Date: Sun, 8 Oct 2023 04:37:45 GMT
Message-Id: <202310080437.3984bjQB004810@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 52e0c40367d3 - main - security/ca_root_nss: Restore the ETC_SYMLINK.
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: des
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 52e0c40367d3ebd09ab7169e025c37fbf70b8dee
Auto-Submitted: auto-generated

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/ports/commit/?id=52e0c40367d3ebd09ab7169e025c37fbf70b8dee

commit 52e0c40367d3ebd09ab7169e025c37fbf70b8dee
Author:     Dag-Erling Smørgrav
AuthorDate: 2023-10-08 04:36:54 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2023-10-08 04:36:54 +0000

    security/ca_root_nss: Restore the ETC_SYMLINK.

    It turns out that some ports have an undisclosed dependency on the
    symlink and cannot be trivially changed to use the system trust store
    instead. Amend the package message to make it clear that software which
    relies on this symlink is not following recommended practice.

    I will look into getting certctl(8) to provide cert.pem instead, but it
    may take a while until we can rely on this being in place on all
    supported releases.

    This partly reverts commit 483e74f44b82.

    PR:			274322
    MFH:			2023Q4
    Reviewed by:		fluffy
    Differential Revision:	https://reviews.freebsd.org/D42120
---
 security/ca_root_nss/Makefile             | 12 +++++++++++-
 security/ca_root_nss/files/pkg-message.in | 15 +++++++++++++--
 security/ca_root_nss/pkg-plist            |  3 +++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
index 3abe00856c78..91741dc352ef 100644
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile @@ -1,6 +1,6 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} @@ -17,8 +17,14 @@ USE_PERL5= build NO_ARCH= yes WRKSRC_SUBDIR= nss +OPTIONS_DEFINE= ETCSYMLINK +OPTIONS_DEFAULT= ETCSYMLINK + OPTIONS_SUB= yes +ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem +ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* + CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} @@ -43,4 +49,8 @@ do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/openssl ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample +do-install-ETCSYMLINK-on: + ${MKDIR} ${STAGEDIR}/etc/ssl + ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem + .include diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in index a28b233e6599..b272b6030486 100644 --- a/security/ca_root_nss/files/pkg-message.in +++ b/security/ca_root_nss/files/pkg-message.in @@ -5,8 +5,19 @@ FreeBSD does not, and can not warrant that the certification authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. -Assessment and verification of trust is the complete responsibility of the -system administrator. +Assessment and verification of trust is the complete responsibility of +the system administrator. + +This package installs symlinks to support root certificate discovery +for software that either uses other cryptographic libraries than +OpenSSL, or use OpenSSL but do not follow recommended practice. + +If you prefer to do this manually, replace the following symlinks with +either an empty file or your site-local certificate bundle. + + * /etc/ssl/cert.pem + * %%PREFIX%%/etc/ssl/cert.pem + * %%PREFIX%%/openssl/cert.pem EOM } ] 
diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist index ef04e1ffd140..81d723328b37 100644 --- a/security/ca_root_nss/pkg-plist +++ b/security/ca_root_nss/pkg-plist @@ -1,4 +1,7 @@ %%CERTDIR%%/ca-root-nss.crt +@sample etc/ssl/cert.pem.sample +@sample openssl/cert.pem.sample +%%ETCSYMLINK%%/etc/ssl/cert.pem @postexec certctl rehash @postunexec certctl rehash @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
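Review bot: in the OPTIONS hunk of security/ca_root_nss/Makefile, nothing records why ETCSYMLINK sits in OPTIONS_DEFAULT even though the package message calls relying on it not recommended practice; a short comment next to `OPTIONS_DEFAULT= ETCSYMLINK` pointing at PR 274322 and at the plan to have certctl(8) provide cert.pem would tell the next maintainer when the default can be turned off. Scoping the conflict as `ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*` rather than a global CONFLICTS_INSTALL is the right choice, since the two packages only collide on that symlink.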
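Review bot: the `do-install-ETCSYMLINK-on` target builds the link target as `../..${PREFIX}/${CERTDIR}/ca-root-nss.crt`, which resolves correctly only because /etc/ssl is exactly two directories deep, PREFIX is absolute and CERTDIR (overridable through `CERTDIR?= share/certs`) is relative; the existing `${LN} -sf ../${CERTDIR}/ca-root-nss.crt` line makes the same assumptions, so the hunk is consistent with it, but a one-line comment stating them would spare the next reader from re-deriving the path. Installing under ${STAGEDIR}/etc rather than ${STAGEDIR}${PREFIX} is also what makes the leading slash in the matching pkg-plist entry necessary, which is worth saying in the same comment.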
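Review bot: in the pkg-message.in hunk, "for software that either uses other cryptographic libraries than OpenSSL, or use OpenSSL but do not follow recommended practice" mixes singular and plural; "or uses OpenSSL but does not follow recommended practice" reads better. The message also never says what the recommended practice is; the commit message names it (use the system trust store instead of the symlink), and stating that in the message tells an administrator what to ask the software's maintainers for.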
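Review bot: in the pkg-plist hunk, the two cert.pem entries under ${PREFIX} are `@sample` lines, so a local replacement is preserved across package upgrades, but `%%ETCSYMLINK%%/etc/ssl/cert.pem` is a plain entry that the package owns outright; since pkg-message tells the administrator to replace exactly that path with an empty file or a site-local bundle, that replacement is liable to be overwritten the next time this package is upgraded. Either install the /etc/ssl link through the same @sample mechanism as the other two, or state in pkg-message that the /etc/ssl/cert.pem replacement has to be reapplied after upgrades.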