* update ca-certificates to 20240618-1

2024-07-25 20:31:31 +02:00 · 2024-07-25 20:31:31 +02:00 · 8540caf2ad
commit 8540caf2ad
parent be41cef9f3
5 changed files with 298 additions and 105 deletions
--- a/ca-certificates/.SRCINFO
+++ b/ca-certificates/.SRCINFO
@ -0,0 +1,46 @@
+pkgbase = ca-certificates
+	pkgdesc = Common CA certificates
+	pkgver = 20240618
+	pkgrel = 1
+	url = https://src.fedoraproject.org/rpms/ca-certificates
+	arch = any
+	license = GPL-2.0-or-later
+	makedepends = asciidoc
+	makedepends = p11-kit
+	source = 40-update-ca-trust.hook
+	source = README.etc
+	source = README.etcssl
+	source = README.extr
+	source = README.java
+	source = README.src
+	source = README.usr
+	source = update-ca-trust
+	source = update-ca-trust.8.txt
+	b2sums = 82e3d728267d931dd8613f5e4944995fb1909dffdd61bce17c5c8aa0e8d14201d249cb25899ac631e6a44a6d2acc02e62bd17692fd7fd27e3c8fb9a7648c6004
+	b2sums = 0de3d4ce83f00f95ea7b94f497403b4dc7ff5d0de33bdc76abe3bdd02280d6dc494c7ca4334cfdc5b91ab3fb0022c69f6809eca67d12e77048aa7f70252d479c
+	b2sums = a43766c7e451b3053abee99f8c9c526d984e20c1e60f1ef6e685805bbca46afa2725c7768a16ac5464778132fb13b43e59b2145ea89e4d2058f68cd2bf0abb1a
+	b2sums = ead530282525ea699fcb814fe9fcfe7f47d44febef40703dd65372fd6e583c347f07135efe5244b1d9c400b235dc43a3f7b27abb4c87ef5faa61da6c6d744ebf
+	b2sums = 9fdd34c3f99a01a0d12bb48595114def7685841f81871f5dbf56c433e19bb3acb733e108e6463b48425cd4b74a41ee961c927b24c2dce65f26a37baae5ed9eb9
+	b2sums = 1fbefe367f9e59e7bc5886d07b7da8bd918c8b77ab0d2026813dad965294d2bb3fd4698d6b22e728d890044b98c0015e7328c050c5d96d0e7d2a3a1ae3f16362
+	b2sums = 57e5f6485cde17139e3d1649bd05e1f1b7e260ec58137d41e91ac938bc728bed8ee72eacd0d03f1ccb8cd9e2a23df0df1b2f5fd46694530e1cb49325b05d68fd
+	b2sums = 31a8539ffb9fc2cdc840a079f8e5a8d5c0b45b36db33a835a2c5784d4151e33f6b5c36c44ff809932cc8ba130015a768f94e73a26f694a48a91cd82b540a7bbd
+	b2sums = 08a77b118db14f520a9a3fa8ee257eaa03fded9d7267e29836f1d5eeb65b2c875ec081eddc3e71473dd4ea50a0a43346c5a60a89362b02bab601d0e78331c7f8
+
+pkgname = ca-certificates-utils
+	pkgdesc = Common CA certificates (utilities)
+	install = ca-certificates-utils.install
+	depends = bash
+	depends = coreutils
+	depends = findutils
+	depends = p11-kit
+	provides = ca-certificates
+	provides = ca-certificates-java
+	conflicts = ca-certificates-java
+	replaces = ca-certificates-java
+
+pkgname = ca-certificates
+	pkgdesc = Common CA certificates - default providers
+	license = CC0-1.0
+	depends = ca-certificates-mozilla
+	conflicts = ca-certificates-cacert<=20140824-4
+	replaces = 
--- a/ca-certificates/PKGBUILD
+++ b/ca-certificates/PKGBUILD
@ -3,25 +3,35 @@
 # Contributor: Pierre Schmitz <pierre@archlinux.de>

