[Git][java-team/ca-certificates-java][master] [ Vladimir Petko ]
Matthias Klose (@doko)
gitlab at salsa.debian.org
Wed Jul 5 14:26:25 BST 2023
Matthias Klose pushed to branch master at Debian Java Maintainers / ca-certificates-java
Commits:
ff182104 by Matthias Klose at 2023-07-05T15:26:08+02:00
[ Vladimir Petko ]
* Resolve circular JRE dependency:
- debian/ca-certificates-java.postinst: remove setup_path from "configure"
stage.
- debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
not found. Certificates are refreshed only in response to the trigger
activated by OpenJDK packages.
- debian/ca-certificates-java.postinst: fix cacert enumeration command for
Java 8.
- debian/control: remove JRE dependency.
- debian/control: add Breaks condition.
- debian/tests: add smoke tests.
- debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
explicitly declare triggers as -await.
[ Matthias Klose ]
* Adjust the breaks for Debian versions.
- - - - -
9 changed files:
- debian/ca-certificates-java.postinst
- debian/ca-certificates-java.triggers
- debian/changelog
- debian/control
- + debian/tests/can-convert-keystore
- + debian/tests/can-install-jre
- + debian/tests/can-install-libreoffice
- + debian/tests/can-install-multiple-jdks
- + debian/tests/control
Changes:
=====================================
debian/ca-certificates-java.postinst
=====================================
@@ -18,37 +18,6 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
ETCCERTSDIR=/etc/ssl/certs
CACERTS=$ETCCERTSDIR/java/cacerts
-setup_path()
-{
- for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ; do
- for jvm in \
- java-${version}-openjdk-${arch} \
- java-${version}-openjdk \
- oracle-java${version}-jre-${arch} \
- oracle-java${version}-server-jre-${arch} \
- oracle-java${version}-jdk-${arch}
- do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- # copy java.security to allow import to function
- security_conf=/etc/java-${version}-openjdk/security
- if [ -f ${security_conf}/java.security.dpkg-new ] \
- && [ ! -f ${security_conf}/java.security ]; then
- cp ${security_conf}/java.security.dpkg-new \
- ${security_conf}/java.security
- fi
- break 2
- fi
- done
- done
-
- if ! which java >/dev/null; then
- echo "No JRE found. Skipping Java certificates setup."
- exit 0
- fi
-}
-
check_proc()
{
if ! mountpoint -q /proc; then
@@ -97,7 +66,10 @@ update_cacerts()
exit 0
fi
- setup_path
+ if ! which java >/dev/null; then
+ echo "No JRE found. Skipping Java certificates setup."
+ exit 0
+ fi
if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
convert_pkcs12_keystore_to_jks
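Review bot: The inlined guard `if ! which java >/dev/null; then` depends on the external `which` utility; the shell builtin form `if ! command -v java >/dev/null 2>&1; then` does the same lookup without it. With setup_path removed, `java` and `keytool` are resolved only through the PATH that dpkg hands to the maintainer script. A short comment above the guard would record that this is deliberate, for example `# JRE is located via PATH only; the keystore is built later from the OpenJDK trigger`. update_cacerts begins and ends outside this hunk.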
@@ -110,7 +82,17 @@ update_cacerts()
if [ -f "$CACERTS" ]; then
check_proc
- cacerts_aliases=$(keytool -cacerts -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
+ # Java 8 does not have -cacerts option
+ if java -version 2>&1 | grep "1.8" > /dev/null ;
+ then
+ castore="-keystore ${CACERTS}"
+ else
+ castore="-cacerts"
+ fi
+
+ cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
for alias in $cacerts_aliases ; do
case " $etc_ssl_certs_aliases " in
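Review bot: The Java 8 probe `java -version 2>&1 | grep "1.8"` is looser than it reads. The dot is a regex wildcard and the pattern is unanchored, so any banner or build string containing "1", one character, then "8" selects the `-keystore` branch. It also inspects `java` while the command that actually runs is `keytool`, and those two may resolve to different JVMs when several are installed (inferred, since alternatives are not visible here). Anchoring on the banner with `if java -version 2>&1 | grep -q 'version "1\.8'` tightens the match. Passing `-keystore "${CACERTS}"` unconditionally would remove the probe if every supported keytool accepts it (to be confirmed). update_cacerts starts and ends outside this hunk.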
@@ -184,5 +166,9 @@ if [ "$1" = "triggered" ]; then
;;
esac
+ if [ ! -f $CACERTS ]; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
update_cacerts
fi
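Review bot: `$CACERTS` is unquoted in the new test `[ ! -f $CACERTS ]`, while the existing check in update_cacerts writes `[ -f "$CACERTS" ]`; for consistency this should be `if [ ! -f "$CACERTS" ]; then`. The block would also benefit from a comment stating why the marker is created, such as `# no keystore yet: request a fresh import instead of an incremental update`. The `touch` assumes /var/lib/ca-certificates-java already exists, which the hunk does not show. The enclosing `if [ "$1" = "triggered" ]` block begins outside the hunk.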
=====================================
debian/ca-certificates-java.triggers
=====================================
@@ -1,3 +1,2 @@
-interest update-ca-certificates-java
-interest update-ca-certificates-java-fresh
-interest /usr/lib/jvm
+interest-await update-ca-certificates-java
+interest-await update-ca-certificates-java-fresh
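Review bot: Dropping `interest /usr/lib/jvm` means a JVM placed under /usr/lib/jvm by a package that does not activate `update-ca-certificates-java` no longer causes the keystore to be built. That includes the oracle-java* layouts the removed setup_path used to probe. The commit message says refreshes now happen only via the trigger activated by OpenJDK packages, so this looks intended, but the file itself carries no record of it. A comment line would help the next maintainer, for example `# no file trigger on /usr/lib/jvm: JVM packages must activate update-ca-certificates-java explicitly`.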
=====================================
debian/changelog
=====================================
@@ -1,3 +1,25 @@
+ca-certificates-java (20230705) UNRELEASED; urgency=medium
+
+ [ Vladimir Petko ]
+ * Resolve circular JRE dependency:
+ - debian/ca-certificates-java.postinst: remove setup_path from "configure"
+ stage.
+ - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
+ not found. Certificates are refreshed only in response to the trigger
+ activated by OpenJDK packages.
+ - debian/ca-certificates-java.postinst: fix cacert enumeration command for
+ Java 8.
+ - debian/control: remove JRE dependency.
+ - debian/control: add Breaks condition.
+ - debian/tests: add smoke tests.
+ - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
+ explicitly declare triggers as -await.
+
+ [ Matthias Klose ]
+ * Adjust the breaks for Debian versions.
+
+ -- Matthias Klose <doko at debian.org> Wed, 05 Jul 2023 14:56:40 +0200
+
ca-certificates-java (20230620) unstable; urgency=medium
[ Matthias Klose ]
=====================================
debian/control
=====================================
@@ -20,7 +20,13 @@ Multi-Arch: foreign
Depends:
ca-certificates (>= 20210120),
${misc:Depends},
- default-jre-headless (>= 2:1.8) | java8-runtime-headless,
+Breaks: openjdk-8-jre-headless (<< 8u382~b04-2~),
+ openjdk-11-jre-headless (<< 11.0.19+7~1~),
+ openjdk-17-jre-headless (<< 17.0.8~6-3~),
+ openjdk-18-jre-headless (<< 18.0.2+9-2ubuntu1~),
+ openjdk-19-jre-headless (<< 19.0.2+7-0ubuntu4~),
+ openjdk-20-jre-headless (<< 20.0.1+9~1~),
+ openjdk-21-jre-headless (<< 21~9ea-1~)
Description: Common CA certificates (JKS keystore)
This package uses the hooks of the ca-certificates package to update the
cacerts JKS keystore used for many java runtimes.
=====================================
debian/tests/can-convert-keystore
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# GIVEN a PKCS12 Java keystore
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+rm $CACERTS
+keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null
+apt-get remove -y ca-certificates-java
+
+mkdir -p /etc/ssl/certs/java/
+mkdir -p /var/lib/ca-certificates-java/
+mv test.store $CACERTS
+# WHEN ca-certificates-java is requested to convert the keystore
+touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+
+# THEN conversion is successful
+output=`mktemp`
+apt-get install -y openjdk-8-jre-headless | tee ${output}
+
+if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]];
+then
+ echo "Certificates were not imported !!!"
+ exit 255
+fi
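Review bot: The `apt-get install -y openjdk-8-jre-headless | tee ${output}` pipeline runs under `set -e` without `pipefail`, so a failing apt-get is masked by tee's exit status and only the log grep can fail the test. Using `set -eo pipefail` at the top closes that gap, and the check reads more directly as `if ! grep -q "Entry for alias amazon successfully imported." "${output}"; then`. The same pipeline and `grep -L` idiom appear in can-install-jre and can-install-multiple-jdks. In this file keytool's stderr is also discarded with `2> /dev/null`, which hides the reason when the import fails. `rm $CACERTS` aborts the test if the keystore is absent, and the mktemp file is never removed.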
=====================================
debian/tests/can-install-jre
=====================================
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+versions=$(apt-cache search jre-headless | awk '{print $1}')
+for version in ${versions}
+do
+# WHEN openjdk-jre-headless package is installed from scratch
+
+ # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean
+ # builds. Ignore it in certificate tests
+ if [[ ${version} == "openjdk-18-jre-headless" ]];
+ then
+ continue
+ fi
+ output=`mktemp`
+ echo "installing ${version}"
+ apt-get install -y ${version} | tee ${output}
+# THEN installation is successfull
+# AND certificates are updated
+ if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+ echo "Certificates were not imported !!!"
+ exit 255
+ fi
+ rm $output
+ # purge in order to remove keytstore
+ apt-get purge -y ca-certificates-java ${version}
+done
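Review bot: `apt-cache search jre-headless` matches package descriptions as well as names, so the loop may install packages other than the openjdk-N-jre-headless set and expect the certificate log line from each. Restricting the query to names makes the candidate list predictable: `versions=$(apt-cache search --names-only '^openjdk-[0-9]+-jre-headless$' | awk '{print $1}')`. If default-jre-headless is meant to be covered too, it should be listed explicitly. The assertion is also tied to one CA file name, `Amazon_Root_CA_1.pem`, so the test will start failing if ca-certificates ever drops that root; a comment noting the dependency would save debugging time.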
=====================================
debian/tests/can-install-libreoffice
=====================================
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+apt-get install -y libreoffice
=====================================
debian/tests/can-install-multiple-jdks
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+output=`mktemp`
+# WHEN multiple JDKs are installed
+apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output}
+
+# THEN installation is successful
+if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+ echo "Certificates were not imported !!!"
+ exit 255
+fi
+rm $output
=====================================
debian/tests/control
=====================================
@@ -0,0 +1,9 @@
+Tests: can-convert-keystore
+Depends: bash, default-jre-headless
+Restrictions: needs-root
+
+Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice
+# No depends, this is a test for a clean install
+Depends: bash
+Restrictions: needs-root
+
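Review bot: Both stanzas declare only `Restrictions: needs-root`, yet the scripts delete /etc/ssl/certs/java/cacerts and install, remove and purge packages. Those changes leave the testbed in a different state for whatever runs next. Declaring `Restrictions: needs-root, breaks-testbed` tells autopkgtest to run them only where the testbed can be discarded or reset. Tests in the second stanza also share one testbed unless it is reset between them, so an earlier JDK install may affect what can-install-multiple-jdks observes (inferred from the shared stanza).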
View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/commit/ff1821043d4cd3fc8e4d5a49bed9304135a479e6