git-for-windows · dscho · Oct 11, 2021 · Oct 8, 2021 · Oct 9, 2021
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -0,0 +1,141 @@
+name: build-and-deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      package:
+        description: 'The package to build'
+        required: true
+      architecture:
+        description: 'The CPU architecture package to build'
+        default: i686
+        required: false
+      build_only:
+        description: 'Skip deployment (if non-empty)'
+        required: false
+
+env:
+  PACKAGE_TO_BUILD: "${{github.event.inputs.package}}"
+  GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback"
+  HOME: "${{github.workspace}}\\home"
+
+jobs:
+  build-and-deploy:
+    runs-on: windows-latest
+    environment: build-pacman-packages
+    steps:
+      - name: Configure build
+        shell: bash
+        run:
+          USER_NAME="${{github.actor}}" &&
+          USER_EMAIL="${{github.actor}}@users.noreply.github.com" &&
+          mkdir "$HOME" &&
+          git config --global user.name "$USER_NAME" &&
+          git config --global user.email "$USER_EMAIL" &&
+          echo "PACKAGER=$USER_NAME <$USER_EMAIL>" >>$GITHUB_ENV
+      - name: Download Git for Windows SDK
+        uses: git-for-windows/setup-git-for-windows-sdk@v1
+        with:
+          flavor: full
+          architecture: ${{github.event.inputs.architecture}}
+          msys: true
+      - name: Clone MSYS2-packages
+        shell: bash
+        env:
+          REF: "${{github.ref}}"
+        run: |
+          mkdir -p /usr/src &&
+          git clone --depth 1 --single-branch -b "${REF#refs/heads/}" https://github.com/${{github.repository}} /usr/src/MSYS2-packages
+      - name: Clone build-extra
+        shell: bash
+        run: git clone --depth 1 --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra
+      - name: Run rebaseall
+        if: github.event.inputs.architecture == 'i686' && !contains('msys2-runtime gnupg', env.PACKAGE_TO_BUILD)
+        shell: powershell
+        run: |
+          cd C:\git-sdk-32-full-sdk
+          if (!$?) { exit(1); }
+
+          $env:PATH += ";$(Get-Location)"
+          usr\bin\sh.exe -lc "find /usr/lib/perl5/*_perl -name \*.dll >perl-dlls.txt"
+          type perl-dlls.txt
+          usr\bin\dash /usr/bin/rebaseall -p -T perl-dlls.txt
+
+          # Work around for:
+          # - address space needed by 'Cwd.dll' is already occupied
+          # - address space needed by 'Dumper.dll' is already occupied
+          # etc
+          usr\bin\bash -lc "/usr/bin/rebase -b 0x61500000 /usr/lib/perl5/core_perl/auto/*/{*,*/*}.dll"
+      - name: pacman -Syyu
+        shell: bash
+        run: pacman -Syyu --noconfirm
+      - name: Get GPG keys (if necessary)
+        shell: bash
+        run: |
+          cd "/usr/src/MSYS2-packages/${{github.event.inputs.package}}" &&
+          . PKGBUILD &&
+          for key in "${validpgpkeys[@]}"
+          do
+            gpg $GPG_OPTIONS --recv-keys --batch --yes --keyserver "$key" &&
+            echo "$key:6:" | gpg $GPG_OPTIONS --import-ownertrust ||
+            exit 1
+          done
+      - name: Prepare home directory for GPG signing
+        if: env.GPGKEY != ''
+        shell: bash
+        run: |
+          echo '${{secrets.PRIVGPGKEY}}' | tr % '\n' | gpg $GPG_OPTIONS --import &&
+          mkdir -p home &&
+          git config --global gpg.program "/usr/src/build-extra/gnupg-with-gpgkey.sh" &&
+          info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" &&
+          git config --global user.name "${info% <*}" &&
+          git config --global user.email "<${info#*<}"
+          echo "PACKAGER=$info" >>$GITHUB_ENV
+        env:
+          GPGKEY: ${{secrets.GPGKEY}}
+      - name: Prepare home directory for code-signing
+        if: env.CODESIGN_P12 != '' && env.CODESIGN_PASS != ''
+        env:
+          CODESIGN_P12: ${{secrets.CODESIGN_P12}}
+          CODESIGN_PASS: ${{secrets.CODESIGN_PASS}}
+        shell: bash
+        run: |
+          mkdir -p home/.sig &&
+          echo "$CODESIGN_P12" | tr % '\n' | base64 -d >home/.sig/codesign.p12 &&
+          echo "$CODESIGN_PASS" >home/.sig/codesign.pass
+          git config --global alias.signtool '!sh "/usr/src/build-extra/signtool.sh"'
+      - name: Build ${{github.event.inputs.package}}
+        env:
+          GPGKEY: ${{secrets.GPGKEY}}
+        shell: bash
+        run: |
+          # Let `cv2pdb` find the DLLs
+          PATH="$PATH:/c/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin" &&
+
+          dir="$(cygpath -au artifacts)" &&
+          mkdir -p "$dir" &&
+          cd "/usr/src/MSYS2-packages/${{github.event.inputs.package}}" &&
+          MAKEFLAGS=-j6 PKGEXT='.pkg.tar.xz' makepkg -s --noconfirm &&
+          ls -la &&
+          cp *.pkg.tar* "$dir/"
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v1
+        with:
+          name: artifacts
+          path: artifacts
+      - name: Prepare home directory for deploying to the Pacman repository
+        if: github.event.inputs.build_only != '' && env.AZURE_BLOBS_TOKEN != ''
+        env:
+          AZURE_BLOBS_TOKEN: ${{secrets.AZURE_BLOBS_TOKEN}}
+        shell: bash
+        run: echo "$AZURE_BLOBS_TOKEN" >"$HOME"/.azure-blobs-token
+      - name: Deploy Pacman packages
+        shell: bash
+        env:
+          GPGKEY: ${{secrets.GPGKEY}}
+          PACMANDRYRUN: ${{github.event.inputs.build_only}}
+        run: /usr/src/build-extra/pacman-helper.sh quick_add artifacts/*
+      - name: Clean up temporary files
+        if: always()
+        shell: bash
+        run: rm -rf home
diff --git a/ca-certificates/PKGBUILD b/ca-certificates/PKGBUILD
@@ -1,40 +1,41 @@
 # Maintainer: Alexey Pavlov <[email protected]>
 
