Hello community, here is the log from the commit of package ca-certificates-mozilla for openSUSE:Factory checked in at 2013-07-25 13:18:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ca-certificates-mozilla (Old) and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ca-certificates-mozilla" Changes: -------- --- /work/SRC/openSUSE:Factory/ca-certificates-mozilla/ca-certificates-mozilla.changes 2013-07-03 10:15:10.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/ca-certificates-mozilla.changes 2013-07-25 13:18:19.000000000 +0200 @@ -1,0 +2,15 @@ +Wed Jul 24 15:05:31 UTC 2013 - lnussel@suse.de + +- remove superfluous double quotes from certificate names + +------------------------------------------------------------------- +Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de + +- add fake basic contraints to Entrust root so p11-kit export the cert + (bnc#829471) +- add nssckbi.h that matches certdata.txt; make sure package has the + correct version number which is currently 1.93. No actual content + change in certdata.txt compared to 1.85, it's just that the + versioning scheme changed. + +------------------------------------------------------------------- New: ---- Entrust_net_Premium_2048_Secure_Server_CA.p11-kit nssckbi.h ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ca-certificates-mozilla.spec ++++++ --- /var/tmp/diff_new_pack.kNIjM0/_old 2013-07-25 13:18:21.000000000 +0200 +++ /var/tmp/diff_new_pack.kNIjM0/_new 2013-07-25 13:18:21.000000000 +0200 
@@ -24,28 +24,35 @@ BuildRequires: python Name: ca-certificates-mozilla -Version: 1.85 +# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file: +# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/ns... +Version: 1.93 Release: 0 Summary: CA certificates for OpenSSL License: MPL-2.0 Group: Productivity/Networking/Security Url: http://www.mozilla.org # IMPORTANT: procedure to update certificates: -# - Check the CVS log of the cert file: -# http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/buil... -# Alternatively hg: +# - Check the log of the cert file: # http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckf... # - download the new certdata.txt -# wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certda..." +# wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/ns..." # - run compareoldnew to show fingerprints of new and changed certificates # - check the bugs referenced in cvs log and compare the checksum # to output of compareoldnew # - Watch out that blacklisted or untrusted certificates are not # accidentally included! -Source: certdata.txt -Source1: certdata2pem.py -Source2: %{name}.COPYING -Source3: compareoldnew +Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/ns... +Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/ns... +# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval. 
+Source10: certdata2pem.py +Source11: %{name}.COPYING +Source12: compareoldnew +# make p11-kit think there are basic constraints in the Entrust +# cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064) +# Remove after the updated cert is accepted into NSS +# https://bugzilla.mozilla.org/show_bug.cgi?id=694536 +Source99: Entrust_net_Premium_2048_Secure_Server_CA.p11-kit BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch # for update-ca-certificates @@ -64,10 +71,15 @@ %prep %setup -qcT /bin/cp %{SOURCE0} . -install -m 644 %{SOURCE2} COPYING +install -m 644 %{SOURCE11} COPYING +ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"(.*)"/\1/p' < "%{SOURCE1}"` +if [ "%{version}" != "$ver" ]; then + echo "*** Version number mismatch: spec file should be version $ver" + false +fi %build -python %{SOURCE1} +python %{SOURCE10} %install mkdir -p %{buildroot}/%{trustdir_static}/anchors @@ -92,7 +104,7 @@ openssl x509 -in "$i" "${args[@]}" } > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem" done -for i in *.p11-kit; do +for i in *.p11-kit %{SOURCE99}; do install -m 644 "$i" "%{buildroot}/%{trustdir_static}" done set -x ++++++ Entrust_net_Premium_2048_Secure_Server_CA.p11-kit ++++++ [p11-kit-object-v1] label: "Add missing BasicConstraints for Entrust root" id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70" class: x-certificate-extension object-id: 2.5.29.19 x-critical: true value: "%30%03%01%01%FF" ++++++ certdata2pem.py ++++++ --- /var/tmp/diff_new_pack.kNIjM0/_old 2013-07-25 13:18:21.000000000 +0200 +++ /var/tmp/diff_new_pack.kNIjM0/_new 2013-07-25 13:18:21.000000000 +0200 
@@ -170,7 +170,7 @@ f = open(fname, 'w') if obj != None: - f.write("# alias=%s\n"%tobj['CKA_LABEL']) + f.write("# alias=%s\n"%tobj['CKA_LABEL'][1:-1]) f.write("# trust=" + " ".join(trustbits) + "\n") f.write("# distrust=" + " ".join(distrustbits) + "\n") if openssl_trustflags: ++++++ nssckbi.h ++++++ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef NSSCKBI_H #define NSSCKBI_H /* * NSS BUILTINS Version numbers. * * These are the version numbers for the builtins module packaged with * this release on NSS. To determine the version numbers of the builtin * module you are using, use the appropriate PKCS #11 calls. * * These version numbers detail changes to the PKCS #11 interface. They map * to the PKCS #11 spec versions. */ #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2 #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20 /* These version numbers detail the changes * to the list of trusted certificates. * * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped * for each NSS minor release AND whenever we change the list of * trusted certificates. 10 minor versions are allocated for each * NSS 3.x branch as follows, allowing us to change the list of * trusted certificates up to 9 times on each branch. * - NSS 3.5 branch: 3-9 * - NSS 3.6 branch: 10-19 * - NSS 3.7 branch: 20-29 * - NSS 3.8 branch: 30-39 * - NSS 3.9 branch: 40-49 * - NSS 3.10 branch: 50-59 * - NSS 3.11 branch: 60-69 * ... * - NSS 3.12 branch: 70-89 * - NSS 3.13 branch: 90-99 * - NSS 3.14 branch: 100-109 * ... * - NSS 3.29 branch: 250-255 * * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear * whether we may use its full range (0-255) or only 0-99 because * of the comment in the CK_VERSION type definition. 
*/ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93 #define NSS_BUILTINS_LIBRARY_VERSION "1.93" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0 /* These version numbers detail the semantic changes to ckbi itself * (new PKCS #11 objects), etc. */ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0 #endif /* NSSCKBI_H */
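Review bot: In the ca-certificates-mozilla.spec header hunk (@@ -24,28 +24,35 @@), Source and Source1 both point at raw-file/default/, which is a moving branch head, so the URL in the spec does not identify the certdata.txt and nssckbi.h that were actually reviewed and packaged. For a trust-anchor package, reference a fixed revision or release tag in the URL, or record the revision in a comment next to Version, so a later re-download cannot silently differ from what compareoldnew was run against. The update procedure comment also still says "check the bugs referenced in cvs log" although the CVS step was dropped, and the log link above it stays on http:// while the wget line moved to https://.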
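Review bot: In the %prep hunk (@@ -64,10 +71,15 @@), the sed expression as it appears here uses "(.*)" together with \1 but without -E or backslash-escaped parentheses; under basic regular expressions that is not a capture group, so \1 is an invalid back-reference and $ver ends up empty. The build then fails with "spec file should be version " and no number, which hides the real cause. Write the group as \(.*\) (or use sed -E), and add a separate test for an empty $ver with its own error message so a parse failure of nssckbi.h is distinguishable from a genuine version mismatch.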
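Review bot: In the %install hunk (@@ -92,7 +104,7 @@), %{SOURCE99} is installed unconditionally by the "for i in *.p11-kit %{SOURCE99}" loop, so the BasicConstraints override keeps shipping even after the Entrust certificate it targets is replaced in or dropped from certdata.txt. The spec comment says to remove it once the updated cert is accepted into NSS, but nothing enforces that. Consider a build-time check that the certificate the override is meant for is still among the generated files, and fail the build otherwise, so the workaround cannot outlive its reason.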
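Review bot: The new Entrust_net_Premium_2048_Secure_Server_CA.p11-kit file binds a critical extension (object-id 2.5.29.19, value %30%03%01%01%FF, which is the DER encoding of BasicConstraints with cA set to TRUE and no path length) to a certificate only through the opaque id field, and nothing in the package says how that id was derived. Since this changes how a root is treated by p11-kit, document next to Source99 or in the .changes entry how the id can be recomputed from the certificate, so a reviewer can confirm the override attaches to the intended Entrust root and to nothing else.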
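Review bot: In the certdata2pem.py hunk (@@ -170,7 +170,7 @@), tobj['CKA_LABEL'][1:-1] drops the first and last character unconditionally, so any label that does not arrive wrapped in double quotes loses real characters in the "# alias=" line without any error. Strip the quotes only when both are present (check that the value starts and ends with '"'), or remove them once where CKA_LABEL is parsed so every consumer sees the same value. The spec already notes this is an extra fix on top of the Fedora script pending upstream approval, which is one more reason to make it tolerant of both forms.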