openwrt

ExternalVendorCode/openwrt

Fork 0

mirror of https://github.com/openwrt/openwrt.git synced 2024-12-19 05:38:00 +00:00

Commit Graph

Author	SHA1	Message	Date
Tianling Shen	7c83b6ac86	ca-certificates: Update to version 20230311 Update the ca-certificates and ca-bundle package from version 20211016 to version 20230311. Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches. Debian change-log entry [1]: \|[...] \|[ Đoàn Trần Công Danh ] \|* ca-certificates: compat with non-GNU mktemp (closes: #1000847) \| \|[ Ilya Lipnitskiy ] \|* certdata2pem.py: use UTC time when checking cert validity \| \|[ Julien Cristau ] \|* Update Mozilla certificate authority bundle to version 2.60 \| The following certificate authorities were added (+): \| + "Autoridad de Certificacion Firmaprofesional CIF A62634068" \| + "Certainly Root E1" \| + "Certainly Root R1" \| + "D-TRUST BR Root CA 1 2020" \| + "D-TRUST EV Root CA 1 2020" \| + "DigiCert TLS ECC P384 Root G5" \| + "DigiCert TLS RSA4096 Root G5" \| + "E-Tugra Global Root CA ECC v3" \| + "E-Tugra Global Root CA RSA v3" \| + "HARICA TLS ECC Root CA 2021" \| + "HARICA TLS RSA Root CA 2021" \| + "HiPKI Root CA - G1" \| + "ISRG Root X2" \| + "Security Communication ECC RootCA1" \| + "Security Communication RootCA3" \| + "Telia Root CA v2" \| + "TunTrust Root CA" \| + "vTrus ECC Root CA" \| + "vTrus Root CA" \| The following certificate authorities were removed (-): \| - "Cybertrust Global Root" (expired) \| - "EC-ACC" \| - "GlobalSign Root CA - R2" (expired) \| - "Hellenic Academic and Research Institutions RootCA 2011" \| - "Network Solutions Certificate Authority" \| - "Staat der Nederlanden EV Root CA" (expired) \|* Drop trailing space from debconf template causing misformatting \| (closes: #980821) \| \|[ Wataru Ashihara ] \|* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244) \|[...] [1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>	2023-05-27 22:51:18 +02:00
Christian Lamparter	25bc66eb40	ca-certificates: fix python3-cryptography woes in certdata2pem.py This patch is a revert of the upstream patch to Debian's ca-certificate commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.") The reason is, that this change broke builds with the popular Ubuntu 20.04 LTS (focal) releases which are shipping with an older version of the python3-cryptography package that is not compatible. \|Traceback (most recent call last): \| File "certdata2pem.py", line 125, in <module> \| cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) \|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend' \|make[5]: *** [Makefile:6: all] Error 1 ...or if the python3-cryptography was missing all together: \|Traceback (most recent call last): \| File "/certdata2pem.py", line 31, in <module> \| from cryptography import x509 \|ModuleNotFoundError: No module named 'cryptography' More concerns were raised by Jo-Philipp Wich: "We don't want the build to depend on the local system time anyway. Right now it seems to be just a warning but I could imagine that eventually certs are simply omitted of found to be expired at build time which would break reproducibility." Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697> Reported-by: Chen Minqiang <ptpt52@gmail.com> Reported-by: Shane Synan <digitalcircuit36939@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@gmail.com>	2021-12-01 17:52:35 +01:00

Author

SHA1

Message

Date

Tianling Shen

7c83b6ac86

ca-certificates: Update to version 20230311

Update the ca-certificates and ca-bundle package from version 20211016 to
version 20230311.

Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches.

Debian change-log entry [1]:
|[...]
|[ Đoàn Trần Công Danh ]
|* ca-certificates: compat with non-GNU mktemp (closes: #1000847)
|
|[ Ilya Lipnitskiy ]
|* certdata2pem.py: use UTC time when checking cert validity
|
|[ Julien Cristau ]
|* Update Mozilla certificate authority bundle to version 2.60
|   The following certificate authorities were added (+):
|   + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|   + "Certainly Root E1"
|   + "Certainly Root R1"
|   + "D-TRUST BR Root CA 1 2020"
|   + "D-TRUST EV Root CA 1 2020"
|   + "DigiCert TLS ECC P384 Root G5"
|   + "DigiCert TLS RSA4096 Root G5"
|   + "E-Tugra Global Root CA ECC v3"
|   + "E-Tugra Global Root CA RSA v3"
|   + "HARICA TLS ECC Root CA 2021"
|   + "HARICA TLS RSA Root CA 2021"
|   + "HiPKI Root CA - G1"
|   + "ISRG Root X2"
|   + "Security Communication ECC RootCA1"
|   + "Security Communication RootCA3"
|   + "Telia Root CA v2"
|   + "TunTrust Root CA"
|   + "vTrus ECC Root CA"
|   + "vTrus Root CA"
|  The following certificate authorities were removed (-):
|  - "Cybertrust Global Root" (expired)
|  - "EC-ACC"
|  - "GlobalSign Root CA - R2" (expired)
|  - "Hellenic Academic and Research Institutions RootCA 2011"
|  - "Network Solutions Certificate Authority"
|  - "Staat der Nederlanden EV Root CA" (expired)
|* Drop trailing space from debconf template causing misformatting
|  (closes: #980821)
|
|[ Wataru Ashihara ]
|* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
|[...]

[1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

2023-05-27 22:51:18 +02:00

Christian Lamparter

25bc66eb40

ca-certificates: fix python3-cryptography woes in certdata2pem.py

This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.

|Traceback (most recent call last):
|  File "certdata2pem.py", line 125, in <module>
|    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
|  File "/certdata2pem.py", line 31, in <module>
|    from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>

2021-12-01 17:52:35 +01:00

2 Commits