[pkg-java] r13564 - in trunk: . ca-certificates-java ca-certificates-java/debian ca-certificates-java/debian/source
Torsten Werner
twerner at alioth.debian.org
Sun Apr 24 22:06:35 UTC 2011
Author: twerner
Date: 2011-04-24 22:06:29 +0000 (Sun, 24 Apr 2011)
New Revision: 13564
Added:
trunk/ca-certificates-java/
trunk/ca-certificates-java/debian/
trunk/ca-certificates-java/debian/README.Debian
trunk/ca-certificates-java/debian/changelog
trunk/ca-certificates-java/debian/compat
trunk/ca-certificates-java/debian/control
trunk/ca-certificates-java/debian/copyright
trunk/ca-certificates-java/debian/default
trunk/ca-certificates-java/debian/jks-keystore.hook
trunk/ca-certificates-java/debian/postinst
trunk/ca-certificates-java/debian/postrm
trunk/ca-certificates-java/debian/rules
trunk/ca-certificates-java/debian/source/
trunk/ca-certificates-java/debian/source/format
Log:
[svn-inject] Installing original source of ca-certificates-java (20100412)
Added: trunk/ca-certificates-java/debian/README.Debian
===================================================================
--- trunk/ca-certificates-java/debian/README.Debian (rev 0)
+++ trunk/ca-certificates-java/debian/README.Debian 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,15 @@
+ca-certificates-java for Debian
+-------------------------------
+
+This package uses the hooks of the ca-certificates package to update the
+JKS keystore used for many java runtimes. The alias used to store the
+certificate is the basename without the trailing '.crt', with all uppercase
+letters translated to lowercase letters, and all repeated non alphanumeric
+characters replaced and squeezed by a single `_'.
+
+Could be part of ca-certificates, if openjdk is in main.
+
+ca-certificates-java doesn't automagically handle local certificates,
+although these are not overwritten on updates.
+
+ -- Matthias Klose <doko at ubuntu.com> Mon, 02 Jun 2008 14:52:46 +0000
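Review bot: The last paragraph ("doesn't automagically handle local certificates, although these are not overwritten on updates") does not tell an administrator what to do, and it reads oddly next to the 20081022 changelog entry in this same commit ("On initial install, add locally added certificates") and to postinst, which copies the pregenerated keystore over $KEYSTORE on first configure. Suggest stating which certificates are imported automatically, which need a manual keytool import, and what survives an update. The alias rule above is also lossy (file names that differ only in case or punctuation map to the same alias), which is worth one sentence here because the hook reports such a certificate as "already exists" and skips it.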
Added: trunk/ca-certificates-java/debian/changelog
===================================================================
--- trunk/ca-certificates-java/debian/changelog (rev 0)
+++ trunk/ca-certificates-java/debian/changelog 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,105 @@
+ca-certificates-java (20100412) unstable; urgency=low
+
+ * Upload to unstable.
+
+ -- Matthias Klose <doko at ubuntu.com> Mon, 12 Apr 2010 03:15:47 +0200
+
+ca-certificates-java (20100406ubuntu1) lucid; urgency=low
+
+ * Make the installation and import of certificates more robust,
+ if the NSS based security provider is disabled or not built.
+
+ -- Matthias Klose <doko at ubuntu.com> Sun, 11 Apr 2010 20:54:43 +0200
+
+ca-certificates-java (20100406) unstable; urgency=low
+
+ * Explicitely fail the installation, if /proc is not mounted.
+ Currently required by the java tools, changed in OpenJDK7.
+ Closes: #576453. LP: #556044.
+ * Print name of JVM in case of errors.
+ * Set priority to optional, set section to java. Closes: #566855.
+ * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853.
+
+ -- Matthias Klose <doko at debian.org> Tue, 06 Apr 2010 21:41:39 +0200
+
+ca-certificates-java (20091021) unstable; urgency=low
+
+ * Clarify output for keytool errors (although it shouldnn't be
+ necessary anymore). Closes: #540490.
+
+ -- Matthias Klose <doko at ubuntu.com> Wed, 21 Oct 2009 22:00:53 +0200
+
+ca-certificates-java (20090928) karmic; urgency=low
+
+ * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with
+ ca-certificates 20090814.
+
+ -- Matthias Klose <doko at ubuntu.com> Mon, 28 Sep 2009 16:47:09 +0200
+
+ca-certificates-java (20090629) unstable; urgency=low
+
+ * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out
+ SHA384withECDSA certificates since keytool won't support them.
+ LP: #392104, closes: #534520.
+ * Fix typo in hook. Closes: #534533.
+ * Use java6-runtime-headless as alternative dependency. Closes: #512293.
+
+ -- Matthias Klose <doko at ubuntu.com> Mon, 29 Jun 2009 11:27:59 +0200
+
+ca-certificates-java (20081028) unstable; urgency=low
+
+ * Ignore LANG and LC_ALL setting when running keytool. LP: #289934.
+
+ -- Matthias Klose <doko at debian.org> Tue, 28 Oct 2008 07:20:16 +0100
+
+ca-certificates-java (20081027) unstable; urgency=medium
+
+ * Merge from Ubuntu:
+ - Don't try to import certificates, which are listed in
+ /etc/ca-certificates.conf, but not available on the system.
+ Just warn about those. LP: #289091.
+ - Need to run keytool, when the jre is unpacked, but not yet configured.
+ Create a temporary jvm.cfg for the time in that postinst and the
+ jks-keystore.hook are run, and remove it afterwards. LP: #289199.
+
+ -- Matthias Klose <doko at debian.org> Mon, 27 Oct 2008 13:58:14 +0100
+
+ca-certificates-java (20081024) unstable; urgency=low
+
+ * Install /etc/default/cacerts with mode 600.
+
+ -- Matthias Klose <doko at debian.org> Fri, 24 Oct 2008 15:10:48 +0200
+
+ca-certificates-java (20081022) unstable; urgency=low
+
+ * debian/jks-keystore.hook:
+ - Don't stop after first error during the update. LP: #244412.
+ Closes: #489748.
+ - Call keytool with -noprompt.
+ * On initial install, add locally added certificates. LP: #244410.
+ Closes: #489748.
+ * Install /etc/default/cacerts to set options:
+ - storepass, holding the password for the keystore.
+ - updates, to enable/disable updates of the keystore.
+ * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587.
+
+ -- Matthias Klose <doko at ubuntu.com> Wed, 22 Oct 2008 20:51:24 +0200
+
+ca-certificates-java (20080712) unstable; urgency=low
+
+ * Upload to main.
+
+ -- Matthias Klose <doko at ubuntu.com> Sat, 12 Jul 2008 12:19:00 +0200
+
+ca-certificates-java (20080711) unstable; urgency=low
+
+ * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408.
+
+ -- Matthias Klose <doko at ubuntu.com> Fri, 11 Jul 2008 20:38:04 +0200
+
+ca-certificates-java (20080514) unstable; urgency=low
+
+ * Initial release.
+
+ -- Matthias Klose <doko at ubuntu.com> Mon, 02 Jun 2008 14:52:46 +0000
+
Added: trunk/ca-certificates-java/debian/compat
===================================================================
--- trunk/ca-certificates-java/debian/compat (rev 0)
+++ trunk/ca-certificates-java/debian/compat 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1 @@
+6
Added: trunk/ca-certificates-java/debian/control
===================================================================
--- trunk/ca-certificates-java/debian/control (rev 0)
+++ trunk/ca-certificates-java/debian/control 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,15 @@
+Source: ca-certificates-java
+Section: java
+Priority: optional
+Maintainer: OpenJDK Team <openjdk at lists.launchpad.net>
+Uploaders: Matthias Klose <doko at ubuntu.com>
+Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
+Standards-Version: 3.8.4
+
+Package: ca-certificates-java
+Architecture: all
+Depends: ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends}
+Recommends: libnss3-1d
+Description: Common CA certificates (JKS keystore)
+ This package uses the hooks of the ca-certificates package to update the
+ cacerts JKS keystore used for many java runtimes.
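Review bot: The Depends line accepts `java6-runtime-headless` as an alternative, but postinst and jks-keystore.hook only probe /usr/lib/jvm/java-6-openjdk and java-6-sun (plus java-6-cacao in the hook) for keytool, and neither checks that the loop actually found one. A system that satisfies the dependency through another provider ends up with JAVA_HOME set to the last name in the list and a jvm.cfg written under /etc for a JVM that is not installed. Either narrow the alternative to the runtimes the scripts support or make the scripts fail with a clear message when no keytool is found.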
Added: trunk/ca-certificates-java/debian/copyright
===================================================================
--- trunk/ca-certificates-java/debian/copyright (rev 0)
+++ trunk/ca-certificates-java/debian/copyright 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,15 @@
+This package was debianized by Matthias Klose <doko at ubuntu.com>
+on Mon, 02 Jun 2008 14:52:46 +0000.
+
+Upstream Author:
+
+ Matthias Klose <doko at ubuntu.com>
+
+Copyright:
+
+ <Copyright (C) 2008 Canonical Ltd>
+
+License:
+
+The Debian package is (C) 2008, Canonical Ltd and
+is licensed under the GPL, see `/usr/share/common-licenses/GPL'.
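Review bot: The License section says "licensed under the GPL" without naming a version, and the pointer goes to the unversioned `/usr/share/common-licenses/GPL`. Suggest stating the version that applies and pointing to the matching versioned file. The Copyright field also still carries the template's angle brackets (`<Copyright (C) 2008 Canonical Ltd>`), which should be dropped.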
Added: trunk/ca-certificates-java/debian/default
===================================================================
--- trunk/ca-certificates-java/debian/default (rev 0)
+++ trunk/ca-certificates-java/debian/default 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,10 @@
+# defaults for ca-certificates-java
+
+# The password which is used to protect the integrity of the keystore.
+# storepass must be at least 6 characters long. It must be provided to
+# all commands that access the keystore contents.
+# Only change this if adding private certificates.
+#storepass=''
+
+# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
+cacerts_updates=yes
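Review bot: The commented example `#storepass=''` is an empty string, which contradicts the "at least 6 characters" rule two lines above it and hides the value that is actually in effect: both postinst and jks-keystore.hook fall back to 'changeit'. Suggest showing that fallback in the example, and adding a line that this file only tells the scripts which password to pass to keytool. The keystore itself is built in debian/rules with 'changeit', so setting a different value here without re-keying the keystore makes every keytool call in the hook fail.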
Added: trunk/ca-certificates-java/debian/jks-keystore.hook
===================================================================
--- trunk/ca-certificates-java/debian/jks-keystore.hook (rev 0)
+++ trunk/ca-certificates-java/debian/jks-keystore.hook 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,112 @@
+#! /bin/sh
+
+set -e
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+ . /etc/default/cacerts
+fi
+
+KEYSTORE=/etc/ssl/certs/java/cacerts
+
+echo ""
+if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
+ echo "updates of cacerts keystore disabled."
+ exit 0
+fi
+
+if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+fi
+
+for jvm in java-6-openjdk java-6-sun java-6-cacao; do
+ if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then
+ break
+ fi
+done
+export JAVA_HOME=/usr/lib/jvm/$jvm
+PATH=$JAVA_HOME/bin:$PATH
+
+temp_jvm_cfg=
+if [ ! -f /etc/$jvm/jvm.cfg ]; then
+ # the jre is not yet configured, but jvm.cfg is needed to run it
+ temp_jvm_cfg=/etc/$jvm/jvm.cfg
+ mkdir -p /etc/$jvm
+ printf -- "-server KNOWN\n" > $temp_jvm_cfg
+fi
+
+# read lines of the form: [+-]/etc/ssl/certs/*.pem
+
+echo "updating keystore $KEYSTORE..."
+
+errors=0
+log=$(tempfile)
+while read line; do
+ pem=${line#[+-]*}
+ alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+ alias=${alias%*_}
+ LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
+ -storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
+ && exists=yes || exists=no
+ case "$line" in
+ +*)
+ if [ "$exists" = yes ]; then
+ echo " already exists: ${line#+*}"
+ else
+ if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+ -keystore $KEYSTORE -noprompt -storepass "$storepass" \
+ -alias "$alias" -file "$pem" > $log 2>&1
+ then
+ echo " added: ${line#+*}"
+ elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+ -keystore $KEYSTORE -noprompt -storepass "$storepass" \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg '${java.home}/lib/security/nss.cfg' \
+ -alias "$alias" -file "$pem" > $log 2>&1
+ then
+ echo " added: ${line#+*} (using NSS provider)"
+ elif grep -q 'Signature not available' $log; then
+ echo " ignored import, signature not available: ${line#+*}"
+ cat $log
+ else
+ echo >&2 " error adding ${line#+*}"
+ errors=$(expr $errors + 1)
+ fi;
+ fi
+ ;;
+ -*)
+ if [ "$exists" = yes ]; then
+ if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ -noprompt -storepass "$storepass" \
+ -alias "$alias"
+ then
+ echo " removed ${line#-*}"
+ elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ -noprompt -storepass "$storepass" \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg '${java.home}/lib/security/nss.cfg' \
+ -alias "$alias"
+ then
+ echo " removed ${line#-*} (using NSS provider)"
+ else
+ echo >&2 " error removing ${line#+*}"
+ errors=$(expr $errors + 1)
+ fi
+ else
+ echo " does not exist: ${line#-*}"
+ fi
+ ;;
+ *)
+ echo >&2 " $0: Unknown line $line"
+ esac
+done
+rm -f $log
+
+[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+
+if [ $errors -gt 0 ]; then
+ echo >&2 "failed (VM used: $jvm)."
+ exit 1
+fi
+echo "done."
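Review bot: The alias computation at `basename $pem .crt` does not match the input format the comment above the loop documents (`[+-]/etc/ssl/certs/*.pem`). If lines really end in .pem, the suffix is not stripped and the alias becomes e.g. `foo_pem`, while debian/rules and postinst create `foo` from the .crt name. The `-list` check then never finds the existing entry, so a `-` line prints "does not exist" and the certificate stays in the keystore, and a `+` line imports a second copy under a new alias. Please strip both suffixes or correct the comment, and quote `"$pem"` in the basename call. Smaller point in the same loop: the error message in the `-*)` branch uses `${line#+*}` where `${line#-*}` is meant.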
Added: trunk/ca-certificates-java/debian/postinst
===================================================================
--- trunk/ca-certificates-java/debian/postinst (rev 0)
+++ trunk/ca-certificates-java/debian/postinst 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,133 @@
+#!/bin/bash
+
+set -e
+
+KEYSTORE=/etc/ssl/certs/java/cacerts
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+ . /etc/default/cacerts
+fi
+
+setup_path()
+{
+ for jvm in java-6-openjdk java-6-sun; do
+ if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then
+ break
+ fi
+ done
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+}
+
+first_install()
+{
+ cacertdir=/usr/share/ca-certificates
+ log=$(tempfile)
+
+ # aliases of pregenerated files
+ pregenerated=$(tempfile)
+ LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
+ | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
+ | sort > $pregenerated
+
+ grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \
+ errors=0
+ while read line; do
+ pem=${line#!*}
+ alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+ alias=${alias%*_}
+ case "$line" in
+ !*)
+ # remove untrusted certificate
+ if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ -storepass "$storepass" -alias "$alias" >/dev/null
+ then
+ echo " removed untrusted certificate $pem"
+ else
+ # not (anymore) in keystore
+ :
+ fi;;
+ *)
+ # add certificate not yet in keystore
+ if [ ! -f "$cacertdir/$pem" ]; then
+ echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
+ echo >&2 "warning: but $cacertdir/$pem does not exist."
+ continue
+ fi
+ if ! grep -q "^${alias}$" $pregenerated; then
+ if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+ -noprompt -storepass "$storepass" \
+ -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
+ then
+ echo " added certificate $pem"
+ elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg '${java.home}/lib/security/nss.cfg' \
+ -noprompt -storepass "$storepass" \
+ -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
+ then
+ echo " added certificate $pem (using NSS provider)"
+ elif grep -q 'Signature not available' $log; then
+ echo " ignored import, signature not available: ${line#+*}"
+ sed -e 's/^/ -> /' $log
+ else
+ echo >&2 " error adding ${line#+*}"
+ errors=$(expr $errors + 1)
+ fi
+ fi
+ esac
+ done
+ rm -f $log
+ rm -f $pregenerated
+ if [ $errors -gt 0 ]; then
+ echo >&2 "failed (VM used: $jvm)."
+ [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+ exit 1
+ fi
+ echo "done."
+ )
+}
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ setup_path
+
+ if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+ fi
+
+ if [ ! -f /etc/$jvm/jvm.cfg ]; then
+ # the jre is not yet configured, but jvm.cfg is needed to run it
+ temp_jvm_cfg=/etc/$jvm/jvm.cfg
+ mkdir -p /etc/$jvm
+ printf -- "-server KNOWN\n" > $temp_jvm_cfg
+ fi
+
+ # on first install, remove certs untrusted by the
+ # user/admininstrator, add locally added certs
+ echo "creating $KEYSTORE..."
+ cp /usr/share/ca-certificates-java/cacerts $KEYSTORE
+ first_install
+
+ [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+ fi
+ chmod 600 /etc/default/cacerts || true
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
+
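Review bot: In first_install, the `!*)` branch treats every failure of `keytool -delete` as "not (anymore) in keystore" and moves on without touching `errors`. A wrong storepass or a JVM that fails to start produces the same exit status, so a certificate the administrator deselected in /etc/ca-certificates.conf can remain trusted in the copied keystore while the script still prints "done.". Suggest checking for the alias first (jks-keystore.hook already does this with `keytool -list ... -alias`, and `$pregenerated` is available here) and counting a failed delete of an existing alias as an error. Related: the `keytool -list | awk | sort` pipeline that fills `$pregenerated` only reports the status of `sort`, so a keytool failure there goes unnoticed as well.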
Added: trunk/ca-certificates-java/debian/postrm
===================================================================
--- trunk/ca-certificates-java/debian/postrm (rev 0)
+++ trunk/ca-certificates-java/debian/postrm 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ purge)
+ rm -f /etc/ca-certificates/update.d/jks-keystore
+ rm -rf /etc/ssl/certs/java
+ rmdir /etc/ssl/certs 2>/dev/null || true
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
+
Added: trunk/ca-certificates-java/debian/rules
===================================================================
--- trunk/ca-certificates-java/debian/rules (rev 0)
+++ trunk/ca-certificates-java/debian/rules 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,85 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+d = debian/ca-certificates-java
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+ rm -rf build
+ mkdir -p build
+ set -e; \
+ yes | \
+ for crt in $$(find /usr/share/ca-certificates -name '*.crt' -printf '%P '); do \
+ alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \
+ alias=$${alias%*_}; \
+ echo "IMPORT: $$crt, alias=$$alias"; \
+ if keytool -importcert -trustcacerts -keystore build/cacerts \
+ -storepass 'changeit' \
+ -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
+ then \
+ cat keytool.log; \
+ elif keytool -importcert -trustcacerts -keystore build/cacerts \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg '$${java.home}/lib/security/nss.cfg' \
+ -storepass 'changeit' \
+ -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
+ then \
+ cat keytool.log; \
+ elif grep -q 'Signature not available' keytool.log; then \
+ echo "IGNORED IMPORT: $$crt, alias=$$alias"; \
+ cat keytool.log; \
+ else \
+ cat keytool.log; \
+ false; \
+ fi; \
+ done
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+ rm -rf build
+ rm -f keytool.log
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs \
+ usr/share/ca-certificates-java \
+ etc/default \
+ etc/ssl/certs/java \
+ etc/ca-certificates/update.d \
+
+ install -m755 debian/jks-keystore.hook \
+ $(d)/etc/ca-certificates/update.d/jks-keystore
+ install -m644 build/cacerts \
+ $(d)/usr/share/ca-certificates-java/
+ install -m600 debian/default \
+ $(d)/etc/default/cacerts
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
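Review bot: The import loop in build-stamp feeds `yes |` into keytool instead of passing `-noprompt`, which jks-keystore.hook and postinst both use. With `yes`, every question keytool asks is answered affirmatively, not only the trust prompt, so an unexpected prompt cannot stop the build. Suggest switching to `-noprompt` for consistency. The loop also runs whichever keytool is first on PATH and imports every *.crt found under /usr/share/ca-certificates on the build machine, so the shipped keystore depends on build host state; pinning the keytool path as the maintainer scripts do would make the result easier to audit.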
Property changes on: trunk/ca-certificates-java/debian/rules
___________________________________________________________________
Added: svn:executable
+
Added: trunk/ca-certificates-java/debian/source/format
===================================================================
--- trunk/ca-certificates-java/debian/source/format (rev 0)
+++ trunk/ca-certificates-java/debian/source/format 2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1 @@
+3.0 (native)