@@ -1,4 +1,10 @@
-From bf18b564122e8f976681a2398862fde1eafd84ba Mon Sep 17 00:00:00 2001
+From a4e468a2a0afa80df174831c2f422184820bb0fa Mon Sep 17 00:00:00 2001
+From: Steve Hay <me@stevenhay.com>
+Date: Sat, 18 Mar 2023 17:57:18 +0100
+Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional
+
+Modified for a newer version of the ca-certificates module.
+
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date: Thu, 6 Jan 2022 23:15:00 +0100
Subject: [PATCH] mozilla/certdata2pem.py: make cryptography module optional
@@ -15,37 +21,36 @@ the check is skipped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
- mozilla/certdata2pem.py | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
+ mozilla/certdata2pem.py | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index ede23d4..a6261f8 100644
+index 4df86a2..3a6d7dc 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
-@@ -28,9 +28,6 @@ import sys
+@@ -28,8 +28,6 @@ import sys
import textwrap
import io
-from cryptography import x509
-
--
+
objects = []
- # Dirty file parser.
-@@ -122,11 +119,16 @@ for obj in objects:
+@@ -122,11 +120,16 @@ for obj in objects:
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
-- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-- if cert.not_valid_after < datetime.datetime.now():
+- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+- if cert.not_valid_after < datetime.datetime.utcnow():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
- print('!'*74)
+ try:
+ from cryptography import x509
+
-+ cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-+ if cert.not_valid_after < datetime.datetime.now():
++ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
++ if cert.not_valid_after < datetime.datetime.utcnow():
+ print('!'*74)
+ print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+ print('!'*74)
@@ -55,5 +60,5 @@ index ede23d4..a6261f8 100644
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
--
-2.33.1
+2.30.2
deleted file mode 100644
@@ -1,29 +0,0 @@
-From 5e493ca307a031e81528ceddb96f3da40bc062cf Mon Sep 17 00:00:00 2001
-From: Wataru Ashihara <wsh@iij.ad.jp>
-Date: Wed, 2 Nov 2022 12:40:05 -0400
-Subject: [PATCH] mozilla/certdata2pem.py: Fix compat with cryptography > 3.0
-
-In newer cryptography packages, load_der_x509_certificate is enforced to be 'bytes' rather than currently used 'bytearray'. This fixes that.
-
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008244
-Signed-off-by: Justin Wood <jwood@starry.com>
----
- mozilla/certdata2pem.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index a6261f8..c0fa52c 100644
---- a/mozilla/certdata2pem.py
-+++ b/mozilla/certdata2pem.py
-@@ -122,7 +122,7 @@ for obj in objects:
- try:
- from cryptography import x509
-
-- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-+ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
- if cert.not_valid_after < datetime.datetime.now():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
-2.38.1
-
@@ -1,6 +1,4 @@
# hashes from: $(CA_CERTIFICATES_SITE)/ca-certificates_$(CA_CERTIFICATES_VERSION).dsc :
-sha1 bce5a8fac45456dbebf256f3a812c6cd0a853e3e ca-certificates_20211016.tar.xz
-sha256 2ae9b6dc5f40c25d6d7fe55e07b54f12a8967d1955d3b7b2f42ee46266eeef88 ca-certificates_20211016.tar.xz
-
+sha256 83de934afa186e279d1ed08ea0d73f5cf43a6fbfb5f00874b6db3711c64576f3 ca-certificates_20230311.tar.xz
# Locally computed
sha256 e85e1bcad3a915dc7e6f41412bc5bdeba275cadd817896ea0451f2140a93967c debian/copyright
@@ -4,9 +4,10 @@
#
################################################################################
-CA_CERTIFICATES_VERSION = 20211016
+# batocera / version bump
+CA_CERTIFICATES_VERSION = 20230311
CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.xz
-CA_CERTIFICATES_SITE = https://snapshot.debian.org/archive/debian/20211022T144903Z/pool/main/c/ca-certificates
+CA_CERTIFICATES_SITE = https://snapshot.debian.org/archive/debian/20230317T205011Z/pool/main/c/ca-certificates
CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python3
CA_CERTIFICATES_LICENSE = GPL-2.0+ (script), MPL-2.0 (data)
CA_CERTIFICATES_LICENSE_FILES = debian/copyright
The impetus for this change was that wget fails to load pages signed by Let's Encrypt due to missing root certs. This version has the updated and correct certs. 0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch Patch dropped because the fix is incorporated upstream. Signed-off-by: Steve Hay <me@stevenhay.com> --- Changes v1 -> v2 - Removed the extraneous comment in the make file. - Fixed patch header. - Added note to the log as to why the patch was dropped. --- ...2pem.py-make-cryptography-module-opt.patch | 31 +++++++++++-------- ...2pem.py-Fix-compat-with-cryptography.patch | 29 ----------------- package/ca-certificates/ca-certificates.hash | 4 +-- package/ca-certificates/ca-certificates.mk | 5 +-- 4 files changed, 22 insertions(+), 47 deletions(-) delete mode 100644 package/ca-certificates/0002-mozilla-certdata2pem.py-Fix-compat-with-cryptography.patch