From nobody Wed Feb 1 11:06:09 2023
Date: Wed, 1 Feb 2023 11:06:09 GMT
Message-Id: <202302011106.311B69eg003549@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Tijl Coosemans
Subject: git: 8672992ef7f0 - main - security/p11-kit: Use base system CA certificates
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tijl
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8672992ef7f072f87304e953231de77179143f1d
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by tijl:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8672992ef7f072f87304e953231de77179143f1d

commit 8672992ef7f072f87304e953231de77179143f1d
Author: Tijl Coosemans
AuthorDate: 2022-08-13 16:52:35 +0000
Commit: Tijl Coosemans
CommitDate: 2023-02-01 11:05:18 +0000

    security/p11-kit: Use base system CA certificates

    Drop dependency on ca_root_nss and use base system root certificates
    instead. This allows users to add their own certificates.

    trust_paths now points to a directory and that directory contains
    "anchors" and "blocklist" symlinks pointing to the base system
    certificate directories. This is based on the documentation from
    https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html.

    The list of certificates known to p11-kit can be verified by running
    "trust list".

    PR: 268841
    Approved by: novel (maintainer)

--- security/p11-kit/Makefile | 17 ++++++++++++----- security/p11-kit/pkg-plist | 2 ++ 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/security/p11-kit/Makefile b/security/p11-kit/Makefile index 268a528714b3..3c0f87d563c1 100644 --- a/security/p11-kit/Makefile +++ b/security/p11-kit/Makefile
@@ -1,6 +1,6 @@ PORTNAME= p11-kit DISTVERSION= 0.24.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security devel MASTER_SITES= https://github.com/p11-glue/p11-kit/releases/download/${DISTVERSION}/ @@ -11,9 +11,7 @@ WWW= https://p11-glue.freedesktop.org/p11-kit.html LICENSE= BSD3CLAUSE LICENSE_FILE= ${WRKSRC}/COPYING -BUILD_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss \ - bash-completion>=0:shells/bash-completion -RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss +BUILD_DEPENDS= bash-completion>=0:shells/bash-completion LIB_DEPENDS= libffi.so:devel/libffi \ libtasn1.so:security/libtasn1 @@ -26,7 +24,7 @@ MESON_ARGS= -Dbash_completion=enabled \ -Dlibffi=enabled \ -Dnls=false \ -Dtrust_module=enabled \ - -Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt + -Dtrust_paths=${DATADIR}/certs OPTIONS_DEFINE= DOCS MANPAGES TEST OPTIONS_SUB= yes @@ -43,9 +41,18 @@ MANPAGES_MESON_TRUE= man TEST_MESON_TRUE= test +.include + post-install: ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} ${MV} ${STAGEDIR}${PREFIX}/etc/pkcs11/pkcs11.conf.example ${STAGEDIR}${EXAMPLESDIR} ${RMDIR} ${STAGEDIR}${PREFIX}/etc/pkcs11 + ${MKDIR} ${STAGEDIR}${DATADIR}/certs + ${LN} -s /usr/share/certs/trusted ${STAGEDIR}${DATADIR}/certs/anchors +.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1400024 + ${LN} -s /usr/share/certs/blacklisted ${STAGEDIR}${DATADIR}/certs/blocklist +.else + ${LN} -s /usr/share/certs/untrusted ${STAGEDIR}${DATADIR}/certs/blocklist +.endif .include diff --git a/security/p11-kit/pkg-plist b/security/p11-kit/pkg-plist index 7341c822cc7f..dac887134044 100644 --- a/security/p11-kit/pkg-plist +++ b/security/p11-kit/pkg-plist 
@@ -61,5 +61,7 @@ share/bash-completion/completions/trust %%DOCS%%share/gtk-doc/html/p11-kit/trust.html %%DOCS%%share/gtk-doc/html/p11-kit/up-insensitive.png %%DOCS%%share/gtk-doc/html/p11-kit/up.png +%%DATADIR%%/certs/anchors +%%DATADIR%%/certs/blocklist %%DATADIR%%/modules/p11-kit-trust.module %%EXAMPLESDIR%%/pkcs11.conf.example
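
Review bot: The post-install block in the @@ -43,9 +41,18 @@ hunk of security/p11-kit/Makefile picks the blocklist target from ${OSVERSION} at build time, so a package built on one side of 1400024 and installed on the other gets a blocklist symlink to a directory name that system does not use, and nothing in the port checks that either link resolves. A dangling blocklist is the worse failure of the two because it is silent: distrusted certificates would simply not be listed as such. Please add a comment recording what changed at 1400024, and a pkg-message line telling users to confirm that ${DATADIR}/certs/anchors and ${DATADIR}/certs/blocklist resolve and that "trust list" shows the expected entries. The .else branch is also taken for any OPSYS other than FreeBSD; if that is intended, say so in the comment.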
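
Review bot: Removing RUN_DEPENDS on security/ca_root_nss in the @@ -11,9 +11,7 @@ hunk, together with -Dtrust_paths=${DATADIR}/certs in the @@ -26,7 +24,7 @@ hunk, changes which root certificates p11-kit consumers trust on upgrade, but the patch carries no pkg-message or UPDATING text saying so. The commit message states that users can now add their own certificates, yet the only anchors location the patch wires up is the symlink to /usr/share/certs/trusted, and it is not documented where a locally added certificate has to be placed to be picked up. A short pkg-message naming that location and repeating the "trust list" check from the commit message would cover both points.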