[pkg-java] r13564 - in trunk: . ca-certificates-java ca-certificates-java/debian ca-certificates-java/debian/source

Torsten Werner twerner at alioth.debian.org
Sun Apr 24 22:06:35 UTC 2011


Author: twerner
Date: 2011-04-24 22:06:29 +0000 (Sun, 24 Apr 2011)
New Revision: 13564

Added:
   trunk/ca-certificates-java/
   trunk/ca-certificates-java/debian/
   trunk/ca-certificates-java/debian/README.Debian
   trunk/ca-certificates-java/debian/changelog
   trunk/ca-certificates-java/debian/compat
   trunk/ca-certificates-java/debian/control
   trunk/ca-certificates-java/debian/copyright
   trunk/ca-certificates-java/debian/default
   trunk/ca-certificates-java/debian/jks-keystore.hook
   trunk/ca-certificates-java/debian/postinst
   trunk/ca-certificates-java/debian/postrm
   trunk/ca-certificates-java/debian/rules
   trunk/ca-certificates-java/debian/source/
   trunk/ca-certificates-java/debian/source/format
Log:
[svn-inject] Installing original source of ca-certificates-java (20100412)

Added: trunk/ca-certificates-java/debian/README.Debian
===================================================================
--- trunk/ca-certificates-java/debian/README.Debian	                        (rev 0)
+++ trunk/ca-certificates-java/debian/README.Debian	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,15 @@
+ca-certificates-java for Debian
+-------------------------------
+
+This package uses the hooks of the ca-certificates package to update the
+JKS keystore used for many java runtimes. The alias used to store the
+certificate is the basename without the trailing '.crt', with all uppercase
+letters translated to lowercase letters, and all repeated non alphanumeric
+characters replaced and squeezed by a single `_'.
+
+Could be part of ca-certificates, if openjdk is in main.
+
+ca-certificates-java doesn't automagically handle local certificates,
+although these are not overwritten on updates.
+
+ -- Matthias Klose <doko at ubuntu.com>  Mon, 02 Jun 2008 14:52:46 +0000
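
Review bot: The alias rule in the second paragraph can map two different certificate files to the same alias, and the README should say what happens then. Only the basename is used, and case and punctuation are folded, so the same file name in two directories, or names differing only in case or separators, collapse to one alias. jks-keystore.hook then reports the second file as "already exists" and never imports it. Suggest documenting this next to the note on local certificates, so an administrator adding one knows to pick a name that does not clash.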

Added: trunk/ca-certificates-java/debian/changelog
===================================================================
--- trunk/ca-certificates-java/debian/changelog	                        (rev 0)
+++ trunk/ca-certificates-java/debian/changelog	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,105 @@
+ca-certificates-java (20100412) unstable; urgency=low
+
+  * Upload to unstable.
+
+ -- Matthias Klose <doko at ubuntu.com>  Mon, 12 Apr 2010 03:15:47 +0200
+
+ca-certificates-java (20100406ubuntu1) lucid; urgency=low
+
+  * Make the installation and import of certificates more robust,
+    if the NSS based security provider is disabled or not built.
+
+ -- Matthias Klose <doko at ubuntu.com>  Sun, 11 Apr 2010 20:54:43 +0200
+
+ca-certificates-java (20100406) unstable; urgency=low
+
+  * Explicitely fail the installation, if /proc is not mounted.
+    Currently required by the java tools, changed in OpenJDK7.
+    Closes: #576453. LP: #556044.
+  * Print name of JVM in case of errors.
+  * Set priority to optional, set section to java. Closes: #566855.
+  * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853.
+
+ -- Matthias Klose <doko at debian.org>  Tue, 06 Apr 2010 21:41:39 +0200
+
+ca-certificates-java (20091021) unstable; urgency=low
+
+  * Clarify output for keytool errors (although it shouldnn't be
+    necessary anymore). Closes: #540490.
+
+ -- Matthias Klose <doko at ubuntu.com>  Wed, 21 Oct 2009 22:00:53 +0200
+
+ca-certificates-java (20090928) karmic; urgency=low
+
+  * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with
+    ca-certificates 20090814.
+
+ -- Matthias Klose <doko at ubuntu.com>  Mon, 28 Sep 2009 16:47:09 +0200
+
+ca-certificates-java (20090629) unstable; urgency=low
+
+  * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out
+    SHA384withECDSA certificates since keytool won't support them.
+    LP: #392104, closes: #534520.
+  * Fix typo in hook. Closes: #534533.
+  * Use java6-runtime-headless as alternative dependency. Closes: #512293.
+
+ -- Matthias Klose <doko at ubuntu.com>  Mon, 29 Jun 2009 11:27:59 +0200
+
+ca-certificates-java (20081028) unstable; urgency=low
+
+  * Ignore LANG and LC_ALL setting when running keytool. LP: #289934.
+
+ -- Matthias Klose <doko at debian.org>  Tue, 28 Oct 2008 07:20:16 +0100
+
+ca-certificates-java (20081027) unstable; urgency=medium
+
+  * Merge from Ubuntu:
+    - Don't try to import certificates, which are listed in
+      /etc/ca-certificates.conf, but not available on the system.
+      Just warn about those. LP: #289091.
+    - Need to run keytool, when the jre is unpacked, but not yet configured.
+      Create a temporary jvm.cfg for the time in that postinst and the
+      jks-keystore.hook are run, and remove it afterwards. LP: #289199.
+
+ -- Matthias Klose <doko at debian.org>  Mon, 27 Oct 2008 13:58:14 +0100
+
+ca-certificates-java (20081024) unstable; urgency=low
+
+  * Install /etc/default/cacerts with mode 600.
+
+ -- Matthias Klose <doko at debian.org>  Fri, 24 Oct 2008 15:10:48 +0200
+
+ca-certificates-java (20081022) unstable; urgency=low
+
+  * debian/jks-keystore.hook:
+    - Don't stop after first error during the update. LP: #244412.
+      Closes: #489748.
+    - Call keytool with -noprompt.
+  * On initial install, add locally added certificates. LP: #244410.
+    Closes: #489748.
+  * Install /etc/default/cacerts to set options:
+    - storepass, holding the password for the keystore.
+    - updates, to enable/disable updates of the keystore.
+  * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587.
+
+ -- Matthias Klose <doko at ubuntu.com>  Wed, 22 Oct 2008 20:51:24 +0200
+
+ca-certificates-java (20080712) unstable; urgency=low
+
+  * Upload to main.
+
+ -- Matthias Klose <doko at ubuntu.com>  Sat, 12 Jul 2008 12:19:00 +0200
+
+ca-certificates-java (20080711) unstable; urgency=low
+
+  * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408.
+
+ -- Matthias Klose <doko at ubuntu.com>  Fri, 11 Jul 2008 20:38:04 +0200
+
+ca-certificates-java (20080514) unstable; urgency=low
+
+  * Initial release.
+
+ -- Matthias Klose <doko at ubuntu.com>  Mon, 02 Jun 2008 14:52:46 +0000
+

Added: trunk/ca-certificates-java/debian/compat
===================================================================
--- trunk/ca-certificates-java/debian/compat	                        (rev 0)
+++ trunk/ca-certificates-java/debian/compat	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1 @@
+6

Added: trunk/ca-certificates-java/debian/control
===================================================================
--- trunk/ca-certificates-java/debian/control	                        (rev 0)
+++ trunk/ca-certificates-java/debian/control	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,15 @@
+Source: ca-certificates-java
+Section: java
+Priority: optional
+Maintainer: OpenJDK Team <openjdk at lists.launchpad.net>
+Uploaders: Matthias Klose <doko at ubuntu.com>
+Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
+Standards-Version: 3.8.4
+
+Package: ca-certificates-java
+Architecture: all
+Depends: ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends}
+Recommends: libnss3-1d
+Description: Common CA certificates (JKS keystore)
+ This package uses the hooks of the ca-certificates package to update the
+ cacerts JKS keystore used for many java runtimes.

Added: trunk/ca-certificates-java/debian/copyright
===================================================================
--- trunk/ca-certificates-java/debian/copyright	                        (rev 0)
+++ trunk/ca-certificates-java/debian/copyright	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,15 @@
+This package was debianized by Matthias Klose <doko at ubuntu.com>
+on Mon, 02 Jun 2008 14:52:46 +0000.
+
+Upstream Author: 
+
+    Matthias Klose <doko at ubuntu.com>
+
+Copyright: 
+
+    <Copyright (C) 2008 Canonical Ltd>
+
+License:
+
+The Debian package is (C) 2008, Canonical Ltd and
+is licensed under the GPL, see `/usr/share/common-licenses/GPL'.

Added: trunk/ca-certificates-java/debian/default
===================================================================
--- trunk/ca-certificates-java/debian/default	                        (rev 0)
+++ trunk/ca-certificates-java/debian/default	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,10 @@
+# defaults for ca-certificates-java
+
+# The password which is used to protect the integrity of the keystore.
+# storepass must be at least 6 characters long. It must be provided to
+# all commands that access the keystore contents.
+# Only change this if adding private certificates.
+#storepass=''
+
+# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
+cacerts_updates=yes
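
Review bot: The commented example storepass='' contradicts the comment directly above it, which requires at least 6 characters. An administrator who simply uncomments the line sets an empty password, overriding the 'changeit' value that jks-keystore.hook and postinst assign just before sourcing this file. Suggest shipping the example as #storepass='changeit' so the commented value shows the effective default. The comment could also state that this default is a fixed value hard-coded in the scripts, so the integrity protection it mentions only means something once the password has been changed.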

Added: trunk/ca-certificates-java/debian/jks-keystore.hook
===================================================================
--- trunk/ca-certificates-java/debian/jks-keystore.hook	                        (rev 0)
+++ trunk/ca-certificates-java/debian/jks-keystore.hook	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,112 @@
+#! /bin/sh
+
+set -e
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+    . /etc/default/cacerts
+fi
+
+KEYSTORE=/etc/ssl/certs/java/cacerts
+
+echo ""
+if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
+    echo "updates of cacerts keystore disabled."
+    exit 0
+fi
+
+if ! mountpoint -q /proc; then
+    echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+    exit 1
+fi
+
+for jvm in java-6-openjdk java-6-sun java-6-cacao; do
+    if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then
+	break
+    fi
+done
+export JAVA_HOME=/usr/lib/jvm/$jvm
+PATH=$JAVA_HOME/bin:$PATH
+
+temp_jvm_cfg=
+if [ ! -f /etc/$jvm/jvm.cfg ]; then
+    # the jre is not yet configured, but jvm.cfg is needed to run it
+    temp_jvm_cfg=/etc/$jvm/jvm.cfg
+    mkdir -p /etc/$jvm
+    printf -- "-server KNOWN\n" > $temp_jvm_cfg
+fi
+
+# read lines of the form: [+-]/etc/ssl/certs/*.pem
+
+echo "updating keystore $KEYSTORE..."
+
+errors=0
+log=$(tempfile)
+while read line; do
+    pem=${line#[+-]*}
+    alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+    alias=${alias%*_}
+    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
+	-storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
+	&& exists=yes || exists=no
+    case "$line" in
+    +*)
+	if [ "$exists" = yes ]; then
+	    echo "  already exists: ${line#+*}"
+	else
+	  if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
+		-alias "$alias" -file "$pem" > $log 2>&1
+	  then
+	      echo "  added: ${line#+*}"
+	  elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
+	        -providerClass sun.security.pkcs11.SunPKCS11 \
+	        -providerArg '${java.home}/lib/security/nss.cfg' \
+		-alias "$alias" -file "$pem" > $log 2>&1
+	  then
+	      echo "  added: ${line#+*} (using NSS provider)"
+	  elif grep -q 'Signature not available' $log; then
+	      echo "  ignored import, signature not available: ${line#+*}"
+	      cat $log
+	  else
+	      echo >&2 "  error adding ${line#+*}"
+	      errors=$(expr $errors + 1)
+	  fi;
+	fi
+	;;
+    -*)
+	if [ "$exists" = yes ]; then
+	    if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+		-noprompt -storepass "$storepass" \
+		-alias "$alias"
+	    then
+		echo "  removed ${line#-*}"
+	    elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+		-noprompt -storepass "$storepass" \
+	        -providerClass sun.security.pkcs11.SunPKCS11 \
+	        -providerArg '${java.home}/lib/security/nss.cfg' \
+		-alias "$alias"
+	    then
+		echo "  removed ${line#-*} (using NSS provider)"
+	    else
+		echo >&2 "  error removing ${line#+*}"
+		errors=$(expr $errors + 1)
+	    fi
+	else
+	    echo "  does not exist: ${line#-*}"
+	fi
+	;;
+    *)
+	echo >&2 "  $0: Unknown line $line"
+    esac
+done
+rm -f $log
+
+[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+
+if [ $errors -gt 0 ]; then
+    echo >&2 "failed (VM used: $jvm)."
+    exit 1
+fi
+echo "done."
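
Review bot: The JVM search loop near the top has no failure path. If none of java-6-openjdk, java-6-sun or java-6-cacao has an executable bin/keytool, the loop ends with jvm=java-6-cacao, JAVA_HOME points at a directory that was never checked, /etc/java-6-cacao/jvm.cfg is created, and whichever keytool is found on PATH is run against the trust store. Suggest setting a flag when a keytool is found and exiting with an error otherwise. Two smaller points: storepass is passed as -storepass "$storepass" on every keytool command line, so a non-default password is visible in the process list to other local users while the hook runs, even though debian/rules installs /etc/default/cacerts with mode 600; and the error message in the removal branch strips the wrong prefix, ${line#+*}, where the other messages in that branch use ${line#-*}.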

Added: trunk/ca-certificates-java/debian/postinst
===================================================================
--- trunk/ca-certificates-java/debian/postinst	                        (rev 0)
+++ trunk/ca-certificates-java/debian/postinst	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,133 @@
+#!/bin/bash
+
+set -e
+
+KEYSTORE=/etc/ssl/certs/java/cacerts
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+    . /etc/default/cacerts
+fi
+
+setup_path()
+{
+    for jvm in java-6-openjdk java-6-sun; do
+	if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then
+	    break
+	fi
+    done
+    export JAVA_HOME=/usr/lib/jvm/$jvm
+    PATH=$JAVA_HOME/bin:$PATH
+}
+
+first_install()
+{
+    cacertdir=/usr/share/ca-certificates
+    log=$(tempfile)
+
+    # aliases of pregenerated files
+    pregenerated=$(tempfile)
+    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
+	| awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
+	| sort > $pregenerated
+
+    grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \
+    errors=0
+    while read line; do
+	pem=${line#!*}
+	alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+	alias=${alias%*_}
+	case "$line" in
+	    !*)
+	        # remove untrusted certificate
+		if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+		    -storepass "$storepass" -alias "$alias" >/dev/null
+		then
+		    echo "  removed untrusted certificate $pem"
+		else
+		    # not (anymore) in keystore
+		    :
+		fi;;
+	    *)
+	        # add certificate not yet in keystore
+		if [ ! -f "$cacertdir/$pem" ]; then
+		    echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
+		    echo >&2 "warning:   but $cacertdir/$pem does not exist."
+		    continue
+		fi
+		if ! grep -q "^${alias}$" $pregenerated; then
+		  if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+			-noprompt -storepass "$storepass" \
+			-alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
+		  then
+		      echo "  added certificate $pem"
+		  elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+		        -providerClass sun.security.pkcs11.SunPKCS11 \
+		        -providerArg '${java.home}/lib/security/nss.cfg' \
+			-noprompt -storepass "$storepass" \
+			-alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
+		  then
+		      echo "  added certificate $pem (using NSS provider)"
+		  elif grep -q 'Signature not available' $log; then
+		      echo "  ignored import, signature not available: ${line#+*}"
+		      sed -e 's/^/   -> /' $log
+		  else
+		      echo >&2 "  error adding ${line#+*}"
+		      errors=$(expr $errors + 1)
+		  fi
+		fi
+	esac
+    done
+    rm -f $log
+    rm -f $pregenerated
+    if [ $errors -gt 0 ]; then
+	echo >&2 "failed (VM used: $jvm)."
+	[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+	exit 1
+    fi
+    echo "done."
+    )
+}
+
+case "$1" in
+    configure)
+        if [ -z "$2" ]; then
+	    setup_path
+
+	    if ! mountpoint -q /proc; then
+		echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+		exit 1
+	    fi
+
+	    if [ ! -f /etc/$jvm/jvm.cfg ]; then
+		# the jre is not yet configured, but jvm.cfg is needed to run it
+		temp_jvm_cfg=/etc/$jvm/jvm.cfg
+		mkdir -p /etc/$jvm
+		printf -- "-server KNOWN\n" > $temp_jvm_cfg
+	    fi
+
+	    # on first install, remove certs untrusted by the
+	    # user/admininstrator, add locally added certs
+	    echo "creating $KEYSTORE..."
+	    cp /usr/share/ca-certificates-java/cacerts $KEYSTORE
+	    first_install
+
+	    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+	fi
+	chmod 600 /etc/default/cacerts || true
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
+
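
Review bot: first_install only deletes aliases for lines marked with '!' in /etc/ca-certificates.conf, so a CA that is in the pregenerated keystore copied from /usr/share/ca-certificates-java/cacerts but has no line at all in the conf file stays trusted by Java. That keystore holds whatever the build machine had under /usr/share/ca-certificates when debian/rules ran, so the Java trust store can end up wider than the system one. Suggest also deleting every alias listed in $pregenerated that does not correspond to an enabled line in the conf file. Separately, setup_path has no failure path when neither JVM provides keytool, and the two messages using ${line#+*} should print $pem, since lines read here never start with '+'.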

Added: trunk/ca-certificates-java/debian/postrm
===================================================================
--- trunk/ca-certificates-java/debian/postrm	                        (rev 0)
+++ trunk/ca-certificates-java/debian/postrm	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+    purge)
+	rm -f /etc/ca-certificates/update.d/jks-keystore
+	rm -rf /etc/ssl/certs/java
+	rmdir /etc/ssl/certs 2>/dev/null || true
+	;;
+    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    	;;
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+	;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
+

Added: trunk/ca-certificates-java/debian/rules
===================================================================
--- trunk/ca-certificates-java/debian/rules	                        (rev 0)
+++ trunk/ca-certificates-java/debian/rules	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1,85 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+d = debian/ca-certificates-java
+
+build: build-stamp
+build-stamp:
+	dh_testdir
+	rm -rf build
+	mkdir -p build
+	set -e; \
+	yes | \
+	for crt in $$(find /usr/share/ca-certificates -name '*.crt' -printf '%P '); do \
+	  alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \
+	  alias=$${alias%*_}; \
+	  echo "IMPORT: $$crt, alias=$$alias"; \
+	  if keytool -importcert -trustcacerts -keystore build/cacerts \
+	    -storepass 'changeit' \
+	    -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
+	  then \
+	    cat keytool.log; \
+	  elif keytool -importcert -trustcacerts -keystore build/cacerts \
+	    -providerClass sun.security.pkcs11.SunPKCS11 \
+	    -providerArg '$${java.home}/lib/security/nss.cfg' \
+	    -storepass 'changeit' \
+	    -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
+	  then \
+	    cat keytool.log; \
+	  elif grep -q 'Signature not available' keytool.log; then \
+	    echo "IGNORED IMPORT: $$crt, alias=$$alias"; \
+	    cat keytool.log; \
+	  else \
+	    cat keytool.log; \
+	    false; \
+	  fi; \
+	done
+	touch $@
+
+clean:
+	dh_testdir
+	dh_testroot
+	rm -f build-stamp
+	rm -rf build
+	rm -f keytool.log
+	dh_clean 
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_clean -k 
+	dh_installdirs \
+		usr/share/ca-certificates-java \
+		etc/default \
+		etc/ssl/certs/java \
+		etc/ca-certificates/update.d \
+
+	install -m755 debian/jks-keystore.hook \
+		$(d)/etc/ca-certificates/update.d/jks-keystore
+	install -m644 build/cacerts \
+		$(d)/usr/share/ca-certificates-java/
+	install -m600 debian/default \
+		$(d)/etc/default/cacerts
+
+# Build architecture-independent files here.
+binary-indep: build install
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs 
+	dh_installdocs
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
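
Review bot: The two keytool calls in build-stamp rely on "yes |" to answer the trust prompt and on grepping the English text 'Signature not available', but unlike jks-keystore.hook and postinst they set neither LANG=C LC_ALL=C nor -noprompt, so the build result depends on the builder's locale. Suggest adding LANG=C LC_ALL=C and -noprompt to both invocations and dropping the "yes |" pipe. It would also help to call keytool from an explicit JVM directory rather than PATH, as the maintainer scripts do, and to print a summary of the IGNORED IMPORT entries after the loop, since each one is a CA missing from the shipped keystore.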


Property changes on: trunk/ca-certificates-java/debian/rules
___________________________________________________________________
Added: svn:executable
   + 

Added: trunk/ca-certificates-java/debian/source/format
===================================================================
--- trunk/ca-certificates-java/debian/source/format	                        (rev 0)
+++ trunk/ca-certificates-java/debian/source/format	2011-04-24 22:06:29 UTC (rev 13564)
@@ -0,0 +1 @@
+3.0 (native)



