${MKDIR} ${STAGEDIR}${DATADIR}/certs
+	${LN} -s /usr/share/certs/trusted ${STAGEDIR}${DATADIR}/certs/anchors
+.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1400024
+	${LN} -s /usr/share/certs/blacklisted ${STAGEDIR}${DATADIR}/certs/blocklist
+.else
+	${LN} -s /usr/share/certs/untrusted ${STAGEDIR}${DATADIR}/certs/blocklist
+.endif
 
 .include <bsd.port.mk>
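Review bot: The blocklist symlink target is fixed when the package is built, by the `.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1400024` test in post-install, so a package built below that version and kept across an upgrade to a newer base would likely leave `certs/blocklist` pointing at a directory that no longer exists. How p11-kit treats a dangling blocklist path is not visible in this diff; if it reads it as empty, certificates the base system distrusts would silently stop being excluded. Both links also target only `/usr/share/certs`, so it is worth confirming that certificates an administrator adds or distrusts locally are actually stored under those paths. I would add a comment above the conditional such as `# blocklist target is chosen at build time; base uses "untrusted" from OSVERSION 1400024 on`, and a pkg-message asking users to reinstall the package after a major upgrade and check `trust list`.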
diff --git a/security/p11-kit/pkg-plist b/security/p11-kit/pkg-plist
index 7341c822cc7f..dac887134044 100644
--- a/security/p11-kit/pkg-plist
+++ b/security/p11-kit/pkg-plist
@@ -61,5 +61,7 @@ share/bash-completion/completions/trust
 %%DOCS%%share/gtk-doc/html/p11-kit/trust.html
 %%DOCS%%share/gtk-doc/html/p11-kit/up-insensitive.png
 %%DOCS%%share/gtk-doc/html/p11-kit/up.png
+%%DATADIR%%/certs/anchors
+%%DATADIR%%/certs/blocklist
 %%DATADIR%%/modules/p11-kit-trust.module
 %%EXAMPLESDIR%%/pkcs11.conf.example


