head	1.3;
access;
symbols
	netbsd-11-0-RC3:1.3
	netbsd-11-0-RC2:1.3
	netbsd-11-0-RC1:1.3
	perseant-exfatfs-base-20250801:1.3
	netbsd-11:1.3.0.6
	netbsd-11-base:1.3
	netbsd-10-1-RELEASE:1.3.2.2
	perseant-exfatfs-base-20240630:1.3
	perseant-exfatfs:1.3.0.4
	perseant-exfatfs-base:1.3
	netbsd-10-0-RELEASE:1.3.2.2
	netbsd-10-0-RC6:1.3.2.2
	netbsd-10-0-RC5:1.3.2.2
	netbsd-10-0-RC4:1.3.2.2
	netbsd-10-0-RC3:1.3.2.2
	netbsd-10-0-RC2:1.3.2.2
	netbsd-10-0-RC1:1.3.2.2
	netbsd-10:1.3.0.2;
locks; strict;
comment	@# @;


1.3
date	2023.09.03.18.31.01;	author riastradh;	state Exp;
branches
	1.3.2.1;
next	1.2;
commitid	MrjdLxkVVlri2mDE;

1.2
date	2023.08.28.23.57.25;	author riastradh;	state Exp;
branches;
next	1.1;
commitid	i8nUychUjxIf2CCE;

1.1
date	2023.08.26.05.27.15;	author riastradh;	state Exp;
branches;
next	;
commitid	3DdQpQm7IK3mXfCE;

1.3.2.1
date	2023.09.03.18.31.01;	author martin;	state dead;
branches;
next	1.3.2.2;
commitid	2TUS7rO7f7zuGtDE;

1.3.2.2
date	2023.09.04.17.33.27;	author martin;	state Exp;
branches;
next	;
commitid	2TUS7rO7f7zuGtDE;


desc
@@


1.3
log
@certctl(8): Install certs.conf in /usr/share/examples too.

This way postinstall(8) can refer to the default one when you've done
an upgrade without etcupdate or similar to pull in new config files
from etc.tgz.

Not great -- we should do this systematically for all config files in
/etc, but this one-off hack is less risky for 10.
@
text
@#	$NetBSD: Makefile,v 1.2 2023/08/28 23:57:25 riastradh Exp $
#

MAN=		certctl.8
SCRIPTS=	certctl.sh

# XXX Hack to install certs.conf both in /etc/openssl (etc set) and in
# /usr/share/examples/certctl (base set).  Really, all files in /etc
# should have /usr/share/examples versions; once the build does that,
# drop this.  Written via .tmp so a failed cat cannot truncate the target.
etc-certs.conf base-certs.conf: certs.conf
	cat ${.ALLSRC} >${.TARGET}.tmp
	${MV} -f ${.TARGET}.tmp ${.TARGET}
# Live copy: certctl(8)'s config in /etc/openssl; 644 = owner-writable only.
CONFIGFILES+=	etc-certs.conf
FILESBUILD_etc-certs.conf=	yes
FILESDIR_etc-certs.conf=	/etc/openssl
FILESNAME_etc-certs.conf=	certs.conf
FILESMODE_etc-certs.conf=	644
# Example copy, the default postinstall(8) can refer to; no mode override.
FILES+=		base-certs.conf
FILESBUILD_base-certs.conf=	yes
FILESDIR_base-certs.conf=	/usr/share/examples/certctl
FILESNAME_base-certs.conf=	certs.conf

.include <bsd.prog.mk>
@


1.3.2.1
log
@file Makefile was added on branch netbsd-10 on 2023-09-04 17:33:27 +0000
@
text
@d1 26
@


