diff options
author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2023-10-08 04:36:54 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2023-10-08 04:36:54 +0000 |
commit | 52e0c40367d3ebd09ab7169e025c37fbf70b8dee (patch) | |
tree | 8d7d7b4aee9b0196c5f5bf14ebca84a9779804c8 /security/ca_root_nss | |
parent | ad1735c56bfa158a9b3fda41077a0db4c179e045 (diff) | |
download | ports-52e0c40367d3ebd09ab7169e025c37fbf70b8dee.tar.gz ports-52e0c40367d3ebd09ab7169e025c37fbf70b8dee.zip |
security/ca_root_nss: Restore the ETC_SYMLINK.
It turns out that some ports have an undisclosed dependency on the
symlink and cannot be trivially changed to use the system trust
store instead.
Amend the package message to make it clear that software which relies
on this symlink is not following recommended practice.
I will look into getting certctl(8) to provide cert.pem instead, but
it may take a while until we can rely on this being in place on all
supported releases.
This partly reverts commit 483e74f44b82.
PR: 274322
MFH: 2023Q4
Reviewed by: fluffy
Differential Revision: https://reviews.freebsd.org/D42120
Diffstat (limited to 'security/ca_root_nss')
-rw-r--r-- | security/ca_root_nss/Makefile | 12 | ||||
-rw-r--r-- | security/ca_root_nss/files/pkg-message.in | 15 | ||||
-rw-r--r-- | security/ca_root_nss/pkg-plist | 3 |
3 files changed, 27 insertions, 3 deletions
diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile index 3abe00856c78..91741dc352ef 100644 --- a/security/ca_root_nss/Makefile +++ b/security/ca_root_nss/Makefile @@ -1,6 +1,6 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} @@ -17,8 +17,14 @@ USE_PERL5= build NO_ARCH= yes WRKSRC_SUBDIR= nss +OPTIONS_DEFINE= ETCSYMLINK +OPTIONS_DEFAULT= ETCSYMLINK + OPTIONS_SUB= yes +ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem +ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* + CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} @@ -43,4 +49,8 @@ do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/openssl ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample +do-install-ETCSYMLINK-on: + ${MKDIR} ${STAGEDIR}/etc/ssl + ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem + .include <bsd.port.mk> diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in index a28b233e6599..b272b6030486 100644 --- a/security/ca_root_nss/files/pkg-message.in +++ b/security/ca_root_nss/files/pkg-message.in @@ -5,8 +5,19 @@ FreeBSD does not, and can not warrant that the certification authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. -Assessment and verification of trust is the complete responsibility of the -system administrator. +Assessment and verification of trust is the complete responsibility of +the system administrator. + +This package installs symlinks to support root certificate discovery +for software that either uses other cryptographic libraries than +OpenSSL, or use OpenSSL but do not follow recommended practice. + +If you prefer to do this manually, replace the following symlinks with +either an empty file or your site-local certificate bundle. + + * /etc/ssl/cert.pem + * %%PREFIX%%/etc/ssl/cert.pem + * %%PREFIX%%/openssl/cert.pem EOM } ] diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist index ef04e1ffd140..81d723328b37 100644 --- a/security/ca_root_nss/pkg-plist +++ b/security/ca_root_nss/pkg-plist @@ -1,4 +1,7 @@ %%CERTDIR%%/ca-root-nss.crt +@sample etc/ssl/cert.pem.sample +@sample openssl/cert.pem.sample +%%ETCSYMLINK%%/etc/ssl/cert.pem @postexec certctl rehash @postunexec certctl rehash @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt |