security/ca_root_nss: Restore the ETC_SYMLINK.

It turns out that some ports have an undisclosed dependency on the symlink and cannot be trivially changed to use the system trust store instead. Amend the package message to make it clear that software which relies on this symlink is not following recommended practice. I will look into getting certctl(8) to provide cert.pem instead, but it may take a while until we can rely on this being in place on all supported releases. This partly reverts commit 483e74f44b. PR: 274322 MFH: 2023Q4 Reviewed by: fluffy Differential Revision: https://reviews.freebsd.org/D42120
2023-10-08 06:36:54 +02:00 · 2023-10-08 06:36:54 +02:00 · 52e0c40367
parent ad1735c56b
commit 52e0c40367
3 changed files with 27 additions and 3 deletions
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
@ -17,8 +17,14 @@ USE_PERL5=	build
 NO_ARCH=	yes
 WRKSRC_SUBDIR=	nss

+OPTIONS_DEFINE=		ETCSYMLINK
+OPTIONS_DEFAULT=	ETCSYMLINK
+
 OPTIONS_SUB=		yes

+ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
+ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*
+
 CERTDIR?=	share/certs
 PLIST_SUB+=	CERTDIR=${CERTDIR}

@ -43,4 +49,8 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
 	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample

+do-install-ETCSYMLINK-on:
+	${MKDIR} ${STAGEDIR}/etc/ssl
+	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
+
 .include <bsd.port.mk>
--- a/security/ca_root_nss/files/pkg-message.in
+++ b/security/ca_root_nss/files/pkg-message.in
@ -5,8 +5,19 @@ FreeBSD does not, and can not warrant that the certification authorities
 whose certificates are included in this package have in any way been
 audited for trustworthiness or RFC 3647 compliance.

-Assessment and verification of trust is the complete responsibility of the
-system administrator.
+Assessment and verification of trust is the complete responsibility of
+the system administrator.
+
+This package installs symlinks to support root certificate discovery
+for software that either uses other cryptographic libraries than
+OpenSSL, or use OpenSSL but do not follow recommended practice.
+
+If you prefer to do this manually, replace the following symlinks with
+either an empty file or your site-local certificate bundle.
+
+  * /etc/ssl/cert.pem
+  * %%PREFIX%%/etc/ssl/cert.pem
+  * %%PREFIX%%/openssl/cert.pem
 EOM
 }
 ]
--- a/security/ca_root_nss/pkg-plist
+++ b/security/ca_root_nss/pkg-plist
@ -1,4 +1,7 @@
 %%CERTDIR%%/ca-root-nss.crt
+@sample etc/ssl/cert.pem.sample
+@sample openssl/cert.pem.sample
+%%ETCSYMLINK%%/etc/ssl/cert.pem
@postexec certctl rehash
@postunexec certctl rehash
@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt