Update for stretch

Update Mozilla certificate authority bundle to version 2.28

debian/NEWS

@@ -1,3 +1,76 @@
+ca-certificates (20141019+deb8u2) stable; urgency=medium
+
+  Update Mozilla certificate authority bundle to version 2.9.
+    The following certificate authorities were added (+):
+    + "Certplus Root CA G1"
+    + "Certplus Root CA G2"
+    + "Certum Trusted Network CA 2"
+    + "Hellenic Academic and Research Institutions ECC RootCA 2015"
+    + "Hellenic Academic and Research Institutions RootCA 2015"
+    + "ISRG Root X1"
+    + "OpenTrust Root CA G1"
+    + "OpenTrust Root CA G2"
+    + "OpenTrust Root CA G3"
+    + "SZAFIR ROOT CA2"
+    The following certificate authorities were removed (-):
+    - "CA Disig"
+    - "NetLock Business (Class B) Root"
+    - "NetLock Express (Class C) Root"
+    - "NetLock Notary (Class A) Root"
+    - "NetLock Qualified (Class QA) Root"
+    - "Sonera Class 1 Root CA"
+    - "Staat der Nederlanden Root CA"
+    - "Verisign Class 1 Public Primary Certification Authority - G2"
+    - "Verisign Class 3 Public Primary Certification Authority"
+    - "Verisign Class 3 Public Primary Certification Authority - G2"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Fri, 18 Nov 2016 09:09:47 -0600
+
+ca-certificates (20141019+deb8u1) stable; urgency=medium
+
+  Update Mozilla certificate authority bundle to version 2.6.
+    The following certificate authorities were added (+):
+    + "CA WoSign ECC Root"
+    + "Certification Authority of WoSign G2"
+    + "Certinomis - Root CA"
+    + "CFCA EV ROOT"
+    + "COMODO RSA Certification Authority"
+    + "Entrust Root Certification Authority - EC1"
+    + "Entrust Root Certification Authority - G2"
+    + "GlobalSign ECC Root CA - R4"
+    + "GlobalSign ECC Root CA - R5"
+    + "IdenTrust Commercial Root CA 1"
+    + "IdenTrust Public Sector Root CA 1"
+    + "OISTE WISeKey Global Root GB CA"
+    + "S-TRUST Universal Root CA"
+    + "Staat der Nederlanden EV Root CA"
+    + "Staat der Nederlanden Root CA - G3"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+    + "USERTrust ECC Certification Authority"
+    + "USERTrust RSA Certification Authority"
+    The following certificate authorities were removed (-):
+    - "A-Trust-nQual-03"
+    - "America Online Root Certification Authority 1"
+    - "America Online Root Certification Authority 2"
+    - "Buypass Class 3 CA 1"
+    - "ComSign Secured CA"
+    - "Digital Signature Trust Co. Global CA 1"
+    - "Digital Signature Trust Co. Global CA 3"
+    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    - "GTE CyberTrust Global Root"
+    - "SG TRUST SERVICES RACINE"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "Thawte Premium Server CA"
+    - "Thawte Server CA"
+    - "TURKTRUST Certificate Services Provider Root 1"
+    - "TURKTRUST Certificate Services Provider Root 2"
+    - "UTN DATACorp SGC Root CA"
+    - "Verisign Class 4 Public Primary Certification Authority - G3"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Mon, 14 Dec 2015 20:46:50 -0600
+
 ca-certificates (20140927) unstable; urgency=medium
 
   Update Mozilla Certificate Authority bundle to version 2.1.

debian/changelog

@@ -1,3 +1,191 @@
+ca-certificates (20141019+deb8u5) jessie; urgency=medium
+
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.28.
+    The following certificate authorities were added (+):
+    + "GlobalSign Root CA - R6"
+    + "OISTE WISeKey Global Root GC CA"
+    The following certificate authorities were removed (-):
+    - "Certplus Root CA G1"
+    - "Certplus Root CA G2"
+    - "OpenTrust Root CA G1"
+    - "OpenTrust Root CA G2"
+    - "OpenTrust Root CA G3"
+    - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    - "Visa eCommerce Root"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 10 Jan 2019 19:31:31 -0600
+
+ca-certificates (20141019+deb8u4) jessie-security; urgency=high
+
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.22.
+    Closes: #858064, #867461
+    This update removes StartCom and WoSign certificates. Closes: #858539
+    The following certificate authorities were added (+):
+    + "AC RAIZ FNMT-RCM"
+    + "Amazon Root CA 1"
+    + "Amazon Root CA 2"
+    + "Amazon Root CA 3"
+    + "Amazon Root CA 4"
+    + "D-TRUST Root CA 3 2013"
+    + "GDCA TrustAUTH R5 ROOT"
+    + "LuxTrust Global Root 2"
+    + "SSL.com EV Root Certification Authority ECC"
+    + "SSL.com EV Root Certification Authority RSA R2"
+    + "SSL.com Root Certification Authority ECC"
+    + "SSL.com Root Certification Authority RSA"
+    + "Symantec Class 1 Public Primary Certification Authority - G4"
+    + "Symantec Class 1 Public Primary Certification Authority - G6"
+    + "Symantec Class 2 Public Primary Certification Authority - G4"
+    + "Symantec Class 2 Public Primary Certification Authority - G6"
+    + "TrustCor ECA-1"
+    + "TrustCor RootCert CA-1"
+    + "TrustCor RootCert CA-2"
+    + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
+    The following certificate authorities were removed (-):
+    - "ACEDICOM Root"
+    - "AddTrust Public Services Root"
+    - "AddTrust Qualified Certificates Root"
+    - "ApplicationCA - Japanese Government"
+    - "Buypass Class 2 CA 1"
+    - "CA Disig Root R1"
+    - "CA WoSign ECC Root"
+    - "CNNIC ROOT"
+    - "Certification Authority of WoSign G2"
+    - "Certinomis - Autorité Racine"
+    - "China Internet Network Information Center EV Certificates Root"
+    - "Comodo Secure Services root"
+    - "Comodo Trusted Services root"
+    - "DST ACES CA X6"
+    - "EBG Elektronik Sertifika Hizmet Saglayicisi"
+    - "Equifax Secure CA"
+    - "Equifax Secure eBusiness CA 1"
+    - "Equifax Secure Global eBusiness CA"
+    - "GeoTrust Global CA 2"
+    - "IGC/A"
+    - "Juur-SK"
+    - "Microsec e-Szigno Root CA"
+    - "PSCProcert"
+    - "Root CA Generalitat Valenciana"
+    - "RSA Security 2048 v3"
+    - "S-TRUST Authentication and Encryption Root CA 2005 PN"
+    - "Security Communication EV RootCA1"
+    - "StartCom Certification Authority"
+    - "StartCom Certification Authority G2"
+    - "Swisscom Root CA 1"
+    - "Swisscom Root EV CA 2"
+    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+    - "TURKTRUST Certificate Services Provider Root 2007"
+    - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+    - "UTN USERFirst Hardware Root CA"
+    - "Verisign Class 1 Public Primary Certification Authority"
+    - "Verisign Class 2 Public Primary Certification Authority - G2"
+    - "Verisign Class 3 Public Primary Certification Authority"
+    - "WellsSecure Public Root Certificate Authority"
+    - "WoSign"
+    - "WoSign China"
+  * debian/control:
+    Remove Christian Perrier from uploaders at his request. Closes: #894070
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 10 Jun 2018 20:03:36 -0500
+
+ca-certificates (20141019+deb8u3) jessie; urgency=medium
+
+  [ Michael Shuler ]
+  * sbin/update-ca-certificates:
+    Update local certificates directory when calling --fresh. Closes: #783615
+
+  [ Andreas Beckmann ]
+  * Backport another commit to make running update-certificates without hooks
+    actually work (instead of showing a usage message). Closes: #825730
+
+ -- Andreas Beckmann <anbe@debian.org>  Sat, 29 Apr 2017 01:19:23 +0200
+
+ca-certificates (20141019+deb8u2) stable; urgency=medium
+
+  [ Michael Shuler ]
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.9.
+    Thanks for the initial 2.7 patch, Jonathan Wiltshire. Closes: #828845
+    The following certificate authorities were added (+):
+    + "Certplus Root CA G1"
+    + "Certplus Root CA G2"
+    + "Certum Trusted Network CA 2"
+    + "Hellenic Academic and Research Institutions ECC RootCA 2015"
+    + "Hellenic Academic and Research Institutions RootCA 2015"
+    + "ISRG Root X1"
+    + "OpenTrust Root CA G1"
+    + "OpenTrust Root CA G2"
+    + "OpenTrust Root CA G3"
+    + "SZAFIR ROOT CA2"
+    The following certificate authorities were removed (-):
+    - "CA Disig"
+    - "NetLock Business (Class B) Root"
+    - "NetLock Express (Class C) Root"
+    - "NetLock Notary (Class A) Root"
+    - "NetLock Qualified (Class QA) Root"
+    - "Sonera Class 1 Root CA"
+    - "Staat der Nederlanden Root CA"
+    - "Verisign Class 1 Public Primary Certification Authority - G2"
+    - "Verisign Class 3 Public Primary Certification Authority"
+    - "Verisign Class 3 Public Primary Certification Authority - G2"
+
+  [ Andreas Beckmann ]
+  * debian/postinst:
+    Run update-certificates without hooks to initially populate
+    /etc/ssl/certs.  (The hooks are deferred to the noawait trigger.)
+    Closes: #825730
+
+ -- Michael Shuler <michael@pbandjelly.org>  Fri, 18 Nov 2016 09:09:47 -0600
+
+ca-certificates (20141019+deb8u1) stable; urgency=medium
+
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.6.
+    Closes: #806239
+    The following certificate authorities were added (+):
+    + "CA WoSign ECC Root"
+    + "Certification Authority of WoSign G2"
+    + "Certinomis - Root CA"
+    + "CFCA EV ROOT"
+    + "COMODO RSA Certification Authority"
+    + "Entrust Root Certification Authority - EC1"
+    + "Entrust Root Certification Authority - G2"
+    + "GlobalSign ECC Root CA - R4"
+    + "GlobalSign ECC Root CA - R5"
+    + "IdenTrust Commercial Root CA 1"
+    + "IdenTrust Public Sector Root CA 1"
+    + "OISTE WISeKey Global Root GB CA"
+    + "S-TRUST Universal Root CA"
+    + "Staat der Nederlanden EV Root CA"
+    + "Staat der Nederlanden Root CA - G3"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+    + "USERTrust ECC Certification Authority"
+    + "USERTrust RSA Certification Authority"
+    The following certificate authorities were removed (-):
+    - "A-Trust-nQual-03"
+    - "America Online Root Certification Authority 1"
+    - "America Online Root Certification Authority 2"
+    - "Buypass Class 3 CA 1"
+    - "ComSign Secured CA"
+    - "Digital Signature Trust Co. Global CA 1"
+    - "Digital Signature Trust Co. Global CA 3"
+    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    - "GTE CyberTrust Global Root"
+    - "SG TRUST SERVICES RACINE"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "Thawte Premium Server CA"
+    - "Thawte Server CA"
+    - "TURKTRUST Certificate Services Provider Root 1"
+    - "TURKTRUST Certificate Services Provider Root 2"
+    - "UTN DATACorp SGC Root CA"
+    - "Verisign Class 4 Public Primary Certification Authority - G3"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Mon, 14 Dec 2015 20:46:50 -0600
+
 ca-certificates (20141019) unstable; urgency=medium
 
   * debian/copyright:

debian/control

@@ -4,7 +4,6 @@ Priority: optional
 Maintainer: Michael Shuler <michael@pbandjelly.org>
 Uploaders: Raphael Geissert <geissert@debian.org>,
            Thijs Kinkhorst <thijs@debian.org>,
-           Christian Perrier <bubulle@debian.org>
 Build-Depends: debhelper (>= 8), po-debconf
 Build-Depends-Indep: python
 Standards-Version: 3.9.6

debian/gbp.conf

@@ -0,0 +1,2 @@
+[buildpackage]
+debian-branch = debian-jessie

debian/postinst

@@ -136,13 +136,16 @@ EOF
 	        -e 's/^[[:space:]]*1[[:space:]]*/!/' \
 	    >> /etc/ca-certificates.conf
 	fi
+	# update /etc/ssl/certs without running the hooks
 	# fix bogus symlink to ca-certificates.crt on upgrades; see
 	# Debian #643667; drop after wheezy
 	if dpkg --compare-versions "$2" lt-nl 20111025; then
-	    dpkg-trigger --no-await update-ca-certificates-fresh
+	    update-ca-certificates --hooksdir "" --fresh
 	else
-	    dpkg-trigger --no-await update-ca-certificates
+	    update-ca-certificates --hooksdir ""
 	fi
+	# deferred update of /etc/ssl/certs including running the hooks
+	dpkg-trigger --no-await update-ca-certificates
     ;;
 
     triggered)

mozilla/nssckbi.h

@@ -18,41 +18,42 @@
 #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
 #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
 
