
[3.17] main/ca-certificates: backport changes from upstream source

Backport of changes made in ca-certificates-20230106 upstream source package and to Alpine packaging:

Modify c_rehash to ignore the /etc/ssl/certs/ca-certificates.crt file when creating hash softlinks in the /etc/ssl/certs/ directory. There are 3 reasons for this: (1) normally whenever "update-ca-certificates" is run (whether by a script/trigger or by an end-user) a warning will appear:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

which is annoying but not problematic; however, (2) in some circumstances, such as where that file only contains a single certificate, i.e. where you disable all the system certificates and only use your own "local" CA file, c_rehash may wrongly create a softlink to the ca-certificates.crt file rather than to the correct CA file if c_rehash finds the ca-certificates.crt file first in the /etc/ssl/certs/ directory.

In the "single CA cert" situation, if c_rehash instead finds the correct (single CA) file first, then (3) when it does find the ca-certificates.crt file it will generate the following warning:

WARNING: Skipping duplicate certificate in file ca-certificates.crt

The changes in this MR prevent all 3 scenarios from occurring.
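The three scenarios above come down to one rule: the bundle file must never be a candidate for a hash softlink, regardless of how many certificates it happens to contain. The following POSIX sh script is an added illustration of that rule and is not code from the Alpine ca-certificates package or from OpenSSL's c_rehash. It assumes a directory of PEM files, hard-codes the bundle name ca-certificates.crt as in this MR, and only classifies files (it does not call openssl or create links), so it runs on constructed fake PEM bodies.

```shell
#!/bin/sh
# Added example (not Alpine's or OpenSSL's code): a dry-run classifier that
# mirrors the policy described in the MR. Files are either linkable (exactly
# one certificate), skipped because they are the bundle, or skipped because
# the certificate count is not exactly one.

# Assumption: the bundle file name, as used in the MR.
BUNDLE_NAME="ca-certificates.crt"

# Count PEM certificate blocks in a file. grep -c exits 1 on zero matches,
# so "|| true" keeps the count on stdout without failing under set -e.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print one of: "link", "skip-bundle", "skip-count:N" for a single file.
# The bundle check comes first, which is what removes all three scenarios:
# no "not exactly one" warning, no wrong link, no "duplicate" warning.
classify_file() {
    f="$1"
    case "$(basename "$f")" in
        "$BUNDLE_NAME") echo "skip-bundle"; return 0 ;;
    esac
    n=$(count_certs "$f")
    if [ "$n" -eq 1 ]; then
        echo "link"
    else
        echo "skip-count:$n"
    fi
}

# Walk a certs directory and print "<name> <decision>" per file,
# the way a dry run of the rehash step would report it.
scan_dir() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$f" ] || continue
        echo "$(basename "$f") $(classify_file "$f")"
    done
}

# Build a constructed sample directory (fake PEM bodies, not real certificates):
#   local-ca.pem         one certificate          -> link
#   ca-certificates.crt  the bundle, one cert     -> skip-bundle (scenario 2/3)
#   two.pem              two certificates         -> skip-count:2 (scenario 1)
make_sample_dir() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$d/local-ca.pem"
    cat "$d/local-ca.pem" > "$d/ca-certificates.crt"
    { cat "$d/local-ca.pem"; cat "$d/local-ca.pem"; } > "$d/two.pem"
    echo "$d"
}

# Usage: scan_dir "$(make_sample_dir)"   or   scan_dir /etc/ssl/certs
```

Running scan_dir on the sample directory shows the bundle being skipped by name even though it contains exactly one certificate, which is the case in which an unmodified c_rehash could pick it over the real CA file.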

Remove the blacklist.txt file - this has not been updated since it was added to the repo 5+ years ago. Also this file is not used for any purpose - it was previously used/read by the certdata2pem.py Python script, but that was replaced by the mk-ca-bundle.pl Perl script, which makes no use of blacklist.txt.

Correct the update-ca-certificates manpage - this was copied from Debian, however the Alpine program does NOT support any CLI options, so remove these from the manpage.

Packaging changes:

Remove the "Do not edit" comment from the generated /etc/ca-certificates.conf file, as this makes no sense - one of the purposes of the update-ca-certificates tool is to check for entries in the ca-certificates.conf file prefixed by "!" in order to not add them to the CA store (both the bundle file and the unpacked /etc/ssl/certs/ directory), and in order to use this functionality the ca-certificates.conf file obviously must be edited.
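To make the "!" convention concrete, here is an added POSIX sh example, not Alpine's update-ca-certificates code, that reads a ca-certificates.conf-style file and splits its entries into enabled and disabled sets. It assumes the format described above (one certificate path per line, a leading "!" meaning "do not add to the store") plus the usual "#" comments and blank lines; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not Alpine's code): parse a ca-certificates.conf-style file.
# Assumed format: one entry per line; "#" starts a comment; blank lines are
# ignored; a leading "!" marks an entry that must NOT be added to the CA store.

# Strip comments and blank lines, printing the remaining raw entries.
conf_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# Entries that should be added to the bundle and to /etc/ssl/certs/.
enabled_certs() {
    conf_entries "$1" | grep -v '^!' || true
}

# Entries explicitly disabled with "!", printed without the prefix.
disabled_certs() {
    conf_entries "$1" | grep '^!' | sed 's/^!//' || true
}

# Build a constructed sample conf file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real Alpine conf
mozilla/Example_Root_A.crt
!mozilla/Example_Root_B.crt   # disabled on this host

   mozilla/Example_Root_C.crt
EOF
    echo "$f"
}

# Usage: enabled_certs "$(make_sample_conf)"; disabled_certs /etc/ca-certificates.conf
```

The "!" prefix is the only way to keep a shipped certificate out of the store without deleting it from /usr/share/ca-certificates, which is exactly why the conf file has to remain editable by the administrator.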

Remove specified update-ca-certificates option from the ca-certificates trigger file - update-ca-certificates does not support any options at all.
