Source: ca-certificates Tags: patch,d-i X-Debbugs-Cc: ma...@debian.org, debian-b...@lists.debian.org
In an effort to make HTTPS usable in the installer (e.g. to fetch preseed, authorized_keys files, or packages), ca-certificates needs to add a udeb with the certificates. The result has to be usable by openssl, which requires that c_rehash has been run on the directory. Unfortunately c_rehash is a Perl script that requires the openssl binary to run, so it's not suitable to run in the installer environment.

Please find attached a patch that a) adds a ca-certificates-udeb package, b) installs all of Mozilla's certificates into /etc/ssl/certs and c) runs c_rehash on the resulting directory during build. I needed to rename dirs, postinst and postrm. Hence there are two patch files for clarity: one in unified format and one in git diff format.

It'd be nice to have this in Stretch. Not having the certificates available blocked inclusion of an HTTPS-capable wget altogether.

Kind regards and thanks for considering the patch
Philipp Kern
diff -Naur ca-certificates-20161102/debian/ca-certificates.dirs ca-certificates-20161102.udebed/debian/ca-certificates.dirs --- ca-certificates-20161102/debian/ca-certificates.dirs 1970-01-01 01:00:00.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/ca-certificates.dirs 2016-11-03 03:15:03.000000000 +0100 @@ -0,0 +1,4 @@ +etc/ssl/certs +usr/sbin +usr/share/ca-certificates/ +etc/ca-certificates/update.d diff -Naur ca-certificates-20161102/debian/ca-certificates.postinst ca-certificates-20161102.udebed/debian/ca-certificates.postinst --- ca-certificates-20161102/debian/ca-certificates.postinst 1970-01-01 01:00:00.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/ca-certificates.postinst 2016-11-03 03:15:03.000000000 +0100 
@@ -0,0 +1,187 @@ +#! /bin/sh +# postinst script for ca-certificates +# +# see: dh_installdeb(1) + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +set -e + +each_value() { + echo "$1" |tr ',' '\n' | sed -e 's/^[[:space:]]*//' +} + +memberp() { + m="$1" + l="$2" + each_value "$l" | grep -q "^$m\$" +} + +delca() { + m="$1" + l="$2" + echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' +} + +case "$1" in + configure) + if [ ! -e /usr/local/share/ca-certificates ]; then + if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then + chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates + fi + # Handle upgrades and allow local admin to override: + # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates + elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then + chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates + chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates + fi + + . 
/usr/share/debconf/confmodule + db_version 2.0 + db_capb multiselect + db_metaget ca-certificates/enable_crts choices + CERTS_AVAILABLE="$RET" + db_get ca-certificates/enable_crts + CERTS_ENABLED="$RET" + # XXX unmark seen for next configuration + db_fset ca-certificates/new_crts seen false + db_stop || true + if test -f /etc/ca-certificates.conf; then + # XXX: while in subshell? + while read line + do + if echo "$line" | grep -q '^#'; then + echo "$line" + else + case "$line" in + !*) ca=$(echo "$line" | sed -e 's/^!//');; + *) ca="$line";; + esac + if memberp "$ca" "$CERTS_ENABLED"; then + echo "$ca" + # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED") + elif memberp "$ca" "$CERTS_AVAILABLE" || + echo "$line" | grep -q '^!'; then + echo "!$ca" + elif [ -f /usr/share/ca-certificates/"$ca" ] || \ + [ -f /usr/local/share/ca-certificates/"$ca" ]; then + echo "$ca" + else + echo "!$ca" + fi + # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE") + fi + done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new + if echo "$CERTS_ENABLED" | egrep -q "^([[:space:]]*,)*[[:space:]]*$"; then + : + else + each_value "$CERTS_ENABLED" | while read ca + do + if grep -q "^$ca" /etc/ca-certificates.conf.dpkg-new; then + : + else + echo "$ca" >> /etc/ca-certificates.conf.dpkg-new + fi + done + fi + each_value "$CERTS_AVAILABLE" | while read ca + do + if memberp "$ca" "$CERTS_ENABLED"; then + : + elif grep -q "^!$ca" /etc/ca-certificates.conf.dpkg-new; then + : + else + echo "!$ca" >> /etc/ca-certificates.conf.dpkg-new + fi + done + if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then + rm -f /etc/ca-certificates.conf.dpkg-new + else + mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old + mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf + fi + else + # new file + cat > /etc/ca-certificates.conf <<EOF +# This file lists certificates that you wish to use or to ignore to be +# installed in /etc/ssl/certs. 
+# update-ca-certificates(8) will update /etc/ssl/certs by reading this file. +# +# This is autogenerated by dpkg-reconfigure ca-certificates. +# Certificates should be installed under /usr/share/ca-certificates +# and files with extension '.crt' is recognized as available certs. +# +# line begins with # is comment. +# line begins with ! is certificate filename to be deselected. +# +EOF + (echo $CERTS_ENABLED | tr ',' '\n'; \ + echo $CERTS_AVAILABLE | tr ',' '\n') | \ + sed -e 's/^[[:space:]]*//' | \ + sort | uniq -c | \ + sed -e 's/^[[:space:]]*2[[:space:]]*//' \ + -e 's/^[[:space:]]*1[[:space:]]*/!/' \ + >> /etc/ca-certificates.conf + fi + # update /etc/ssl/certs without running the hooks + # fix bogus symlink to ca-certificates.crt on upgrades; see + # Debian #643667; drop after wheezy + if dpkg --compare-versions "$2" lt-nl 20111025; then + update-ca-certificates --hooksdir "" --fresh + else + update-ca-certificates --hooksdir "" + fi + # deferred update of /etc/ssl/certs including running the hooks + dpkg-trigger --no-await update-ca-certificates + ;; + + triggered) + for trigger in $2; do + case "$trigger" in + update-ca-certificates) + update-ca-certificates + ;; + update-ca-certificates-fresh) + update-ca-certificates --fresh + ;; + *) + echo "postinst called with unknown trigger \`$2'">&2 + exit 1 + ;; + esac; + done; + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff -Naur ca-certificates-20161102/debian/ca-certificates.postrm ca-certificates-20161102.udebed/debian/ca-certificates.postrm --- ca-certificates-20161102/debian/ca-certificates.postrm 1970-01-01 01:00:00.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/ca-certificates.postrm 2016-11-03 03:15:03.000000000 +0100 
@@ -0,0 +1,65 @@ +#! /bin/sh +# postrm script for ca-certificates +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postrm> `remove' +# * <postrm> `purge' +# * <old-postrm> `upgrade' <new-version> +# * <new-postrm> `failed-upgrade' <old-version> +# * <new-postrm> `abort-install' +# * <new-postrm> `abort-install' <old-version> +# * <new-postrm> `abort-upgrade' <old-version> +# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version> +# for details, see /usr/share/doc/packaging-manual/ + +# Clear the debconf database as early as possible and signal debconf that +# we are done with it. +if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then + . /usr/share/debconf/confmodule + db_purge + db_stop +fi + +remove_dangling_symlinks() { + if ! [ -d /etc/ssl/certs ] + then + return + fi + echo -n "Removing dangling symlinks from /etc/ssl/certs... " + find /etc/ssl/certs -type l -print | while read h + do + test -f "$h" || rm -f "$h" + done + echo "done." +} + +case "$1" in + remove) + remove_dangling_symlinks + rmdir /usr/local/share/ca-certificates 2>/dev/null || true + ;; + + purge) + rm -f /etc/ssl/certs/ca-certificates.crt + remove_dangling_symlinks + rm -f /etc/ca-certificates.conf* + ;; + + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + + diff -Naur ca-certificates-20161102/debian/control ca-certificates-20161102.udebed/debian/control --- ca-certificates-20161102/debian/control 2016-11-03 03:15:03.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/control 2016-11-23 16:01:17.577584088 +0100 
@@ -6,7 +6,7 @@ Thijs Kinkhorst <th...@debian.org>, Christian Perrier <bubu...@debian.org> Build-Depends: debhelper (>= 9), po-debconf -Build-Depends-Indep: python +Build-Depends-Indep: python, openssl Standards-Version: 3.9.8 Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git @@ -29,3 +29,15 @@ have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator. + +Package: ca-certificates-udeb +Package-Type: udeb +Section: debian-installer +Architecture: all +Depends: ${misc:Depends} +Description: Common CA certificates - udeb + Contains the certificate authorities shipped with Mozilla's browser, + all enabled by default. + . + This package is for use in the installer environment only. + Do not install on a normal system. diff -Naur ca-certificates-20161102/debian/dirs ca-certificates-20161102.udebed/debian/dirs --- ca-certificates-20161102/debian/dirs 2016-11-03 03:15:03.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/dirs 1970-01-01 01:00:00.000000000 +0100 @@ -1,4 +0,0 @@ -etc/ssl/certs -usr/sbin -usr/share/ca-certificates/ -etc/ca-certificates/update.d diff -Naur ca-certificates-20161102/debian/postinst ca-certificates-20161102.udebed/debian/postinst --- ca-certificates-20161102/debian/postinst 2016-11-03 03:15:03.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/postinst 1970-01-01 01:00:00.000000000 +0100 
@@ -1,187 +0,0 @@ -#! /bin/sh -# postinst script for ca-certificates -# -# see: dh_installdeb(1) - -# summary of how this script can be called: -# * <postinst> `configure' <most-recently-configured-version> -# * <old-postinst> `abort-upgrade' <new version> -# * <conflictor's-postinst> `abort-remove' `in-favour' <package> -# <new-version> -# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' -# <failed-install-package> <version> `removing' -# <conflicting-package> <version> -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. - -set -e - -each_value() { - echo "$1" |tr ',' '\n' | sed -e 's/^[[:space:]]*//' -} - -memberp() { - m="$1" - l="$2" - each_value "$l" | grep -q "^$m\$" -} - -delca() { - m="$1" - l="$2" - echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' -} - -case "$1" in - configure) - if [ ! -e /usr/local/share/ca-certificates ]; then - if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then - chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates - fi - # Handle upgrades and allow local admin to override: - # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates - elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then - chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates - chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates - fi - - . 
/usr/share/debconf/confmodule - db_version 2.0 - db_capb multiselect - db_metaget ca-certificates/enable_crts choices - CERTS_AVAILABLE="$RET" - db_get ca-certificates/enable_crts - CERTS_ENABLED="$RET" - # XXX unmark seen for next configuration - db_fset ca-certificates/new_crts seen false - db_stop || true - if test -f /etc/ca-certificates.conf; then - # XXX: while in subshell? - while read line - do - if echo "$line" | grep -q '^#'; then - echo "$line" - else - case "$line" in - !*) ca=$(echo "$line" | sed -e 's/^!//');; - *) ca="$line";; - esac - if memberp "$ca" "$CERTS_ENABLED"; then - echo "$ca" - # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED") - elif memberp "$ca" "$CERTS_AVAILABLE" || - echo "$line" | grep -q '^!'; then - echo "!$ca" - elif [ -f /usr/share/ca-certificates/"$ca" ] || \ - [ -f /usr/local/share/ca-certificates/"$ca" ]; then - echo "$ca" - else - echo "!$ca" - fi - # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE") - fi - done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new - if echo "$CERTS_ENABLED" | egrep -q "^([[:space:]]*,)*[[:space:]]*$"; then - : - else - each_value "$CERTS_ENABLED" | while read ca - do - if grep -q "^$ca" /etc/ca-certificates.conf.dpkg-new; then - : - else - echo "$ca" >> /etc/ca-certificates.conf.dpkg-new - fi - done - fi - each_value "$CERTS_AVAILABLE" | while read ca - do - if memberp "$ca" "$CERTS_ENABLED"; then - : - elif grep -q "^!$ca" /etc/ca-certificates.conf.dpkg-new; then - : - else - echo "!$ca" >> /etc/ca-certificates.conf.dpkg-new - fi - done - if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then - rm -f /etc/ca-certificates.conf.dpkg-new - else - mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old - mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf - fi - else - # new file - cat > /etc/ca-certificates.conf <<EOF -# This file lists certificates that you wish to use or to ignore to be -# installed in /etc/ssl/certs. 
-# update-ca-certificates(8) will update /etc/ssl/certs by reading this file. -# -# This is autogenerated by dpkg-reconfigure ca-certificates. -# Certificates should be installed under /usr/share/ca-certificates -# and files with extension '.crt' is recognized as available certs. -# -# line begins with # is comment. -# line begins with ! is certificate filename to be deselected. -# -EOF - (echo $CERTS_ENABLED | tr ',' '\n'; \ - echo $CERTS_AVAILABLE | tr ',' '\n') | \ - sed -e 's/^[[:space:]]*//' | \ - sort | uniq -c | \ - sed -e 's/^[[:space:]]*2[[:space:]]*//' \ - -e 's/^[[:space:]]*1[[:space:]]*/!/' \ - >> /etc/ca-certificates.conf - fi - # update /etc/ssl/certs without running the hooks - # fix bogus symlink to ca-certificates.crt on upgrades; see - # Debian #643667; drop after wheezy - if dpkg --compare-versions "$2" lt-nl 20111025; then - update-ca-certificates --hooksdir "" --fresh - else - update-ca-certificates --hooksdir "" - fi - # deferred update of /etc/ssl/certs including running the hooks - dpkg-trigger --no-await update-ca-certificates - ;; - - triggered) - for trigger in $2; do - case "$trigger" in - update-ca-certificates) - update-ca-certificates - ;; - update-ca-certificates-fresh) - update-ca-certificates --fresh - ;; - *) - echo "postinst called with unknown trigger \`$2'">&2 - exit 1 - ;; - esac; - done; - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff -Naur ca-certificates-20161102/debian/postrm ca-certificates-20161102.udebed/debian/postrm --- ca-certificates-20161102/debian/postrm 2016-11-03 03:15:03.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/postrm 1970-01-01 01:00:00.000000000 +0100 
@@ -1,65 +0,0 @@ -#! /bin/sh -# postrm script for ca-certificates -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * <postrm> `remove' -# * <postrm> `purge' -# * <old-postrm> `upgrade' <new-version> -# * <new-postrm> `failed-upgrade' <old-version> -# * <new-postrm> `abort-install' -# * <new-postrm> `abort-install' <old-version> -# * <new-postrm> `abort-upgrade' <old-version> -# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version> -# for details, see /usr/share/doc/packaging-manual/ - -# Clear the debconf database as early as possible and signal debconf that -# we are done with it. -if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then - . /usr/share/debconf/confmodule - db_purge - db_stop -fi - -remove_dangling_symlinks() { - if ! [ -d /etc/ssl/certs ] - then - return - fi - echo -n "Removing dangling symlinks from /etc/ssl/certs... " - find /etc/ssl/certs -type l -print | while read h - do - test -f "$h" || rm -f "$h" - done - echo "done." -} - -case "$1" in - remove) - remove_dangling_symlinks - rmdir /usr/local/share/ca-certificates 2>/dev/null || true - ;; - - purge) - rm -f /etc/ssl/certs/ca-certificates.crt - remove_dangling_symlinks - rm -f /etc/ca-certificates.conf* - ;; - - upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - - diff -Naur ca-certificates-20161102/debian/rules ca-certificates-20161102.udebed/debian/rules --- ca-certificates-20161102/debian/rules 2016-11-03 03:15:03.000000000 +0100 +++ ca-certificates-20161102.udebed/debian/rules 2016-11-23 16:04:28.969254361 +0100 
@@ -56,6 +56,11 @@ cd $(CURDIR)/debian; \ sed -e "s|#INITIAL_CERTS#|$$crts|" \ config.in > config) + # udeb handling + install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" + (cd mozilla; \ + $(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs") + c_rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" # Build architecture-independent files here. binary-indep: build install
diff --git a/debian/dirs b/debian/ca-certificates.dirs similarity index 100% rename from debian/dirs rename to debian/ca-certificates.dirs diff --git a/debian/postinst b/debian/ca-certificates.postinst similarity index 100% rename from debian/postinst rename to debian/ca-certificates.postinst diff --git a/debian/postrm b/debian/ca-certificates.postrm similarity index 100% rename from debian/postrm rename to debian/ca-certificates.postrm diff --git a/debian/control b/debian/control index 86ad83c..4d0ec1f 100644 --- a/debian/control +++ b/debian/control @@ -6,7 +6,7 @@ Uploaders: Raphael Geissert <geiss...@debian.org>, Thijs Kinkhorst <th...@debian.org>, Christian Perrier <bubu...@debian.org> Build-Depends: debhelper (>= 9), po-debconf -Build-Depends-Indep: python +Build-Depends-Indep: python, openssl Standards-Version: 3.9.8 Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git @@ -29,3 +29,15 @@ Description: Common CA certificates have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator. + +Package: ca-certificates-udeb +Package-Type: udeb +Section: debian-installer +Architecture: all +Depends: ${misc:Depends} +Description: Common CA certificates - udeb + Contains the certificate authorities shipped with Mozilla's browser, + all enabled by default. + . + This package is for use in the installer environment only. + Do not install on a normal system. diff --git a/debian/rules b/debian/rules index fd4632b..18a60b8 100755 --- a/debian/rules +++ b/debian/rules 
@@ -56,6 +56,11 @@ install: build cd $(CURDIR)/debian; \ sed -e "s|#INITIAL_CERTS#|$$crts|" \ config.in > config) + # udeb handling + install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" + (cd mozilla; \ + $(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs") + c_rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" # Build architecture-independent files here. binary-indep: build install
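Review bot: the debian/control hunk adding `Build-Depends-Indep: python, openssl` ties the hash links to whichever OpenSSL happens to be installed at build time, and the link names c_rehash writes depend on the hashing OpenSSL version (the subject hash scheme changed between 0.9.8 and 1.0.0), so a comment or changelog entry should state that the build-time openssl must match the hash scheme of the openssl consuming the udeb in the installer; otherwise the directory is present but nothing in it is found. The `all enabled by default` wording in the new Description is also worth expanding: the udeb has no /etc/ca-certificates.conf and no debconf question, so unlike the regular package there is no way to deselect a CA in the installer.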
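Review bot: the `c_rehash -v` line in the `install:` target of debian/rules should be followed by a check that every link it created is relative (c_rehash links `<hash>.N` to the certificate's basename, so anything resolving under `$(CURDIR)` would dangle once installed); a `find` over the udeb's etc/ssl/certs for symlinks with an absolute target that fails the build would catch a regression here. The `# udeb handling` comment should also say that the links are generated only at build time, since after the rename the udeb has no postinst and nothing in the installer can regenerate them.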
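Review bot: the unified-format patch shows debian/dirs, debian/postinst and debian/postrm as complete deletions plus byte-identical re-additions under the ca-certificates.* names, which obscures that the maintainer scripts did not change; the git-format patch's `similarity index 100%` rename entries make that explicit, so the git version is the one to apply and review. The rename means the ca-certificates-udeb package gets no postinst or postrm at all; a changelog line saying so would stop a later postinst change from being expected to affect the udeb.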
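The report's central point is that OpenSSL only finds a CA in a CApath directory through the `<hash>.N` symlinks c_rehash creates, and that c_rehash cannot run in the installer because it shells out to the openssl binary. The following is an added example, not code from the bug report or from the ca-certificates package: it re-implements the subject hash that names those links (SHA-1 over OpenSSL's canonical encoding of the subject Name, first four bytes read little-endian) using only the Python standard library, so a build or test step can verify a hashed directory without openssl. The minimal DER parser (definite lengths only), the Latin-1 treatment of T61String, the `build_name` sample constructor and the sample subject are assumptions made for the example.

```python
"""Added example (not from the bug report or the ca-certificates package): OpenSSL's
subject_hash, the 8-hex-digit link name c_rehash gives each certificate in a CApath
directory, re-implemented with the standard library so it runs without an openssl
binary.  Assumptions: definite-length DER only; T61String decoded as Latin-1."""
import hashlib
import re

# ASN.1 string tags OpenSSL canonicalises before hashing (its ASN1_MASK_CANON set):
# UTF8String, PrintableString, T61String, IA5String, VisibleString, UniversalString, BMPString.
_STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii",
                  0x1A: "ascii", 0x1C: "utf-32-be", 0x1E: "utf-16-be"}

# DER-encoded OIDs (2.5.4.6, 2.5.4.10, 2.5.4.3) for the constructed sample below.
OID_COUNTRY = bytes.fromhex("0603550406")
OID_ORG = bytes.fromhex("060355040a")
OID_CN = bytes.fromhex("0603550403")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        out.append((tag, inner))
    return out

def der_encode(tag, content):
    """Encode one DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _canon_value(tag, raw):
    """OpenSSL's asn1_string_canon: string types become UTF8String, ASCII-lowercased,
    outer whitespace dropped and inner whitespace runs collapsed to one space."""
    if tag not in _STRING_CODECS:
        return der_encode(tag, raw)  # non-string values are hashed unchanged
    text = re.sub(r"[ \t\n\r\f\v]+", " ", raw.decode(_STRING_CODECS[tag])).strip(" ")
    text = "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in text)
    return der_encode(0x0C, text.encode("utf-8"))

def canonical_name(name_content):
    """Canonical Name encoding: the RDN SETs (sorted as DER SET OF) with the outer
    SEQUENCE header omitted, which is exactly what OpenSSL feeds to SHA-1."""
    out = b""
    for set_tag, rdn in _children(name_content):
        if set_tag != 0x31:
            raise ValueError("RDN is not a SET")
        attrs = []
        for _, attr in _children(rdn):  # each attribute: SEQUENCE { OID, value }
            oid_tag, oid, pos = _read_tlv(attr, 0)
            val_tag, val, _ = _read_tlv(attr, pos)
            attrs.append(der_encode(0x30, der_encode(oid_tag, oid) + _canon_value(val_tag, val)))
        attrs.sort()  # DER SET OF ordering: by encoded octets
        out += der_encode(0x31, b"".join(attrs))
    return out

def subject_hash(name_content):
    """First four bytes of SHA-1(canonical name), read little-endian, as 8 hex digits.
    Cross-check against `openssl x509 -noout -subject_hash` where openssl is available."""
    digest = hashlib.sha1(canonical_name(name_content)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def subject_from_cert(der):
    """Return the subject Name content of a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(der, 0)  # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)  # TBSCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[4][1]  # serialNumber, signature, issuer, validity, subject

def build_name(*rdns):
    """Construct Name content for a sample; each RDN is a list of (oid_der, tag, text).
    Sample text is ASCII, so UTF-8 is a valid encoding for every string tag used here."""
    return b"".join(der_encode(0x31, b"".join(
        der_encode(0x30, oid + der_encode(tag, text.encode("utf-8"))) for oid, tag, text in rdn))
        for rdn in rdns)

if __name__ == "__main__":
    # Constructed sample subject: C=XX, O=Example Trust Co., CN=Example Root CA
    sample = build_name([(OID_COUNTRY, 0x13, "XX")], [(OID_ORG, 0x13, "Example Trust Co.")],
                        [(OID_CN, 0x13, "Example Root CA")])
    print(subject_hash(sample) + ".0")  # the link name c_rehash would create first
```

To audit a directory shipped in the udeb, read each certificate's DER, pass it through `subject_from_cert` and `subject_hash`, and check that a `<hash>.N` link pointing at that file exists; the canonicalisation step is why two certificates whose subjects differ only in case or spacing collide on the same hash and get consecutive `.N` suffixes.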