-/* These version numbers detail the changes 
+/* These version numbers detail the changes
  * to the list of trusted certificates.
  *
  * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
- * for each NSS minor release AND whenever we change the list of
- * trusted certificates.  10 minor versions are allocated for each
- * NSS 3.x branch as follows, allowing us to change the list of
- * trusted certificates up to 9 times on each branch.
- *   - NSS 3.5 branch:  3-9
- *   - NSS 3.6 branch:  10-19
- *   - NSS 3.7 branch:  20-29
- *   - NSS 3.8 branch:  30-39
- *   - NSS 3.9 branch:  40-49
- *   - NSS 3.10 branch: 50-59
- *   - NSS 3.11 branch: 60-69
- *     ...
- *   - NSS 3.12 branch: 70-89
- *   - NSS 3.13 branch: 90-99
- *   - NSS 3.14 branch: 100-109
- *     ...
- *   - NSS 3.29 branch: 250-255
+ * whenever we change the list of trusted certificates.
+ *
+ * Please use the following rules when increasing the version number:
+ *
+ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
+ *   must always be an EVEN number (e.g. 16, 18, 20 etc.)
+ *
+ * - whenever possible, if older branches require a modification to the
+ *   list, these changes should be made on the main line of development (trunk),
+ *   and the older branches should update to the most recent list.
+ *
+ * - ODD minor version numbers are reserved to indicate a snapshot that has
+ *   deviated from the main line of development, e.g. if it was necessary
+ *   to modify the list on a stable branch.
+ *   Once the version has been changed to an odd number (e.g. 2.13) on a branch,
+ *   it should remain unchanged on that branch, even if further changes are
+ *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
+ * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION "2.1"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 28
+#define NSS_BUILTINS_LIBRARY_VERSION "2.28"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
-/* These version numbers detail the semantic changes to ckbi itself 
+/* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0

sbin/update-ca-certificates

@@ -23,6 +23,13 @@
 
 verbose=0
 fresh=0
+CERTSCONF=/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=/etc/ssl/certs
+HOOKSDIR=/etc/ca-certificates/update.d
+
 while [ $# -gt 0 ];
 do
   case $1 in
@@ -30,6 +37,24 @@ do
       verbose=1;;
     --fresh|-f)
       fresh=1;;
+    --certsconf)
+      shift
+      CERTSCONF="$1";;
+    --certsdir)
+      shift
+      CERTSDIR="$1";;
+    --localcertsdir)
+      shift
+      LOCALCERTSDIR="$1";;
+    --certbundle)
+      shift
+      CERTBUNDLE="$1";;
+    --etccertsdir)
+      shift
+      ETCCERTSDIR="$1";;
+    --hooksdir)
+      shift
+      HOOKSDIR="$1";;
     --help|-h|*)
       echo "$0: [--verbose] [--fresh]"
       exit;;
@@ -37,11 +62,10 @@ do
   shift
 done
 
-CERTSCONF=/etc/ca-certificates.conf
-CERTSDIR=/usr/share/ca-certificates
-LOCALCERTSDIR=/usr/local/share/ca-certificates
-CERTBUNDLE=ca-certificates.crt
-ETCCERTSDIR=/etc/ssl/certs
+if [ ! -s "$CERTSCONF" ]
+then
+  fresh=1
+fi
 
 cleanup() {
   rm -f "$TEMPBUNDLE"
@@ -89,7 +113,7 @@ if [ "$fresh" = 1 ]; then
   find . -type l -print | while read symlink
   do
     case $(readlink $symlink) in
-      $CERTSDIR*) rm -f $symlink;;
+      $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
     esac
   done
   find . -type l -print | while read symlink
@@ -151,7 +175,9 @@ mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
 
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
-HOOKSDIR=/etc/ca-certificates/update.d
+if [ -d "$HOOKSDIR" ]
+then
+
 echo -n "Running hooks in $HOOKSDIR...."
 VERBOSE_ARG=
 [ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
@@ -162,5 +188,7 @@ do
 done
 echo "done."
 
+fi
+
 # vim:set et sw=2: