[Git][java-team/ca-certificates-java][buster] 4 commits: Add changelog entry
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Fri Feb 27 22:00:22 GMT 2026
Bastien Roucariès pushed to branch buster at Debian Java Maintainers / ca-certificates-java
Commits:
3a3d56af by Bastien Roucariès at 2026-02-27T22:59:06+01:00
Add changelog entry
- - - - -
76e2ba2c by Bastien Roucariès at 2026-02-27T22:59:28+01:00
Harden conversion from pkcs12 to jks
- - - - -
c555f59e by Bastien Roucariès at 2026-02-27T22:59:30+01:00
Fix some nitpick reported by arnaudr
co-author: Arnaud Rebillout <arnaudr at debian.org>
- - - - -
35bf361c by Arnaud Rebillout at 2026-02-27T22:59:32+01:00
Fix the bogus comparison for the keystore magic
The `\x` is a bashism, it's not supported in eg. sh or dash:
$ sh -c "echo -en '\xfe\xed\xfe\xed'"
-en \xfe\xed\xfe\xed
So it looks like this comparison never worked, ever?
Fix it by comparing the hexadecimal output instead.
- - - - -
2 changed files:
- debian/ca-certificates-java.postinst
- debian/changelog
Changes:
=====================================
debian/ca-certificates-java.postinst
=====================================
@@ -26,9 +26,68 @@ check_proc()
fi
}
+check_cacerts_store_format()
+{
+ local file="$1"
+ local pass="$2"
+ local output=
+ local type=
+ local status=
+
+ output=$(keytool -list -keystore "$file" -storepass "$pass" 2>&1)
+ status=$?
+ if [ $status -ne 0 ] ; then
+ echo "ERROR: keytool probing '$file' failed (exit code $status)" >&2
+ echo "$output" | head >&2
+ return $status
+ fi
+
+ local type
+ type=$(
+ printf "%s\n" "$output" |
+ tr '[:upper:]' '[:lower:]' |
+ sed -n '
+ /^[[:space:]]*keystore[[:space:]]*type[[:space:]]*:/ {
+ s/^[[:space:]]*keystore[[:space:]]*type[[:space:]]*:[[:space:]]*//;
+ s/^[[:space:]]*//;
+ s/[[:space:]]*$//;
+ p
+ }
+ '
+ )
+
+ if [ -z "$type" ]; then
+ echo "ERROR: keytool probing '$file' failed to find keystore type" >&2
+ return 1
+ fi
+
+ echo "$type"
+ return 0
+}
+
convert_pkcs12_keystore_to_jks()
{
+ local type
+
check_proc
+ if ! type=$(check_cacerts_store_format /etc/ssl/certs/java/cacerts "$storepass"); then
+ exit $?
+ fi
+
+ case "$type" in
+ jks)
+ # here we race
+ return 0
+ ;;
+ pkcs12)
+ # continue
+ ;;
+ *)
+ echo "failed to convert PKCS12 keystore to JKS, unknown /etc/ssl/certs/java/cacerts format '$type'" >&2
+ exit 1
+ ;;
+ esac
+
if ! keytool -importkeystore \
-srckeystore /etc/ssl/certs/java/cacerts \
-destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
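Review bot: In `convert_pkcs12_keystore_to_jks`, the `exit $?` inside `if ! type=$(check_cacerts_store_format ...); then` always exits 0, because `$?` there holds the status of the negated condition rather than keytool's. A failed probe therefore ends the postinst successfully with the trust store left unconverted. Use `type=$(check_cacerts_store_format /etc/ssl/certs/java/cacerts "$storepass") || exit $?` so dpkg sees the failure. Separately, the sed match on `keystore type:` relies on keytool's English output; if the script can run under a non-English locale (not visible here), prefixing the keytool call with `LC_ALL=C` should keep the parse stable. The `# here we race` comment should say what races with what, `local type` is declared twice in `check_cacerts_store_format`, and the body of `convert_pkcs12_keystore_to_jks` continues past the end of this hunk.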
@@ -146,7 +205,7 @@ if [ "$1" = "configure" ]; then
if dpkg --compare-versions "$2" lt-nl "20180516"; then
if [ -e /etc/ssl/certs/java/cacerts ] && \
- [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+ [ "$(head -c4 /etc/ssl/certs/java/cacerts | od -A n -t x1 | tr -d ' ')" != "feedfeed" ]; then
touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
fi
fi
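Review bot: The new comparison against `feedfeed` has no comment saying what the constant is or what a mismatch is taken to mean. I would add above the test something like `# feedfeed is the JKS magic number; any other header (PKCS12, or an empty or unreadable file) flags the keystore for conversion`. That also makes it clear the check treats every non-JKS file alike, leaving the format validation to the conversion function. The enclosing `if [ "$1" = "configure" ]` block starts and ends outside this hunk.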
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+ca-certificates-java (20230710~deb12u1~deb11u1~deb10u2) unstable; urgency=medium
+
+ * Non-maintainer upload by ELTS team.
+ * Harden conversion of PKCS12 to JKS for easing upgrade from stretch security
+
+ -- Bastien Roucariès <rouca at debian.org> Fri, 27 Feb 2026 22:58:36 +0100
+
ca-certificates-java (20230710~deb12u1~deb11u1~deb10u1) buster-security; urgency=medium
* Non-maintainer upload by ELTS team.
View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/dbb7fb503f49c90ec0fa79cd9fceea6a1635f40b...35bf361cab9f5a1c0d9e9d6596df1501646a9197