From gitlab at salsa.debian.org Fri Aug 1 18:40:49 2025 From: gitlab at salsa.debian.org (=?UTF-8?B?QmFzdGllbiBSb3VjYXJpw6hzIChAcm91Y2Ep?=) Date: Fri, 01 Aug 2025 17:40:49 +0000 Subject: [Git][java-team/ca-certificates-java][master] Add salsa-ci Message-ID: <688cfc21f0126_5e81f364a0c27552f@godard.mail> Bastien Roucari?s pushed to branch master at Debian Java Maintainers / ca-certificates-java Commits: 3a13c534 by Bastien Roucari?s at 2025-08-01T19:09:32+02:00 Add salsa-ci - - - - - 2 changed files: - debian/changelog - + debian/salsa-ci.yml Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +ca-certificates-java (20250801) UNRELEASED; urgency=medium + + * Enable salsa-ci + + -- Bastien Roucari?s Fri, 01 Aug 2025 19:09:25 +0200 + ca-certificates-java (20240118) unstable; urgency=medium [ Vladimir Petko ] ===================================== debian/salsa-ci.yml ===================================== @@ -0,0 +1,4 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/3a13c534b2434a17c7c6f4ade924191ed8d22c02 -- View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/3a13c534b2434a17c7c6f4ade924191ed8d22c02 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Aug 1 19:23:08 2025 From: gitlab at salsa.debian.org (=?UTF-8?B?QmFzdGllbiBSb3VjYXJpw6hzIChAcm91Y2Ep?=) Date: Fri, 01 Aug 2025 18:23:08 +0000 Subject: [Git][java-team/ca-certificates-java][bullseye] 41 commits: switch to debhelper-compat (= 13) Message-ID: <688d060c33e6f_5e81f364df4278625@godard.mail> Bastien Roucari?s pushed to branch bullseye at Debian Java Maintainers / ca-certificates-java Commits: b59b0dcf by Andreas Beckmann at 2021-02-18T21:13:17+01:00 switch to debhelper-compat (= 13) - - - - - bb08d9e8 by Andreas Beckmann at 2021-02-18T21:18:22+01:00 use dh_installinit to install /etc/default/cacerts - - - - - ec56da1d by Andreas Beckmann at 2021-02-18T21:23:17+01:00 use dh_install to install jar and hook - - - - - c0c962f4 by Andreas Beckmann at 2021-02-19T21:11:35+01:00 ship /etc/default/cacerts with mode 0600 - - - - - dfd0e87a by Andreas Beckmann at 2021-02-19T21:20:07+01:00 add test with empty command - - - - - 5ee5835f by Andreas Beckmann at 2021-02-19T21:22:38+01:00 UpdateCertificates.java: ignore empty lines in stdin - - - - - 63507424 by Andreas Beckmann at 2021-02-19T23:00:18+01:00 avoid warning about missing /etc/ssl/certs/java/cacerts on initial install - - - - - 18fa5707 by Andreas Beckmann at 2021-02-19T23:04:29+01:00 do not be satisfied by java7-runtime-headless - - - - - 1e3e4280 by Andreas Beckmann at 2021-02-19T23:24:30+01:00 remove support for upgrading from versions predating wheezy - - - - - 3bc73bdb by Andreas Beckmann at 2021-02-19T23:47:14+01:00 clean up misplaced symlinks from ancient versions - - - - - 62313abf by Andreas Beckmann at 2021-02-20T00:28:53+01:00 remove redundant bits from the maintainer scripts - - - - - 049a5639 by Andreas Beckmann at 2021-02-20T01:11:43+01:00 set Rules-Requires-Root: no - - - - - 3d8a3e1b by Andreas Beckmann at 2021-02-23T12:02:35+01:00 drop libnss3 manipulations - - - - - 651ef32a by Andreas Beckmann at 2021-02-23T12:07:01+01:00 postinst: add a shared update_cacerts() function - - - - - eba4aea5 by Andreas Beckmann at 2021-02-23T12:08:21+01:00 run convert_pkcs12_keystore_to_jks from update_cacerts - - - - - c45c3c9b by Andreas Beckmann at 2021-02-23T02:01:09+01:00 let update_cacerts handle initial creation of cacerts - - - - - adec85a6 by Andreas Beckmann at 2021-02-23T12:13:02+01:00 move processing of +/- certs to new update-ca-certificates-java trigger the hook script is executed in the context of ca-certificates and nothing is known at that time about the configuration state of ca-certificates-java or its rdepends so just record the pending updates and execute them in a context where ca-certificates-java and its rdepends are in a usable state - - - - - be511adf by Andreas Beckmann at 2021-02-23T12:13:12+01:00 add update-ca-certificates-java-fresh trigger - - - - - 8821ee55 by Andreas Beckmann at 2021-02-23T12:13:17+01:00 remove obsolete certificates when building a fresh cacerts file - - - - - 6260c58f by Andreas Beckmann at 2021-02-23T13:45:49+01:00 bump ca-certificates dependency to 20210120 - - - - - 58057f06 by Andreas Beckmann at 2021-02-23T13:46:35+01:00 skip Java certificates setup if no JRE is available pending actions will be stored in /var/lib/ca-certificates-java - - - - - 9825a4a7 by Andreas Beckmann at 2021-02-23T13:46:39+01:00 add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE becomes available - - - - - 7d2d460c by Andreas Beckmann at 2021-02-23T13:47:17+01:00 demote JRE dependency to Recommends to break dependency cycle - - - - - 33232621 by Andreas Beckmann at 2021-02-23T13:48:32+01:00 Standards-Version: 4.5.1 - - - - - ed71672c by Andreas Beckmann at 2021-02-23T13:58:20+01:00 simplify setup_path() - - - - - 96009a75 by Andreas Beckmann at 2021-02-23T15:34:19+01:00 close more fixed bugs - - - - - 7b5bfb4e by Matthias Klose at 2022-07-19T16:05:59+02:00 * Support Java 18-21. - - - - - ea49e45b by Matthias Klose at 2022-07-19T16:06:50+02:00 * Bump Standards-Version to 4.6.0. - - - - - 0fa31d3f by Matthias Klose at 2022-07-19T16:15:04+02:00 - prepare for upload - - - - - 7ed1dec5 by Matthias Klose at 2023-01-03T09:12:32+01:00 * Promote again the JRE recommendation to a dependency. Otherwise non-default OpenJDK versions are uninstallable. - - - - - 8c64d971 by Matthias Klose at 2023-06-14T09:37:18+02:00 [ Vladimir Petko ] * Resolve circular JRE dependency (LP: #2003750, LP: #1999103, LP: #2004061) Closes: #1030129, #1037478, #1023748. - debian/ca-certificates-java.postinst: remove setup_path from "configure" stage. - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is not found. Certificates are refreshed only in response to the trigger activated by OpenJDK packages. - debian/ca-certificates-java.postinst: fix cacert enumeration command for Java 8. Closes: #1015771. - debian/control: remove JRE dependency. - debian/control: add Breaks condition. - debian/tests: add smoke tests. - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm, explicitly declare triggers as -await. - - - - - aa98c9a9 by Matthias Klose at 2023-06-14T09:37:57+02:00 * Bump standards version. - - - - - 5cc3caad by Matthias Klose at 2023-06-14T09:42:02+02:00 * Build-depend on default-jdk-headless instead of default-jdk. - - - - - 1d366c43 by Matthias Klose at 2023-06-14T18:51:34+02:00 revert Vladimir's changes - - - - - 561054ed by Matthias Klose at 2023-06-20T06:13:02+02:00 [ Vladimir Petko ] * d/ca-certificates-java.postinst: Work-around not yet configured jre. - - - - - ff182104 by Matthias Klose at 2023-07-05T15:26:08+02:00 [ Vladimir Petko ] * Resolve circular JRE dependency: - debian/ca-certificates-java.postinst: remove setup_path from "configure" stage. - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is not found. Certificates are refreshed only in response to the trigger activated by OpenJDK packages. - debian/ca-certificates-java.postinst: fix cacert enumeration command for Java 8. - debian/control: remove JRE dependency. - debian/control: add Breaks condition. - debian/tests: add smoke tests. - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm, explicitly declare triggers as -await. [ Matthias Klose ] * Adjust the breaks for Debian versions. - - - - - 7cc751df by Matthias Klose at 2023-07-07T11:14:05+02:00 upload to unstable - - - - - 420db8ec by Matthias Klose at 2023-07-10T10:01:05+02:00 * Add apt-utils to the test dependencies. - - - - - 4488fcff by Andreas Beckmann at 2024-12-22T13:44:32+00:00 Import Debian version 20230710~deb12u1 ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium . * Non-maintainer upload. * Rebuild for bookworm. (Closes: #1041419, #1037478, #929685) - - - - - 9df36402 by Bastien Roucari?s at 2025-08-01T18:58:55+02:00 Merge branch 'bookworm' into bullseye - - - - - d20256bf by Bastien Roucari?s at 2025-08-01T19:48:17+02:00 Finalize backport - - - - - 24 changed files: - debian/default ? debian/ca-certificates-java.cacerts.default - debian/ca-certificates-java.dirs - + debian/ca-certificates-java.install - + debian/ca-certificates-java.lintian-overrides - + debian/ca-certificates-java.postinst - + debian/ca-certificates-java.postrm - + debian/ca-certificates-java.preinst - debian/ca-certificates-java.triggers - debian/changelog - ? debian/compat - debian/control - + debian/jks-keystore - ? debian/jks-keystore.hook - ? debian/postinst - ? debian/postrm - debian/rules - + debian/salsa-ci.yml - + debian/tests/can-convert-keystore - + debian/tests/can-install-jre - + debian/tests/can-install-libreoffice - + debian/tests/can-install-multiple-jdks - + debian/tests/control - src/main/java/org/debian/security/UpdateCertificates.java - src/test/java/org/debian/security/UpdateCertificatesTest.java Changes: ===================================== debian/default ? debian/ca-certificates-java.cacerts.default ===================================== ===================================== debian/ca-certificates-java.dirs ===================================== @@ -1,3 +1,2 @@ -etc/default etc/ssl/certs/java -etc/ca-certificates/update.d +var/lib/ca-certificates-java ===================================== debian/ca-certificates-java.install ===================================== @@ -0,0 +1,2 @@ +debian/jks-keystore etc/ca-certificates/update.d/ +target/ca-certificates-java.jar usr/share/ca-certificates-java/ ===================================== debian/ca-certificates-java.lintian-overrides ===================================== @@ -0,0 +1 @@ +non-standard-file-perm etc/default/cacerts 0600 != 0644 ===================================== debian/ca-certificates-java.postinst ===================================== @@ -0,0 +1,174 @@ +#!