1.3.2.2
log
@Pull up following revision(s) (requested by riastradh in ticket #343):

	external/mpl/mozilla-certdata/dist/certdata.txt: revision 1.1.1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G3.pem: revision 1.1
	distrib/sets/lists/man/mi: revision 1.1764
	external/mpl/mozilla-certdata/share/certs/ACCVRAIZ1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem: revision 1.1
	tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_R46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_E45.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_ECC.pem: revision 1.1
	tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1
	tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Izenpe.com.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_2.pem: revision 1.1
	tests/usr.sbin/certctl/certs4/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Global_Chambersign_Root_-_2008.pem: revision 1.1
	distrib/sets/lists/etc/mi: revision 1.272
	external/mpl/mozilla-certdata/share/certs/ISRG_Root_X1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TunTrust_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_BR_Root_CA_1_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_RSA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_EC-384_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/IdenTrust_Public_Sector_Root_CA_1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_EC1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SZAFIR_ROOT_CA2.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.1
	external/mpl/mozilla-certdata/share/certs/UCA_Global_G2_Root.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_Client_ECC_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/COMODO_ECC_Certification_Authority.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.2
	tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.3
	external/mpl/mozilla-certdata/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_RSA_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R2.pem: revision 1.1
	usr.sbin/certctl/certctl.sh: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.4
	external/mpl/mozilla-certdata/share/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SwissSign_Silver_CA_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Starfield_Class_2_CA.pem: revision 1.1
	usr.sbin/certctl/certctl.sh: revision 1.2
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.5
	usr.sbin/certctl/certctl.sh: revision 1.3
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.6
	usr.sbin/certctl/certctl.sh: revision 1.4
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.7
	external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.8
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_E46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Hongkong_Post_Root_CA_3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/ANF_Secure_Server_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Chambers_of_Commerce_Root_-_2008.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Go_Daddy_Class_2_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/USERTrust_RSA_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P384_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certdata.awk: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_TLS_ECC_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_G2_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_R46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TrustCor_ECA-1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_ECC_Root_CA_2022.pem: revision 1.1
	usr.sbin/Makefile: revision 1.292
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/CA_Disig_Root_R2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_C1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R6.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Trusted_Root_G4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_G2_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/vTrus_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_R46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-2.pem: revision 1.1
	etc/mtree/special: revision 1.176
	external/mpl/mozilla-certdata/share/certs/USERTrust_ECC_Certification_Authority.pem: revision 1.1
	etc/mtree/special: revision 1.177
	etc/mtree/special: revision 1.178
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium_ECC.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/vTrus_ECC_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_ECC_P384_Root_G5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/NAVER_Global_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/server.trust: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SecureTrust_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/code.trust: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_RSA_Root_CA_2022.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_RSA4096_Root_G5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G2.pem: revision 1.1
	tests/usr.sbin/certctl/certs1/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_E46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TWCA_Global_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_RSA4096_Root_G5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Client_ECC_Root_CA_2022.pem: revision 1.1
	share/man/man7/hier.7: revision 1.141
	external/mpl/mozilla-certdata/share/certs/Certigna.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/certSIGN_Root_CA_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certigna_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Telia_Root_CA_v2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TWCA_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Buypass_Class_2_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_C3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Client_RSA_Root_CA_2022.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HiPKI_Root_CA_-_G1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Starfield_Root_Certificate_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SwissSign_Gold_CA_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GB_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Networking.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1
	tests/usr.sbin/certctl/Makefile.inc: revision 1.1
	external/mpl/mozilla-certdata/share/certs/COMODO_RSA_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA_2.pem: revision 1.1
	tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GC_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Commercial.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Buypass_Class_3_Root_CA.pem: revision 1.1
	distrib/sets/lists/tests/mi: revision 1.1292
	external/mpl/mozilla-certdata/share/certs/UCA_Extended_Validation_Root.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/email.trust: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_2011.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_EV_Root_CA_1_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/ePKI_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_ECDSA_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R4.pem: revision 1.1
	tests/usr.sbin/certctl/certs2/Makefile: revision 1.1
	tests/usr.sbin/Makefile: revision 1.8
	external/mpl/mozilla-certdata/share/certs/Trustwave_Global_Certification_Authority.pem: revision 1.1
	tests/usr.sbin/certctl/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/IdenTrust_Commercial_Root_CA_1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_ECC_P384_Root_G5.pem: revision 1.1
	tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/Makefile: revision 1.2
	external/mpl/mozilla-certdata/share/certs/Microsec_e-Szigno_Root_CA_2009.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_Client_RSA_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GDCA_TrustAUTH_R5_ROOT.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_3.pem: revision 1.1
	tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/ISRG_Root_X2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_CA_3_2013.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem: revision 1.1
	etc/mtree/NetBSD.dist.base: revision 1.252
	external/mpl/mozilla-certdata/share/certs/CFCA_EV_ROOT.pem: revision 1.1
	etc/mtree/NetBSD.dist.base: revision 1.253
	external/mpl/mozilla-certdata/share/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_G1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1
	usr.sbin/certctl/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_ECC_RootCA1.pem: revision 1.1
	usr.sbin/certctl/Makefile: revision 1.2
	usr.sbin/certctl/Makefile: revision 1.3
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/e-Szigno_Root_CA_2017.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/certSIGN_ROOT_CA.pem: revision 1.1
	doc/3RDPARTY: revision 1.1949
	external/mpl/mozilla-certdata/share/certs/Certainly_Root_R1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TeliaSonera_Root_CA_v1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_TLS_RSA_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/NetLock_Arany_Class_Gold.pem: revision 1.1
	usr.sbin/postinstall/postinstall.in: revision 1.53
	usr.sbin/postinstall/postinstall.in: revision 1.54
	tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1
	etc/Makefile: revision 1.467
	usr.sbin/postinstall/postinstall.in: revision 1.55
	tests/usr.sbin/certctl/certs3/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GLOBALTRUST_2020.pem: revision 1.1
	etc/mtree/NetBSD.dist.tests: revision 1.200
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_1_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Actalis_Authentication_Root_CA.pem: revision 1.1
	distrib/sets/lists/base/mi: revision 1.1326
	distrib/sets/lists/base/mi: revision 1.1327
	external/mpl/mozilla-certdata/share/certs/SecureSign_RootCA11.pem: revision 1.1
	distrib/sets/lists/base/mi: revision 1.1328
	external/mpl/mozilla-certdata/share/certs/Comodo_AAA_Services_root.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2_G3.pem: revision 1.1
	distrib/sets/lists/base/mi: revision 1.1329
	external/mpl/mozilla-certdata/share/certs/COMODO_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_High_Assurance_EV_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_R45.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Secure_Global_CA.pem: revision 1.1
	usr.sbin/certctl/certctl.8: revision 1.1
	external/mpl/mozilla-certdata/share/certs/XRamp_Global_CA_Root.pem: revision 1.1
	external/mpl/Makefile: revision 1.5
	usr.sbin/certctl/certctl.8: revision 1.2
	external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_2009.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Baltimore_CyberTrust_Root.pem: revision 1.1
	usr.sbin/certctl/certs.conf: revision 1.1
	external/mpl/mozilla-certdata/share/certs/LAWtrust_Root_CA2_4096.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_TLS_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GA_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certainly_Root_E1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_E46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_TLS_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem: revision 1.1

certctl(8): New tool for managing OpenSSL CA certificates.
Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.

mozilla-certdata: Record in doc/3RDPARTY.

mozilla-certdata: Makefile infrastructure.

mozilla-certdata: regen
(actually, just `gen', this first time)

mozilla-certdata: Connect it up to the build.

postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.

Works only with destdir /, since it relies on running openssl(1),
which is not available as a tool or required in the cross-build
environment.

certctl(8): Add xfail test for missing certs.conf.

Command should fail, i.e., exit with nonzero status, but it exits
with zero instead.
certctl(8): Exit nonzero on missing certs.conf.
certctl(8): Test prepopulated /etc/openssl/certs.

This is the scenario when you have previously populated
/etc/openssl/certs manually, or with a package like mozilla-rootcerts
or mozilla-rootcerts-openssl, and you update to a version of NetBSD
with certctl(8).  In this case, certctl(8) should avoid destroying
your work.

While here, also test some related but less likely edge cases:
- nonexistent
- symlink
- regular file

certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or
non-directories there.

This way, we have the following transitions on system updates:
- If /etc/openssl/certs is empty (as in default NetBSD<10 installs):
  quietly populated on rehash.
- If /etc/openssl/certs is nonempty (you've added things to it,
  e.g. by hand or with mozilla-rootcerts) and has never been managed
  by certctl(8): left alone on rehash, with an error message to
  explain what you need to do.
- If /etc/openssl/certs has been managed by certctl(8): quietly
  updated on rehash.

Note: This means current installations made since certctl(8) was
added will be treated like /etc/openssl/certs is nonempty and has
never been managed by certctl(8).  To work around this, you can just
delete /etc/openssl/certs and rerun `certctl rehash'.
postinstall(8): Fail if `certctl rehash' fails.

Not using `set -e' here, evidently (maybe we should), so the separate
return 0 suppressed the error.
distrib/sets/lists: certs.conf belongs in etc, not in base.
Oops.

certctl(8): Set certs.conf 644 and add it to etc/mtree/special.
Now that we have /etc/openssl/certs.conf mentioned here, also
list /etc/openssl.

hier(7): Document /etc/openssl.

certctl(8): Minor man page clarifications.
- Specify exactly what /etc/openssl/certs gets populated with.
- Change HTTPS to TLS.
- Specify the permitted character class in certs.conf.
  (Maybe more conservative than strictly needed; but let's stay on
  the safe side.)

certctl(8): Fix some bugs with evil pathnames.

certctl(8): Fix quoting and whitespace style in evilpath test.

No functional change intended.

etc/mtree/special: Fix spaces/tabs.
No functional change intended.

mozilla-certdata: Install relative symlinks.
Slightly more compact this way, and you can examine them in a destdir
without chrooting.  Not terribly important, but a minor convenience.

certctl(8): Test more evil pathnames.

certctl(8): Install certs.conf in /usr/share/examples too.
This way postinstall(8) can refer to the default one when you've done
an upgrade without etcupdate or similar to pull in new config files
from etc.tgz.

Not great -- we should do this systematically for all config files in
/etc, but this one-off hack is less risky for 10.
postinstall(8): Handle various certs.conf scenarios gracefully.

Tested the following scenarios:
1. fresh install
   empty /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)
2. fresh upgrade
   empty /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install default /etc/openssl/certs.conf (go to 1)
   - opensslcertsrehash
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     - [x] fix: fail -- complain missing /etc/openssl/certs.conf
3. upgrade from certctl, changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)
4. upgrade from certctl, no changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: pass
     [x] fix: pass -- quietly rehash successfully (go to 4)
5. upgrade from mozilla-rootcerts
   populated /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install manual /etc/openssl/certs.conf (go to 7)
   - opensslcertsrehash:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: fail -- complain missing /etc/openssl/certs.conf
6. upgrade from mozilla-rootcerts with etcupdate naively
   populated /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: fail -- complain mismatched certs/ and certs.conf
     [x] fix: fail -- complain mismatched certs/ and certs.conf
7. upgrade from mozilla-rootcerts with etcupdate manually
   populated /etc/openssl/certs
   manual /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: pass
     [x] fix: pass -- skip rehash because manual (go to 7)

XXX Someone should draft automatic tests for postinstall.  It has a
very good track record, but it sure would be nice to automate this
testing rather than redo it each time I make a tiny change.
@
text
@a0 26
#	$NetBSD: Makefile,v 1.1 2023/08/26 05:27:15 riastradh Exp $
#

MAN=		certctl.8
SCRIPTS=	certctl.sh

# XXX This is a hack to install certs.conf both in /etc/openssl (in the
# etc set) and in /usr/share/examples/certctl (in the base set).
# Really, all files in /etc should have /usr/share/examples versions;
# once you arrange the build to do that, you can get rid of this hack.
etc-certs.conf base-certs.conf: certs.conf
	cat ${.ALLSRC} >${.TARGET}.tmp
	${MV} -f ${.TARGET}.tmp ${.TARGET}

CONFIGFILES+=	etc-certs.conf
FILESBUILD_etc-certs.conf=	yes
FILESDIR_etc-certs.conf=	/etc/openssl
FILESNAME_etc-certs.conf=	certs.conf
FILESMODE_etc-certs.conf=	644

FILES+=		base-certs.conf
FILESBUILD_base-certs.conf=	yes
FILESDIR_base-certs.conf=	/usr/share/examples/certctl
FILESNAME_base-certs.conf=	certs.conf

.include <bsd.prog.mk>
@


1.2
log
@certctl(8): Set certs.conf 644 and add it to etc/mtree/special.
@
text
@d1 1
a1 1
#	$NetBSD: Makefile,v 1.1 2023/08/26 05:27:15 riastradh Exp $
d7 18
a24 3
FILESDIR=	/etc/openssl
FILESMODE=	644
CONFIGFILES=	certs.conf
@


1.1
log
@certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.
@
text
@d1 1
a1 1
#	$NetBSD$
d8 1
@