 pkgname=ca-certificates
-pkgver=20170717
-pkgrel=2
+pkgver=20210119
+pkgrel=3
 pkgdesc='Common CA certificates'
 arch=('any')
 url='https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/'
 license=('MPL' 'GPL')
 source=("http://ftp.debian.org/debian/pool/main/c/${pkgname}/${pkgname}_${pkgver}.tar.xz"
-        'StartSSL.sca.server1.crt'::'https://www.startssl.com/certs/sca.server1.crt'
         'certdata2pem.py'
         'update-ca-trust'
-        'update-ca-trust.8')
+        'update-ca-trust.8'
+        'blacklist-dst-root-ca-x3.patch')
 depends=('bash' 'openssl' 'findutils' 'coreutils' 'sed' 'p11-kit')
-makedepends=('asciidoc' 'python2' 'libxslt' 'sed' 'grep')
+makedepends=('asciidoc' 'python3' 'libxslt' 'sed' 'grep')
 install='ca-certificates.install'
-sha256sums=('e487639b641fa75445174734dd6e9d600373e3248b3d86a7e3c6d0f6977decd2'
-            'c5b24a798bd87e2fb710ccac374f56991d6939b80de3fe1a5a15211f1f9fca43'
-            '4e96bd7424062d365b75247dfc4b3b6510f09ca5161c0f7c3ce76b10edf633aa'
-            '0f3e97846494ad41330352bb6b2fa0f8d264bf16d8d02f04b759ca8c26b3e092'
-            'a73c6430e734178b9aa4d303709470383bc2b1cfbeb0d44fe34615df812f479d')
+sha256sums=('daa3afae563711c30a0586ddae4336e8e3974c2b627faaca404c4e0141b64665'
+            '9508738b61cc89bfc1f42580b1091a650f0acbf5c1b49edc2aa4e0313276ea0d'
+            'f411cb774da977d3bf6647f53030cb0d584fea09591cec8b6fcc3065f7652c98'
+            'a73c6430e734178b9aa4d303709470383bc2b1cfbeb0d44fe34615df812f479d'
+            'ded49e7b1a79f61ac02531b308a0a8cf96ca7476e669af5c29ec6e9d19b25e23')
 
 prepare() {
-
-  sed "s|/usr/bin/python|/usr/bin/python2|g" -i certdata2pem.py
-  cp certdata2pem.py ${srcdir}/${pkgname}/mozilla/certdata2pem.py
-  cd ${srcdir}/${pkgname}
+  mv "${srcdir}/work" "${srcdir}/${pkgname}-${pkgver}"
+  sed "s|/usr/bin/python|/usr/bin/python3|g" -i certdata2pem.py
+  cp certdata2pem.py ${srcdir}/${pkgname}-${pkgver}/mozilla/certdata2pem.py
+  cd ${srcdir}/${pkgname}-${pkgver}
   cp ${srcdir}/update-ca-trust sbin/
   cp ${srcdir}/update-ca-trust.8 sbin/
+  patch -p1 -i ${srcdir}/blacklist-dst-root-ca-x3.patch
 }
 
 build() {
-  cd ${srcdir}/${pkgname}/mozilla
+  cd ${srcdir}/${pkgname}-${pkgver}/mozilla
   mkdir -p legacy-{default,disable}
 
-  /usr/bin/python2 ./certdata2pem.py
+  PYTHONUTF8=1 PYTHONIOENCODING=utf-8 /usr/bin/python3 ./certdata2pem.py
 
   (
     cat <<EOF
@@ -50,9 +51,9 @@ build() {
 EOF
     cat nssckbi.h | grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
     echo '#';
-  ) > ${srcdir}/${pkgname}/ca-bundle.trust.crt
+  ) > ${srcdir}/${pkgname}-${pkgver}/ca-bundle.trust.crt
 
-  touch ${srcdir}/${pkgname}/ca-bundle.legacy.default.crt
+  touch ${srcdir}/${pkgname}-${pkgver}/ca-bundle.legacy.default.crt
   local NUM_LEGACY_DEFAULT=`find ./legacy-default -type f | wc -l`
   if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
      for f in ./legacy-default/*.crt; do 
@@ -67,12 +68,12 @@ EOF
        fi
        if [ -n "$targs" ]; then
           echo "legacy default flags $targs for $f" >> info.trust
-          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ${srcdir}/${pkgname}/ca-bundle.legacy.default.crt
+          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.legacy.default.crt
        fi
      done
   fi
 
-  touch ${srcdir}/${pkgname}/ca-bundle.legacy.disable.crt
+  touch ${srcdir}/${pkgname}-${pkgver}/ca-bundle.legacy.disable.crt
   NUM_LEGACY_DISABLE=`find ./legacy-disable -type f | wc -l`
   if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
      for f in ./legacy-disable/*.crt; do 
@@ -87,22 +88,15 @@ EOF
        fi
        if [ -n "$targs" ]; then
           echo "legacy disable flags $targs for $f" >> info.trust
-          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ${srcdir}/${pkgname}/ca-bundle.legacy.disable.crt
+          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.legacy.disable.crt
        fi
      done
   fi
 
-  # Add custom certificate
-  echo '# alias="StartCom Class 1 Primary Intermediate Server CA"' > ${srcdir}/${pkgname}/mozilla/StartSSL.sca.server1.crt
-  echo '# trust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH' >> ${srcdir}/${pkgname}/mozilla/StartSSL.sca.server1.crt
-  echo '# distrust=' >> ${srcdir}/${pkgname}/mozilla/StartSSL.sca.server1.crt
-  echo '# openssl-trust=codeSigning emailProtection serverAuth' >> ${srcdir}/${pkgname}/mozilla/StartSSL.sca.server1.crt
-  cat ${srcdir}/StartSSL.sca.server1.crt >> ${srcdir}/${pkgname}/mozilla/StartSSL.sca.server1.crt
-
   local P11FILES=`find . -name \*.tmp-p11-kit | wc -l`
   if [ $P11FILES -ne 0 ]; then
     for p in ./*.tmp-p11-kit; do 
-      cat "$p" >> ${srcdir}/${pkgname}/ca-bundle.trust.crt
+      cat "$p" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.trust.crt
     done
   fi
 
@@ -111,7 +105,7 @@ EOF
 
 
 package() {
-  cd ${srcdir}/${pkgname}
+  cd ${srcdir}/${pkgname}-${pkgver}
 
   mkdir -p ${pkgdir}/usr/{bin,lib,share}
   mkdir -p ${pkgdir}/etc

diff --git a/ca-certificates/blacklist-dst-root-ca-x3.patch b/ca-certificates/blacklist-dst-root-ca-x3.patch
@@ -0,0 +1,7 @@
+--- a/mozilla/blacklist.txt       2021-01-19 11:11:04.000000000 +0100
++++ b/mozilla/blacklist.txt       2021-10-02 11:14:46.449980400 +0200
+@@ -7,3 +7,4 @@
+ "MITM subCA 2 issued by Trustwave"
+ "TURKTRUST Mis-issued Intermediate CA 1"
+ "TURKTRUST Mis-issued Intermediate CA 2"
++"DST Root CA X3"