/bin/sh +set -e + +# use the locale C.UTF-8 +unset LC_ALL +LC_CTYPE=C.UTF-8 +export LC_CTYPE + +storepass='changeit' +if [ -f /etc/default/cacerts ]; then + . /etc/default/cacerts +fi + +arch=`dpkg --print-architecture` +JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar +CERTSDIR=/usr/share/ca-certificates +LOCALCERTSDIR=/usr/local/share/ca-certificates +ETCCERTSDIR=/etc/ssl/certs +CACERTS=$ETCCERTSDIR/java/cacerts + +check_proc() +{ + if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 + fi +} + +convert_pkcs12_keystore_to_jks() +{ + check_proc + if ! keytool -importkeystore \ + -srckeystore /etc/ssl/certs/java/cacerts \ + -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \ + -srcstoretype PKCS12 \ + -deststoretype JKS \ + -srcstorepass "$storepass" \ + -deststorepass "$storepass" \ + -noprompt; then + echo "failed to convert PKCS12 keystore to JKS" >&2 + exit 1 + fi + + # only update if /etc/default/cacerts allows + if [ "$cacerts_updates" = "yes" ]; then + mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old + mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts + fi +} + +find_pem_files() +{ + find $ETCCERTSDIR -type l -name \*.pem | sort | while read symlink ; do + case $(readlink "$symlink") in + $CERTSDIR*|$LOCALCERTSDIR*) + echo "$symlink" + ;; + esac + done +} + +update_cacerts() +{ + if [ "$cacerts_updates" != "yes" ] || [ "$CACERT_UPDATES" = "disabled" ]; then + echo "Updates of cacerts keystore are disabled." + exit 0 + fi + + if ! which java >/dev/null; then + echo "No JRE found. Skipping Java certificates setup." + exit 0 + fi + + if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then + convert_pkcs12_keystore_to_jks + rm /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks + fi + + if [ -f /var/lib/ca-certificates-java/fresh ]; then + >/var/lib/ca-certificates-java/fresh + pem_files=$(find_pem_files) + + if [ -f "$CACERTS" ]; then + check_proc + + # Java 8 does not have -cacerts option + if java -version 2>&1 | grep "1.8" > /dev/null ; + then + castore="-keystore ${CACERTS}" + else + castore="-cacerts" + fi + + cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ') + + etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done) + for alias in $cacerts_aliases ; do + case " $etc_ssl_certs_aliases " in + *" ${alias} "*) + : # keep + ;; + *) + echo "-${alias}" >> /var/lib/ca-certificates-java/fresh + ;; + esac + done + fi + + for pem in $pem_files ; do + echo "+${pem}" >> /var/lib/ca-certificates-java/fresh + done + fi + + if [ -s /var/lib/ca-certificates-java/fresh ]; then + java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/fresh + elif [ -s /var/lib/ca-certificates-java/pending ]; then + java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/pending + fi + echo "done." + + rm -f /var/lib/ca-certificates-java/fresh + rm -f /var/lib/ca-certificates-java/pending +} + +#DEBHELPER# + +if [ "$1" = "configure" ]; then + if dpkg --compare-versions "$2" lt-nl "20210218" ; then + # clean up misplaced symlinks from ancient versions (#688415) + if [ -L /libnss3.so ]; then + rm -v /libnss3.so + fi + if [ -L /libsoftokn3.so ]; then + rm -v /libsoftokn3.so + fi + + if [ -f /etc/default/cacerts ]; then + chmod 0600 /etc/default/cacerts + fi + fi + + if dpkg --compare-versions "$2" lt-nl "20180516"; then + if [ -e /etc/ssl/certs/java/cacerts ] && \ + [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then + touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks + fi + fi + + # older versions may not have received all updates from ca-certificates + if dpkg --compare-versions "$2" lt-nl "20210218" ; then + touch /var/lib/ca-certificates-java/fresh + fi + + # initial install + if [ -z "$2" ]; then + touch /var/lib/ca-certificates-java/fresh + fi + + update_cacerts +fi + +if [ "$1" = "triggered" ]; then + case " $2 " in + *" update-ca-certificates-java-fresh "*) + touch /var/lib/ca-certificates-java/fresh + ;; + esac + + if [ ! -f $CACERTS ]; then + touch /var/lib/ca-certificates-java/fresh + fi + + update_cacerts +fi ===================================== debian/ca-certificates-java.postrm ===================================== @@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +if [ "$1" = "purge" ]; then + rm -rf /etc/ssl/certs/java + rmdir /etc/ssl/certs 2>/dev/null || true + rm -rf /var/lib/ca-certificates-java +fi + +#DEBHELPER# ===================================== debian/ca-certificates-java.preinst ===================================== @@ -0,0 +1,11 @@ +#!/bin/sh +set -e + +# rebuild cacerts on reinstallation after removal since certificate updates +# that happened while the package was removed are missing +if [ "$1" = "install" ] && [ -n "$2" ]; then + mkdir -p /var/lib/ca-certificates-java + touch /var/lib/ca-certificates-java/fresh +fi + +#DEBHELPER# ===================================== debian/ca-certificates-java.triggers ===================================== @@ -1 +1,2 @@ -activate update-ca-certificates +interest-await update-ca-certificates-java +interest-await update-ca-certificates-java-fresh ===================================== debian/changelog ===================================== @@ -1,13 +1,113 @@ -ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium +ca-certificates-java (20230710~deb12u1~deb11u1) bullseye; urgency=medium + + * Non-maintainer upload by LTS team. + * Backport in order to solve circular JRE dependency + (Closes: #1041419, #1037478, #929685) + + -- Bastien Roucari?s Fri, 01 Aug 2025 18:58:12 +0200 + +ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium - [ Andreas Beckmann] * Non-maintainer upload. - * Backport changes from 20230620 in sid. (Closes: #1039472) + * Rebuild for bookworm. (Closes: #1041419, #1037478, #929685) + + -- Andreas Beckmann Sun, 03 Dec 2023 