Merge pull request #1285 from marineam/certs

ca-certificates updates

sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest

@@ -1 +1 @@
-DIST nss-3.16.tar.gz 6378110 SHA256 2bb4faa200962caacf0454f1e870e74aa9a543809e5c440f7978bcce58e0bfe8 SHA512 e3dcde8213f7f131fe2f714ff2f45c6d7b9b2167e51dbf0e1a750cc4f83d9fa35e69408850de6600f55fbc9e26b29dc344548cb64849d6e3252476eadd7ee57f WHIRLPOOL d30b53ec36cacff9756b43780d904e32760cd5d0b75f1888b6fb80e0a87ce828f4e6189de63880ddce90bdf5d90123ff7e9fdf600f4df02ce59702898f08c11e
+DIST nss-3.19.1.tar.gz 6953537 SHA256 b7be709551ec13206d8e3e8c065b894fa981c11573115e9478fa051029c52fff SHA512 8938fff8d819f5a223f99b3ee55734b624609dd87d9035c3bb4ca22db707da709f43d6e56610860ff99e4d2271405ad0efb762ba3f6d9e6cd586415e31412107 WHIRLPOOL d5ba4abaa29c28c19f18314427c581b1356ab4edaeb818433000dd63281340de7db5cf98700c80d781cb26e6989b222113e927eb2e890592ae8691fe8dcb4eb9

sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.19.1.ebuild

@@ -26,40 +26,62 @@ RDEPEND="dev-libs/openssl
 DEPEND="${RDEPEND}
 	${PYTHON_DEPS}"
 
-sym_to_usr() {
-	local l="/etc/ssl/certs/${1##*/}"
-	local p="../../../usr/share/${PN}/${1}"
-	echo "L	${l}	-	-	-	-	${p}"
+pkg_setup() {
+	python-any-r1_pkg_setup
+
+	# Deal with the case where older ca-certificates installed a
+	# dir here, but newer one installs symlinks.  Portage will
+	# barf when you try to transition file types.
+	# This trick is stolen from sys-libs/timezone-data
+	if cd "${EROOT}"/usr/share/${PN} 2>/dev/null ; then
+		# In case of a failed upgrade, clean up the symlinks #506570
+		if [ -L .gentoo-upgrade ] ; then
+			rm -rf mozilla .gentoo-upgrade
+		fi
+		if [ -d mozilla ] ; then
+			rm -rf .gentoo-upgrade #487192
+			mv mozilla .gentoo-upgrade || die
+			ln -s .gentoo-upgrade mozilla || die
+		fi
+	fi
+}
+
+gen_hash_links() {
+	local certfile certhash
+	for certfile in "$@"; do
+		certhash=$(openssl x509 -hash -noout -in "${certfile}") || die
+		# This assumes the hashes have no collisions
+		ln -s "${certfile}" "${certhash}.0" || die
+	done
 }
 
 gen_tmpfiles() {
 	local certfile
 	echo "d	/etc/ssl		-	-	-	-	-"
 	echo "d	/etc/ssl/certs	-	-	-	-	-"
-	sym_to_usr ca-certificates.crt
 	for certfile in "$@"; do
-		sym_to_usr "${certfile}"
-	done
-	for certfile in "$@"; do
-		local certhash=$(openssl x509 -hash -noout -in "${certfile}")
-		# This assumes the hashes have no collisions
-		local l="/etc/ssl/certs/${certhash}.0"
-		local p="${certfile##*/}"
+		local l="/etc/ssl/certs/${certfile}"
+		local p="../../../usr/share/${PN}/${certfile}"
 		echo "L	${l}	-	-	-	-	${p}"
 	done
 }
 
 src_compile() {
 	local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
-	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
-	cat mozilla/*.pem > ca-certificates.crt || die
-	gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die
+
+	cd certs || die
+	gen_hash_links *.pem
+	cat *.pem > ca-certificates.crt || die
+	gen_tmpfiles * > "${S}/${PN}.conf" || die
 }
 
 src_install() {
 	insinto /usr/share/${PN}
-	doins ca-certificates.crt
-	doins -r mozilla
+	doins certs/*
+
+	# for compatibility with older directory structure
+	dosym . /usr/share/${PN}/mozilla
 
 	dosbin "${FILESDIR}/update-ca-certificates"
 	systemd_dounit "${FILESDIR}/clean-ca-certificates.service"
@@ -72,3 +94,7 @@ src_install() {
 	dodir /etc/ssl/certs
 	systemd-tmpfiles --root="${D}" --create
 }
+
+pkg_postinst() {
+	rm -rf "${EROOT}"/usr/share/${PN}/.gentoo-upgrade
+}