Fix broken %post script

Update to CKBI 2.41 from NSS 3.53.0
Removing: # Certificate "AddTrust Low-Value Services Root" # Certificate "AddTrust External Root" # Certificate "Staat der Nederlanden Root CA - G2"
2020-06-16 15:39:14 -07:00 · 2020-06-10 15:44:55 -07:00 · 2020-01-30 13:29:56 +01:00 · 2020-01-23 17:06:22 +01:00 · 2020-01-23 09:59:42 +01:00
4 changed files with 616 additions and 1269 deletions
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -35,10 +35,10 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)

-Version: 2019.2.32
+Version: 2020.2.41
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 1.1%{?dist}
 License: Public Domain

 URL: https://fedoraproject.org/wiki/CA-Certificates
@ -71,10 +71,10 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.23.10
-Requires(post): p11-kit-trust >= 0.23.10
-Requires: p11-kit >= 0.23.10
-Requires: p11-kit-trust >= 0.23.10
+Requires(post): p11-kit >= 0.23.19
+Requires(post): p11-kit-trust >= 0.23.19
+Requires: p11-kit >= 0.23.19
+Requires: p11-kit-trust >= 0.23.19

 BuildRequires: perl-interpreter
 BuildRequires: python3
@ -301,14 +301,30 @@ if [ $1 -gt 1 ] ; then
  fi
 fi

-
 %post
 #if [ $1 -gt 1 ] ; then
 #  # when upgrading or downgrading
 #fi
+# if ln is available, go ahead and run the ca-legacy and update
+# scripts. If not, wait until %posttrans.
+if [ -x %{_bindir}/ln ]; then
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
+fi

+%posttrans
+# When coreutils is installing with ca-certificates
+# we need to wait until coreutils install to
+# run our update since update requires ln to complete.
+# There is a circular dependency here where
+# ca-certificates depends on coreutils
+# coreutils depends on openssl
+# openssl depends on ca-certificates
+# so we run the scripts here too, in case we couldn't run them in
+# post. If we *could* run them in post this is an unnecessary
+# duplication, but it shouldn't hurt anything
+%{_bindir}/ca-legacy install
+%{_bindir}/update-ca-trust

 %files
 %dir %{_sysconfdir}/ssl
@ -369,6 +385,30 @@ fi


 %changelog
+*Tue Jun 16 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-1.1
+- Fix %post script
+
+*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-1.0
+- Update to CKBI 2.41 from NSS 3.53.0
+-    Removing:
+-     # Certificate "AddTrust Low-Value Services Root"
+-     # Certificate "AddTrust External Root"
+-     # Certificate "Staat der Nederlanden Root CA - G2"
+
+* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-1.1
+- Update versioned dependency on p11-kit
+
+*Thu Jan 23 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-1.0
+- Update to CKBI 2.40 from NSS 3.48
+-    Removing:
+-     # Certificate "UTN USERFirst Email Root CA"
+-     # Certificate "Certplus Class 2 Primary CA"
+-     # Certificate "Deutsche Telekom Root CA 2"
+-     # Certificate "Swisscom Root CA 2"
+-     # Certificate "Certinomis - Root CA"
+-    Adding:
+-     # Certificate "Entrust Root Certification Authority - G4"
+
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

--- a/certdata.txt
+++ b/certdata.txt
--- a/certdata2pem.py
+++ b/certdata2pem.py
@ -177,6 +177,11 @@ openssl_trust = {
  "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }

+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
        key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
            f.write("nss-mozilla-ca-policy: true\n")
            f.write("modifiable: false\n");

+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
            f.write("-----BEGIN CERTIFICATE-----\n")
            temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
            temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
--- a/nssckbi.h
+++ b/nssckbi.h
@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 26
-#define NSS_BUILTINS_LIBRARY_VERSION "2.26"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 41
+#define NSS_BUILTINS_LIBRARY_VERSION "2.41"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
Author	SHA1	Message	Date
Bob Relyea	b8c2166e0b	Fix broken %post script	2020-06-16 15:39:14 -07:00
Bob Relyea	9ea1710bc1	Update to CKBI 2.41 from NSS 3.53.0 Removing: # Certificate "AddTrust Low-Value Services Root" # Certificate "AddTrust External Root" # Certificate "Staat der Nederlanden Root CA - G2"	2020-06-10 15:44:55 -07:00
Daiki Ueno	89c3a425aa	Update versioned dependency on p11-kit	2020-01-30 13:29:56 +01:00
Daiki Ueno	f721635817	Update to CKBI 2.40 from NSS 3.48	2020-01-23 17:06:22 +01:00
Daiki Ueno	5594b690bb	certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER This allows to follow upcoming changes in certdata.txt: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 Signed-off-by: Daiki Ueno <dueno@redhat.com>	2020-01-23 09:59:42 +01:00