robbat2     15/06/06 04:53:27

  Modified:             ChangeLog
  Added:                dnssec-root-20150403.ebuild
  Log:
  Bump, some of the certificate bundles used in src_test have changed; also 
document where the magic dates came from, and why they are hardcoded. Allow 
mirroring, improve readability.
  
  (Portage version: 2.2.20/cvs/Linux x86_64, unsigned Manifest commit)

Revision  Changes    Path
1.20                 net-dns/dnssec-root/ChangeLog

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/dnssec-root/ChangeLog?rev=1.20&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/dnssec-root/ChangeLog?rev=1.20&content-type=text/plain
diff : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/dnssec-root/ChangeLog?r1=1.19&r2=1.20

Index: ChangeLog
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-dns/dnssec-root/ChangeLog,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- ChangeLog   15 May 2015 11:57:03 -0000      1.19
+++ ChangeLog   6 Jun 2015 04:53:27 -0000       1.20
@@ -1,6 +1,14 @@
 # ChangeLog for net-dns/dnssec-root
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-dns/dnssec-root/ChangeLog,v 1.19 
2015/05/15 11:57:03 pacho Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-dns/dnssec-root/ChangeLog,v 1.20 
2015/06/06 04:53:27 robbat2 Exp $
+
+*dnssec-root-20150403 (06 Jun 2015)
+
+  06 Jun 2015; Robin H. Johnson <[email protected]>
+  +dnssec-root-20150403.ebuild:
+  Bump, some of the certificate bundles used in src_test have changed; also
+  document where the magic dates came from, and why they are hardcoded. Allow
+  mirroring, improve readability.
 
   15 May 2015; Pacho Ramos <[email protected]> dnssec-root-20110630.ebuild:
   ppc/ppc64 stable, bug #532000



1.1                  net-dns/dnssec-root/dnssec-root-20150403.ebuild

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/dnssec-root/dnssec-root-20150403.ebuild?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/dnssec-root/dnssec-root-20150403.ebuild?rev=1.1&content-type=text/plain

Index: dnssec-root-20150403.ebuild
===================================================================
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-dns/dnssec-root/dnssec-root-20150403.ebuild,v 1.1 2015/06/06 04:53:27 robbat2 Exp ${DATE_ISSUE2}.ebuild,v 1.16 2015/05/15 11:57:03 pacho Exp $

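EAPI=5

DESCRIPTION="The DNSSEC root key(s)"
HOMEPAGE="https://www.iana.org/dnssec/"

# Upstream publishes every file under a fixed, unversioned name. The dates
# below are hardcoded so each download is stored under a dated local name
# (see the "->" renames in SRC_URI).
DATE_ISSUE1=20100715 # Original root-anchor creation date
DATE_ISSUE2=20110715 # ICANN PGP key updated
DATE_ISSUE3=20150504 # Subordinate CAs updated

# Full fingerprint of the ICANN signing key. src_test compares the key it
# imports from the downloaded icann.pgp against this pinned value, because the
# key is fetched from the same site as the data it signs.
ICANN_PGP_FINGERPRINT='2FBB91BCAAEE0ABE1F8031C7D1AFBCE00F6C91D2'

# The naming of the files really needs some improvement upstream:
# root-anchors.p7s, despite its name, is mostly the same data as
# icannbundle.pem
#
# Every URI below is plain HTTP, so transport gives no integrity protection.
# What gets installed is therefore only as trustworthy as the digests recorded
# in the Manifest for these distfile names, plus the signature checks in
# src_test when tests are enabled.
# NOTE(review): the commit log says this was an unsigned Manifest commit -
# confirm the digests were generated from files checked against ICANN's
# published fingerprint.
SRC_URI="
	http://data.iana.org/root-anchors/root-anchors.xml -> root-anchors-${DATE_ISSUE1}.xml
	http://data.iana.org/root-anchors/Kjqmt7v.csr -> Kjqmt7v-${DATE_ISSUE1}.csr
	test? (
		http://data.iana.org/root-anchors/Kjqmt7v.crt -> Kjqmt7v-${DATE_ISSUE3}.crt
		http://data.iana.org/root-anchors/root-anchors.p7s -> root-anchors-${DATE_ISSUE3}.p7s
		http://data.iana.org/root-anchors/root-anchors.asc -> root-anchors-${DATE_ISSUE1}.asc
		http://data.iana.org/root-anchors/icannbundle.pem -> icannbundle-${DATE_ISSUE3}.pem
		http://data.iana.org/root-anchors/icann.pgp -> icann-${DATE_ISSUE2}.pgp
	)"

LICENSE="public-domain"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x64-macos"
IUSE="test"

RDEPEND=""
# libxslt provides xsltproc for src_compile; gnupg and openssl are only needed
# for the signature checks in src_test.
DEPEND="dev-libs/libxslt
	test? (
		app-crypt/gnupg
		dev-libs/openssl
	)"

# Nothing is unpacked, so the work directory itself is the source directory.
S="${WORKDIR}"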

# xsl and checking as per:
# http://permalink.gmane.org/gmane.network.dns.unbound.user/1039

src_unpack() {
	# Deliberately a no-op: the other phases read the downloaded files
	# straight from ${DISTDIR}, so nothing is copied or extracted here.
	return
}

src_prepare() {
	# Deliberately a no-op: this phase neither patches nor prepares anything.
	return
}

src_compile() {
	# Run the anchors2ds.xsl stylesheet from FILESDIR over the downloaded
	# root-anchors XML. The result is written to the current directory as
	# root-anchors-${DATE_ISSUE1}.txt; the build dies if xsltproc fails.
	local stylesheet="${FILESDIR}/anchors2ds.xsl"
	local anchors_xml="${DISTDIR}/root-anchors-${DATE_ISSUE1}.xml"
	local anchors_txt="root-anchors-${DATE_ISSUE1}.txt"

	if ! xsltproc -o "${anchors_txt}" "${stylesheet}" "${anchors_xml}"; then
		die 'xsl translation failed'
	fi
}

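src_test() {
	# Verify the downloaded root anchors two independent ways: the detached
	# OpenPGP signature (root-anchors.asc) and the S/MIME signature
	# (root-anchors.p7s). Any failed step aborts the build via die.
	#
	# This phase only runs when tests are enabled; otherwise the installed
	# files are covered by the Manifest digests alone.

	# Use a private, initially empty keyring under ${T}. Otherwise keys already
	# present in the default keyring could satisfy the checks below.
	local GNUPGHOME="${T}/gnupg"
	export GNUPGHOME
	mkdir -p -m 0700 "${GNUPGHOME}" || die 'GnuPG home setup failed'

	# This is a terrible catch-22 of security, since we get the ICANN key from
	# the same site as the data it signs! The fingerprint is therefore pinned
	# in the ebuild instead of trusting whatever key the site serves.
	gpg --import "${DISTDIR}"/icann-${DATE_ISSUE2}.pgp \
		|| die 'ICANN key import failed'
	gpg --fingerprint --with-colons --list-keys \
		| grep '^fpr:' | grep -F ":${ICANN_PGP_FINGERPRINT}:" \
		|| die "ICANN key fingerprint mismatch!"

	# Disabled alternative kept from the original: import a copy of the key
	# shipped in FILESDIR instead of the one fetched from IANA.
	# NOTE(review): the filename suggests a 1024-bit DSA key (1024D), which is
	# weak by current standards. Treat the PGP check as one of two checks, not
	# as sufficient on its own.
	#gpg --import \
	#	"${FILESDIR}"/dnssec_at_iana.org_1024D_0F6C91D2-20120522.asc || die

	# gpg --verify succeeds for a good signature from ANY key in the keyring,
	# and the imported file may carry more than one key. The fingerprint check
	# above only proves the pinned key is present, so also require that the
	# signature was made by the pinned key (VALIDSIG status line).
	local gpg_status
	gpg_status=$(gpg --status-fd 1 --verify \
		"${DISTDIR}"/root-anchors-${DATE_ISSUE1}.asc \
		"${DISTDIR}"/root-anchors-${DATE_ISSUE1}.xml) \
		|| die "GPG verify failed"
	printf '%s\n' "${gpg_status}" \
		| grep '^\[GNUPG:\] VALIDSIG ' \
		| grep -qwF "${ICANN_PGP_FINGERPRINT}" \
		|| die "GPG signature was not made by the pinned ICANN key"

	# The S/MIME check proves only that the signer chains to a CA in
	# icannbundle.pem; it does not pin which certificate signed.
	# NOTE(review): confirm whether this openssl version also consults the
	# system default CA directory when only -CAfile is given.
	openssl smime -verify \
		-content "${DISTDIR}"/root-anchors-${DATE_ISSUE1}.xml \
		-in "${DISTDIR}"/root-anchors-${DATE_ISSUE3}.p7s -inform der \
		-CAfile "${DISTDIR}"/icannbundle-${DATE_ISSUE3}.pem \
		|| die "OpenSSL smime verify failed"
}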

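src_install() {
	# Install the root anchors under /etc/dnssec with their upstream,
	# undated names: the .txt generated by src_compile in the work directory,
	# and the XML and CSR exactly as downloaded into ${DISTDIR}.
	# Nothing in this phase verifies these files. The signature checks live in
	# src_test, so without tests the installed anchors are only as trustworthy
	# as the distfile digests.
	insinto /etc/dnssec
	newins root-anchors-${DATE_ISSUE1}.txt root-anchors.txt
	newins "${DISTDIR}"/root-anchors-${DATE_ISSUE1}.xml root-anchors.xml
	# What actually uses the DER-format certificate request out of the box?
	# Wouldn't icannbundle.pem or Kjqmt7v.crt (converted to PEM format) be
	# more useful?
	newins "${DISTDIR}"/Kjqmt7v-${DATE_ISSUE1}.csr Kjqmt7v.csr
}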



