component/ca-certificates: version up 20230311

A similar patches as ca-certificates-sbin-dir was applied upstream as 4f0d3ec7aa4ebc91793245ed66c0e24d7150782b , the rest of our patch was to use mkdir -p instead of mkdir, we keep this part in ca-certificates-mkdir-p.patch This introduces a new patch to not depend on cryptography, which is used only to print a warning on the console when an expired certificate is used.

component/ca-certificates: version up 20230311
A similar patches as ca-certificates-sbin-dir was applied upstream as 4f0d3ec7aa4ebc91793245ed66c0e24d7150782b , the rest of our patch was to use mkdir -p instead of mkdir, we keep this part in ca-certificates-mkdir-p.patch This introduces a new patch to not depend on cryptography, which is used only to print a warning on the console when an expired certificate is used.
5f05b413 · Jérome Perrin · 24f5a96c · 5f05b413 · 5f05b413 · 5f05b413
Commit 5f05b413 authored Oct 02, 2023 by Jérome Perrin
3 changed files
--- a/component/ca-certificates/buildout.cfg
+++ b/component/ca-certificates/buildout.cfg
@@ -12,12 +12,13 @@ parts =
 [ca-certificates]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20210119.tar.xz
-md5sum = c02582bf9ae338e558617291897615eb
+url = https://deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20230311.tar.xz
+md5sum = fc1c3ec0067385f0be8ac7f6e670a0f8
 patch-binary = ${patch:location}/bin/patch
 patches =
  ${:_profile_base_location_}/ca-certificates-any-python.patch#c13b44dfc3157dda13a9a2ff97a9d501
-  ${:_profile_base_location_}/ca-certificates-sbin-dir.patch#0b4e7d82ce768823c01954ee41ef177b
+  ${:_profile_base_location_}/ca-certificates-mkdir-p.patch#02ed8a6d60c39c4b088657888af345ef
+  ${:_profile_base_location_}/ca-certificates-no-cryptography.patch#14ad1308623b0d15420906ae3d9b4867
 patch-options = -p0
 configure-command = true
 make-targets = install DESTDIR=@@LOCATION@@ CERTSDIR=certs SBINDIR=sbin

--- a/component/ca-certificates/ca-certificates-sbin-dir.patch
+++ b/component/ca-certificates/ca-certificates-sbin-dir.patch
@@ -9,19 +9,3 @@
 	  $(MAKE) -C $$dir install CERTSDIR=$(DESTDIR)/$(CERTSDIR)/$$dir; \
 	done
 	for dir in sbin; do \
--- sbin/Makefile.orig	2011-12-11 20:54:02.000000000 +0100
-+++ sbin/Makefile	2012-01-09 17:31:45.207387898 +0100
-@@ -3,9 +3,12 @@
- #
- #
- 
-+SBINDIR=/usr/sbin
-+
- all:
- 
- clean:
- 
- install:
-	install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+	mkdir -p $(DESTDIR)/$(SBINDIR)
-+	install -m755 update-ca-certificates $(DESTDIR)/$(SBINDIR)
--- a/component/ca-certificates/ca-certificates-no-cryptography.patch
+++ b/component/ca-certificates/ca-certificates-no-cryptography.patch
+Don't depend on cryptography
+
+Revert https://salsa.debian.org/debian/ca-certificates/-/commit/8033d52259172b4bddc0f8bbcb6f6566b348db72 
+we don't need this here.
+
+--- mozilla/certdata2pem.py	2023-01-14 22:58:27.000000000 +0900
+++ mozilla/certdata2pem.py	2023-10-02 22:13:31.355540545 +0900
+@@ -21,15 +21,12 @@
+ # USA.
+ 
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+ 
+-from cryptography import x509
+-
+ 
+ objects = []
+ 
+@@ -122,12 +119,6 @@
+         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+             continue
+ 
+-        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+-        if cert.not_valid_after < datetime.datetime.utcnow():
+-            print('!'*74)
+-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-            print('!'*74)
+-
+         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                       .replace(' ', '_')\
+                                       .replace('(', '=')\