20240203 (patches unapplied)

Imported using git-ubuntu import.

debian/ca-certificates.install

@@ -0,0 +1,2 @@
+usr/sbin/
+usr/share/ca-certificates/

debian/ca-certificates.manpages

@@ -0,0 +1 @@
+sbin/update-ca-certificates.8

debian/changelog

@@ -1,3 +1,41 @@
+ca-certificates (20240203) unstable; urgency=medium
+
+  [ Jeffrey Walton ]
+  * update-ca-certificates man page updates
+  * fix shellcheck warnings (closes: #1058658, #981663)
+
+  [ Gioele Barabucci ]
+  * Use standard dh sequence (closes: #1050112)
+
+  [ Julien Cristau ]
+  * Update Mozilla certificate authority bundle to version 2.64
+    The following certificate authorities were added (+):
+    + Atos TrustedRoot Root CA ECC TLS 2021
+    + Atos TrustedRoot Root CA RSA TLS 2021
+    + BJCA Global Root CA1
+    + BJCA Global Root CA2
+    + CommScope Public Trust ECC Root-01
+    + CommScope Public Trust ECC Root-02
+    + CommScope Public Trust RSA Root-01
+    + CommScope Public Trust RSA Root-02
+    + Sectigo Public Server Authentication Root E46
+    + Sectigo Public Server Authentication Root R46
+    + SSL.com TLS ECC Root CA 2022
+    + SSL.com TLS RSA Root CA 2022
+    + TrustAsia Global Root CA G3
+    + TrustAsia Global Root CA G4
+    The following certificate authorities were removed (-):
+    - Autoridad de Certificacion Firmaprofesional CIF A62634068
+    - E-Tugra Certification Authority (closes: #1032916)
+    - E-Tugra Global Root CA ECC v3
+    - E-Tugra Global Root CA RSA v3
+    - Hongkong Post Root CA 1
+    - TrustCor ECA-1
+    - TrustCor RootCert CA-1
+    - TrustCor RootCert CA-2 (closes: #1023945)
+
+ -- Julien Cristau <jcristau@debian.org>  Sun, 04 Feb 2024 10:41:43 +0100
+
 ca-certificates (20230311) unstable; urgency=medium
 
   [ Đoàn Trần Công Danh ]

debian/clean

@@ -0,0 +1 @@
+debian/config.initial_certs

debian/control

@@ -4,7 +4,8 @@ Priority: optional
 Maintainer: Julien Cristau <jcristau@debian.org>
 Build-Depends: debhelper-compat (= 13), po-debconf
 Build-Depends-Indep: python3, openssl, python3-cryptography
-Standards-Version: 4.5.0.2
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
 

debian/rules

@@ -5,83 +5,21 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-configure: configure-stamp
-configure-stamp:
-	dh_testdir
-	# Add here commands to configure the package.
-	touch configure-stamp
-
-build: build-arch build-indep
-
-build-arch: build-stamp
-
-build-indep: build-stamp
-
-build-stamp: configure-stamp
-	dh_testdir
-
-	# Add here commands to compile the package.
-	$(MAKE)
-	touch build-stamp
-
-clean:
-	dh_testdir
-	dh_testroot
-	rm -f build-stamp configure-stamp debian/config
-	# Add here commands to clean up after the build process.
-	[ ! -f Makefile ] || $(MAKE) clean
+%:
+	dh $@
 
+execute_before_dh_clean:
 	debconf-updatepo
 
-	dh_clean
-
-install: build
-	dh_testdir
-	dh_testroot
-	dh_prep
-	dh_installdirs
-	# Add here commands to install the package into debian/ca-certificates.
+execute_before_dh_install:
 	$(MAKE) install DESTDIR=$(CURDIR)/debian/ca-certificates
-	(cd $(CURDIR)/debian/ca-certificates/usr/share/ca-certificates; \
-	 crts=""; \
-	 for crt in $$(find . -type f -name '*.crt' -print | LC_ALL=C sort); \
-	 do \
-	   crt=$$(echo $$crt | sed -e 's/\.\///'); \
-	   if test "$$crts" = ""; then \
-	     crts="$$crt"; \
-	   else \
-	     crts="$$crts, $$crt"; \
-	   fi; \
-	 done; \
-	 cd $(CURDIR)/debian; \
-	 sed -e "s|#INITIAL_CERTS#|$$crts|" \
-		config.in > config)
 	# udeb handling
 	install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
 	(cd mozilla; \
 	 $(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs")
 	openssl rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
 
-# Build architecture-independent files here.
-binary-indep: build install
-	dh_testdir
-	dh_testroot
-	dh_link
-	dh_installdebconf -n
-	dh_installdocs
-	dh_installexamples
-	dh_installman sbin/update-ca-certificates.8
-	dh_installchangelogs
-	dh_compress -X examples
-	dh_fixperms
-	dh_installdeb
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
-
-# Build architecture-dependent files here.
-binary-arch: build install
-# We have nothing to do by default.
-
-binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install configure
+override_dh_installdebconf:
+	find $(CURDIR)/debian/ca-certificates/usr/share/ca-certificates -type f -name '*.crt' -printf '%P\n' | \
+	 LC_ALL=C sort | sed -e '$$! s/$$/, /' | tr -d '\n' > debian/config.initial_certs
+	dh_installdebconf -n -DINITIAL_CERTS=@debian/config.initial_certs

mozilla/Makefile

@@ -9,6 +9,7 @@ clean:
 	-rm -f *.crt
 
 install:
+	install -d $(CERTSDIR)
 	for p in *.crt; do \
 	 install -m 644 $$p $(CERTSDIR)/$$p ; \
 	done

mozilla/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
-#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 64
+#define NSS_BUILTINS_LIBRARY_VERSION "2.64"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/update-ca-certificates

@@ -114,13 +114,13 @@ remove() {
 cd "$ETCCERTSDIR"
 if [ "$fresh" = 1 ]; then
   echo "Clearing symlinks in $ETCCERTSDIR..."
-  find . -type l -print | while read symlink
+  find . -type l -print | while read -r symlink
   do
     case $(readlink "$symlink") in
-      $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
+      $CERTSDIR*|$LOCALCERTSDIR*) rm -f "$symlink";;
     esac
   done
-  find . -type l -print | while read symlink
+  find . -type l -print | while read -r symlink
   do
     test -f "$symlink" || rm -f "$symlink"
   done
@@ -131,7 +131,7 @@ echo "Updating certificates in $ETCCERTSDIR..."
 
 # Add default certificate authorities if requested
 if [ "$default" = 1 ]; then
-  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
+  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read -r crt
   do
     add "$crt"
   done
@@ -139,12 +139,12 @@ fi
 
 # Handle certificates that should be removed.  This is an explicit act
 # by prefixing lines in the configuration files with exclamation marks (!).
-sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
+sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read -r crt
 do
   remove "$CERTSDIR/$crt"
 done
 
-sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read -r crt
 do
   if ! test -f "$CERTSDIR/$crt"
   then
@@ -158,7 +158,7 @@ done
 # administrator.
 if [ -d "$LOCALCERTSDIR" ]
 then
-  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
+  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read -r crt
   do
     add "$crt"
   done
@@ -172,7 +172,7 @@ then
   # only run if set of files has changed
   # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
   # from exiting with an error. See #895482, #895473.
-  find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+  find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read -r orphan
   do
     rm -f "$orphan"
     if [ "$verbose" = 1 ]; then
@@ -204,7 +204,7 @@ then
   echo "Running hooks in $HOOKSDIR..."
   VERBOSE_ARG=
   [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
-  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
+  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook
   do
     ( cat "$ADDED"
       cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."

sbin/update-ca-certificates.8

@@ -25,19 +25,27 @@ This manual page documents briefly the
 .B update-ca-certificates
 command.
 .PP
-\fBupdate-ca-certificates\fP is a program that updates the directory
-/etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt,
-a concatenated single-file list of certificates.
+\fBupdate-ca-certificates\fP is a program that manages the collection of
+TLS certificates for the local machine and generates ca-certificates.crt.
+ca-certificates.crt is a single-file of concatenated certificates.
+The collection of individual certificates is stored at /etc/ssl/certs.
 .PP
-It reads the file /etc/ca-certificates.conf. Each line gives a pathname of
-a CA certificate under /usr/share/ca-certificates that should be trusted.
-Lines that begin with "#" are comment lines and thus ignored.
+The program reads the configuration file /etc/ca-certificates.conf. Each line
+gives a pathname of a CA certificate under /usr/share/ca-certificates that
+should be trusted. Lines that begin with "#" are comment lines and thus ignored.
 Lines that begin with "!" are deselected, causing the deactivation of the CA
-certificate in question. Certificates must have a .crt extension in order to
-be included by update-ca-certificates.
+certificate in question.
 .PP
-Furthermore all certificates with a .crt extension found below
-/usr/local/share/ca-certificates are also included as implicitly trusted.
+Certificates must be in PEM format and have a .crt extension in order to be
+included by update-ca-certificates. Furthermore, all certificates with a .crt
+extension found below /usr/local/share/ca-certificates are also included and
+implicitly trusted.
+.PP
+To add one or more certificates to the machine, copy the certificates in PEM
+format with the *.crt extension to /usr/local/share/ca-certificates. There
+should be one certificate per file, and not multiple certificates in a single
+file. Then run update-ca-certificates to merge the new certificates into the
+existing machine store at /etc/ssl/certs.
 .PP
 Before terminating, \fBupdate-ca-certificates\fP invokes
 \fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with
@@ -54,20 +62,37 @@ Be verbose. Output \fBopenssl rehash\fP.
 .TP
 .B \-f, \-\-fresh
 Fresh updates.  Remove symlinks in /etc/ssl/certs directory.
+.TP
+.B \-\-certsconf
+Change the configuration file. By default, the file
+/etc/ca-certificates.conf is used.
+.TP
+.B \-\-certsdir
+Change the certificate directory. By default, the directory
+/usr/share/ca-certificates is used.
+.TP
+.B \-\-localcertsdir
+Change the local certificate directory. By default, the directory
+/usr/local/share/ca-certificates is used.
+.TP
+.B \-\-etccertsdir
+Change the /etc certificate directory. By default, the directory
+/etc/ssl/certs is used.
+.TP
 .SH FILES
 .TP
 .I /etc/ca-certificates.conf
 A configuration file.
 .TP
 .I /etc/ssl/certs/ca-certificates.crt
-A single-file version of CA certificates.  This holds
-all CA certificates that you activated in /etc/ca-certificates.conf.
+A single-file version of CA certificates. This holds all CA certificates
+that were activated in /etc/ca-certificates.conf.
 .TP
 .I /usr/share/ca-certificates
-Directory of CA certificates.
+Directory of CA certificates provided by the distribution.
 .TP
 .I /usr/local/share/ca-certificates
-Directory of local CA certificates (with .crt extension).
+Directory of local CA certificates, with .crt extension, provided by the user.
 .SH SEE ALSO
 .BR openssl (1)
 .SH AUTHOR