
live-bootstrap

Mirror of <https://github.com/fosslinux/live-bootstrap>
commit: 514190c4c257e1aaeebdc7e1439fda17a37fc14b
parent c0ea746ae534be8b07b32c353b59346c6beb1026
Author: Andrius Štikonas <andrius@stikonas.eu>
Date:   Sun, 19 Mar 2023 00:18:29 +0000

Merge pull request #269 from eduardosm/timeless-mk-ca-bundle

Patch mk-ca-bundle to make ca-certificates reproducible regardless of current date

Diffstat:

Msysa/SHA256SUMS.pkgs4++--
Asysa/curl-7.83.0/patches/timeless-mk-ca-bundle.patch56++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dsysc/ca-certificates-3.86/sources1-
Rsysc/ca-certificates-3.86/ca-certificates-3.86.sh -> sysc/ca-certificates-3.88.1/ca-certificates-3.88.1.sh0
Asysc/ca-certificates-3.88.1/sources1+
Msysc/run2.sh2+-
6 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/sysa/SHA256SUMS.pkgs b/sysa/SHA256SUMS.pkgs
@@ -31,11 +31,11 @@ b2e45aec68221e6874ea8aa7d5b6a0aab7879a3dbee493536e034b246a884b05 bison-3.4.1_0.
 6a6111b1e8ca906406482053cf0af8c9dea46dc55e4bac9662c8fe47f94221cb bison-3.4.1_2.tar.bz2
 e38ed21c4b4fa514e9a64d2b84bad72f3d242568183b6b84a6a2d0e8c49d0af2 bison-3.4.2_0.tar.bz2
 c6369fcf4ba1fae200a4a67f110563a11d6c51fa8ca80792dbc4630e3dba6f4d bzip2-1.0.8_0.tar.bz2
-47ae56c19754ecab991aaa7ec5f68f294c6ddcad4e73253935fbaf10df42ee9b ca-certificates-3.86_0.tar.bz2
+c511d571d24675a141258e0e198c5ed1bcfd4889ddd736ff8e25c0d97b44e2cf ca-certificates-3.88.1_0.tar.bz2
 0d02d37d02d6def11b5f12eab5d97f47dc1e4abd53627deb2d99994e1ab9c6a8 coreutils-5.0_0.tar.bz2
 27d0d3e84794f080f01c7c22547a308d1d781d8ce85d5b3f682c379f17bbeb47 coreutils-6.10_0.tar.bz2
 e41aba2caa7514704731d3b7a49f63ff8ffb2d22a64f14afdbaadbd0b24073f0 coreutils-8.32_0.tar.bz2
-b72e6a7b2ec147e2892322b1f0dcefc20f00f6ce0b5e1cee8d75192598fc67ce curl-7.83.0_0.tar.bz2
+ea4b7a5bc7b152731d2d17f355725f8b683341803e89044a78be73a140fe64db curl-7.83.0_0.tar.bz2
 c16709184a6ec2312746242379065f71fcbd7165749c9d58a9b0846f4bfc5dc0 curl-7.83.0_1.tar.bz2
 0b832d3efef962c10b61559052373267e9c85bbff37572b736a6996823e2d5b2 dhcpcd-9.4.1_0.tar.bz2
 f1a17f3d1c65140a6d3043ecb710e5fffe9c019cb3d2eaa982be03706876e534 diffutils-2.7_0.tar.bz2
diff --git a/sysa/curl-7.83.0/patches/timeless-mk-ca-bundle.patch b/sysa/curl-7.83.0/patches/timeless-mk-ca-bundle.patch
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2023 Eduardo Sánchez Muñoz <eduardosm-dev@e64.io>
+#
+# SPDX-License-Identifier: curl
+
+Disables checking current date in mk-ca-bundle script, so it produces
+reproducible bundles.
+
+diff -ru scripts/mk-ca-bundle.pl scripts/mk-ca-bundle.pl
+--- scripts/mk-ca-bundle.pl
++++ scripts/mk-ca-bundle.pl
+@@ -497,19 +497,7 @@
+ if($main_block) {
+ push @precert, $_ if not /^#$/;
+ if(/^# Not Valid After : (.*)/) {
+- my $stamp = $1;
+- use Time::Piece;
+- # Not Valid After : Thu Sep 30 14:01:15 2021
+- my $t = Time::Piece->strptime($stamp, "%a %b %d %H:%M:%S %Y");
+- my $delta = ($t->epoch - time()); # negative means no longer valid
+- if($delta < 0) {
+- $skipnum++;
+- report "Skipping: $main_block_name is not valid anymore" if ($opt_v);
+- $valid = 0;
+- }
+- else {
+- $valid = 1;
+- }
++ $valid = 1;
+ }
+ }
+ next;
+@@ -571,24 +559,6 @@
+ if($timestamp[12] ne "Z") {
+ report "distrust date stamp is not using UTC";
+ }
+- # Example date: 200617000000Z
+- # Means 2020-06-17 00:00:00 UTC
+- my $distrustat =
+- timegm($timestamp[10] . $timestamp[11], # second
+- $timestamp[8] . $timestamp[9], # minute
+- $timestamp[6] . $timestamp[7], # hour
+- $timestamp[4] . $timestamp[5], # day
+- ($timestamp[2] . $timestamp[3]) - 1, # month
+- "20" . $timestamp[0] . $timestamp[1]); # year
+- if(time >= $distrustat) {
+- # not trusted anymore
+- $skipnum++;
+- report "Skipping: $main_block_name is not trusted anymore" if ($opt_v);
+- $valid = 0;
+- }
+- else {
+- # still trusted
+- }
+ }
+ next;
+ }
diff --git a/sysc/ca-certificates-3.86/sources b/sysc/ca-certificates-3.86/sources
@@ -1 +0,0 @@
-http://ftp.mozilla.org/pub/security/nss/releases/NSS_3_86_RTM/src/nss-3.86.tar.gz 3f385fc686476bbba811035fa6821b542475d55747b18c20c221d4d66573b975
diff --git a/sysc/ca-certificates-3.86/ca-certificates-3.86.sh b/sysc/ca-certificates-3.88.1/ca-certificates-3.88.1.sh
diff --git a/sysc/ca-certificates-3.88.1/sources b/sysc/ca-certificates-3.88.1/sources
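Review bot: Dropping the distrust-after branch in the second inner hunk of timeless-mk-ca-bundle.patch (`@@ -571,24 +559,6 @@`) means a root whose NSS distrust date has already passed is now written into the bundle as trusted, and a plain PEM bundle has no field that would let a consumer recover that decision later. The first inner hunk (`@@ -497,19 +497,7 @@`) has the same shape for `Not Valid After`, although there the expiry date stays inside the certificate itself, so a verifier can presumably still reject it at use time. Reproducibility only needs the reference time to be fixed, not the filters to go away: comparing against an epoch pinned alongside the package instead of the wall clock would keep both checks deterministic, e.g. `if($pinned_epoch >= $distrustat) {` and `my $delta = ($t->epoch - $pinned_epoch);`, where `$pinned_epoch` is a placeholder name for a constant the patch would define. If the removal stays as is, the patch header should say explicitly that expired and distrusted roots are retained on purpose, for example `Note: expired and distrust-after roots are kept in the bundle; filtering is left to the TLS verifier.`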
@@ -0,0 +1 @@ +http://ftp.mozilla.org/pub/security/nss/releases/NSS_3_88_1_RTM/src/nss-3.88.1.tar.gz 27d243edf87d1cf1bb9c861f03d387e0e9230ce5017f4308c941f558b54b3496 diff --git a/sysc/run2.sh b/sysc/run2.sh @@ -56,7 +56,7 @@ build libarchive-3.5.2 build openssl-1.1.1l -build ca-certificates-3.86 +build ca-certificates-3.88.1 build curl-7.83.0