[Git][java-team/ca-certificates-java][bullseye] 41 commits: switch to debhelper-compat (= 13)
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Fri Aug 1 19:23:08 BST 2025
Bastien Roucariès pushed to branch bullseye at Debian Java Maintainers / ca-certificates-java
Commits:
b59b0dcf by Andreas Beckmann at 2021-02-18T21:13:17+01:00
switch to debhelper-compat (= 13)
- - - - -
bb08d9e8 by Andreas Beckmann at 2021-02-18T21:18:22+01:00
use dh_installinit to install /etc/default/cacerts
- - - - -
ec56da1d by Andreas Beckmann at 2021-02-18T21:23:17+01:00
use dh_install to install jar and hook
- - - - -
c0c962f4 by Andreas Beckmann at 2021-02-19T21:11:35+01:00
ship /etc/default/cacerts with mode 0600
- - - - -
dfd0e87a by Andreas Beckmann at 2021-02-19T21:20:07+01:00
add test with empty command
- - - - -
5ee5835f by Andreas Beckmann at 2021-02-19T21:22:38+01:00
UpdateCertificates.java: ignore empty lines in stdin
- - - - -
63507424 by Andreas Beckmann at 2021-02-19T23:00:18+01:00
avoid warning about missing /etc/ssl/certs/java/cacerts on initial install
- - - - -
18fa5707 by Andreas Beckmann at 2021-02-19T23:04:29+01:00
do not be satisfied by java7-runtime-headless
- - - - -
1e3e4280 by Andreas Beckmann at 2021-02-19T23:24:30+01:00
remove support for upgrading from versions predating wheezy
- - - - -
3bc73bdb by Andreas Beckmann at 2021-02-19T23:47:14+01:00
clean up misplaced symlinks from ancient versions
- - - - -
62313abf by Andreas Beckmann at 2021-02-20T00:28:53+01:00
remove redundant bits from the maintainer scripts
- - - - -
049a5639 by Andreas Beckmann at 2021-02-20T01:11:43+01:00
set Rules-Requires-Root: no
- - - - -
3d8a3e1b by Andreas Beckmann at 2021-02-23T12:02:35+01:00
drop libnss3 manipulations
- - - - -
651ef32a by Andreas Beckmann at 2021-02-23T12:07:01+01:00
postinst: add a shared update_cacerts() function
- - - - -
eba4aea5 by Andreas Beckmann at 2021-02-23T12:08:21+01:00
run convert_pkcs12_keystore_to_jks from update_cacerts
- - - - -
c45c3c9b by Andreas Beckmann at 2021-02-23T02:01:09+01:00
let update_cacerts handle initial creation of cacerts
- - - - -
adec85a6 by Andreas Beckmann at 2021-02-23T12:13:02+01:00
move processing of +/- certs to new update-ca-certificates-java trigger
the hook script is executed in the context of ca-certificates
and nothing is known at that time about the configuration state
of ca-certificates-java or its rdepends
so just record the pending updates and execute them in a context
where ca-certificates-java and its rdepends are in a usable state
- - - - -
be511adf by Andreas Beckmann at 2021-02-23T12:13:12+01:00
add update-ca-certificates-java-fresh trigger
- - - - -
8821ee55 by Andreas Beckmann at 2021-02-23T12:13:17+01:00
remove obsolete certificates when building a fresh cacerts file
- - - - -
6260c58f by Andreas Beckmann at 2021-02-23T13:45:49+01:00
bump ca-certificates dependency to 20210120
- - - - -
58057f06 by Andreas Beckmann at 2021-02-23T13:46:35+01:00
skip Java certificates setup if no JRE is available
pending actions will be stored in /var/lib/ca-certificates-java
- - - - -
9825a4a7 by Andreas Beckmann at 2021-02-23T13:46:39+01:00
add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE becomes available
- - - - -
7d2d460c by Andreas Beckmann at 2021-02-23T13:47:17+01:00
demote JRE dependency to Recommends to break dependency cycle
- - - - -
33232621 by Andreas Beckmann at 2021-02-23T13:48:32+01:00
Standards-Version: 4.5.1
- - - - -
ed71672c by Andreas Beckmann at 2021-02-23T13:58:20+01:00
simplify setup_path()
- - - - -
96009a75 by Andreas Beckmann at 2021-02-23T15:34:19+01:00
close more fixed bugs
- - - - -
7b5bfb4e by Matthias Klose at 2022-07-19T16:05:59+02:00
* Support Java 18-21.
- - - - -
ea49e45b by Matthias Klose at 2022-07-19T16:06:50+02:00
* Bump Standards-Version to 4.6.0.
- - - - -
0fa31d3f by Matthias Klose at 2022-07-19T16:15:04+02:00
- prepare for upload
- - - - -
7ed1dec5 by Matthias Klose at 2023-01-03T09:12:32+01:00
* Promote again the JRE recommendation to a dependency. Otherwise
non-default OpenJDK versions are uninstallable.
- - - - -
8c64d971 by Matthias Klose at 2023-06-14T09:37:18+02:00
[ Vladimir Petko ]
* Resolve circular JRE dependency (LP: #2003750, LP: #1999103, LP: #2004061)
Closes: #1030129, #1037478, #1023748.
- debian/ca-certificates-java.postinst: remove setup_path from "configure"
stage.
- debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
not found. Certificates are refreshed only in response to the trigger
activated by OpenJDK packages.
- debian/ca-certificates-java.postinst: fix cacert enumeration command for
Java 8. Closes: #1015771.
- debian/control: remove JRE dependency.
- debian/control: add Breaks condition.
- debian/tests: add smoke tests.
- debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
explicitly declare triggers as -await.
- - - - -
aa98c9a9 by Matthias Klose at 2023-06-14T09:37:57+02:00
* Bump standards version.
- - - - -
5cc3caad by Matthias Klose at 2023-06-14T09:42:02+02:00
* Build-depend on default-jdk-headless instead of default-jdk.
- - - - -
1d366c43 by Matthias Klose at 2023-06-14T18:51:34+02:00
revert Vladimir's changes
- - - - -
561054ed by Matthias Klose at 2023-06-20T06:13:02+02:00
[ Vladimir Petko ]
* d/ca-certificates-java.postinst: Work-around not yet configured jre.
- - - - -
ff182104 by Matthias Klose at 2023-07-05T15:26:08+02:00
[ Vladimir Petko ]
* Resolve circular JRE dependency:
- debian/ca-certificates-java.postinst: remove setup_path from "configure"
stage.
- debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
not found. Certificates are refreshed only in response to the trigger
activated by OpenJDK packages.
- debian/ca-certificates-java.postinst: fix cacert enumeration command for
Java 8.
- debian/control: remove JRE dependency.
- debian/control: add Breaks condition.
- debian/tests: add smoke tests.
- debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
explicitly declare triggers as -await.
[ Matthias Klose ]
* Adjust the breaks for Debian versions.
- - - - -
7cc751df by Matthias Klose at 2023-07-07T11:14:05+02:00
upload to unstable
- - - - -
420db8ec by Matthias Klose at 2023-07-10T10:01:05+02:00
* Add apt-utils to the test dependencies.
- - - - -
4488fcff by Andreas Beckmann at 2024-12-22T13:44:32+00:00
Import Debian version 20230710~deb12u1
ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Rebuild for bookworm. (Closes: #1041419, #1037478, #929685)
- - - - -
9df36402 by Bastien Roucariès at 2025-08-01T18:58:55+02:00
Merge branch 'bookworm' into bullseye
- - - - -
d20256bf by Bastien Roucariès at 2025-08-01T19:48:17+02:00
Finalize backport
- - - - -
24 changed files:
- debian/default → debian/ca-certificates-java.cacerts.default
- debian/ca-certificates-java.dirs
- + debian/ca-certificates-java.install
- + debian/ca-certificates-java.lintian-overrides
- + debian/ca-certificates-java.postinst
- + debian/ca-certificates-java.postrm
- + debian/ca-certificates-java.preinst
- debian/ca-certificates-java.triggers
- debian/changelog
- − debian/compat
- debian/control
- + debian/jks-keystore
- − debian/jks-keystore.hook
- − debian/postinst
- − debian/postrm
- debian/rules
- + debian/salsa-ci.yml
- + debian/tests/can-convert-keystore
- + debian/tests/can-install-jre
- + debian/tests/can-install-libreoffice
- + debian/tests/can-install-multiple-jdks
- + debian/tests/control
- src/main/java/org/debian/security/UpdateCertificates.java
- src/test/java/org/debian/security/UpdateCertificatesTest.java
Changes:
=====================================
debian/default → debian/ca-certificates-java.cacerts.default
=====================================
=====================================
debian/ca-certificates-java.dirs
=====================================
@@ -1,3 +1,2 @@
-etc/default
etc/ssl/certs/java
-etc/ca-certificates/update.d
+var/lib/ca-certificates-java
=====================================
debian/ca-certificates-java.install
=====================================
@@ -0,0 +1,2 @@
+debian/jks-keystore etc/ca-certificates/update.d/
+target/ca-certificates-java.jar usr/share/ca-certificates-java/
=====================================
debian/ca-certificates-java.lintian-overrides
=====================================
@@ -0,0 +1 @@
+non-standard-file-perm etc/default/cacerts 0600 != 0644
=====================================
debian/ca-certificates-java.postinst
=====================================
@@ -0,0 +1,174 @@
+#!/bin/sh
+set -e
+
+# use the locale C.UTF-8
+unset LC_ALL
+LC_CTYPE=C.UTF-8
+export LC_CTYPE
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+ . /etc/default/cacerts
+fi
+
+arch=`dpkg --print-architecture`
+JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+
+check_proc()
+{
+ if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+ fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+ check_proc
+ if ! keytool -importkeystore \
+ -srckeystore /etc/ssl/certs/java/cacerts \
+ -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+ -srcstoretype PKCS12 \
+ -deststoretype JKS \
+ -srcstorepass "$storepass" \
+ -deststorepass "$storepass" \
+ -noprompt; then
+ echo "failed to convert PKCS12 keystore to JKS" >&2
+ exit 1
+ fi
+
+ # only update if /etc/default/cacerts allows
+ if [ "$cacerts_updates" = "yes" ]; then
+ mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+ mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+ fi
+}
+
+find_pem_files()
+{
+ find $ETCCERTSDIR -type l -name \*.pem | sort | while read symlink ; do
+ case $(readlink "$symlink") in
+ $CERTSDIR*|$LOCALCERTSDIR*)
+ echo "$symlink"
+ ;;
+ esac
+ done
+}
+
+update_cacerts()
+{
+ if [ "$cacerts_updates" != "yes" ] || [ "$CACERT_UPDATES" = "disabled" ]; then
+ echo "Updates of cacerts keystore are disabled."
+ exit 0
+ fi
+
+ if ! which java >/dev/null; then
+ echo "No JRE found. Skipping Java certificates setup."
+ exit 0
+ fi
+
+ if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
+ convert_pkcs12_keystore_to_jks
+ rm /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+ fi
+
+ if [ -f /var/lib/ca-certificates-java/fresh ]; then
+ >/var/lib/ca-certificates-java/fresh
+ pem_files=$(find_pem_files)
+
+ if [ -f "$CACERTS" ]; then
+ check_proc
+
+ # Java 8 does not have -cacerts option
+ if java -version 2>&1 | grep "1.8" > /dev/null ;
+ then
+ castore="-keystore ${CACERTS}"
+ else
+ castore="-cacerts"
+ fi
+
+ cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
+ etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
+ for alias in $cacerts_aliases ; do
+ case " $etc_ssl_certs_aliases " in
+ *" ${alias} "*)
+ : # keep
+ ;;
+ *)
+ echo "-${alias}" >> /var/lib/ca-certificates-java/fresh
+ ;;
+ esac
+ done
+ fi
+
+ for pem in $pem_files ; do
+ echo "+${pem}" >> /var/lib/ca-certificates-java/fresh
+ done
+ fi
+
+ if [ -s /var/lib/ca-certificates-java/fresh ]; then
+ java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/fresh
+ elif [ -s /var/lib/ca-certificates-java/pending ]; then
+ java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/pending
+ fi
+ echo "done."
+
+ rm -f /var/lib/ca-certificates-java/fresh
+ rm -f /var/lib/ca-certificates-java/pending
+}
+
+#DEBHELPER#
+
+if [ "$1" = "configure" ]; then
+ if dpkg --compare-versions "$2" lt-nl "20210218" ; then
+ # clean up misplaced symlinks from ancient versions (#688415)
+ if [ -L /libnss3.so ]; then
+ rm -v /libnss3.so
+ fi
+ if [ -L /libsoftokn3.so ]; then
+ rm -v /libsoftokn3.so
+ fi
+
+ if [ -f /etc/default/cacerts ]; then
+ chmod 0600 /etc/default/cacerts
+ fi
+ fi
+
+ if dpkg --compare-versions "$2" lt-nl "20180516"; then
+ if [ -e /etc/ssl/certs/java/cacerts ] && \
+ [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+ touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+ fi
+ fi
+
+ # older versions may not have received all updates from ca-certificates
+ if dpkg --compare-versions "$2" lt-nl "20210218" ; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
+ # initial install
+ if [ -z "$2" ]; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
+ update_cacerts
+fi
+
+if [ "$1" = "triggered" ]; then
+ case " $2 " in
+ *" update-ca-certificates-java-fresh "*)
+ touch /var/lib/ca-certificates-java/fresh
+ ;;
+ esac
+
+ if [ ! -f $CACERTS ]; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
+ update_cacerts
+fi
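Review bot: In the `configure` branch, the JKS magic-number test `"$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')"` relies on bash's `echo`, but this script starts with `#!/bin/sh` (the deleted debian/postinst was `#!/bin/bash`). `echo -en` and `\x` escapes are not POSIX; where /bin/sh is dash the right-hand side expands to the literal text `-en \xfe\xed\xfe\xed`, so the comparison is always unequal and an existing keystore is flagged for PKCS12 conversion regardless of its format. Suggest `printf '\376\355\376\355'` for the magic bytes. Separately, the Java 8 detection in update_cacerts, `grep "1.8"`, is unanchored and its `.` matches any character; matching the banner explicitly, for example `grep -q 'version "1\.8\.'`, avoids picking `-keystore` over `-cacerts` on an unrelated substring of the `java -version` output.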
=====================================
debian/ca-certificates-java.postrm
=====================================
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "purge" ]; then
+ rm -rf /etc/ssl/certs/java
+ rmdir /etc/ssl/certs 2>/dev/null || true
+ rm -rf /var/lib/ca-certificates-java
+fi
+
+#DEBHELPER#
=====================================
debian/ca-certificates-java.preinst
=====================================
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+# rebuild cacerts on reinstallation after removal since certificate updates
+# that happened while the package was removed are missing
+if [ "$1" = "install" ] && [ -n "$2" ]; then
+ mkdir -p /var/lib/ca-certificates-java
+ touch /var/lib/ca-certificates-java/fresh
+fi
+
+#DEBHELPER#
=====================================
debian/ca-certificates-java.triggers
=====================================
@@ -1 +1,2 @@
-activate update-ca-certificates
+interest-await update-ca-certificates-java
+interest-await update-ca-certificates-java-fresh
=====================================
debian/changelog
=====================================
@@ -1,13 +1,113 @@
-ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+ca-certificates-java (20230710~deb12u1~deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by LTS team.
+ * Backport in order to solve circular JRE dependency
+ (Closes: #1041419, #1037478, #929685)
+
+ -- Bastien Roucariès <rouca at debian.org> Fri, 01 Aug 2025 18:58:12 +0200
+
+ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium
- [ Andreas Beckmann]
* Non-maintainer upload.
- * Backport changes from 20230620 in sid. (Closes: #1039472)
+ * Rebuild for bookworm. (Closes: #1041419, #1037478, #929685)
+
+ -- Andreas Beckmann <anbe at debian.org> Sun, 03 Dec 2023 13:04:00 +0100
+
+ca-certificates-java (20230710) unstable; urgency=medium
+
+ * Add apt-utils to the test dependencies.
+
+ -- Matthias Klose <doko at debian.org> Mon, 10 Jul 2023 09:59:59 +0200
+
+ca-certificates-java (20230707) unstable; urgency=medium
+
+ [ Vladimir Petko ]
+ * Resolve circular JRE dependency:
+ - debian/ca-certificates-java.postinst: remove setup_path from "configure"
+ stage.
+ - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
+ not found. Certificates are refreshed only in response to the trigger
+ activated by OpenJDK packages.
+ - debian/ca-certificates-java.postinst: fix cacert enumeration command for
+ Java 8.
+ - debian/control: remove JRE dependency.
+ - debian/control: add Breaks condition.
+ - debian/tests: add smoke tests.
+ - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
+ explicitly declare triggers as -await.
+
+ [ Matthias Klose ]
+ * Adjust the breaks for Debian versions.
+
+ -- Matthias Klose <doko at debian.org> Fri, 07 Jul 2023 11:13:17 +0200
+
+ca-certificates-java (20230620~deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bookworm. (Closes: #1039472)
+
+ -- Andreas Beckmann <anbe at debian.org> Sun, 06 Aug 2023 16:24:13 +0200
+
+ca-certificates-java (20230620) unstable; urgency=medium
+
+ [ Matthias Klose ]
+ * Bump standards version.
+ * Build-depend on default-jdk-headless instead of default-jdk.
[ Vladimir Petko ]
* d/ca-certificates-java.postinst: Work-around not yet configured jre.
- -- Andreas Beckmann <anbe at debian.org> Thu, 27 Jul 2023 16:29:03 +0200
+ -- Matthias Klose <doko at debian.org> Tue, 20 Jun 2023 06:09:44 +0200
+
+ca-certificates-java (20230103) unstable; urgency=medium
+
+ * Promote again the JRE recommendation to a dependency. Otherwise
+ non-default OpenJDK versions are uninstallable.
+
+ -- Matthias Klose <doko at debian.org> Tue, 03 Jan 2023 09:10:44 +0100
+
+ca-certificates-java (20220719) unstable; urgency=medium
+
+ [ Andreas Beckmann ]
+ * Team upload.
+ * Switch to debhelper-compat (= 13).
+ * Set Rules-Requires-Root: no.
+ * UpdateCertificates.java: Ignore empty lines in stdin. (Closes: #795244)
+ * Avoid warning about missing /etc/ssl/certs/java/cacerts on initial
+ install.
+ * Do not be satisfied by java7-runtime-headless.
+ * Remove support for upgrading from versions predating wheezy.
+ * Clean up misplaced symlinks in the root directory left over by ancient
+ versions. (Closes: #688415)
+ * Drop libnss3 manipulations, no longer needed since openjdk-6-jre-headless
+ at least.
+ * Add update-ca-certificates-java trigger and let jks-keystore record the
+ pending certificate updates and postpone them to the processing of this
+ trigger. (Closes: #908858)
+ * Add update-ca-certificates-java-fresh trigger, will be activated by
+ update-ca-certificates -f. (Closes: #922981)
+ * Remove obsolete certificates when building a fresh cacerts file.
+ (Closes: #767272)
+ * Bump ca-certificates dependency to 20210120.
+ * Skip Java certificates setup if no JRE is available.
+ * Add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE
+ becomes available.
+ * Demote JRE dependency to Recommends to break dependency cycle.
+ (Closes: #929685, #940297)
+ * Foreign architecture JREs that place java in PATH are also usable.
+ (Closes: #776860, #864331)
+
+ [ Matthias Klose ]
+ * Support Java 18-21. Closes: #994152.
+ * Bump Standards-Version to 4.6.0.
+
+ -- Matthias Klose <doko at debian.org> Tue, 19 Jul 2022 16:02:33 +0200
+
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+ [ Andreas Beckmann]
+ * Non-maintainer upload.
+ * Backport changes from 20230620 in sid. (Closes: #1039472)
ca-certificates-java (20190909) unstable; urgency=medium
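Review bot: The re-added `ca-certificates-java (20190909+deb11u1) bullseye` entry at the end of this hunk has no ` -- maintainer  date` trailer: the old trailer line dated Thu, 27 Jul 2023 is removed further up and nothing replaces it before the `ca-certificates-java (20190909) unstable` header. The entry also loses its `[ Vladimir Petko ]` item, which after this change sits under 20230620. Since that version was already uploaded, restore the entry verbatim, including its trailer, so that the changelog stays parseable and the history of the earlier bullseye update is not rewritten.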
@@ -74,10 +174,11 @@ ca-certificates-java (20170930) unstable; urgency=medium
* Team upload.
* Revert the last two NMUs.
- - Depend again on openjdk-8 after the stretch release.
+ - Depend again on openjdk-8 after the stretch release. (Closes: #863803)
- Stop fiddling around with jvm-*.cfg files. ca-certificates-java
has no business with providing an initial cacerts file. This is
implemented in the openjdk packages. We are not 2008 anymore.
+ (Closes: #912187)
* Bump standards version.
* Remove Torsten Werner as uploader.
@@ -125,7 +226,7 @@ ca-certificates-java (20161107) unstable; urgency=medium
ca-certificates-java (20160321) unstable; urgency=medium
* Team upload.
- * Drop support for obsolete Java 6 (Closes: #776897)
+ * Drop support for obsolete Java 6 (Closes: #776897, #816541)
* Add support for Java 8 and 9 (Closes: #775775)
* Bump Standards-Version to 3.9.7 (no changes)
* Use secure HTTPS URI for Vcs-Browser
@@ -426,4 +527,3 @@ ca-certificates-java (20080514) unstable; urgency=low
* Initial release.
-- Matthias Klose <doko at ubuntu.com> Mon, 02 Jun 2008 14:52:46 +0000
-
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11
=====================================
debian/control
=====================================
@@ -4,19 +4,29 @@ Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Uploaders: Matthias Klose <doko at ubuntu.com>,
James Page <james.page at ubuntu.com>
-Build-Depends: debhelper (>= 11), default-jdk, javahelper, junit4
-Standards-Version: 4.4.0
+Build-Depends:
+ debhelper-compat (= 13),
+ dh-sequence-javahelper,
+ default-jdk-headless,
+ junit4,
+Rules-Requires-Root: no
+Standards-Version: 4.6.2
Vcs-Git: https://salsa.debian.org/java-team/ca-certificates-java.git
Vcs-Browser: https://salsa.debian.org/java-team/ca-certificates-java
Package: ca-certificates-java
Architecture: all
Multi-Arch: foreign
-Depends: ca-certificates (>= 20121114),
- default-jre-headless | java8-runtime-headless,
- libnss3 (>= 3.12.10-2~),
- ${misc:Depends}
-# We need a versioned Depends due to multiarch changes (bug #635571).
+Depends:
+ ca-certificates (>= 20210120),
+ ${misc:Depends},
+Breaks: openjdk-8-jre-headless (<< 8u382~b04-2~),
+ openjdk-11-jre-headless (<< 11.0.19+7~1~),
+ openjdk-17-jre-headless (<< 17.0.8~6-3~),
+ openjdk-18-jre-headless (<< 18.0.2+9-2ubuntu1~),
+ openjdk-19-jre-headless (<< 19.0.2+7-0ubuntu4~),
+ openjdk-20-jre-headless (<< 20.0.1+9~1~),
+ openjdk-21-jre-headless (<< 21~9ea-1~)
Description: Common CA certificates (JKS keystore)
This package uses the hooks of the ca-certificates package to update the
cacerts JKS keystore used for many java runtimes.
=====================================
debian/jks-keystore
=====================================
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+if [ -t 0 ]; then
+ echo "This hook script expects the list of PEM files to be added/removed" >&2
+ echo "prefixed with '+'/'-' to be piped into stdin." >&2
+ exit 1
+fi
+
+# record the pending certificate updates for later execution by the
+# triggers in ca-certificates-java
+
+mkdir -p /var/lib/ca-certificates-java
+cat - >> /var/lib/ca-certificates-java/pending
+
+case "$1" in
+ -f|--fresh)
+ dpkg-trigger --no-await update-ca-certificates-java-fresh
+ ;;
+ *)
+ dpkg-trigger --no-await update-ca-certificates-java
+ ;;
+esac
+
+# if the hook was activated by a manual run of update-ca-certificates
+# (and not from a maintainer script), ensure the triggers get processed
+
+if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
+ dpkg --triggers-only --pending
+fi
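Review bot: The final `dpkg --triggers-only --pending` processes the pending triggers of every package on the system, not just the `update-ca-certificates-java` or `update-ca-certificates-java-fresh` trigger activated a few lines earlier, so a manual `update-ca-certificates` run can kick off unrelated trigger processing as a side effect. Consider limiting it to this package with `dpkg --triggers-only ca-certificates-java`. A short comment noting that stdin is appended to `pending` even in the `-f|--fresh` case (where the postinst rebuilds from `fresh` and then deletes `pending`) would also help the next reader.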
=====================================
debian/jks-keystore.hook deleted
=====================================
@@ -1,89 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# use the locale C.UTF-8
-unset LC_ALL
-LC_CTYPE=C.UTF-8
-export LC_CTYPE
-
-storepass='changeit'
-if [ -f /etc/default/cacerts ]; then
- . /etc/default/cacerts
-fi
-
-arch=`dpkg --print-architecture`
-JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
-
-nsslib_name()
-{
- if dpkg --assert-multi-arch 2>/dev/null; then
- echo "libnss3:${arch}"
- else
- echo "libnss3"
- fi
-}
-
-echo ""
-if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then
- echo "updates of cacerts keystore disabled."
- exit 0
-fi
-
-if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs (/proc)."
- exit 1
-fi
-
-for jvm in java-7-openjdk-$arch java-7-openjdk \
- oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
- java-8-openjdk-$arch java-8-openjdk \
- oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
- java-9-openjdk-$arch java-9-openjdk \
- oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
- java-10-openjdk-$arch java-10-openjdk \
- oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
- java-11-openjdk-$arch java-11-openjdk \
- oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- break
- fi
-done
-
-if dpkg-query --version >/dev/null; then
- nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
- nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
- nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
- ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
- fi
- softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1)
- if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then
- ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so
- fi
-fi
-
-do_cleanup()
-{
- [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libnss3.so
- fi
- if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \
- && [ "$softokn3pkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libsoftokn3.so
- fi
-}
-
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
- do_cleanup
-else
- do_cleanup
- exit 1
-fi
-
-echo "done."
=====================================
debian/postinst deleted
=====================================
@@ -1,172 +0,0 @@
-#!/bin/bash
-set -e
-
-# use the locale C.UTF-8
-unset LC_ALL
-LC_CTYPE=C.UTF-8
-export LC_CTYPE
-
-storepass='changeit'
-if [ -f /etc/default/cacerts ]; then
- . /etc/default/cacerts
-fi
-
-arch=`dpkg --print-architecture`
-JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
-
-nsslib_name()
-{
- if dpkg --assert-multi-arch 2>/dev/null; then
- echo "libnss3:${arch}"
- else
- echo "libnss3"
- fi
-}
-
-setup_path()
-{
- for jvm in java-7-openjdk-$arch java-7-openjdk \
- oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
- java-8-openjdk-$arch java-8-openjdk \
- oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
- java-9-openjdk-$arch java-9-openjdk \
- oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
- java-10-openjdk-$arch java-10-openjdk \
- oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
- java-11-openjdk-$arch java-11-openjdk \
- oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \
- java-12-openjdk-$arch java-12-openjdk \
- oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \
- java-13-openjdk-$arch java-13-openjdk \
- oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \
- java-14-openjdk-$arch java-14-openjdk \
- oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \
- java-15-openjdk-$arch java-15-openjdk \
- oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \
- java-16-openjdk-$arch java-16-openjdk \
- oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \
- java-17-openjdk-$arch java-17-openjdk \
- oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- # copy java.security to allow import to function
- security_conf=/etc/${jvm%-${arch}}/security
- if [ -f ${security_conf}/java.security.dpkg-new ] \
- && [ ! -f ${security_conf}/java.security ]; then
- cp -v ${security_conf}/java.security.dpkg-new \
- ${security_conf}/java.security
- fi
- break
- fi
- done
-}
-
-check_proc()
-{
- if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs (/proc)."
- exit 1
- fi
-}
-
-convert_pkcs12_keystore_to_jks()
-{
- if ! keytool -importkeystore \
- -srckeystore /etc/ssl/certs/java/cacerts \
- -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
- -srcstoretype PKCS12 \
- -deststoretype JKS \
- -srcstorepass "$storepass" \
- -deststorepass "$storepass" \
- -noprompt; then
- echo "failed to convert PKCS12 keystore to JKS" >&2
- exit 1
- fi
-
- # only update if /etc/default/cacerts allows
- if [ "$cacerts_updates" = "yes" ]; then
- mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
- mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
- fi
-}
-
-first_install()
-{
- if which dpkg-query >/dev/null; then
- nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
- nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
- nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
- ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
- fi
- fi
-
- # Forcibly remove diginotar cert (LP: #920758)
- if [ -n "$FIXOLD" ]; then
- echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \
- java -Xmx64m -jar $JAR -storepass "$storepass"
- fi
-
- find /etc/ssl/certs -name \*.pem | \
- while read filename; do
- alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
- alias=${alias%*_}
- if [ -n "$FIXOLD" ]; then
- echo "-${alias}"
- echo "-${alias}_pem"
- fi
- echo "+${filename}"
- done | \
- java -Xmx64m -jar $JAR -storepass "$storepass"
- echo "done."
-}
-
-do_cleanup()
-{
- [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libnss3.so
- fi
-}
-
-case "$1" in
- configure)
- if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
- FIXOLD="true"
- if [ -e /etc/ssl/certs/java/cacerts ]; then
- cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
- fi
- fi
-
- setup_path
-
- if dpkg --compare-versions "$2" lt "20180516"; then
- if [ -e /etc/ssl/certs/java/cacerts \
- -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
- check_proc
- convert_pkcs12_keystore_to_jks
- fi
- fi
-
- if [ -z "$2" -o -n "$FIXOLD" ]; then
- check_proc
- trap do_cleanup EXIT
- first_install
- fi
- chmod 600 /etc/default/cacerts || true
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-#DEBHELPER#
-
-exit 0
=====================================
debian/postrm deleted
=====================================
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
- purge)
- rm -f /etc/ca-certificates/update.d/jks-keystore
- rm -rf /etc/ssl/certs/java
- rmdir /etc/ssl/certs 2>/dev/null || true
- ;;
- remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- ;;
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-#DEBHELPER#
-
-exit 0
-
-
=====================================
debian/rules
=====================================
@@ -1,7 +1,7 @@
#!/usr/bin/make -f
%:
- dh $@ --with javahelper
+ dh $@
override_dh_auto_build:
mkdir target
@@ -27,12 +27,8 @@ ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
org.debian.security.UpdateCertificatesTest org.debian.security.KeyStoreHandlerTest
endif
-override_dh_auto_install:
- install -m755 debian/jks-keystore.hook debian/ca-certificates-java/etc/ca-certificates/update.d/jks-keystore
- install -m600 debian/default debian/ca-certificates-java/etc/default/cacerts
+override_dh_installinit:
+ dh_installinit --name=cacerts
- dh_install target/ca-certificates-java.jar /usr/share/ca-certificates-java/
-
-override_dh_link:
- dh_link
- rm debian/ca-certificates-java/etc/default/ca-certificates-java
+execute_after_dh_fixperms:
+ chmod 0600 debian/ca-certificates-java/etc/default/cacerts
=====================================
debian/salsa-ci.yml
=====================================
@@ -0,0 +1,7 @@
+---
+variables:
+ RELEASE: 'bullseye'
+
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
=====================================
debian/tests/can-convert-keystore
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# GIVEN a PKCS12 Java keystore
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+rm $CACERTS
+keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null
+apt-get remove -y ca-certificates-java
+
+mkdir -p /etc/ssl/certs/java/
+mkdir -p /var/lib/ca-certificates-java/
+mv test.store $CACERTS
+# WHEN ca-certificates-java is requested to convert the keystore
+touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+
+# THEN conversion is successful
+output=`mktemp`
+apt-get install -y openjdk-8-jre-headless | tee ${output}
+
+if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]];
+then
+ echo "Certificates were not imported !!!"
+ exit 255
+fi
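Review bot: `apt-get install -y openjdk-8-jre-headless | tee ${output}` runs without `set -o pipefail`, so the pipeline's status is tee's and `set -e` does not stop on a failed install; the failure is only noticed if the expected message is also missing. Add `set -o pipefail`, and replace `[[ $(grep -L ...) ]]` with `if ! grep -q "Entry for alias amazon successfully imported." "$output"`, which states the intent directly. Also, `rm $CACERTS` aborts the test when the keystore is absent (use `rm -f`), `2> /dev/null` on keytool hides the reason if the import fails, and the mktemp file is never removed.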
=====================================
debian/tests/can-install-jre
=====================================
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+versions=$(apt-cache search jre-headless | awk '{print $1}')
+for version in ${versions}
+do
+# WHEN openjdk-jre-headless package is installed from scratch
+
+ # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean
+ # builds. Ignore it in certificate tests
+ if [[ ${version} == "openjdk-18-jre-headless" ]];
+ then
+ continue
+ fi
+ output=`mktemp`
+ echo "installing ${version}"
+ apt-get install -y ${version} | tee ${output}
+# THEN installation is successfull
+# AND certificates are updated
+ if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+ echo "Certificates were not imported !!!"
+ exit 255
+ fi
+ rm $output
+ # purge in order to remove keytstore
+ apt-get purge -y ca-certificates-java ${version}
+done
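Review bot: `apt-cache search jre-headless` matches package descriptions as well as names, so the loop can pick up packages other than the versioned openjdk-N-jre-headless ones, and the set changes with the archive. Use `apt-cache search --names-only '^openjdk-[0-9]+-jre-headless$'` so only the intended packages are installed, which would also let the hard-coded skip be the single documented exception. On the failure path the script exits before `rm $output`, and the `| tee ${output}` pipeline has no `set -o pipefail`, so an apt-get failure is masked.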
=====================================
debian/tests/can-install-libreoffice
=====================================
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+apt-get install -y libreoffice
=====================================
debian/tests/can-install-multiple-jdks
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+output=`mktemp`
+# WHEN multiple JDKs are installed
+apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output}
+
+# THEN installation is successful
+if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+ echo "Certificates were not imported !!!"
+ exit 255
+fi
+rm $output
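Review bot: The `grep -L "Adding debian:Amazon_Root_CA_1.pem"` check is satisfied by a single occurrence of that line anywhere in the output, so it shows the keystore was populated once, not that the install of all three JDKs succeeded. Because `| tee ${output}` hides apt-get's exit status under plain `set -e`, add `set -o pipefail` so the "installation is successful" claim is actually tested. `rm $output` is skipped on the `exit 255` path; a `trap 'rm -f "$output"' EXIT` covers both exits.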
=====================================
debian/tests/control
=====================================
@@ -0,0 +1,9 @@
+Tests: can-convert-keystore
+Depends: apt-utils, bash, default-jre-headless
+Restrictions: needs-root
+
+Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice
+# No depends, this is a test for a clean install
+Depends: apt-utils, bash
+Restrictions: needs-root
+
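Review bot: The comment `# No depends, this is a test for a clean install` sits directly above `Depends: apt-utils, bash`, which reads as a contradiction; reword it to say that the package under test and any JRE are deliberately left out. These tests remove and purge packages and, in can-convert-keystore, delete /etc/ssl/certs/java/cacerts, so `Restrictions:` should probably carry `breaks-testbed` alongside `needs-root` in both stanzas.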
=====================================
src/main/java/org/debian/security/UpdateCertificates.java
=====================================
@@ -86,6 +86,9 @@ public class UpdateCertificates {
* or {@link #deleteAlias(String)}.
*/
protected void parseLine(final String line) throws GeneralSecurityException, IOException, UnknownInputException {
+ if (line.isEmpty()) {
+ return;
+ }
String path = line.substring(1);
String filename = path.substring(path.lastIndexOf("/") + 1);
String alias = "debian:" + filename;
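Review bot: `line.isEmpty()` only skips a zero-length string; a line holding just whitespace or a stray carriage return still reaches `line.substring(1)` and is handled as a command. If the intent is to ignore blank lines on stdin, test `line.trim().isEmpty()` instead, and mention the skipped case in the Javadoc above `parseLine`.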
@@ -93,9 +96,6 @@ public class UpdateCertificates {
keystore.addAlias(alias, path);
} else if (line.startsWith("-")) {
keystore.deleteAlias(alias);
- // Remove old non-prefixed aliases, too. This code should be
- // removed after the release of Wheezy.
- keystore.deleteAlias(filename);
} else {
throw new UnknownInputException(line);
}
=====================================
src/test/java/org/debian/security/UpdateCertificatesTest.java
=====================================
@@ -49,6 +49,16 @@ public class UpdateCertificatesTest {
keystore.delete();
}
+ /**
+ * Try to send an empty command ("") in parseLine
+ */
+ @Test
+ public void testEmptyCommand() throws Exception {
+ UpdateCertificates uc = new UpdateCertificates(ksFilename, ksPassword);
+ uc.parseLine("");
+ uc.finish();
+ }
+
/**
* Try to send an invalid command ("x") in parseLine : throw UnknownInput
*/
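Review bot: `testEmptyCommand` has no assertion, so it passes as long as `parseLine("")` and `finish()` do not throw. Assert the outcome as well, namely that the keystore is unchanged after the call, so a regression that turns the empty line into an add or delete is caught.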
View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/a945dc8a3e492b905fa05b380737ab74d37ca9ad...d20256bf94a36c352c5776f598008e8f6368c1c5