Changeset 02e3bbc8

Timestamp:

01/02/2019 05:30:48 AM (5 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 8.4, 9.0, 9.1, bdubbs/svn, kea, ken/inkscape-core-mods, lazarus, lxqt, plabs/python-mods, qt5new, trunk, upgradedb, xry111/intltool, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

e130fead

Parents:

64be6a1

Message:

Update to make-ca-1.2 and adjust p11-kit configuration for new copy-trust-modifications script.
Correct weekly cron job commands for update-pciids.sh and update-usbids.sh, as well as add update-pki.sh.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20905 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• general.ent (modified) (2 diffs)
• general/sysutils/pciutils.xml (modified) (1 diff)
• general/sysutils/usbutils.xml (modified) (1 diff)
• introduction/welcome/changelog.xml (modified) (1 diff)
• packages.ent (modified) (1 diff)
• postlfs/security/make-ca.xml (modified) (2 diffs)
• postlfs/security/p11-kit.xml (modified) (1 diff)

general.ent

@@ -1 +1 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "01">                   <!-- Always 2 digits -->
+<!ENTITY day          "02">                   <!-- Always 2 digits -->
 <!ENTITY month        "01">                   <!-- Always 2 digits -->
 <!ENTITY year         "2019">
@@ -7 +7 @@
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "January 1st, &year;">
+<!ENTITY releasedate  "January 2nd, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->

general/sysutils/pciutils.xml

@@ -163 +163 @@
 /usr/sbin/update-pciids</literal>
 EOF
-chmod 754 /etc/cron.weekly/update-pciids</userinput></screen>
+chmod 754 /etc/cron.weekly/update-pciids.sh</userinput></screen>
 
 <screen role="root" revision="systemd"><userinput>cat &gt; /lib/systemd/system/update-pciids.service &lt;&lt; "EOF" &amp;&amp;

general/sysutils/usbutils.xml

@@ -168 +168 @@
 /usr/bin/wget http://www.linux-usb.org/usb.ids -O /usr/share/hwdata/usb.ids</literal>
 EOF
-chmod 754 /etc/cron.weekly/update-usbids</userinput></screen>
+chmod 754 /etc/cron.weekly/update-usbids.sh</userinput></screen>
 
 <screen role="root" revision="systemd"><userinput>cat &gt; /lib/systemd/system/update-usbids.service &lt;&lt; "EOF" &amp;&amp;

introduction/welcome/changelog.xml

@@ -43 +43 @@
 -->
     <listitem>
+      <para>January 2nd, 2019</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Update to make-ca-1.2 and adjust p11-kit configuration
+          for new copy-trust-modifications script.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Correct weekly cron job commands for update-pciids.sh
+          and update-usbids.sh, as well as add update-pki.sh.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>January 1st, 2019</para>
       <itemizedlist>

packages.ent

@@ -25 +25 @@
 <!ENTITY linux-pam-docs-version       "1.2.0">
 <!ENTITY libpwquality-version         "1.4.0">
-<!ENTITY make-ca-version              "1.1">
+<!ENTITY make-ca-version              "1.2">
 <!ENTITY mitkrb-major-version         "1.16">
 <!ENTITY mitkrb-version               "1.16.2">

postlfs/security/make-ca.xml

@@ -12 +12 @@
   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
   <!ENTITY make-ca-size          "28 KB">
-  <!ENTITY make-ca-md5sum        "417a8ebfb3d6ac4821c1e508a0a3981f">
+  <!ENTITY make-ca-md5sum        "5b68cf77b02d5681f8419b8acfd139c0">
 ]>
 
@@ -174 +174 @@
     either manually, or via a <phrase revision="sysv">cron job.</phrase>
     <phrase revision="systemd">systemd timer. A timer is installed at
-    <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled,
-    will check for updates weekly.</phrase></para>
+    <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
+    enabled, will check for updates weekly. </phrase><phrase revision="sysv">If
+    you've installed <xref linkend="fcron"/> and completed the section on
+    periodic jobs, execute</phrase><phrase revision="systemd">Execute</phrase>
+    the following commands, as the
+    <systemitem class="username">root</systemitem> user, to
+    <phrase revision="sysv">create a weekly cron job:</phrase>
+    <phrase revision="systemd">enable the systemd timer:</phrase>
+    </para>
+
+<screen role="root" revision="sysv"><userinput>cat &gt; /etc/cron.weekly/update-pki.sh &lt;&lt; "EOF" &amp;&amp;
+<literal>#!/bin/bash
+/usr/sbin/make-ca -g</literal>
+EOF
+chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>
+
+<screen role="root" revision="systemd"><userinput>systemctl enable update-pki.timer</userinput></screen>
 
   </sect2>

postlfs/security/p11-kit.xml

@@ -98 +98 @@
 <screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
 cat &gt;&gt; trust/trust-extract-compat.in &lt;&lt; "EOF"
-<literal># LFS uses make-ca to manage certificates
-if [ -f /etc/make-ca.conf ]; then
-    . /etc/make-ca.conf
-else
-    #Use defaults if make-ca.conf does not exist
-    ANCHORDIR="/etc/pki/anchors"
-    ANCHORLIST="/etc/pki/anchors.txt"
-    LOCALDIR="/etc/ssl/local"
-    CERTLIST=""
-fi
-
-# Create a list of certificates not present at previous run
-for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
-    /bin/grep "${ca}" "${ANCHORLIST}" 2>&amp;1>/dev/null || CERTLIST="${CERTLIST} ${ca}"
-done
-
-# Dump to a temporary directory
-TEMPDIR=`mktemp -d`
-/usr/bin/trust extract --filter=certificates --format=openssl-directory --overwrite \
-    "${TEMPDIR}"
-
-# Copy new certificates to LOCALDIR
-for certificate in `echo "${CERTLIST}"` ; do
-    LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
-    LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
-    cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
-    unset LABEL LABELNEW
-done
-
-# Clean up
-rm -rf "${TEMPDIR}"
-unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
+<literal># Copy existing anchor modifications to /etc/ssl/local
+/usr/libexec/make-ca/copy-trust-modifications
 
 # Generate a new trust store
-/usr/sbin/make-ca -f</literal>
+/usr/sbin/make-ca -f -g</literal>
 EOF</userinput></screen>