[Git][java-team/ca-certificates-java][bullseye] 41 commits: switch to debhelper-compat (= 13)

Bastien Roucariès (@rouca) gitlab at salsa.debian.org
Fri Aug 1 19:23:08 BST 2025



Bastien Roucariès pushed to branch bullseye at Debian Java Maintainers / ca-certificates-java


Commits:
b59b0dcf by Andreas Beckmann at 2021-02-18T21:13:17+01:00
switch to debhelper-compat (= 13)

- - - - -
bb08d9e8 by Andreas Beckmann at 2021-02-18T21:18:22+01:00
use dh_installinit to install /etc/default/cacerts

- - - - -
ec56da1d by Andreas Beckmann at 2021-02-18T21:23:17+01:00
use dh_install to install jar and hook

- - - - -
c0c962f4 by Andreas Beckmann at 2021-02-19T21:11:35+01:00
ship /etc/default/cacerts with mode 0600

- - - - -
dfd0e87a by Andreas Beckmann at 2021-02-19T21:20:07+01:00
add test with empty command

- - - - -
5ee5835f by Andreas Beckmann at 2021-02-19T21:22:38+01:00
UpdateCertificates.java: ignore empty lines in stdin

- - - - -
63507424 by Andreas Beckmann at 2021-02-19T23:00:18+01:00
avoid warning about missing /etc/ssl/certs/java/cacerts on initial install

- - - - -
18fa5707 by Andreas Beckmann at 2021-02-19T23:04:29+01:00
do not be satisfied by java7-runtime-headless

- - - - -
1e3e4280 by Andreas Beckmann at 2021-02-19T23:24:30+01:00
remove support for upgrading from versions predating wheezy

- - - - -
3bc73bdb by Andreas Beckmann at 2021-02-19T23:47:14+01:00
clean up misplaced symlinks from ancient versions

- - - - -
62313abf by Andreas Beckmann at 2021-02-20T00:28:53+01:00
remove redundant bits from the maintainer scripts

- - - - -
049a5639 by Andreas Beckmann at 2021-02-20T01:11:43+01:00
set Rules-Requires-Root: no

- - - - -
3d8a3e1b by Andreas Beckmann at 2021-02-23T12:02:35+01:00
drop libnss3 manipulations

- - - - -
651ef32a by Andreas Beckmann at 2021-02-23T12:07:01+01:00
postinst: add a shared update_cacerts() function

- - - - -
eba4aea5 by Andreas Beckmann at 2021-02-23T12:08:21+01:00
run convert_pkcs12_keystore_to_jks from update_cacerts

- - - - -
c45c3c9b by Andreas Beckmann at 2021-02-23T02:01:09+01:00
let update_cacerts handle initial creation of cacerts

- - - - -
adec85a6 by Andreas Beckmann at 2021-02-23T12:13:02+01:00
move processing of +/- certs to new update-ca-certificates-java trigger

the hook script is executed in the context of ca-certificates
and nothing is known at that time about the configuration state
of ca-certificates-java or its rdepends

so just record the pending updates and execute them in a context
where ca-certificates-java and its rdepends are in a usable state

- - - - -
be511adf by Andreas Beckmann at 2021-02-23T12:13:12+01:00
add update-ca-certificates-java-fresh trigger

- - - - -
8821ee55 by Andreas Beckmann at 2021-02-23T12:13:17+01:00
remove obsolete certificates when building a fresh cacerts file

- - - - -
6260c58f by Andreas Beckmann at 2021-02-23T13:45:49+01:00
bump ca-certificates dependency to 20210120

- - - - -
58057f06 by Andreas Beckmann at 2021-02-23T13:46:35+01:00
skip Java certificates setup if no JRE is available

pending actions will be stored in /var/lib/ca-certificates-java

- - - - -
9825a4a7 by Andreas Beckmann at 2021-02-23T13:46:39+01:00
add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE becomes available

- - - - -
7d2d460c by Andreas Beckmann at 2021-02-23T13:47:17+01:00
demote JRE dependency to Recommends to break dependency cycle

- - - - -
33232621 by Andreas Beckmann at 2021-02-23T13:48:32+01:00
Standards-Version: 4.5.1

- - - - -
ed71672c by Andreas Beckmann at 2021-02-23T13:58:20+01:00
simplify setup_path()

- - - - -
96009a75 by Andreas Beckmann at 2021-02-23T15:34:19+01:00
close more fixed bugs

- - - - -
7b5bfb4e by Matthias Klose at 2022-07-19T16:05:59+02:00
  * Support Java 18-21.

- - - - -
ea49e45b by Matthias Klose at 2022-07-19T16:06:50+02:00
  * Bump Standards-Version to 4.6.0.

- - - - -
0fa31d3f by Matthias Klose at 2022-07-19T16:15:04+02:00
 - prepare for upload

- - - - -
7ed1dec5 by Matthias Klose at 2023-01-03T09:12:32+01:00
  * Promote again the JRE recommendation to a dependency. Otherwise
    non-default OpenJDK versions are uninstallable.

- - - - -
8c64d971 by Matthias Klose at 2023-06-14T09:37:18+02:00
  [ Vladimir Petko ]
  * Resolve circular JRE dependency (LP: #2003750, LP: #1999103, LP: #2004061)
    Closes: #1030129, #1037478, #1023748.
    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
      stage.
    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
      not found. Certificates are refreshed only in response to the trigger
      activated by OpenJDK packages.
    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
      Java 8. Closes: #1015771.
    - debian/control: remove JRE dependency.
    - debian/control: add Breaks condition.
    - debian/tests: add smoke tests.
    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
      explicitly declare triggers as -await.

- - - - -
aa98c9a9 by Matthias Klose at 2023-06-14T09:37:57+02:00
  * Bump standards version.

- - - - -
5cc3caad by Matthias Klose at 2023-06-14T09:42:02+02:00
  * Build-depend on default-jdk-headless instead of default-jdk.

- - - - -
1d366c43 by Matthias Klose at 2023-06-14T18:51:34+02:00
revert Vladimir's changes

- - - - -
561054ed by Matthias Klose at 2023-06-20T06:13:02+02:00
  [ Vladimir Petko ]
  * d/ca-certificates-java.postinst: Work-around not yet configured jre.

- - - - -
ff182104 by Matthias Klose at 2023-07-05T15:26:08+02:00
  [ Vladimir Petko ]
  * Resolve circular JRE dependency:
    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
      stage.
    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
      not found. Certificates are refreshed only in response to the trigger
      activated by OpenJDK packages.
    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
      Java 8.
    - debian/control: remove JRE dependency.
    - debian/control: add Breaks condition.
    - debian/tests: add smoke tests.
    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
      explicitly declare triggers as -await.

  [ Matthias Klose ]
  * Adjust the breaks for Debian versions.

- - - - -
7cc751df by Matthias Klose at 2023-07-07T11:14:05+02:00
 upload to unstable

- - - - -
420db8ec by Matthias Klose at 2023-07-10T10:01:05+02:00
  * Add apt-utils to the test dependencies.

- - - - -
4488fcff by Andreas Beckmann at 2024-12-22T13:44:32+00:00
Import Debian version 20230710~deb12u1

ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium
.
  * Non-maintainer upload.
  * Rebuild for bookworm.  (Closes: #1041419, #1037478, #929685)

- - - - -
9df36402 by Bastien Roucariès at 2025-08-01T18:58:55+02:00
Merge branch 'bookworm' into bullseye

- - - - -
d20256bf by Bastien Roucariès at 2025-08-01T19:48:17+02:00
Finalize backport

- - - - -


24 changed files:

- debian/default → debian/ca-certificates-java.cacerts.default
- debian/ca-certificates-java.dirs
- + debian/ca-certificates-java.install
- + debian/ca-certificates-java.lintian-overrides
- + debian/ca-certificates-java.postinst
- + debian/ca-certificates-java.postrm
- + debian/ca-certificates-java.preinst
- debian/ca-certificates-java.triggers
- debian/changelog
- − debian/compat
- debian/control
- + debian/jks-keystore
- − debian/jks-keystore.hook
- − debian/postinst
- − debian/postrm
- debian/rules
- + debian/salsa-ci.yml
- + debian/tests/can-convert-keystore
- + debian/tests/can-install-jre
- + debian/tests/can-install-libreoffice
- + debian/tests/can-install-multiple-jdks
- + debian/tests/control
- src/main/java/org/debian/security/UpdateCertificates.java
- src/test/java/org/debian/security/UpdateCertificatesTest.java


Changes:

=====================================
debian/default → debian/ca-certificates-java.cacerts.default
=====================================


=====================================
debian/ca-certificates-java.dirs
=====================================
@@ -1,3 +1,2 @@
-etc/default
 etc/ssl/certs/java
-etc/ca-certificates/update.d
+var/lib/ca-certificates-java


=====================================
debian/ca-certificates-java.install
=====================================
@@ -0,0 +1,2 @@
+debian/jks-keystore		etc/ca-certificates/update.d/
+target/ca-certificates-java.jar	usr/share/ca-certificates-java/


=====================================
debian/ca-certificates-java.lintian-overrides
=====================================
@@ -0,0 +1 @@
+non-standard-file-perm etc/default/cacerts 0600 != 0644


=====================================
debian/ca-certificates-java.postinst
=====================================
@@ -0,0 +1,174 @@
+#!/bin/sh
+set -e
+
+# use the locale C.UTF-8
+unset LC_ALL
+LC_CTYPE=C.UTF-8
+export LC_CTYPE
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+    . /etc/default/cacerts
+fi
+
+arch=`dpkg --print-architecture`
+JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+
+check_proc()
+{
+    if ! mountpoint -q /proc; then
+        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+        exit 1
+    fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+    check_proc
+    if ! keytool -importkeystore \
+                 -srckeystore /etc/ssl/certs/java/cacerts \
+                 -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+                 -srcstoretype PKCS12 \
+                 -deststoretype JKS \
+                 -srcstorepass "$storepass" \
+                 -deststorepass "$storepass" \
+                 -noprompt; then
+        echo "failed to convert PKCS12 keystore to JKS" >&2
+        exit 1
+    fi
+
+    # only update if /etc/default/cacerts allows
+    if [ "$cacerts_updates" = "yes" ]; then
+        mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+        mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+    fi
+}
+
+find_pem_files()
+{
+	find $ETCCERTSDIR -type l -name \*.pem | sort | while read symlink ; do
+		case $(readlink "$symlink") in
+			$CERTSDIR*|$LOCALCERTSDIR*)
+				echo "$symlink"
+				;;
+		esac
+	done
+}
+
+update_cacerts()
+{
+	if [ "$cacerts_updates" != "yes" ] || [ "$CACERT_UPDATES" = "disabled" ]; then
+		echo "Updates of cacerts keystore are disabled."
+		exit 0
+	fi
+
+	if ! which java >/dev/null; then
+		echo "No JRE found. Skipping Java certificates setup."
+		exit 0
+	fi
+
+	if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
+		convert_pkcs12_keystore_to_jks
+		rm /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+	fi
+
+	if [ -f /var/lib/ca-certificates-java/fresh ]; then
+		>/var/lib/ca-certificates-java/fresh
+		pem_files=$(find_pem_files)
+
+		if [ -f "$CACERTS" ]; then
+			check_proc
+
+			# Java 8 does not have -cacerts option
+			if java -version 2>&1 | grep "1.8" > /dev/null ;
+			then
+				castore="-keystore ${CACERTS}"
+			else
+				castore="-cacerts"
+			fi
+
+			cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
+			etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
+			for alias in $cacerts_aliases ; do
+				case " $etc_ssl_certs_aliases " in
+					*" ${alias} "*)
+						: # keep
+						;;
+					*)
+						echo "-${alias}" >> /var/lib/ca-certificates-java/fresh
+						;;
+				esac
+			done
+		fi
+
+		for pem in $pem_files ; do
+			echo "+${pem}" >> /var/lib/ca-certificates-java/fresh
+		done
+	fi
+
+	if [ -s /var/lib/ca-certificates-java/fresh ]; then
+		java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/fresh
+	elif [ -s /var/lib/ca-certificates-java/pending ]; then
+		java -Xmx64m -jar $JAR -storepass "$storepass" < /var/lib/ca-certificates-java/pending
+	fi
+	echo "done."
+
+	rm -f /var/lib/ca-certificates-java/fresh
+	rm -f /var/lib/ca-certificates-java/pending
+}
+
+#DEBHELPER#
+
+if [ "$1" = "configure" ]; then
+	if dpkg --compare-versions "$2" lt-nl "20210218" ; then
+		# clean up misplaced symlinks from ancient versions (#688415)
+		if [ -L /libnss3.so ]; then
+			rm -v /libnss3.so
+		fi
+		if [ -L /libsoftokn3.so ]; then
+			rm -v /libsoftokn3.so
+		fi
+
+		if [ -f /etc/default/cacerts ]; then
+			chmod 0600 /etc/default/cacerts
+		fi
+	fi
+
+	if dpkg --compare-versions "$2" lt-nl "20180516"; then
+		if [ -e /etc/ssl/certs/java/cacerts ] && \
+			[ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+			touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+		fi
+	fi
+
+	# older versions may not have received all updates from ca-certificates
+	if dpkg --compare-versions "$2" lt-nl "20210218" ; then
+		touch /var/lib/ca-certificates-java/fresh
+	fi
+
+	# initial install
+	if [ -z "$2" ]; then
+		touch /var/lib/ca-certificates-java/fresh
+	fi
+
+	update_cacerts
+fi
+
+if [ "$1" = "triggered" ]; then
+	case " $2 " in
+		*" update-ca-certificates-java-fresh "*)
+			touch /var/lib/ca-certificates-java/fresh
+			;;
+	esac
+
+	if [ ! -f $CACERTS ]; then
+		touch /var/lib/ca-certificates-java/fresh
+	fi
+
+	update_cacerts
+fi
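
Review bot: The PKCS12 detection in the `lt-nl "20180516"` branch still compares against `$(echo -en '\xfe\xed\xfe\xed')`, a bashism, while this script now starts with `#!/bin/sh` (the deleted debian/postinst was `#!/bin/bash`). dash's builtin echo does not accept `-e` and has no `\x` escape, so the right-hand side never equals the JKS magic bytes and an existing JKS keystore gets flagged for PKCS12 conversion on upgrades from before 20180516. `printf '\376\355\376\355'` is portable. Separately, `grep "1.8"` in the Java 8 check is an unanchored regex in which `.` matches any character; matching on `version "1\.8` would be tighter.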


=====================================
debian/ca-certificates-java.postrm
=====================================
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "purge" ]; then
+	rm -rf /etc/ssl/certs/java
+	rmdir /etc/ssl/certs 2>/dev/null || true
+	rm -rf /var/lib/ca-certificates-java
+fi
+
+#DEBHELPER#


=====================================
debian/ca-certificates-java.preinst
=====================================
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+# rebuild cacerts on reinstallation after removal since certificate updates
+# that happened while the package was removed are missing
+if [ "$1" = "install" ] && [ -n "$2" ]; then
+	mkdir -p /var/lib/ca-certificates-java
+	touch /var/lib/ca-certificates-java/fresh
+fi
+
+#DEBHELPER#


=====================================
debian/ca-certificates-java.triggers
=====================================
@@ -1 +1,2 @@
-activate update-ca-certificates
+interest-await update-ca-certificates-java
+interest-await update-ca-certificates-java-fresh
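
Review bot: Both triggers are declared `interest-await`, but the only activation visible in this change, debian/jks-keystore, calls `dpkg-trigger --no-await`, so a ca-certificates run that queued the updates does not wait for the keystore to be rebuilt. A comment here or in jks-keystore stating which activators are expected to await (the changelog mentions the OpenJDK packages) would make the intent clear.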


=====================================
debian/changelog
=====================================
@@ -1,13 +1,113 @@
-ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+ca-certificates-java (20230710~deb12u1~deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by LTS team.
+  * Backport in order to solve circular JRE dependency
+    (Closes: #1041419, #1037478, #929685)
+
+ -- Bastien Roucariès <rouca at debian.org>  Fri, 01 Aug 2025 18:58:12 +0200
+
+ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium
 
-  [ Andreas Beckmann]
   * Non-maintainer upload.
-  * Backport changes from 20230620 in sid.  (Closes: #1039472)
+  * Rebuild for bookworm.  (Closes: #1041419, #1037478, #929685)
+
+ -- Andreas Beckmann <anbe at debian.org>  Sun, 03 Dec 2023 13:04:00 +0100
+
+ca-certificates-java (20230710) unstable; urgency=medium
+
+  * Add apt-utils to the test dependencies.
+
+ -- Matthias Klose <doko at debian.org>  Mon, 10 Jul 2023 09:59:59 +0200
+
+ca-certificates-java (20230707) unstable; urgency=medium
+
+  [ Vladimir Petko ]
+  * Resolve circular JRE dependency:
+    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
+      stage.
+    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
+      not found. Certificates are refreshed only in response to the trigger
+      activated by OpenJDK packages.
+    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
+      Java 8.
+    - debian/control: remove JRE dependency.
+    - debian/control: add Breaks condition.
+    - debian/tests: add smoke tests.
+    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
+      explicitly declare triggers as -await.
+
+  [ Matthias Klose ]
+  * Adjust the breaks for Debian versions.
+
+ -- Matthias Klose <doko at debian.org>  Fri, 07 Jul 2023 11:13:17 +0200
+
+ca-certificates-java (20230620~deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm.  (Closes: #1039472)
+
+ -- Andreas Beckmann <anbe at debian.org>  Sun, 06 Aug 2023 16:24:13 +0200
+
+ca-certificates-java (20230620) unstable; urgency=medium
+
+  [ Matthias Klose ]
+  * Bump standards version.
+  * Build-depend on default-jdk-headless instead of default-jdk.
 
   [ Vladimir Petko ]
   * d/ca-certificates-java.postinst: Work-around not yet configured jre.
 
- -- Andreas Beckmann <anbe at debian.org>  Thu, 27 Jul 2023 16:29:03 +0200
+ -- Matthias Klose <doko at debian.org>  Tue, 20 Jun 2023 06:09:44 +0200
+
+ca-certificates-java (20230103) unstable; urgency=medium
+
+  * Promote again the JRE recommendation to a dependency. Otherwise
+    non-default OpenJDK versions are uninstallable.
+
+ -- Matthias Klose <doko at debian.org>  Tue, 03 Jan 2023 09:10:44 +0100
+
+ca-certificates-java (20220719) unstable; urgency=medium
+
+  [ Andreas Beckmann ]
+  * Team upload.
+  * Switch to debhelper-compat (= 13).
+  * Set Rules-Requires-Root: no.
+  * UpdateCertificates.java: Ignore empty lines in stdin.  (Closes: #795244)
+  * Avoid warning about missing /etc/ssl/certs/java/cacerts on initial
+    install.
+  * Do not be satisfied by java7-runtime-headless.
+  * Remove support for upgrading from versions predating wheezy.
+  * Clean up misplaced symlinks in the root directory left over by ancient
+    versions.  (Closes: #688415)
+  * Drop libnss3 manipulations, no longer needed since openjdk-6-jre-headless
+    at least.
+  * Add update-ca-certificates-java trigger and let jks-keystore record the
+    pending certificate updates and postpone them to the processing of this
+    trigger.  (Closes: #908858)
+  * Add update-ca-certificates-java-fresh trigger, will be activated by
+    update-ca-certificates -f.  (Closes: #922981)
+  * Remove obsolete certificates when building a fresh cacerts file.
+    (Closes: #767272)
+  * Bump ca-certificates dependency to 20210120.
+  * Skip Java certificates setup if no JRE is available.
+  * Add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE
+    becomes available.
+  * Demote JRE dependency to Recommends to break dependency cycle.
+    (Closes: #929685, #940297)
+  * Foreign architecture JREs that place java in PATH are also usable.
+    (Closes: #776860, #864331)
+
+  [ Matthias Klose ]
+  * Support Java 18-21. Closes: #994152.
+  * Bump Standards-Version to 4.6.0.
+
+ -- Matthias Klose <doko at debian.org>  Tue, 19 Jul 2022 16:02:33 +0200
+
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+  [ Andreas Beckmann]
+  * Non-maintainer upload.
+  * Backport changes from 20230620 in sid.  (Closes: #1039472)
 
 ca-certificates-java (20190909) unstable; urgency=medium
 
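
Review bot: The re-added `ca-certificates-java (20190909+deb11u1) bullseye` entry has no trailer line: the old ` -- Andreas Beckmann <anbe at debian.org>  Thu, 27 Jul 2023 16:29:03 +0200` line is removed and the entry now runs straight into the `20190909` header. Its `[ Vladimir Petko ]` item has also been absorbed into the 20230620 entry. Restore both so the changelog stays parseable and the record of the already-uploaded bullseye version is unchanged.
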
@@ -74,10 +174,11 @@ ca-certificates-java (20170930) unstable; urgency=medium
 
   * Team upload.
   * Revert the last two NMUs.
-    - Depend again on openjdk-8 after the stretch release.
+    - Depend again on openjdk-8 after the stretch release. (Closes: #863803)
     - Stop fiddling around with jvm-*.cfg files. ca-certificates-java
       has no business with providing an initial cacerts file. This is
       implemented in the openjdk packages. We are not 2008 anymore.
+      (Closes: #912187)
   * Bump standards version.
   * Remove Torsten Werner as uploader.
 
@@ -125,7 +226,7 @@ ca-certificates-java (20161107) unstable; urgency=medium
 ca-certificates-java (20160321) unstable; urgency=medium
 
   * Team upload.
-  * Drop support for obsolete Java 6 (Closes: #776897)
+  * Drop support for obsolete Java 6 (Closes: #776897, #816541)
   * Add support for Java 8 and 9 (Closes: #775775)
   * Bump Standards-Version to 3.9.7 (no changes)
   * Use secure HTTPS URI for Vcs-Browser
@@ -426,4 +527,3 @@ ca-certificates-java (20080514) unstable; urgency=low
   * Initial release.
 
  -- Matthias Klose <doko at ubuntu.com>  Mon, 02 Jun 2008 14:52:46 +0000
-


=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11


=====================================
debian/control
=====================================
@@ -4,19 +4,29 @@ Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
 Uploaders: Matthias Klose <doko at ubuntu.com>,
            James Page <james.page at ubuntu.com>
-Build-Depends: debhelper (>= 11), default-jdk, javahelper, junit4
-Standards-Version: 4.4.0
+Build-Depends:
+ debhelper-compat (= 13),
+ dh-sequence-javahelper,
+ default-jdk-headless,
+ junit4,
+Rules-Requires-Root: no
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/java-team/ca-certificates-java.git
 Vcs-Browser: https://salsa.debian.org/java-team/ca-certificates-java
 
 Package: ca-certificates-java
 Architecture: all
 Multi-Arch: foreign
-Depends: ca-certificates (>= 20121114),
-         default-jre-headless | java8-runtime-headless,
-         libnss3 (>= 3.12.10-2~),
-         ${misc:Depends}
-# We need a versioned Depends due to multiarch changes (bug #635571).
+Depends:
+ ca-certificates (>= 20210120),
+ ${misc:Depends},
+Breaks: openjdk-8-jre-headless  (<< 8u382~b04-2~),
+        openjdk-11-jre-headless (<< 11.0.19+7~1~),
+        openjdk-17-jre-headless (<< 17.0.8~6-3~),
+        openjdk-18-jre-headless (<< 18.0.2+9-2ubuntu1~),
+        openjdk-19-jre-headless (<< 19.0.2+7-0ubuntu4~),
+        openjdk-20-jre-headless (<< 20.0.1+9~1~),
+        openjdk-21-jre-headless (<< 21~9ea-1~)
 Description: Common CA certificates (JKS keystore)
  This package uses the hooks of the ca-certificates package to update the
  cacerts JKS keystore used for many java runtimes.
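
Review bot: The `Breaks` entries for openjdk-18-jre-headless and openjdk-19-jre-headless use Ubuntu version strings (`18.0.2+9-2ubuntu1~`, `19.0.2+7-0ubuntu4~`) in an upload targeting bullseye. With the JRE alternative dropped from `Depends`, these bounds are what keeps a JRE package predating the trigger-based setup from being co-installed, so the changelog should say whether each bound was checked against the OpenJDK versions available in bullseye.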


=====================================
debian/jks-keystore
=====================================
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+if [ -t 0 ]; then
+	echo "This hook script expects the list of PEM files to be added/removed" >&2
+	echo "prefixed with '+'/'-' to be piped into stdin." >&2
+	exit 1
+fi
+
+# record the pending certificate updates for later execution by the
+# triggers in ca-certificates-java
+
+mkdir -p /var/lib/ca-certificates-java
+cat - >> /var/lib/ca-certificates-java/pending
+
+case "$1" in
+	-f|--fresh)
+		dpkg-trigger --no-await update-ca-certificates-java-fresh
+		;;
+	*)
+		dpkg-trigger --no-await update-ca-certificates-java
+		;;
+esac
+
+# if the hook was activated by a manual run of update-ca-certificates
+# (and not from a maintainer script), ensure the triggers get processed
+
+if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
+	dpkg --triggers-only --pending
+fi
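
Review bot: `cat - >> /var/lib/ca-certificates-java/pending` and the `dpkg-trigger` call run unconditionally, whereas the deleted jks-keystore.hook exited early when `cacerts_updates` was not `yes` or `CACERT_UPDATES` was `disabled`. Because `update_cacerts` in the postinst exits before its `rm -f /var/lib/ca-certificates-java/pending` in that case, the pending file grows on every ca-certificates run and the whole backlog is replayed if updates are later re-enabled. Either source /etc/default/cacerts here and skip recording when updates are disabled, or document that the replay is intended.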


=====================================
debian/jks-keystore.hook deleted
=====================================
@@ -1,89 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# use the locale C.UTF-8
-unset LC_ALL
-LC_CTYPE=C.UTF-8
-export LC_CTYPE
-
-storepass='changeit'
-if [ -f /etc/default/cacerts ]; then
-    . /etc/default/cacerts
-fi
-
-arch=`dpkg --print-architecture`
-JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
-
-nsslib_name()
-{
-    if dpkg --assert-multi-arch 2>/dev/null; then
-        echo "libnss3:${arch}"
-    else
-        echo "libnss3"
-    fi
-}
-
-echo ""
-if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then
-    echo "updates of cacerts keystore disabled."
-    exit 0
-fi
-
-if ! mountpoint -q /proc; then
-    echo >&2 "the keytool command requires a mounted proc fs (/proc)."
-    exit 1
-fi
-
-for jvm in java-7-openjdk-$arch java-7-openjdk \
-           oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
-           java-8-openjdk-$arch java-8-openjdk \
-           oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
-           java-9-openjdk-$arch java-9-openjdk \
-           oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
-           java-10-openjdk-$arch java-10-openjdk \
-           oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
-           java-11-openjdk-$arch java-11-openjdk \
-           oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
-    if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
-        export JAVA_HOME=/usr/lib/jvm/$jvm
-        PATH=$JAVA_HOME/bin:$PATH
-    	break
-    fi
-done
-
-if dpkg-query --version >/dev/null; then
-    nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
-    nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
-    nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
-    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
-        ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
-    fi
-    softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1)
-    if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then
-        ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so
-    fi
-fi
-
-do_cleanup()
-{
-    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
-    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
-    then
-        rm -f $nssjdk/libnss3.so
-    fi
-    if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \
-       && [ "$softokn3pkg" != "$nssjdk" ]
-    then
-        rm -f $nssjdk/libsoftokn3.so
-    fi
-}
-
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
-    do_cleanup
-else
-    do_cleanup
-    exit 1
-fi
-
-echo "done."


=====================================
debian/postinst deleted
=====================================
@@ -1,172 +0,0 @@
-#!/bin/bash
-set -e
-
-# use the locale C.UTF-8
-unset LC_ALL
-LC_CTYPE=C.UTF-8
-export LC_CTYPE
-
-storepass='changeit'
-if [ -f /etc/default/cacerts ]; then
-    . /etc/default/cacerts
-fi
-
-arch=`dpkg --print-architecture`
-JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
-
-nsslib_name()
-{
-    if dpkg --assert-multi-arch 2>/dev/null; then
-        echo "libnss3:${arch}"
-    else
-        echo "libnss3"
-    fi
-}
-
-setup_path()
-{
-    for jvm in java-7-openjdk-$arch java-7-openjdk \
-               oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
-               java-8-openjdk-$arch java-8-openjdk \
-               oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
-               java-9-openjdk-$arch java-9-openjdk \
-               oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
-               java-10-openjdk-$arch java-10-openjdk \
-               oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
-               java-11-openjdk-$arch java-11-openjdk \
-               oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \
-               java-12-openjdk-$arch java-12-openjdk \
-               oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \
-               java-13-openjdk-$arch java-13-openjdk \
-               oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \
-               java-14-openjdk-$arch java-14-openjdk \
-               oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \
-               java-15-openjdk-$arch java-15-openjdk \
-               oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \
-               java-16-openjdk-$arch java-16-openjdk \
-               oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \
-               java-17-openjdk-$arch java-17-openjdk \
-               oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do
-        if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
-            export JAVA_HOME=/usr/lib/jvm/$jvm
-            PATH=$JAVA_HOME/bin:$PATH
-	    # copy java.security to allow import to function
-	    security_conf=/etc/${jvm%-${arch}}/security
-	    if [ -f ${security_conf}/java.security.dpkg-new ] \
-		&& [ ! -f ${security_conf}/java.security ]; then
-			cp -v ${security_conf}/java.security.dpkg-new \
-				${security_conf}/java.security
-	    fi
-            break
-        fi
-    done
-}
-
-check_proc()
-{
-    if ! mountpoint -q /proc; then
-        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
-        exit 1
-    fi
-}
-
-convert_pkcs12_keystore_to_jks()
-{
-    if ! keytool -importkeystore \
-                 -srckeystore /etc/ssl/certs/java/cacerts \
-                 -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
-                 -srcstoretype PKCS12 \
-                 -deststoretype JKS \
-                 -srcstorepass "$storepass" \
-                 -deststorepass "$storepass" \
-                 -noprompt; then
-        echo "failed to convert PKCS12 keystore to JKS" >&2
-        exit 1
-    fi
-
-    # only update if /etc/default/cacerts allows
-    if [ "$cacerts_updates" = "yes" ]; then
-        mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
-        mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
-    fi
-}
-
-first_install()
-{
-    if which dpkg-query >/dev/null; then
-        nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
-        nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
-        nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
-        if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
-            ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
-        fi
-    fi
-
-    # Forcibly remove diginotar cert (LP: #920758)
-    if [ -n "$FIXOLD" ]; then
-        echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \
-        java -Xmx64m -jar $JAR -storepass "$storepass"
-    fi
-
-    find /etc/ssl/certs -name \*.pem | \
-    while read filename; do
-        alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
-        alias=${alias%*_}
-        if [ -n "$FIXOLD" ]; then
-            echo "-${alias}"
-            echo "-${alias}_pem"
-        fi
-        echo "+${filename}"
-    done | \
-    java -Xmx64m -jar $JAR -storepass "$storepass"
-    echo "done."
-}
-
-do_cleanup()
-{
-    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
-    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
-    then
-        rm -f $nssjdk/libnss3.so
-    fi
-}
-
-case "$1" in
-    configure)
-        if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
-            FIXOLD="true"
-            if [ -e /etc/ssl/certs/java/cacerts ]; then
-                cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
-            fi
-        fi
-
-        setup_path
-
-        if dpkg --compare-versions "$2" lt "20180516"; then
-            if [ -e /etc/ssl/certs/java/cacerts \
-                 -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
-                check_proc
-                convert_pkcs12_keystore_to_jks
-            fi
-        fi
-
-        if [ -z "$2" -o -n "$FIXOLD" ]; then
-            check_proc
-            trap do_cleanup EXIT
-            first_install
-        fi
-        chmod 600 /etc/default/cacerts || true
-    ;;
-
-    abort-upgrade|abort-remove|abort-deconfigure)
-    ;;
-
-    *)
-        echo "postinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-#DEBHELPER#
-
-exit 0


=====================================
debian/postrm deleted
=====================================
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
-    purge)
-	rm -f /etc/ca-certificates/update.d/jks-keystore
-	rm -rf /etc/ssl/certs/java
-	rmdir /etc/ssl/certs 2>/dev/null || true
-	;;
-    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-    	;;
-    *)
-        echo "postrm called with unknown argument \`$1'" >&2
-        exit 1
-	;;
-esac
-
-#DEBHELPER#
-
-exit 0
-
-
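
Review bot: the purge branch here was the only visible place that removed `/etc/ssl/certs/java` and the `jks-keystore` hook, and the keystore is generated at configure time rather than shipped, so dpkg will not remove it on its own. The new can-install-jre test purges "in order to remove" the keystore, so it depends on this cleanup still existing somewhere. Please point to where the purge handling moved, or keep it.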


=====================================
debian/rules
=====================================
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@ --with javahelper
+	dh $@
 
 override_dh_auto_build:
 	mkdir target
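
Review bot: dropping `--with javahelper` from the `dh $@` line means none of the jh_* helpers run any more, including jh_depends, which is what fills `${java:Depends}`. Please check that debian/control no longer references that substvar and that nothing relied on jh_manifest or jh_classpath for the jar built in override_dh_auto_build.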
@@ -27,12 +27,8 @@ ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
 	      org.debian.security.UpdateCertificatesTest org.debian.security.KeyStoreHandlerTest
 endif
 
-override_dh_auto_install:
-	install -m755 debian/jks-keystore.hook debian/ca-certificates-java/etc/ca-certificates/update.d/jks-keystore
-	install -m600 debian/default           debian/ca-certificates-java/etc/default/cacerts
+override_dh_installinit:
+	dh_installinit --name=cacerts
 
-	dh_install target/ca-certificates-java.jar /usr/share/ca-certificates-java/
-
-override_dh_link:
-	dh_link
-	rm debian/ca-certificates-java/etc/default/ca-certificates-java
+execute_after_dh_fixperms:
+	chmod 0600 debian/ca-certificates-java/etc/default/cacerts
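
Review bot: the 0600 mode on etc/default/cacerts now rests entirely on `execute_after_dh_fixperms`, and `execute_after_` targets are only honoured by debhelper 12.8 and later; with an older debhelper the target is never called and dh_fixperms leaves the file at its default mode. With debhelper-compat 13 this works, but nothing fails if it stops working. Suggest an autopkgtest that checks `stat -c %a /etc/default/cacerts` is 600 so a regression is caught. The removed `install -m755 debian/jks-keystore.hook` and the jar install also need a visible replacement (debian/install or similar) that preserves the hook's executable bit.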


=====================================
debian/salsa-ci.yml
=====================================
@@ -0,0 +1,7 @@
+---
+variables:
+  RELEASE: 'bullseye'
+
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
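
Review bot: both `include:` entries fetch the pipeline definition by raw URL from the `master` branch, so the CI jobs that build and test this package change whenever that branch changes, with no record in this repository. If reproducibility of the pipeline matters for this branch, pin the include to a tag or commit; otherwise a short comment stating that tracking master is intentional would help.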


=====================================
debian/tests/can-convert-keystore
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# GIVEN a PKCS12 Java keystore
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+rm $CACERTS
+keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null
+apt-get remove -y ca-certificates-java
+
+mkdir -p /etc/ssl/certs/java/
+mkdir -p /var/lib/ca-certificates-java/
+mv test.store $CACERTS
+# WHEN ca-certificates-java is requested to convert the keystore
+touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+
+# THEN conversion is successful
+output=`mktemp`
+apt-get install -y openjdk-8-jre-headless | tee ${output}
+
+if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]];
+then
+    echo "Certificates were not imported !!!"
+    exit 255
+fi
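
Review bot: `apt-get install -y openjdk-8-jre-headless | tee ${output}` runs under `set -e` but without `set -o pipefail`, so a failing apt-get is masked by tee's exit status and the test then only fails if the grep string happens to be missing. Add `set -o pipefail` after `set -e`. Also, `rm $CACERTS` aborts the test if the keystore is absent (use `rm -f`), `${output}` is never removed, and `$CACERTS`, `${output}` should be quoted.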


=====================================
debian/tests/can-install-jre
=====================================
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+versions=$(apt-cache search jre-headless | awk '{print $1}')
+for version in ${versions}
+do
+# WHEN openjdk-jre-headless package is installed from scratch
+
+    # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean
+    # builds. Ignore it in certificate tests
+    if [[ ${version} == "openjdk-18-jre-headless" ]];
+    then
+        continue
+    fi
+    output=`mktemp`
+    echo "installing ${version}"
+    apt-get install -y ${version} | tee ${output}
+# THEN installation is successfull
+# AND certificates are updated
+    if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+        echo "Certificates were not imported !!!"
+        exit 255
+    fi
+    rm $output
+    # purge in order to remove keytstore
+    apt-get purge -y ca-certificates-java ${version}
+done
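
Review bot: `apt-cache search jre-headless` matches package descriptions as well as names, so `versions` can pick up packages that merely mention jre-headless, and the loop then tries to install them and expects certificate output. Use `apt-cache search --names-only` with an anchored pattern, or list the JREs explicitly the way the openjdk-18 exclusion already does. The `apt-get install ... | tee` line has no `pipefail`, so an apt-get failure is not detected directly. Minor: "successfull" and "keytstore" in the comments are typos.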


=====================================
debian/tests/can-install-libreoffice
=====================================
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+apt-get install -y libreoffice


=====================================
debian/tests/can-install-multiple-jdks
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+output=`mktemp`
+# WHEN multiple JDKs are installed
+apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output}
+
+# THEN installation is successful
+if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+    echo "Certificates were not imported !!!"
+    exit 255
+fi
+rm $output
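
Review bot: the check `grep -L "Adding debian:Amazon_Root_CA_1.pem"` ties the result to one specific root being present in ca-certificates and to a single occurrence of that line, so it says nothing about whether the keystore is usable by each of the three JDKs installed, and it will fail for unrelated reasons if that root is ever dropped. Consider asserting on the keystore itself after install, for example that `keytool -list` against /etc/ssl/certs/java/cacerts succeeds and returns a non-zero number of entries. As in the other scripts, the `apt-get install ... | tee` pipeline needs `set -o pipefail`.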


=====================================
debian/tests/control
=====================================
@@ -0,0 +1,9 @@
+Tests: can-convert-keystore
+Depends: apt-utils, bash, default-jre-headless
+Restrictions: needs-root
+
+Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice
+# No depends, this is a test for a clean install
+Depends: apt-utils, bash
+Restrictions: needs-root
+
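
Review bot: both stanzas declare only `Restrictions: needs-root`, but the scripts remove and purge packages, delete /etc/ssl/certs/java/cacerts and install several JDKs, which leaves the testbed in a changed state. Add `breaks-testbed` so autopkgtest does not reuse the testbed for other tests. The comment "# No depends" sits directly above `Depends: apt-utils, bash`; reword it to say that no Java runtime is pre-installed.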


=====================================
src/main/java/org/debian/security/UpdateCertificates.java
=====================================
@@ -86,6 +86,9 @@ public class UpdateCertificates {
      * or {@link #deleteAlias(String)}.
      */
     protected void parseLine(final String line) throws GeneralSecurityException, IOException, UnknownInputException {
+        if (line.isEmpty()) {
+            return;
+        }
         String path = line.substring(1);
         String filename = path.substring(path.lastIndexOf("/") + 1);
         String alias = "debian:" + filename;
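
Review bot: `line.isEmpty()` only covers the zero-length case, so a line containing just whitespace or a stray carriage return still reaches `line.substring(1)` and ends in UnknownInputException, which aborts the whole update. If the intent of the guard is to tolerate blank input from stdin, `line.trim().isEmpty()` covers those cases as well; if whitespace-only lines should stay an error, say so in the Javadoc above `parseLine`.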
@@ -93,9 +96,6 @@ public class UpdateCertificates {
             keystore.addAlias(alias, path);
         } else if (line.startsWith("-")) {
             keystore.deleteAlias(alias);
-            // Remove old non-prefixed aliases, too. This code should be
-            // removed after the release of Wheezy.
-            keystore.deleteAlias(filename);
         } else {
             throw new UnknownInputException(line);
         }
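
Review bot: with `keystore.deleteAlias(filename)` gone from the `-` branch, a keystore that still carries non-prefixed aliases from before the `debian:` prefix will keep those certificates even when ca-certificates asks for their removal, so a distrusted root could remain trusted by Java on such a system. The removed comment says this was due after Wheezy, so the removal itself is reasonable; please note the residual case in the changelog or NEWS so admins with very old keystores know to regenerate them.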


=====================================
src/test/java/org/debian/security/UpdateCertificatesTest.java
=====================================
@@ -49,6 +49,16 @@ public class UpdateCertificatesTest {
         keystore.delete();
     }
 
+    /**
+     * Try to send an empty command ("") in parseLine
+     */
+    @Test
+    public void testEmptyCommand() throws Exception {
+        UpdateCertificates uc = new UpdateCertificates(ksFilename, ksPassword);
+        uc.parseLine("");
+        uc.finish();
+    }
+
     /**
      * Try to send an invalid command ("x") in parseLine : throw UnknownInput
      */
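
Review bot: `testEmptyCommand` has no assertion and passes purely because `parseLine("")` does not throw. Add a check that the keystore is unchanged after `uc.finish()` (for example, that no alias was added), so the test would also catch an empty line being treated as an add or delete.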



View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/a945dc8a3e492b905fa05b380737ab74d37ca9ad...d20256bf94a36c352c5776f598008e8f6368c1c5
