ca-certificates: Update to 20230311

ca-certificates (20230311) unstable; urgency=medium

  [ Đoàn Trần Công Danh ]
  * ca-certificates: compat with non-GNU mktemp (closes: #1000847)

  [ Ilya Lipnitskiy ]
  * certdata2pem.py: use UTC time when checking cert validity

  [ Julien Cristau ]
  * Update Mozilla certificate authority bundle to version 2.60
    The following certificate authorities were added (+):
    + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
    + "Certainly Root E1"
    + "Certainly Root R1"
    + "D-TRUST BR Root CA 1 2020"
    + "D-TRUST EV Root CA 1 2020"
    + "DigiCert TLS ECC P384 Root G5"
    + "DigiCert TLS RSA4096 Root G5"
    + "E-Tugra Global Root CA ECC v3"
    + "E-Tugra Global Root CA RSA v3"
    + "HARICA TLS ECC Root CA 2021"
    + "HARICA TLS RSA Root CA 2021"
    + "HiPKI Root CA - G1"
    + "ISRG Root X2"
    + "Security Communication ECC RootCA1"
    + "Security Communication RootCA3"
    + "Telia Root CA v2"
    + "TunTrust Root CA"
    + "vTrus ECC Root CA"
    + "vTrus Root CA"
    The following certificate authorities were removed (-):
    - "Cybertrust Global Root" (expired)
    - "EC-ACC"
    - "GlobalSign Root CA - R2" (expired)
    - "Hellenic Academic and Research Institutions RootCA 2011"
    - "Network Solutions Certificate Authority"
    - "Staat der Nederlanden EV Root CA" (expired)
  * Drop trailing space from debconf template causing misformatting
    (closes: #980821)

  [ Wataru Ashihara ]
  * Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)

 -- Julien Cristau <jcristau@debian.org>  Sat, 11 Mar 2023 09:47:05 +0100

Author: suominen

security/ca-certificates/Makefile

@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.10 2022/10/19 13:56:32 nia Exp $
+# $NetBSD: Makefile,v 1.11 2023/05/21 16:33:50 kim Exp $
 
-PKGNAME=	ca-certificates-20211016
-PKGREVISION=	4
+PKGNAME=	ca-certificates-20230311
 DISTNAME=	${PKGNAME_NOREV:C/-([^-]*)$/_\1/}
 CATEGORIES=	security
 MASTER_SITES=	http://deb.debian.org/debian/pool/main/c/ca-certificates/
@@ -18,7 +17,7 @@ PYTHON_VERSIONS_INCOMPATIBLE=	27
 
 USE_TOOLS=	echo:run find:run ln:run openssl:run rm:run sed:run sort:run wc:run
 
-WRKSRC=		${WRKDIR}/${PKGNAME_NOREV}
+WRKSRC=		${WRKDIR}/${PKGBASE}
 DATADIR=	${PREFIX}/share/${PKGBASE}
 DOCDIR=		${PREFIX}/share/doc/${PKGBASE}
 EGDIR=		${PREFIX}/share/examples/${PKGBASE}
@@ -61,14 +60,11 @@ CONF_FILES=		${EGDIR}/ca-certificates.conf \
 			${PKG_SYSCONFDIR}/ca-certificates-dir.conf
 
 pre-build:
-	@${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/ca-certificates-dir.conf \
+	${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/ca-certificates-dir.conf \
 	    ${FILESDIR}/README.pkgsrc ${WRKSRC}/
-	@${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
+	${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
 	    >> ${WRKSRC}/ca-certificates.conf
 
-post-extract:
-	${MV} ${WRKDIR}/work ${WRKSRC}
-
 post-install:
 	${INSTALL_MAN} \
 	    ${WRKSRC}/sbin/update-ca-certificates.8 \

security/ca-certificates/PLIST

@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2022/06/12 07:05:30 kim Exp $
+@comment $NetBSD: PLIST,v 1.6 2023/05/21 16:33:50 kim Exp $
 man/man8/update-ca-certificates.8
 sbin/update-ca-certificates
 share/ca-certificates/mozilla/ACCVRAIZ1.crt
@@ -16,6 +16,7 @@ share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
 share/ca-certificates/mozilla/Amazon_Root_CA_4.crt
 share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
 share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
+share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068_2.crt
 share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
 share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
 share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
@@ -24,14 +25,17 @@ share/ca-certificates/mozilla/CFCA_EV_ROOT.crt
 share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
 share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
 share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
+share/ca-certificates/mozilla/Certainly_Root_E1.crt
+share/ca-certificates/mozilla/Certainly_Root_R1.crt
 share/ca-certificates/mozilla/Certigna.crt
 share/ca-certificates/mozilla/Certigna_Root_CA.crt
 share/ca-certificates/mozilla/Certum_EC-384_CA.crt
 share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
 share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
 share/ca-certificates/mozilla/Certum_Trusted_Root_CA.crt
 share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
-share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
+share/ca-certificates/mozilla/D-TRUST_BR_Root_CA_1_2020.crt
+share/ca-certificates/mozilla/D-TRUST_EV_Root_CA_1_2020.crt
 share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
 share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
 share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
@@ -41,9 +45,12 @@ share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
 share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
 share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
 share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
+share/ca-certificates/mozilla/DigiCert_TLS_ECC_P384_Root_G5.crt
+share/ca-certificates/mozilla/DigiCert_TLS_RSA4096_Root_G5.crt
 share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt
 share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt
-share/ca-certificates/mozilla/EC-ACC.crt
+share/ca-certificates/mozilla/E-Tugra_Global_Root_CA_ECC_v3.crt
+share/ca-certificates/mozilla/E-Tugra_Global_Root_CA_RSA_v3.crt
 share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
 share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
 share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
@@ -58,19 +65,21 @@ share/ca-certificates/mozilla/GTS_Root_R4.crt
 share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
 share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
 share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
-share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
 share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
 share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt
 share/ca-certificates/mozilla/GlobalSign_Root_E46.crt
 share/ca-certificates/mozilla/GlobalSign_Root_R46.crt
 share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
 share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
+share/ca-certificates/mozilla/HARICA_TLS_ECC_Root_CA_2021.crt
+share/ca-certificates/mozilla/HARICA_TLS_RSA_Root_CA_2021.crt
 share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
-share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
 share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
+share/ca-certificates/mozilla/HiPKI_Root_CA_-_G1.crt
 share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
 share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt
 share/ca-certificates/mozilla/ISRG_Root_X1.crt
+share/ca-certificates/mozilla/ISRG_Root_X2.crt
 share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
 share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
 share/ca-certificates/mozilla/Izenpe.com.crt
@@ -79,7 +88,6 @@ share/ca-certificates/mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt
 share/ca-certificates/mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt
 share/ca-certificates/mozilla/NAVER_Global_Root_Certification_Authority.crt
 share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
-share/ca-certificates/mozilla/Network_Solutions_Certificate_Authority.crt
 share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
 share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt
 share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt
@@ -95,9 +103,10 @@ share/ca-certificates/mozilla/SZAFIR_ROOT_CA2.crt
 share/ca-certificates/mozilla/SecureSign_RootCA11.crt
 share/ca-certificates/mozilla/SecureTrust_CA.crt
 share/ca-certificates/mozilla/Secure_Global_CA.crt
+share/ca-certificates/mozilla/Security_Communication_ECC_RootCA1.crt
 share/ca-certificates/mozilla/Security_Communication_RootCA2.crt
+share/ca-certificates/mozilla/Security_Communication_RootCA3.crt
 share/ca-certificates/mozilla/Security_Communication_Root_CA.crt
-share/ca-certificates/mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
 share/ca-certificates/mozilla/Starfield_Class_2_CA.crt
 share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
 share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
@@ -109,12 +118,14 @@ share/ca-certificates/mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
 share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
 share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
 share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt
+share/ca-certificates/mozilla/Telia_Root_CA_v2.crt
 share/ca-certificates/mozilla/TrustCor_ECA-1.crt
 share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt
 share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt
 share/ca-certificates/mozilla/Trustwave_Global_Certification_Authority.crt
 share/ca-certificates/mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt
 share/ca-certificates/mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt
+share/ca-certificates/mozilla/TunTrust_Root_CA.crt
 share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt
 share/ca-certificates/mozilla/UCA_Global_G2_Root.crt
 share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
@@ -128,8 +139,10 @@ share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt
 share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt
 share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt
 share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt
+share/ca-certificates/mozilla/vTrus_ECC_Root_CA.crt
+share/ca-certificates/mozilla/vTrus_Root_CA.crt
 share/doc/ca-certificates/README.pkgsrc
 share/doc/ca-certificates/README.source
 share/doc/ca-certificates/changelog
-share/examples/ca-certificates/ca-certificates.conf
 share/examples/ca-certificates/ca-certificates-dir.conf
+share/examples/ca-certificates/ca-certificates.conf

security/ca-certificates/distinfo

@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.8 2022/07/17 02:58:32 tnn Exp $
+$NetBSD: distinfo,v 1.9 2023/05/21 16:33:50 kim Exp $
 
-BLAKE2s (ca-certificates_20211016.tar.xz) = ee1b82472068aef176dbc9dab2099848e299dbcc92ac309ba5a906a98414731d
-SHA512 (ca-certificates_20211016.tar.xz) = bedf072c8aa1b05b249ea272f5cecfe16bdcd762c02c712323f12ac7a278e8814453f5f3caad86a2581e451788b292ed3a76a6a81620926459bb890133cffde1
-Size (ca-certificates_20211016.tar.xz) = 239608 bytes
-SHA1 (patch-mozilla_certdata2pem.py) = e0752892bf93113bb4a6414f1bef98261a5b832a
-SHA1 (patch-sbin_update-ca-certificates) = e57e4c0ec2be335f6d901c865a7b0a33405fd7f2
+BLAKE2s (ca-certificates_20230311.tar.xz) = 41fb59d81073ce3a758c2fd38f4af420d54b32d367a616198d98a1cad1ec7549
+SHA512 (ca-certificates_20230311.tar.xz) = 00571bdc87897813fd7dbe024f3a186cfc9f0d4f55e92545a90888c9e5282f99cb8d75b5932c034731b911bf27a9b38fd7d062dd511eb1152acf8b2811490fa7
+Size (ca-certificates_20230311.tar.xz) = 257772 bytes
+SHA1 (patch-sbin_update-ca-certificates) = 036c25d5e048451917685e62dfddb81004453146

security/ca-certificates/patches/patch-mozilla_certdata2pem.py

@@ -1,7 +1,10 @@
-$NetBSD: patch-sbin_update-ca-certificates,v 1.2 2022/06/12 07:05:30 kim Exp $
+$NetBSD: patch-sbin_update-ca-certificates,v 1.3 2023/05/21 16:33:50 kim Exp $
 
---- sbin/update-ca-certificates.orig	2021-10-16 16:09:43.000000000 +0000
-+++ sbin/update-ca-certificates	2022-06-12 16:09:43.000000000 +0000
+Add a configuration file for enabling CA certificate management in
+a system directory (such as /etc/openssl on NetBSD).
+
+--- sbin/update-ca-certificates.orig	2021-12-15 18:51:05.000000000 +0000
++++ sbin/update-ca-certificates	2023-05-21 15:58:00.334161148 +0000
 @@ -28,9 +28,23 @@
  CERTSDIR=/usr/share/ca-certificates
  LOCALCERTSDIR=/usr/local/share/ca-certificates
@@ -46,7 +49,7 @@ $NetBSD: patch-sbin_update-ca-certificates,v 1.2 2022/06/12 07:05:30 kim Exp $
 +  cat <<-EOF
 +	Please set ETCCERTSDIR to an absolute path in
 +	  $ETCCERTSDIRCONF
-+	and then run it again.
++	and then run update-ca-certificates again.
 +	EOF
 +  exit 1
 +  ;;
@@ -55,14 +58,3 @@ $NetBSD: patch-sbin_update-ca-certificates,v 1.2 2022/06/12 07:05:30 kim Exp $
  if [ ! -s "$CERTSCONF" ]
  then
    fresh=1
-@@ -81,8 +116,8 @@
- # Helper files.  (Some of them are not simple arrays because we spawn
- # subshells later on.)
- TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
--ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
--REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
-+ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
- 
- # Adds a certificate to the list of trusted ones.  This includes a symlink
- # in /etc/ssl/certs to the certificate file and its inclusion into the