13:04:00 +0100 + +ca-certificates-java (20230710) unstable; urgency=medium + + * Add apt-utils to the test dependencies. + + -- Matthias Klose Mon, 10 Jul 2023 09:59:59 +0200 + +ca-certificates-java (20230707) unstable; urgency=medium + + [ Vladimir Petko ] + * Resolve circular JRE dependency: + - debian/ca-certificates-java.postinst: remove setup_path from "configure" + stage. + - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is + not found. Certificates are refreshed only in response to the trigger + activated by OpenJDK packages. + - debian/ca-certificates-java.postinst: fix cacert enumeration command for + Java 8. + - debian/control: remove JRE dependency. + - debian/control: add Breaks condition. + - debian/tests: add smoke tests. + - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm, + explicitly declare triggers as -await. + + [ Matthias Klose ] + * Adjust the breaks for Debian versions. + + -- Matthias Klose Fri, 07 Jul 2023 11:13:17 +0200 + +ca-certificates-java (20230620~deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Rebuild for bookworm. (Closes: #1039472) + + -- Andreas Beckmann Sun, 06 Aug 2023 16:24:13 +0200 + +ca-certificates-java (20230620) unstable; urgency=medium + + [ Matthias Klose ] + * Bump standards version. + * Build-depend on default-jdk-headless instead of default-jdk. [ Vladimir Petko ] * d/ca-certificates-java.postinst: Work-around not yet configured jre. - -- Andreas Beckmann Thu, 27 Jul 2023 16:29:03 +0200 + -- Matthias Klose Tue, 20 Jun 2023 06:09:44 +0200 + +ca-certificates-java (20230103) unstable; urgency=medium + + * Promote again the JRE recommendation to a dependency. Otherwise + non-default OpenJDK versions are uninstallable. + + -- Matthias Klose Tue, 03 Jan 2023 09:10:44 +0100 + +ca-certificates-java (20220719) unstable; urgency=medium + + [ Andreas Beckmann ] + * Team upload. + * Switch to debhelper-compat (= 13). + * Set Rules-Requires-Root: no. + * UpdateCertificates.java: Ignore empty lines in stdin. (Closes: #795244) + * Avoid warning about missing /etc/ssl/certs/java/cacerts on initial + install. + * Do not be satisfied by java7-runtime-headless. + * Remove support for upgrading from versions predating wheezy. + * Clean up misplaced symlinks in the root directory left over by ancient + versions. (Closes: #688415) + * Drop libnss3 manipulations, no longer needed since openjdk-6-jre-headless + at least. + * Add update-ca-certificates-java trigger and let jks-keystore record the + pending certificate updates and postpone them to the processing of this + trigger. (Closes: #908858) + * Add update-ca-certificates-java-fresh trigger, will be activated by + update-ca-certificates -f. (Closes: #922981) + * Remove obsolete certificates when building a fresh cacerts file. + (Closes: #767272) + * Bump ca-certificates dependency to 20210120. + * Skip Java certificates setup if no JRE is available. + * Add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE + becomes available. + * Demote JRE dependency to Recommends to break dependency cycle. + (Closes: #929685, #940297) + * Foreign architecture JREs that place java in PATH are also usable. + (Closes: #776860, #864331) + + [ Matthias Klose ] + * Support Java 18-21. Closes: #994152. + * Bump Standards-Version to 4.6.0. + + -- Matthias Klose Tue, 19 Jul 2022 16:02:33 +0200 + +ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium + + [ Andreas Beckmann] + * Non-maintainer upload. + * Backport changes from 20230620 in sid. (Closes: #1039472) ca-certificates-java (20190909) unstable; urgency=medium @@ -74,10 +174,11 @@ ca-certificates-java (20170930) unstable; urgency=medium * Team upload. * Revert the last two NMUs. - - Depend again on openjdk-8 after the stretch release. + - Depend again on openjdk-8 after the stretch release. (Closes: #863803) - Stop fiddling around with jvm-*.cfg files. ca-certificates-java has no business with providing an initial cacerts file. This is implemented in the openjdk packages. We are not 2008 anymore. + (Closes: #912187) * Bump standards version. * Remove Torsten Werner as uploader. @@ -125,7 +226,7 @@ ca-certificates-java (20161107) unstable; urgency=medium ca-certificates-java (20160321) unstable; urgency=medium * Team upload. - * Drop support for obsolete Java 6 (Closes: #776897) + * Drop support for obsolete Java 6 (Closes: #776897, #816541) * Add support for Java 8 and 9 (Closes: #775775) * Bump Standards-Version to 3.9.7 (no changes) * Use secure HTTPS URI for Vcs-Browser @@ -426,4 +527,3 @@ ca-certificates-java (20080514) unstable; urgency=low * Initial release. -- Matthias Klose Mon, 02 Jun 2008 14:52:46 +0000 - ===================================== debian/compat deleted ===================================== @@ -1 +0,0 @@ -11 ===================================== debian/control ===================================== @@ -4,19 +4,29 @@ Priority: optional Maintainer: Debian Java Maintainers Uploaders: Matthias Klose , James Page -Build-Depends: debhelper (>= 11), default-jdk, javahelper, junit4 -Standards-Version: 4.4.0 +Build-Depends: + debhelper-compat (= 13), + dh-sequence-javahelper, + default-jdk-headless, + junit4, +Rules-Requires-Root: no +Standards-Version: 4.6.2 Vcs-Git: https://salsa.debian.org/java-team/ca-certificates-java.git Vcs-Browser: https://salsa.debian.org/java-team/ca-certificates-java Package: ca-certificates-java Architecture: all Multi-Arch: foreign -Depends: ca-certificates (>= 20121114), - default-jre-headless | java8-runtime-headless, - libnss3 (>= 3.12.10-2~), - ${misc:Depends} -# We need a versioned Depends due to multiarch changes (bug #635571). +Depends: + ca-certificates (>= 20210120), + ${misc:Depends}, +Breaks: openjdk-8-jre-headless (<< 8u382~b04-2~), + openjdk-11-jre-headless (<< 11.0.19+7~1~), + openjdk-17-jre-headless (<< 17.0.8~6-3~), + openjdk-18-jre-headless (<< 18.0.2+9-2ubuntu1~), + openjdk-19-jre-headless (<< 19.0.2+7-0ubuntu4~), + openjdk-20-jre-headless (<< 20.0.1+9~1~), + openjdk-21-jre-headless (<< 21~9ea-1~) Description: Common CA certificates (JKS keystore) This package uses the hooks of the ca-certificates package to update the cacerts JKS keystore used for many java runtimes. ===================================== debian/jks-keystore ===================================== @@ -0,0 +1,30 @@ +#!/bin/sh +set -e + +if [ -t 0 ]; then + echo "This hook script expects the list of PEM files to be added/removed" >&2 + echo "prefixed with '+'/'-' to be piped into stdin." >&2 + exit 1 +fi + +# record the pending certificate updates for later execution by the +# triggers in ca-certificates-java + +mkdir -p /var/lib/ca-certificates-java +cat - >> /var/lib/ca-certificates-java/pending + +case "$1" in + -f|--fresh) + dpkg-trigger --no-await update-ca-certificates-java-fresh + ;; + *) + dpkg-trigger --no-await update-ca-certificates-java + ;; +esac + +# if the hook was activated by a manual run of update-ca-certificates +# (and not from a maintainer script), ensure the triggers get processed + +if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then + dpkg --triggers-only --pending +fi ===================================== debian/jks-keystore.hook deleted ===================================== @@ -1,89 +0,0 @@ -#!/bin/sh - -set -e - -# use the locale C.UTF-8 -unset LC_ALL -LC_CTYPE=C.UTF-8 -export LC_CTYPE - -storepass='changeit' -if [ -f /etc/default/cacerts ]; then - . /etc/default/cacerts -fi - -arch=`dpkg --print-architecture` -JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar - -nsslib_name() -{ - if dpkg --assert-multi-arch 2>/dev/null; then - echo "libnss3:${arch}" - else - echo "libnss3" - fi -} - -echo "" -if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then - echo "updates of cacerts keystore disabled." - exit 0 -fi - -if ! mountpoint -q /proc; then - echo >&2 "the keytool command requires a mounted proc fs (/proc)." - exit 1 -fi - -for jvm in java-7-openjdk-$arch java-7-openjdk \ - oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ - java-8-openjdk-$arch java-8-openjdk \ - oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ - java-9-openjdk-$arch java-9-openjdk \ - oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \ - java-10-openjdk-$arch java-10-openjdk \ - oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ - java-11-openjdk-$arch java-11-openjdk \ - oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do - if [ -x /usr/lib/jvm/$jvm/bin/java ]; then - export JAVA_HOME=/usr/lib/jvm/$jvm - PATH=$JAVA_HOME/bin:$PATH - break - fi -done - -if dpkg-query --version >/dev/null; then - nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,$.*$/libnss3\.so$,\1,p'|head -n 1) - nsscfg=/etc/${jvm%-$arch}/security/nss.cfg - nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *$.*$/\1/p' $nsscfg) - if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then - ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so - fi - softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,$.*$/libsoftokn3\.so$,\1,p'|head -n 1) - if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then - ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so - fi -fi - -do_cleanup() -{ - [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg - if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] - then - rm -f $nssjdk/libnss3.so - fi - if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \ - && [ "$softokn3pkg" != "$nssjdk" ] - then - rm -f $nssjdk/libsoftokn3.so - fi -} - -if java -Xmx64m -jar $JAR -storepass "$storepass"; then - do_cleanup -else - do_cleanup - exit 1 -fi - -echo "done." ===================================== debian/postinst deleted ===================================== @@ -1,172 +0,0 @@ -#!/bin/bash -set -e - -# use the locale C.UTF-8 -unset LC_ALL -LC_CTYPE=C.UTF-8 -export LC_CTYPE - -storepass='changeit' -if [ -f /etc/default/cacerts ]; then - . /etc/default/cacerts -fi - -arch=`dpkg --print-architecture` -JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar - -nsslib_name() -{ - if dpkg --assert-multi-arch 2>/dev/null; then - echo "libnss3:${arch}" - else - echo "libnss3" - fi -} - -setup_path() -{ - for jvm in java-7-openjdk-$arch java-7-openjdk \ - oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ - java-8-openjdk-$arch java-8-openjdk \ - oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ - java-9-openjdk-$arch java-9-openjdk \ - oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \ - java-10-openjdk-$arch java-10-openjdk \ - oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ - java-11-openjdk-$arch java-11-openjdk \ - oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \ - java-12-openjdk-$arch java-12-openjdk \ - oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \ - java-13-openjdk-$arch java-13-openjdk \ - oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \ - java-14-openjdk-$arch java-14-openjdk \ - oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \ - java-15-openjdk-$arch java-15-openjdk \ - oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \ - java-16-openjdk-$arch java-16-openjdk \ - oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \ - java-17-openjdk-$arch java-17-openjdk \ - oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do - if [ -x /usr/lib/jvm/$jvm/bin/java ]; then - export JAVA_HOME=/usr/lib/jvm/$jvm - PATH=$JAVA_HOME/bin:$PATH - # copy java.security to allow import to function - security_conf=/etc/${jvm%-${arch}}/security - if [ -f ${security_conf}/java.security.dpkg-new ] \ - && [ ! -f ${security_conf}/java.security ]; then - cp -v ${security_conf}/java.security.dpkg-new \ - ${security_conf}/java.security - fi - break - fi - done -} - -check_proc() -{ - if ! mountpoint -q /proc; then - echo >&2 "the keytool command requires a mounted proc fs (/proc)." - exit 1 - fi -} - -convert_pkcs12_keystore_to_jks() -{ - if ! keytool -importkeystore \ - -srckeystore /etc/ssl/certs/java/cacerts \ - -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \ - -srcstoretype PKCS12 \ - -deststoretype JKS \ - -srcstorepass "$storepass" \ - -deststorepass "$storepass" \ - -noprompt; then - echo "failed to convert PKCS12 keystore to JKS" >&2 - exit 1 - fi - - # only update if /etc/default/cacerts allows - if [ "$cacerts_updates" = "yes" ]; then - mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old - mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts - fi -} - -first_install() -{ - if which dpkg-query >/dev/null; then - nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,$.*$/libnss3\.so$,\1,p'|head -n 1) - nsscfg=/etc/${jvm%-$arch}/security/nss.cfg - nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *$.*$/\1/p' $nsscfg) - if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then - ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so - fi - fi - - # Forcibly remove diginotar cert (LP: #920758) - if [ -n "$FIXOLD" ]; then - echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \ - java -Xmx64m -jar $JAR -storepass "$storepass" - fi - - find /etc/ssl/certs -name \*.pem | \ - while read filename; do - alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _) - alias=${alias%*_} - if [ -n "$FIXOLD" ]; then - echo "-${alias}" - echo "-${alias}_pem" - fi - echo "+${filename}" - done | \ - java -Xmx64m -jar $JAR -storepass "$storepass" - echo "done." -} - -do_cleanup() -{ - [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg - if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] - then - rm -f $nssjdk/libnss3.so - fi -} - -case "$1" in - configure) - if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then - FIXOLD="true" - if [ -e /etc/ssl/certs/java/cacerts ]; then - cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old - fi - fi - - setup_path - - if dpkg --compare-versions "$2" lt "20180516"; then - if [ -e /etc/ssl/certs/java/cacerts \ - -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then - check_proc - convert_pkcs12_keystore_to_jks - fi - fi - - if [ -z "$2" -o -n "$FIXOLD" ]; then - check_proc - trap do_cleanup EXIT - first_install - fi - chmod 600 /etc/default/cacerts || true - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 ===================================== debian/postrm deleted ===================================== @@ -1,23 +0,0 @@ -#!/bin/sh - -set -e - -case "$1" in - purge) - rm -f /etc/ca-certificates/update.d/jks-keystore - rm -rf /etc/ssl/certs/java - rmdir /etc/ssl/certs 2>/dev/null || true - ;; - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - ;; - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 - - ===================================== debian/rules ===================================== @@ -1,7 +1,7 @@ #!/usr/bin/make -f %: - dh $@ --with javahelper + dh $@ override_dh_auto_build: mkdir target @@ -27,12 +27,8 @@ ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) org.debian.security.UpdateCertificatesTest org.debian.security.KeyStoreHandlerTest endif -override_dh_auto_install: - install -m755 debian/jks-keystore.hook debian/ca-certificates-java/etc/ca-certificates/update.d/jks-keystore - install -m600 debian/default debian/ca-certificates-java/etc/default/cacerts +override_dh_installinit: + dh_installinit --name=cacerts - dh_install target/ca-certificates-java.jar /usr/share/ca-certificates-java/ - -override_dh_link: - dh_link - rm debian/ca-certificates-java/etc/default/ca-certificates-java +execute_after_dh_fixperms: + chmod 0600 debian/ca-certificates-java/etc/default/cacerts ===================================== debian/salsa-ci.yml ===================================== @@ -0,0 +1,7 @@ +--- +variables: + RELEASE: 'bullseye' + +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml ===================================== debian/tests/can-convert-keystore ===================================== @@ -0,0 +1,26 @@ +#!/bin/bash + +set -e + +# GIVEN a PKCS12 Java keystore +ETCCERTSDIR=/etc/ssl/certs +CACERTS=$ETCCERTSDIR/java/cacerts +rm $CACERTS +keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null +apt-get remove -y ca-certificates-java + +mkdir -p /etc/ssl/certs/java/ +mkdir -p /var/lib/ca-certificates-java/ +mv test.store $CACERTS +# WHEN ca-certificates-java is requested to convert the keystore +touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks + +# THEN conversion is successful +output=`mktemp` +apt-get install -y openjdk-8-jre-headless | tee ${output} + +if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]]; +then + echo "Certificates were not imported !!!" + exit 255 +fi ===================================== debian/tests/can-install-jre ===================================== @@ -0,0 +1,28 @@ +#!/bin/bash + +set -e + +versions=$(apt-cache search jre-headless | awk '{print $1}') +for version in ${versions} +do +# WHEN openjdk-jre-headless package is installed from scratch + + # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean + # builds. Ignore it in certificate tests + if [[ ${version} == "openjdk-18-jre-headless" ]]; + then + continue + fi + output=`mktemp` + echo "installing ${version}" + apt-get install -y ${version} | tee ${output} +# THEN installation is successfull +# AND certificates are updated + if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then + echo "Certificates were not imported !!!" + exit 255 + fi + rm $output + # purge in order to remove keytstore + apt-get purge -y ca-certificates-java ${version} +done ===================================== debian/tests/can-install-libreoffice ===================================== @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +apt-get install -y libreoffice ===================================== debian/tests/can-install-multiple-jdks ===================================== @@ -0,0 +1,14 @@ +#!/bin/bash + +set -e + +output=`mktemp` +# WHEN multiple JDKs are installed +apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output} + +# THEN installation is successful +if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then + echo "Certificates were not imported !!!" + exit 255 +fi +rm $output ===================================== debian/tests/control ===================================== @@ -0,0 +1,9 @@ +Tests: can-convert-keystore +Depends: apt-utils, bash, default-jre-headless +Restrictions: needs-root + +Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice +# No depends, this is a test for a clean install +Depends: apt-utils, bash +Restrictions: needs-root + ===================================== src/main/java/org/debian/security/UpdateCertificates.java ===================================== @@ -86,6 +86,9 @@ public class UpdateCertificates { * or {@link #deleteAlias(String)}. */ protected void parseLine(final String line) throws GeneralSecurityException, IOException, UnknownInputException { + if (line.isEmpty()) { + return; + } String path = line.substring(1); String filename = path.substring(path.lastIndexOf("/") + 1); String alias = "debian:" + filename; @@ -93,9 +96,6 @@ public class UpdateCertificates { keystore.addAlias(alias, path); } else if (line.startsWith("-")) { keystore.deleteAlias(alias); - // Remove old non-prefixed aliases, too. This code should be - // removed after the release of Wheezy. - keystore.deleteAlias(filename); } else { throw new UnknownInputException(line); } ===================================== src/test/java/org/debian/security/UpdateCertificatesTest.java ===================================== @@ -49,6 +49,16 @@ public class UpdateCertificatesTest { keystore.delete(); } + /** + * Try to send an empty command ("") in parseLine + */ + @Test + public void testEmptyCommand() throws Exception { + UpdateCertificates uc = new UpdateCertificates(ksFilename, ksPassword); + uc.parseLine(""); + uc.finish(); + } + /** * Try to send an invalid command ("x") in parseLine : throw UnknownInput */ View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/a945dc8a3e492b905fa05b380737ab74d37ca9ad...d20256bf94a36c352c5776f598008e8f6368c1c5 -- View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/a945dc8a3e492b905fa05b380737ab74d37ca9ad...d20256bf94a36c352c5776f598008e8f6368c1c5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Aug 1 19:41:45 2025 From: gitlab at salsa.debian.org (=?UTF-8?B?QmFzdGllbiBSb3VjYXJpw6hzIChAcm91Y2Ep?=) Date: Fri, 01 Aug 2025 18:41:45 +0000 Subject: [Git][java-team/ca-certificates-java][bullseye] Drop hard depends on ca-certificates for backport Message-ID: <688d0a699adaa_5e81f3644942812b8@godard.mail> Bastien Roucari?s pushed to branch bullseye at Debian Java Maintainers / ca-certificates-java Commits: 11333792 by Bastien Roucari?s at 2025-08-01T20:40:52+02:00 Drop hard depends on ca-certificates for backport - - - - - 1 changed file: - debian/control Changes: ===================================== debian/control ===================================== @@ -18,7 +18,7 @@ Package: ca-certificates-java Architecture: all Multi-Arch: foreign Depends: - ca-certificates (>= 20210120), + ca-certificates (>= 20210119~), ${misc:Depends}, Breaks: openjdk-8-jre-headless (<< 8u382~b04-2~), openjdk-11-jre-headless (<< 11.0.19+7~1~), View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/113337926c78068dcb430c9a51c7f3ad61b706a0 -- View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/113337926c78068dcb430c9a51c7f3ad61b706a0 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Aug 1 19:59:03 2025 From: gitlab at salsa.debian.org (=?UTF-8?B?QmFzdGllbiBSb3VjYXJpw6hzIChAcm91Y2Ep?=) Date: Fri, 01 Aug 2025 18:59:03 +0000 Subject: [Git][java-team/ca-certificates-java][bullseye] Fix autopkgtest Message-ID: <688d0e7762626_5e81f364e1c284575@godard.mail> Bastien Roucari?s pushed to branch bullseye at Debian Java Maintainers / ca-certificates-java Commits: a4eae99e by Bastien Roucari?s at 2025-08-01T20:53:04+02:00 Fix autopkgtest - - - - - 4 changed files: - debian/tests/can-convert-keystore - debian/tests/can-install-jre - debian/tests/can-install-multiple-jdks - debian/tests/control Changes: ===================================== debian/tests/can-convert-keystore ===================================== @@ -17,7 +17,7 @@ touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks # THEN conversion is successful output=`mktemp` -apt-get install -y openjdk-8-jre-headless | tee ${output} +apt-get install -y default-jre-headless | tee ${output} if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]]; then ===================================== debian/tests/can-install-jre ===================================== @@ -2,7 +2,7 @@ set -e -versions=$(apt-cache search jre-headless | awk '{print $1}') +versions=$(apt-cache -n search jre-headless | awk '{print $1}') for version in ${versions} do # WHEN openjdk-jre-headless package is installed from scratch ===================================== debian/tests/can-install-multiple-jdks ===================================== @@ -3,8 +3,12 @@ set -e output=`mktemp` + +jdks=$(apt-cache -n search java-sdk| awk '$1 ~ /-.*-jdk$/ {print $1}') + # WHEN multiple JDKs are installed -apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output} +echo "Installing $jdks ..." +apt-get install -y $jdks | tee ${output} # THEN installation is successful if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then ===================================== debian/tests/control ===================================== @@ -6,4 +6,3 @@ Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice # No depends, this is a test for a clean install Depends: apt-utils, bash Restrictions: needs-root - View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/a4eae99edaf386b60c520c492d99bb801b0a6361 -- View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/a4eae99edaf386b60c520c492d99bb801b0a6361 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Aug 1 20:04:20 2025 From: gitlab at salsa.debian.org (=?UTF-8?B?QmFzdGllbiBSb3VjYXJpw6hzIChAcm91Y2Ep?=) Date: Fri, 01 Aug 2025 19:04:20 +0000 Subject: [Git][java-team/ca-certificates-java][master] debian/tests: Avoid depending on gpg or keyserver access Message-ID: <688d0fb43bdbd_5e81f957144285845@godard.mail> Bastien Roucari?s pushed to branch master at Debian Java Maintainers / ca-certificates-java Commits: 4bb1fb45 by Daniel Kahn Gillmor at 2025-08-01T19:03:24+00:00 debian/tests: Avoid depending on gpg or keyserver access The debian-archive-keyring package already contains the OpenPGP certificates this test is looking for. - - - - - 2 changed files: - debian/tests/can-configure-cross-compilation - debian/tests/control Changes: ===================================== debian/tests/can-configure-cross-compilation ===================================== @@ -6,10 +6,6 @@ if [ $(dpkg --print-architecture) != 'amd64' ]; then exit 0 fi -gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9 -gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 6ED0E7B82643E131 -gpg --output unstable.pgp --export 6ED0E7B82643E131 0E98404D386FA1D9 - echo "Host architecture ${host_arch}" echo "Foreign architecture ${foreign_arch}" @@ -39,7 +35,8 @@ apt-ftparchive \ popd mmdebstrap --setup-hook='copy-in /tmp/binaries /tmp' \ - --keyring unstable.pgp \ + --keyring /usr/share/keyrings/debian-archive-bullseye-automatic.gpg \ + --keyring /usr/share/keyrings/debian-archive-bookworm-automatic.gpg \ --mode=root \ --variant=essential \ --architectures=amd64,armhf \ ===================================== debian/tests/control ===================================== @@ -9,6 +9,6 @@ Restrictions: needs-root Tests: can-configure-cross-compilation # No depends, this is a test for a clean install -Depends: apt-utils, bash, mmdebstrap, gpg, moreutils +Depends: apt-utils, bash, mmdebstrap, debian-archive-keyring, moreutils Restrictions: needs-root, allow-stderr Architecture: amd64 View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/4bb1fb455129ebcefd916271500b2121bf8f5cd9 -- View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/4bb1fb455129ebcefd916271500b2121bf8f5cd9 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: