1
diff --git a/debian/ca-certificates-java.postinst b/debian/ca-certificates-java.postinst
2
index 94c6c03..f53c4ee 100644
3
--- a/debian/ca-certificates-java.postinst
4
+++ b/debian/ca-certificates-java.postinst
5
@@ -18,30 +18,6 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
6
18
ETCCERTSDIR=/etc/ssl/certs
18
ETCCERTSDIR=/etc/ssl/certs
7
19
CACERTS=$ETCCERTSDIR/java/cacerts
19
CACERTS=$ETCCERTSDIR/java/cacerts
8
20
20
9
21
setup_path()
10
22
{
11
23
	for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ; do
12
24
		for jvm in \
13
25
			java-${version}-openjdk-${arch} \
14
26
			java-${version}-openjdk \
15
27
			oracle-java${version}-jre-${arch} \
16
28
			oracle-java${version}-server-jre-${arch} \
17
29
			oracle-java${version}-jdk-${arch}
18
30
		do
19
31
			if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
20
32
				export JAVA_HOME=/usr/lib/jvm/$jvm
21
33
				PATH=$JAVA_HOME/bin:$PATH
22
34
				break 2
23
35
			fi
24
36
		done
25
37
	done
26
38
27
39
	if ! which java >/dev/null; then
28
40
		echo "No JRE found. Skipping Java certificates setup."
29
41
		exit 0
30
42
	fi
31
43
}
32
44
33
45
check_proc()
21
check_proc()
34
46
{
22
{
35
47
    if ! mountpoint -q /proc; then
23
    if ! mountpoint -q /proc; then
36
@@ -90,7 +66,10 @@ update_cacerts()
37
90
		exit 0
66
		exit 0
38
91
	fi
67
	fi
39
92
68
41
93
	setup_path
69
	if ! which java >/dev/null; then
42
70
		echo "No JRE found. Skipping Java certificates setup."
43
71
		exit 0
44
72
	fi
45
94
73
46
95
	if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
74
	if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
47
96
		convert_pkcs12_keystore_to_jks
75
		convert_pkcs12_keystore_to_jks
48
@@ -103,7 +82,17 @@ update_cacerts()
49
103
82
50
104
		if [ -f "$CACERTS" ]; then
83
		if [ -f "$CACERTS" ]; then
51
105
			check_proc
84
			check_proc
53
106
			cacerts_aliases=$(keytool -cacerts -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
85
54
86
			# Java 8 does not have -cacerts option
55
87
			if java -version 2>&1 | grep "1.8" > /dev/null ;
56
88
			then
57
89
				castore="-keystore ${CACERTS}"
58
90
			else
59
91
				castore="-cacerts"
60
92
			fi
61
93
62
94
			cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
63
95
64
107
			etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
96
			etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
65
108
			for alias in $cacerts_aliases ; do
97
			for alias in $cacerts_aliases ; do
66
109
				case " $etc_ssl_certs_aliases " in
98
				case " $etc_ssl_certs_aliases " in
67
@@ -177,5 +166,9 @@ if [ "$1" = "triggered" ]; then
68
177
			;;
166
			;;
69
178
	esac
167
	esac
70
179
168
71
169
	if [ ! -f $CACERTS ]; then
72
170
		touch /var/lib/ca-certificates-java/fresh
73
171
	fi
74
172
75
180
	update_cacerts
173
	update_cacerts
76
181
fi
174
fi
77
diff --git a/debian/ca-certificates-java.triggers b/debian/ca-certificates-java.triggers
78
index bde4336..e97bbf5 100644
79
--- a/debian/ca-certificates-java.triggers
80
+++ b/debian/ca-certificates-java.triggers
81
@@ -1,3 +1,2 @@
85
1
interest update-ca-certificates-java
1
interest-await update-ca-certificates-java
86
2
interest update-ca-certificates-java-fresh
2
interest-await update-ca-certificates-java-fresh
84
3
interest /usr/lib/jvm
87
diff --git a/debian/changelog b/debian/changelog
88
index c316775..b92bc31 100644
89
--- a/debian/changelog
90
+++ b/debian/changelog
91
@@ -1,3 +1,21 @@
92
1
ca-certificates-java (20230103ubuntu1) lunar; urgency=medium
93
2
94
3
  * Resolve circular JRE dependency (LP: #2003750, LP: #1999103, LP: #2004061)
95
4
    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
96
5
      stage.
97
6
    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
98
7
      not found. Certificates are refreshed only in response to the trigger
99
8
      activated by OpenJDK packages.
100
9
    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
101
10
      Java 8.
102
11
    - debian/control: remove JRE dependency.
103
12
    - debian/control: add Breaks condition.
104
13
    - debian/tests: add smoke tests.
105
14
    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
106
15
      explicitly declare triggers as -await.
107
16
108
17
 -- Vladimir Petko <vladimir.petko@canonical.com>  Wed, 01 Mar 2023 13:31:58 +1300
109
18
110
1
ca-certificates-java (20230103) unstable; urgency=medium
19
ca-certificates-java (20230103) unstable; urgency=medium
111
2
20
112
3
  * Promote again the JRE recommendation to a dependency. Otherwise
21
  * Promote again the JRE recommendation to a dependency. Otherwise
113
diff --git a/debian/control b/debian/control
114
index 87cfc5f..5545acd 100644
115
--- a/debian/control
116
+++ b/debian/control
117
@@ -1,7 +1,8 @@
118
1
Source: ca-certificates-java
1
Source: ca-certificates-java
119
2
Section: java
2
Section: java
120
3
Priority: optional
3
Priority: optional
122
4
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
4
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
123
5
XSBC-Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
124
5
Uploaders: Matthias Klose <doko@ubuntu.com>,
6
Uploaders: Matthias Klose <doko@ubuntu.com>,
125
6
           James Page <james.page@ubuntu.com>
7
           James Page <james.page@ubuntu.com>
126
7
Build-Depends:
8
Build-Depends:
127
@@ -20,7 +21,13 @@ Multi-Arch: foreign
128
20
Depends:
21
Depends:
129
21
 ca-certificates (>= 20210120),
22
 ca-certificates (>= 20210120),
130
22
 ${misc:Depends},
23
 ${misc:Depends},
132
23
 default-jre-headless (>= 2:1.8) | java8-runtime-headless,
24
Breaks: openjdk-8-jre-headless  (<<8u362-ga-0ubuntu2~),
133
25
        openjdk-11-jre-headless (<<11.0.18+10-0ubuntu3~),
134
26
        openjdk-17-jre-headless (<<17.0.6+10-1ubuntu1~),
135
27
        openjdk-18-jre-headless (<<18.0.2+9-2ubuntu1~),
136
28
        openjdk-19-jre-headless (<<19.0.2+7-0ubuntu4~),
137
29
        openjdk-20-jre-headless (<<20~26ea-1ubuntu1~),
138
30
        openjdk-21-jre-headless (<<21~7ea-1ubuntu1~)
139
24
Description: Common CA certificates (JKS keystore)
31
Description: Common CA certificates (JKS keystore)
140
25
 This package uses the hooks of the ca-certificates package to update the
32
 This package uses the hooks of the ca-certificates package to update the
141
26
 cacerts JKS keystore used for many java runtimes.
33
 cacerts JKS keystore used for many java runtimes.
142
diff --git a/debian/tests/can-convert-keystore b/debian/tests/can-convert-keystore
143
27
new file mode 100644
34
new file mode 100644
144
index 0000000..041189b
145
--- /dev/null
146
+++ b/debian/tests/can-convert-keystore
147
@@ -0,0 +1,24 @@
148
1
#!/bin/bash
149
2
set -e
150
3
# GIVEN a PKCS12 Java keystore
151
4
ETCCERTSDIR=/etc/ssl/certs
152
5
CACERTS=$ETCCERTSDIR/java/cacerts
153
6
rm $CACERTS
154
7
keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null
155
8
apt-get remove -y ca-certificates-java
156
9
157
10
mkdir -p /etc/ssl/certs/java/
158
11
mkdir -p /var/lib/ca-certificates-java/
159
12
mv test.store $CACERTS
160
13
# WHEN ca-certificates-java is requested to convert the keystore
161
14
touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
162
15
163
16
# THEN conversion is successful
164
17
output=`mktemp`
165
18
apt-get install -y openjdk-8-jre-headless | tee ${output}
166
19
167
20
if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]];
168
21
then
169
22
    echo "Certificates were not imported !!!"
170
23
    exit 255
171
24
fi
172
diff --git a/debian/tests/can-install-jre b/debian/tests/can-install-jre
173
0
new file mode 100644
25
new file mode 100644
174
index 0000000..fd27d6e
175
--- /dev/null
176
+++ b/debian/tests/can-install-jre
177
@@ -0,0 +1,26 @@
178
1
#!/bin/bash
179
2
set -e
180
3
versions=$(apt-cache search jre-headless | awk '{print $1}')
181
4
for version in ${versions}
182
5
do
183
6
# WHEN openjdk-jre-headless package is installed from scratch
184
7
185
8
    # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean
186
9
    # builds. Ignore it in certificate tests
187
10
    if [[ ${version} == "openjdk-18-jre-headless" ]];
188
11
    then
189
12
        continue
190
13
    fi
191
14
    output=`mktemp`
192
15
    echo "installing ${version}"
193
16
    apt-get install -y ${version} | tee ${output}
194
17
# THEN installation is successfull
195
18
# AND certificates are updated
196
19
    if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
197
20
        echo "Certificates were not imported !!!"
198
21
        exit 255
199
22
    fi
200
23
    rm $output
201
24
    # purge in order to remove keytstore
202
25
    apt-get purge -y ca-certificates-java ${version}
203
26
done
204
0
\ No newline at end of file
27
\ No newline at end of file
205
diff --git a/debian/tests/can-install-libreoffice b/debian/tests/can-install-libreoffice
206
1
new file mode 100755
28
new file mode 100755
207
index 0000000..b1d9937
208
--- /dev/null
209
+++ b/debian/tests/can-install-libreoffice
210
@@ -0,0 +1,4 @@
211
1
#!/bin/bash
212
2
set -e
213
3
214
4
apt-get install -y libreoffice
215
0
\ No newline at end of file
5
\ No newline at end of file
216
diff --git a/debian/tests/can-install-multiple-jdks b/debian/tests/can-install-multiple-jdks
217
1
new file mode 100755
6
new file mode 100755
218
index 0000000..614a9f6
219
--- /dev/null
220
+++ b/debian/tests/can-install-multiple-jdks
221
@@ -0,0 +1,13 @@
222
1
#!/bin/bash
223
2
set -e
224
3
225
4
output=`mktemp`
226
5
# WHEN multiple JDKs are installed
227
6
apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output}
228
7
229
8
# THEN installation is successful
230
9
if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
231
10
    echo "Certificates were not imported !!!"
232
11
    exit 255
233
12
fi
234
13
rm $output
235
diff --git a/debian/tests/control b/debian/tests/control
236
0
new file mode 100644
14
new file mode 100644
237
index 0000000..17f2dac
238
--- /dev/null
239
+++ b/debian/tests/control
240
@@ -0,0 +1,9 @@
241
1
Tests: can-convert-keystore
242
2
Depends: default-jre-headless
243
3
Restrictions: needs-root
244
4
245
5
Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice
246
6
# No depends, this is a test for a clean install
247
7
Depends:
248
8
Restrictions: needs-root
249
9
Reviewer	Date Requested	Status
Steve Langasek (community)	2023-03-01	Approve on 2023-03-02
git-ubuntu import	2023-03-01	Pending
Review via email: mp+438150@code.launchpad.net