ca-certificates: update to 20170307, include more files under pacman

ca-certificates/PKGBUILD

@@ -1,14 +1,14 @@
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20170213
-pkgrel=3
+pkgver=20170307
+pkgrel=1
 pkgdesc='Common CA certificates'
 arch=('x86_64')
 url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
 license=('GPL2')
 makedepends=('asciidoc' 'p11-kit')
 source=(update-ca-trust update-ca-trust.8.txt)
-sha256sums=('0fc474b2efc32f8319d6a3d10f726030298798d6191b659da7fb6cdc409971e9'
+sha256sums=('857096d0cd82e0cb58622f8e427cec5eaa2d4e3ae32a3bb60c7292ceeabf9668'
             '5b2d3dfaac00027ff169c34ded4b5115a1332c1596c30eb0e41bbfb1a7f959fc')
 
 build() {
@@ -33,8 +33,12 @@ package_ca-certificates-utils() {
 	# Directories used by update-ca-trust (aka "trust extract-compat")
 	install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
 
-	# Contrary to Fedora, the /etc/ssl/certs dir is generated
-	ln -srT "${pkgdir}"/etc/ssl/{certs/ca-certificates.crt,cert.pem}
+	# Compatibility link for OpenSSL using /etc/ssl as CAdir
+	# Used in preference to the individual links in /etc/ssl/certs
+	ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
+
+	# Compatiblity link for legacy bundle
+	ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
 }
 
 package_ca-certificates() {

ca-certificates/update-ca-trust

@@ -1,18 +1,31 @@
-#!/bin/sh
-
-#set -vx
+#!/bin/bash
 
 # At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
-# support the syntax "update-ca-trust extract" trigger the generation of output 
+# However, for backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
 # files in $DEST.
 
 DEST=/etc/ca-certificates/extracted
 
-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/java/cacerts
+extract() {
+  trust extract --overwrite "$@"
+}
+
+# The directory-format extractors remove all files in the target directory, but not directories or files therein
+extract --format=pem-directory-hash   --filter=ca-anchors --purpose=server-auth  $DEST/cadir
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth  $DEST/tls-ca-bundle.pem
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email        $DEST/email-ca-bundle.pem
+extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem
+extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
+
+# We don't want to have to remove everything from the certs directory but neither
+# do we want to leave stale certs around, so symlink it all from somewhere else
+for f in $DEST/cadir/*; do
+  ln -fsr -t /etc/ssl/certs "$f"
+done
+
+# Now find and remove all broken symlinks
+find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+
+# Java bundle
+extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts