openjdk team mailing list archive

[Thierry Carrez <thierry.carrez@xxxxxxxxxx>]

ca-certificates-java with SHA384withECDSA certificates filtering

Results for initial install (postinst):

creating /etc/ssl/certs/java/cacerts...
  removed untrusted certificate mozilla/Equifax_Secure_Global_eBusiness_CA.crt
  removed untrusted certificate mozilla/UTN_USERFirst_Object_Root_CA.crt
  ignored certificate mozilla/COMODO_ECC_Certification_Authority.crt (SHA384withECDSA unsupported)
Certificate was added to keystore
  added certificate mozilla/DigiNotar_Root_CA.crt
Certificate was added to keystore
  added certificate mozilla/Network_Solutions_Certificate_Authority.crt
Certificate was added to keystore
  added certificate mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
done.

Results for ca-certificates upgrade (hook):

Updating certificates in /etc/ssl/certs... 4 added, 2 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
  ignored (SHA384withECDSA unsupported): /etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
Certificate was added to keystore
  added: /etc/ssl/certs/DigiNotar_Root_CA.pem
Certificate was added to keystore
  added: /etc/ssl/certs/Network_Solutions_Certificate_Authority.pem
Certificate was added to keystore
  added: /etc/ssl/certs/WellsSecure_Public_Root_Certificate_Authority.pem
  does not exists: /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
  does not exists: /etc/ssl/certs/UTN_USERFirst_Object_Root_CA.pem
done.
done.


** Attachment added: "ca-certificates-java_20081028ubuntu1.debdiff"
   http://launchpadlibrarian.net/28500622/ca-certificates-java_20081028ubuntu1.debdiff

-- 
[Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
https://bugs.launchpad.net/bugs/392104
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in Iced Tea: Confirmed
Status in “ca-certificates” package in Ubuntu: Invalid
Status in “ca-certificates-java” package in Ubuntu: Confirmed
Status in “openjdk-6” package in Ubuntu: New
Status in “ca-certificates-java” package in Debian: Confirmed

Bug description:
Binary package hint: ca-certificates

Recent update to ca-certificates 20090624 breaks ca-certificates-java installation, currently preventing all Java-based builds in karmic from succeeding (ca-certificates-java is required by default-jdk, so default-jdk cannot be installed as a build dependency).

Note that you should also get ca-certificates upgrade errors on systems where ca-certificates-java is already installed.

Here is the buildlog error:

Setting up ca-certificates-java (20081028) ...
creating /etc/ssl/certs/java/cacerts...
Certificate was added to keystore
  added certificate cacert.org/cacert.org.crt
Certificate was added to keystore
  added certificate gouv.fr/cert_igca_dsa.crt
Certificate was added to keystore
  added certificate gouv.fr/cert_igca_rsa.crt
keytool error: java.security.NoSuchAlgorithmException: SHA384withECDSA Signature not available
  error adding mozilla/COMODO_ECC_Certification_Authority.crt
Certificate was added to keystore
  added certificate mozilla/DigiNotar_Root_CA.crt
Certificate was added to keystore
  added certificate mozilla/Network_Solutions_Certificate_Authority.crt
Certificate was added to keystore
  added certificate mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
failed.
dpkg: error processing ca-certificates-java (--configure):
 subprocess post-installation script returned error exit status 1

Apparently the addition of mozilla/COMODO_ECC_Certification_Authority.crt doesn't please ca-certificates-java since it doesn't know how to handle SHA384withECDSA signatures. I guess this can either be fixed in ca-certificates or ca-certificates-java, so I'll pull both as affected.