[Git][java-team/ca-certificates-java][master] 26 commits: switch to debhelper-compat (= 13)
Matthias Klose
gitlab at salsa.debian.org
Fri Mar 19 11:14:24 GMT 2021
Matthias Klose pushed to branch master at Debian Java Maintainers / ca-certificates-java
Commits:
b59b0dcf by Andreas Beckmann at 2021-02-18T21:13:17+01:00
switch to debhelper-compat (= 13)
- - - - -
bb08d9e8 by Andreas Beckmann at 2021-02-18T21:18:22+01:00
use dh_installinit to install /etc/default/cacerts
- - - - -
ec56da1d by Andreas Beckmann at 2021-02-18T21:23:17+01:00
use dh_install to install jar and hook
- - - - -
c0c962f4 by Andreas Beckmann at 2021-02-19T21:11:35+01:00
ship /etc/default/cacerts with mode 0600
- - - - -
dfd0e87a by Andreas Beckmann at 2021-02-19T21:20:07+01:00
add test with empty command
- - - - -
5ee5835f by Andreas Beckmann at 2021-02-19T21:22:38+01:00
UpdateCertificates.java: ignore empty lines in stdin
- - - - -
63507424 by Andreas Beckmann at 2021-02-19T23:00:18+01:00
avoid warning about missing /etc/ssl/certs/java/cacerts on initial install
- - - - -
18fa5707 by Andreas Beckmann at 2021-02-19T23:04:29+01:00
do not be satisfied by java7-runtime-headless
- - - - -
1e3e4280 by Andreas Beckmann at 2021-02-19T23:24:30+01:00
remove support for upgrading from versions predating wheezy
- - - - -
3bc73bdb by Andreas Beckmann at 2021-02-19T23:47:14+01:00
clean up misplaced symlinks from ancient versions
- - - - -
62313abf by Andreas Beckmann at 2021-02-20T00:28:53+01:00
remove redundant bits from the maintainer scripts
- - - - -
049a5639 by Andreas Beckmann at 2021-02-20T01:11:43+01:00
set Rules-Requires-Root: no
- - - - -
3d8a3e1b by Andreas Beckmann at 2021-02-23T12:02:35+01:00
drop libnss3 manipulations
- - - - -
651ef32a by Andreas Beckmann at 2021-02-23T12:07:01+01:00
postinst: add a shared update_cacerts() function
- - - - -
eba4aea5 by Andreas Beckmann at 2021-02-23T12:08:21+01:00
run convert_pkcs12_keystore_to_jks from update_cacerts
- - - - -
c45c3c9b by Andreas Beckmann at 2021-02-23T02:01:09+01:00
let update_cacerts handle initial creation of cacerts
- - - - -
adec85a6 by Andreas Beckmann at 2021-02-23T12:13:02+01:00
move processing of +/- certs to new update-ca-certificates-java trigger
the hook script is executed in the context of ca-certificates
and nothing is known at that time about the configuration state
of ca-certificates-java or its rdepends
so just record the pending updates and execute them in a context
where ca-certificates-java and its rdepends are in a usable state
- - - - -
be511adf by Andreas Beckmann at 2021-02-23T12:13:12+01:00
add update-ca-certificates-java-fresh trigger
- - - - -
8821ee55 by Andreas Beckmann at 2021-02-23T12:13:17+01:00
remove obsolete certificates when building a fresh cacerts file
- - - - -
6260c58f by Andreas Beckmann at 2021-02-23T13:45:49+01:00
bump ca-certificates dependency to 20210120
- - - - -
58057f06 by Andreas Beckmann at 2021-02-23T13:46:35+01:00
skip Java certificates setup if no JRE is available
pending actions will be stored in /var/lib/ca-certificates-java
- - - - -
9825a4a7 by Andreas Beckmann at 2021-02-23T13:46:39+01:00
add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE becomes available
- - - - -
7d2d460c by Andreas Beckmann at 2021-02-23T13:47:17+01:00
demote JRE dependency to Recommends to break dependency cycle
- - - - -
33232621 by Andreas Beckmann at 2021-02-23T13:48:32+01:00
Standards-Version: 4.5.1
- - - - -
ed71672c by Andreas Beckmann at 2021-02-23T13:58:20+01:00
simplify setup_path()
- - - - -
96009a75 by Andreas Beckmann at 2021-02-23T15:34:19+01:00
close more fixed bugs
- - - - -
18 changed files:
- debian/default → debian/ca-certificates-java.cacerts.default
- debian/ca-certificates-java.dirs
- + debian/ca-certificates-java.install
- + debian/ca-certificates-java.lintian-overrides
- + debian/ca-certificates-java.postinst
- + debian/ca-certificates-java.postrm
- + debian/ca-certificates-java.preinst
- debian/ca-certificates-java.triggers
- debian/changelog
- − debian/compat
- debian/control
- + debian/jks-keystore
- − debian/jks-keystore.hook
- − debian/postinst
- − debian/postrm
- debian/rules
- src/main/java/org/debian/security/UpdateCertificates.java
- src/test/java/org/debian/security/UpdateCertificatesTest.java
Changes:
=====================================
debian/default → debian/ca-certificates-java.cacerts.default
=====================================
=====================================
debian/ca-certificates-java.dirs
=====================================
@@ -1,3 +1,2 @@
-etc/default
etc/ssl/certs/java
-etc/ca-certificates/update.d
+var/lib/ca-certificates-java
=====================================
debian/ca-certificates-java.install
=====================================
@@ -0,0 +1,2 @@
+debian/jks-keystore etc/ca-certificates/update.d/
+target/ca-certificates-java.jar usr/share/ca-certificates-java/
=====================================
debian/ca-certificates-java.lintian-overrides
=====================================
@@ -0,0 +1 @@
+non-standard-file-perm etc/default/cacerts 0600 != 0644
=====================================
debian/ca-certificates-java.postinst
=====================================
@@ -0,0 +1,181 @@
+#!/bin/sh
+set -e
+
+# use the locale C.UTF-8
+unset LC_ALL
+LC_CTYPE=C.UTF-8
+export LC_CTYPE
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+ . /etc/default/cacerts
+fi
+
+arch=`dpkg --print-architecture`
+JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+
+setup_path()
+{
+ for version in 8 9 10 11 12 13 14 15 16 17 ; do
+ for jvm in \
+ java-${version}-openjdk-${arch} \
+ java-${version}-openjdk \
+ oracle-java${version}-jre-${arch} \
+ oracle-java${version}-server-jre-${arch} \
+ oracle-java${version}-jdk-${arch}
+ do
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+ break 2
+ fi
+ done
+ done
+
+ if ! which java >/dev/null; then
+ echo "No JRE found. Skipping Java certificates setup."
+ exit 0
+ fi
+}
+
+check_proc()
+{
+ if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+ fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+ check_proc
+ if ! keytool -importkeystore \
+ -srckeystore /etc/ssl/certs/java/cacerts \
+ -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+ -srcstoretype PKCS12 \
+ -deststoretype JKS \
+ -srcstorepass "$storepass" \
+ -deststorepass "$storepass" \
+ -noprompt; then
+ echo "failed to convert PKCS12 keystore to JKS" >&2
+ exit 1
+ fi
+
+ # only update if /etc/default/cacerts allows
+ if [ "$cacerts_updates" = "yes" ]; then
+ mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+ mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+ fi
+}
+
+find_pem_files()
+{
+ find $ETCCERTSDIR -type l -name \*.pem | sort | while read symlink ; do
+ case $(readlink "$symlink") in
+ $CERTSDIR*|$LOCALCERTSDIR*)
+ echo "$symlink"
+ ;;
+ esac
+ done
+}
+
+update_cacerts()
+{
+ if [ "$cacerts_updates" != "yes" ] || [ "$CACERT_UPDATES" = "disabled" ]; then
+ echo "Updates of cacerts keystore are disabled."
+ exit 0
+ fi
+
+ setup_path
+
+ if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
+ convert_pkcs12_keystore_to_jks
+ rm /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+ fi
+
+ if [ -f /var/lib/ca-certificates-java/fresh ]; then
+ >/var/lib/ca-certificates-java/fresh
+ pem_files=$(find_pem_files)
+
+ if [ -f "$CACERTS" ]; then
+ check_proc
+ cacerts_aliases=$(keytool -cacerts -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+ etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
+ for alias in $cacerts_aliases ; do
+ case " $etc_ssl_certs_aliases " in
+ *" ${alias} "*)
+ : # keep
+ ;;
+ *)
+ echo "-${alias}" >> /var/lib/ca-certificates-java/fresh
+ ;;
+ esac
+ done
+ fi
+
+ for pem in $pem_files ; do
+ echo "+${pem}" >> /var/lib/ca-certificates-java/fresh
+ done
+ fi
+
+ if [ -s /var/lib/ca-certificates-java/fresh ]; then
+ java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/fresh
+ elif [ -s /var/lib/ca-certificates-java/pending ]; then
+ java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/pending
+ fi
+ echo "done."
+
+ rm -f /var/lib/ca-certificates-java/fresh
+ rm -f /var/lib/ca-certificates-java/pending
+}
+
+#DEBHELPER#
+
+if [ "$1" = "configure" ]; then
+ if dpkg --compare-versions "$2" lt-nl "20210218" ; then
+ # clean up misplaced symlinks from ancient versions (#688415)
+ if [ -L /libnss3.so ]; then
+ rm -v /libnss3.so
+ fi
+ if [ -L /libsoftokn3.so ]; then
+ rm -v /libsoftokn3.so
+ fi
+
+ if [ -f /etc/default/cacerts ]; then
+ chmod 0600 /etc/default/cacerts
+ fi
+ fi
+
+ if dpkg --compare-versions "$2" lt-nl "20180516"; then
+ if [ -e /etc/ssl/certs/java/cacerts ] && \
+ [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+ touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+ fi
+ fi
+
+ # older versions may not have received all updates from ca-certificates
+ if dpkg --compare-versions "$2" lt-nl "20210218" ; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
+ # initial install
+ if [ -z "$2" ]; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
+ update_cacerts
+fi
+
+if [ "$1" = "triggered" ]; then
+ case " $2 " in
+ *" update-ca-certificates-java-fresh "*)
+ touch /var/lib/ca-certificates-java/fresh
+ ;;
+ esac
+
+ update_cacerts
+fi
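Review bot: The PKCS12 detection `"$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')"` depends on bash's `echo -en` and `\x` escapes, but this script runs under `#!/bin/sh` (the deleted debian/postinst was `#!/bin/bash`). Where /bin/sh is dash, `echo` prints `-en` literally and does not expand `\x`, so the comparison would always be true and an existing JKS keystore would be queued for conversion on upgrades from before 20180516. A portable form is `"$(printf '\376\355\376\355')"`. Separately, `-storepass "$storepass"` is passed on the keytool and java command lines, where other local users can read it from the process list while the command runs, even though /etc/default/cacerts is kept at 0600. keytool accepts `-storepass:env` and `-storepass:file` for this; whether the jar can take the password another way is not visible here.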
=====================================
debian/ca-certificates-java.postrm
=====================================
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "purge" ]; then
+ rm -rf /etc/ssl/certs/java
+ rmdir /etc/ssl/certs 2>/dev/null || true
+ rm -rf /var/lib/ca-certificates-java
+fi
+
+#DEBHELPER#
=====================================
debian/ca-certificates-java.preinst
=====================================
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+# rebuild cacerts on reinstallation after removal since certificate updates
+# that happened while the package was removed are missing
+if [ "$1" = "install" ] && [ -n "$2" ]; then
+ mkdir -p /var/lib/ca-certificates-java
+ touch /var/lib/ca-certificates-java/fresh
+fi
+
+#DEBHELPER#
=====================================
debian/ca-certificates-java.triggers
=====================================
@@ -1 +1,3 @@
-activate update-ca-certificates
+interest update-ca-certificates-java
+interest update-ca-certificates-java-fresh
+interest /usr/lib/jvm
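Review bot: All three triggers are declared with the awaiting `interest` form, so any package that changes files under /usr/lib/jvm would presumably sit in triggers-awaited until this package's `postinst triggered` run succeeds. That run can `exit 1` (for example from `check_proc` when /proc is not mounted), which would then hold up the JRE packages the series is trying to decouple from. The hook already activates the named triggers with `--no-await`, so `interest-noawait /usr/lib/jvm` (and likely the same for the two named triggers) looks like the matching declaration; worth confirming against the intended ordering.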
=====================================
debian/changelog
=====================================
@@ -1,3 +1,36 @@
+ca-certificates-java (20210218) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Switch to debhelper-compat (= 13).
+ * Set Rules-Requires-Root: no.
+ * UpdateCertificates.java: Ignore empty lines in stdin. (Closes: #795244)
+ * Avoid warning about missing /etc/ssl/certs/java/cacerts on initial
+ install.
+ * Do not be satisfied by java7-runtime-headless.
+ * Remove support for upgrading from versions predating wheezy.
+ * Clean up misplaced symlinks in the root directory left over by ancient
+ versions. (Closes: #688415)
+ * Drop libnss3 manipulations, no longer needed since openjdk-6-jre-headless
+ at least.
+ * Add update-ca-certificates-java trigger and let jks-keystore record the
+ pending certificate updates and postpone them to the processing of this
+ trigger. (Closes: #908858)
+ * Add update-ca-certificates-java-fresh trigger, will be activated by
+ update-ca-certificates -f. (Closes: #922981)
+ * Remove obsolete certificates when building a fresh cacerts file.
+ (Closes: #767272)
+ * Bump ca-certificates dependency to 20210120.
+ * Skip Java certificates setup if no JRE is available.
+ * Add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE
+ becomes available.
+ * Demote JRE dependency to Recommends to break dependency cycle.
+ (Closes: #929685, #940297)
+ * Foreign architecture JREs that place java in PATH are also usable.
+ (Closes: #776860, #864331)
+ * Bump Standards-Version to 4.5.1.
+
+ -- Andreas Beckmann <anbe at debian.org> Thu, 18 Feb 2021 21:12:52 +0100
+
ca-certificates-java (20190909) unstable; urgency=medium
* Team upload.
@@ -63,10 +96,11 @@ ca-certificates-java (20170930) unstable; urgency=medium
* Team upload.
* Revert the last two NMUs.
- - Depend again on openjdk-8 after the stretch release.
+ - Depend again on openjdk-8 after the stretch release. (Closes: #863803)
- Stop fiddling around with jvm-*.cfg files. ca-certificates-java
has no business with providing an initial cacerts file. This is
implemented in the openjdk packages. We are not 2008 anymore.
+ (Closes: #912187)
* Bump standards version.
* Remove Torsten Werner as uploader.
@@ -114,7 +148,7 @@ ca-certificates-java (20161107) unstable; urgency=medium
ca-certificates-java (20160321) unstable; urgency=medium
* Team upload.
- * Drop support for obsolete Java 6 (Closes: #776897)
+ * Drop support for obsolete Java 6 (Closes: #776897, #816541)
* Add support for Java 8 and 9 (Closes: #775775)
* Bump Standards-Version to 3.9.7 (no changes)
* Use secure HTTPS URI for Vcs-Browser
@@ -226,7 +260,7 @@ ca-certificates-java (20120524) unstable; urgency=low
[ James Page ]
* d/rules: Ensure java is built with source/target == 1.6 for backwards
- compatibility with openjdk-6.
+ compatibility with openjdk-6.
[ Damien Raude-Morvan ]
* Sync handling of nss.cfg between debian/jks-keystore.hook.in and
@@ -415,4 +449,3 @@ ca-certificates-java (20080514) unstable; urgency=low
* Initial release.
-- Matthias Klose <doko at ubuntu.com> Mon, 02 Jun 2008 14:52:46 +0000
-
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11
=====================================
debian/control
=====================================
@@ -4,19 +4,24 @@ Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Uploaders: Matthias Klose <doko at ubuntu.com>,
James Page <james.page at ubuntu.com>
-Build-Depends: debhelper (>= 11), default-jdk, javahelper, junit4
-Standards-Version: 4.4.0
+Build-Depends:
+ debhelper-compat (= 13),
+ dh-sequence-javahelper,
+ default-jdk,
+ junit4,
+Rules-Requires-Root: no
+Standards-Version: 4.5.1
Vcs-Git: https://salsa.debian.org/java-team/ca-certificates-java.git
Vcs-Browser: https://salsa.debian.org/java-team/ca-certificates-java
Package: ca-certificates-java
Architecture: all
Multi-Arch: foreign
-Depends: ca-certificates (>= 20121114),
- default-jre-headless | java8-runtime-headless,
- libnss3 (>= 3.12.10-2~),
- ${misc:Depends}
-# We need a versioned Depends due to multiarch changes (bug #635571).
+Depends:
+ ca-certificates (>= 20210120),
+ ${misc:Depends},
+Recommends:
+ default-jre-headless (>= 2:1.8) | java8-runtime-headless,
Description: Common CA certificates (JKS keystore)
This package uses the hooks of the ca-certificates package to update the
cacerts JKS keystore used for many java runtimes.
=====================================
debian/jks-keystore
=====================================
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+if [ -t 0 ]; then
+ echo "This hook script expects the list of PEM files to be added/removed" >&2
+ echo "prefixed with '+'/'-' to be piped into stdin." >&2
+ exit 1
+fi
+
+# record the pending certificate updates for later execution by the
+# triggers in ca-certificates-java
+
+mkdir -p /var/lib/ca-certificates-java
+cat - >> /var/lib/ca-certificates-java/pending
+
+case "$1" in
+ -f|--fresh)
+ dpkg-trigger --no-await update-ca-certificates-java-fresh
+ ;;
+ *)
+ dpkg-trigger --no-await update-ca-certificates-java
+ ;;
+esac
+
+# if the hook was activated by a manual run of update-ca-certificates
+# (and not from a maintainer script), ensure the triggers get processed
+
+if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
+ dpkg --triggers-only --pending
+fi
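Review bot: The new hook no longer checks that the package payload is present before acting. The deleted jks-keystore.hook exited early on `[ ! -e $JAR ]`, whereas this script always appends stdin to `/var/lib/ca-certificates-java/pending` and activates a trigger. Because the hook is installed under /etc, it likely stays behind as a conffile when the package is removed but not purged, so `pending` (and the directory created by `mkdir -p`) would keep growing with nothing left to consume it. An early `[ -e /usr/share/ca-certificates-java/ca-certificates-java.jar ] || exit 0` before the `mkdir -p` would restore the old behaviour. The preinst already marks `fresh` on reinstall, so skipping loses nothing.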
=====================================
debian/jks-keystore.hook deleted
=====================================
@@ -1,89 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# use the locale C.UTF-8
-unset LC_ALL
-LC_CTYPE=C.UTF-8
-export LC_CTYPE
-
-storepass='changeit'
-if [ -f /etc/default/cacerts ]; then
- . /etc/default/cacerts
-fi
-
-arch=`dpkg --print-architecture`
-JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
-
-nsslib_name()
-{
- if dpkg --assert-multi-arch 2>/dev/null; then
- echo "libnss3:${arch}"
- else
- echo "libnss3"
- fi
-}
-
-echo ""
-if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then
- echo "updates of cacerts keystore disabled."
- exit 0
-fi
-
-if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs (/proc)."
- exit 1
-fi
-
-for jvm in java-7-openjdk-$arch java-7-openjdk \
- oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
- java-8-openjdk-$arch java-8-openjdk \
- oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
- java-9-openjdk-$arch java-9-openjdk \
- oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
- java-10-openjdk-$arch java-10-openjdk \
- oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
- java-11-openjdk-$arch java-11-openjdk \
- oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- break
- fi
-done
-
-if dpkg-query --version >/dev/null; then
- nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
- nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
- nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
- ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
- fi
- softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1)
- if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then
- ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so
- fi
-fi
-
-do_cleanup()
-{
- [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libnss3.so
- fi
- if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \
- && [ "$softokn3pkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libsoftokn3.so
- fi
-}
-
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
- do_cleanup
-else
- do_cleanup
- exit 1
-fi
-
-echo "done."
=====================================
debian/postinst deleted
=====================================
@@ -1,165 +0,0 @@
-#!/bin/bash
-set -e
-
-# use the locale C.UTF-8
-unset LC_ALL
-LC_CTYPE=C.UTF-8
-export LC_CTYPE
-
-storepass='changeit'
-if [ -f /etc/default/cacerts ]; then
- . /etc/default/cacerts
-fi
-
-arch=`dpkg --print-architecture`
-JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
-
-nsslib_name()
-{
- if dpkg --assert-multi-arch 2>/dev/null; then
- echo "libnss3:${arch}"
- else
- echo "libnss3"
- fi
-}
-
-setup_path()
-{
- for jvm in java-7-openjdk-$arch java-7-openjdk \
- oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
- java-8-openjdk-$arch java-8-openjdk \
- oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
- java-9-openjdk-$arch java-9-openjdk \
- oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
- java-10-openjdk-$arch java-10-openjdk \
- oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
- java-11-openjdk-$arch java-11-openjdk \
- oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \
- java-12-openjdk-$arch java-12-openjdk \
- oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \
- java-13-openjdk-$arch java-13-openjdk \
- oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \
- java-14-openjdk-$arch java-14-openjdk \
- oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \
- java-15-openjdk-$arch java-15-openjdk \
- oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \
- java-16-openjdk-$arch java-16-openjdk \
- oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \
- java-17-openjdk-$arch java-17-openjdk \
- oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- break
- fi
- done
-}
-
-check_proc()
-{
- if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs (/proc)."
- exit 1
- fi
-}
-
-convert_pkcs12_keystore_to_jks()
-{
- if ! keytool -importkeystore \
- -srckeystore /etc/ssl/certs/java/cacerts \
- -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
- -srcstoretype PKCS12 \
- -deststoretype JKS \
- -srcstorepass "$storepass" \
- -deststorepass "$storepass" \
- -noprompt; then
- echo "failed to convert PKCS12 keystore to JKS" >&2
- exit 1
- fi
-
- # only update if /etc/default/cacerts allows
- if [ "$cacerts_updates" = "yes" ]; then
- mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
- mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
- fi
-}
-
-first_install()
-{
- if which dpkg-query >/dev/null; then
- nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
- nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
- nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
- ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
- fi
- fi
-
- # Forcibly remove diginotar cert (LP: #920758)
- if [ -n "$FIXOLD" ]; then
- echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \
- java -Xmx64m -jar $JAR -storepass "$storepass"
- fi
-
- find /etc/ssl/certs -name \*.pem | \
- while read filename; do
- alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
- alias=${alias%*_}
- if [ -n "$FIXOLD" ]; then
- echo "-${alias}"
- echo "-${alias}_pem"
- fi
- echo "+${filename}"
- done | \
- java -Xmx64m -jar $JAR -storepass "$storepass"
- echo "done."
-}
-
-do_cleanup()
-{
- [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libnss3.so
- fi
-}
-
-case "$1" in
- configure)
- if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
- FIXOLD="true"
- if [ -e /etc/ssl/certs/java/cacerts ]; then
- cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
- fi
- fi
-
- setup_path
-
- if dpkg --compare-versions "$2" lt "20180516"; then
- if [ -e /etc/ssl/certs/java/cacerts \
- -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
- check_proc
- convert_pkcs12_keystore_to_jks
- fi
- fi
-
- if [ -z "$2" -o -n "$FIXOLD" ]; then
- check_proc
- trap do_cleanup EXIT
- first_install
- fi
- chmod 600 /etc/default/cacerts || true
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-#DEBHELPER#
-
-exit 0
=====================================
debian/postrm deleted
=====================================
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
- purge)
- rm -f /etc/ca-certificates/update.d/jks-keystore
- rm -rf /etc/ssl/certs/java
- rmdir /etc/ssl/certs 2>/dev/null || true
- ;;
- remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- ;;
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-#DEBHELPER#
-
-exit 0
-
-
=====================================
debian/rules
=====================================
@@ -1,7 +1,7 @@
#!/usr/bin/make -f
%:
- dh $@ --with javahelper
+ dh $@
override_dh_auto_build:
mkdir target
@@ -27,12 +27,8 @@ ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
org.debian.security.UpdateCertificatesTest org.debian.security.KeyStoreHandlerTest
endif
-override_dh_auto_install:
- install -m755 debian/jks-keystore.hook debian/ca-certificates-java/etc/ca-certificates/update.d/jks-keystore
- install -m600 debian/default debian/ca-certificates-java/etc/default/cacerts
+override_dh_installinit:
+ dh_installinit --name=cacerts
- dh_install target/ca-certificates-java.jar /usr/share/ca-certificates-java/
-
-override_dh_link:
- dh_link
- rm debian/ca-certificates-java/etc/default/ca-certificates-java
+execute_after_dh_fixperms:
+ chmod 0600 debian/ca-certificates-java/etc/default/cacerts
=====================================
src/main/java/org/debian/security/UpdateCertificates.java
=====================================
@@ -86,6 +86,9 @@ public class UpdateCertificates {
* or {@link #deleteAlias(String)}.
*/
protected void parseLine(final String line) throws GeneralSecurityException, IOException, UnknownInputException {
+ if (line.isEmpty()) {
+ return;
+ }
String path = line.substring(1);
String filename = path.substring(path.lastIndexOf("/") + 1);
String alias = "debian:" + filename;
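Review bot: The new `line.isEmpty()` guard covers only the zero-length case; a line that is just `+` or `-` still passes and yields an empty `path` and the alias `debian:`, which is then handed to `keystore.addAlias` / `keystore.deleteAlias`. Lines now come from a `pending` file that several hook runs append to, so it seems worth rejecting that case as well, e.g. `if (path.isEmpty()) { throw new UnknownInputException(line); }` right after `path` is computed (a lone `x` already ends in the same exception). The Javadoc above, which starts outside this hunk, could also state `Empty lines are ignored.` The body of parseLine continues past the end of the hunk.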
@@ -93,9 +96,6 @@ public class UpdateCertificates {
keystore.addAlias(alias, path);
} else if (line.startsWith("-")) {
keystore.deleteAlias(alias);
- // Remove old non-prefixed aliases, too. This code should be
- // removed after the release of Wheezy.
- keystore.deleteAlias(filename);
} else {
throw new UnknownInputException(line);
}
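Review bot: With the non-prefixed `keystore.deleteAlias(filename)` gone, a `-` line only ever removes the `debian:` alias, and nothing here records that entries under other aliases are deliberately left alone. That matters for trust removal: the fresh rebuild in the new postinst also enumerates only `debian:`-prefixed aliases, so a CA stored under a legacy alias would presumably stay in cacerts after ca-certificates drops it. I would add a comment on the `-` branch such as `// Only debian:-prefixed aliases are managed here; other keystore entries are never removed.` The method begins before this hunk.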
=====================================
src/test/java/org/debian/security/UpdateCertificatesTest.java
=====================================
@@ -49,6 +49,16 @@ public class UpdateCertificatesTest {
keystore.delete();
}
+ /**
+ * Try to send an empty command ("") in parseLine
+ */
+ @Test
+ public void testEmptyCommand() throws Exception {
+ UpdateCertificates uc = new UpdateCertificates(ksFilename, ksPassword);
+ uc.parseLine("");
+ uc.finish();
+ }
+
/**
* Try to send an invalid command ("x") in parseLine : throw UnknownInput
*/
View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/d1bbd3f24d600c3e5486cfcb6e372d1866d2c3c4...96009a759fa3a3b940f3f3fc86f3520bdff66f0a