 pkgbase=ca-certificates
-pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20220905
+pkgname=(
+  ca-certificates-utils
+  ca-certificates
+)
+pkgver=20240618
 pkgrel=1
 pkgdesc="Common CA certificates"
 url="https://src.fedoraproject.org/rpms/ca-certificates"
 arch=(any)
-license=(GPL)
-makedepends=(asciidoc p11-kit)
-source=(update-ca-trust update-ca-trust.8.txt 40-update-ca-trust.hook
-        README.{etc,etcssl,extr,java,src,usr})
-sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3'
-            '7123fcc59bcf50dac66606c8d1b2669106e88579375f98b12e8ae06d96eb7763'
-            '3a3833ebd6f9cdef2e534a273653f973a4354d4f9368577d0d73236b014b7748'
-            'e14e00e2e862ac0da3fc77c265e58ee3dcc9c776280639323b8ee804c9d0f69a'
-            'c94462e3addd6328d3fda77436bfb9d39099dd9dbfb6bafd5941d743cb0aaf10'
-            'badc9c0ec9324dae0889b8f5a5c70f14416507234b9cafcb84ecb99a2b67fc78'
-            '5300660244bb621cbbb7fd3646bd33f7a5fad6801580593d8d5b3cf6fa9a158d'
-            'eba594055ad00cb0b73fc2b0eb8aa4845e5cb4eb42aac88e5f1429213b9e301f'
-            '3493832f17595d6d5a6711e5b188ef36f040e0caec7e0f3303623550ed6943cc')
+license=(GPL-2.0-or-later)
+makedepends=(
+  asciidoc
+  p11-kit
+)
+source=(
+  40-update-ca-trust.hook
+  README.{etc,etcssl,extr,java,src,usr}
+  update-ca-trust
+  update-ca-trust.8.txt
+)
+b2sums=('82e3d728267d931dd8613f5e4944995fb1909dffdd61bce17c5c8aa0e8d14201d249cb25899ac631e6a44a6d2acc02e62bd17692fd7fd27e3c8fb9a7648c6004'
+        '0de3d4ce83f00f95ea7b94f497403b4dc7ff5d0de33bdc76abe3bdd02280d6dc494c7ca4334cfdc5b91ab3fb0022c69f6809eca67d12e77048aa7f70252d479c'
+        'a43766c7e451b3053abee99f8c9c526d984e20c1e60f1ef6e685805bbca46afa2725c7768a16ac5464778132fb13b43e59b2145ea89e4d2058f68cd2bf0abb1a'
+        'ead530282525ea699fcb814fe9fcfe7f47d44febef40703dd65372fd6e583c347f07135efe5244b1d9c400b235dc43a3f7b27abb4c87ef5faa61da6c6d744ebf'
+        '9fdd34c3f99a01a0d12bb48595114def7685841f81871f5dbf56c433e19bb3acb733e108e6463b48425cd4b74a41ee961c927b24c2dce65f26a37baae5ed9eb9'
+        '1fbefe367f9e59e7bc5886d07b7da8bd918c8b77ab0d2026813dad965294d2bb3fd4698d6b22e728d890044b98c0015e7328c050c5d96d0e7d2a3a1ae3f16362'
+        '57e5f6485cde17139e3d1649bd05e1f1b7e260ec58137d41e91ac938bc728bed8ee72eacd0d03f1ccb8cd9e2a23df0df1b2f5fd46694530e1cb49325b05d68fd'
+        '31a8539ffb9fc2cdc840a079f8e5a8d5c0b45b36db33a835a2c5784d4151e33f6b5c36c44ff809932cc8ba130015a768f94e73a26f694a48a91cd82b540a7bbd'
+        '08a77b118db14f520a9a3fa8ee257eaa03fded9d7267e29836f1d5eeb65b2c875ec081eddc3e71473dd4ea50a0a43346c5a60a89362b02bab601d0e78331c7f8')

 build() {
  a2x -v -f manpage update-ca-trust.8.txt
@ -29,8 +39,16 @@ build() {

 package_ca-certificates-utils() {
  pkgdesc+=" (utilities)"
-  depends=(bash coreutils findutils 'p11-kit>=0.24.0')
-  provides=(ca-certificates ca-certificates-java)
+  depends=(
+    bash
+    coreutils
+    findutils
+    p11-kit
+  )
+  provides=(
+    ca-certificates
+    ca-certificates-java
+  )
  conflicts=(ca-certificates-java)
  replaces=(ca-certificates-java)
  install=ca-certificates-utils.install
@ -39,32 +57,43 @@ package_ca-certificates-utils() {
  install -Dt "$pkgdir/usr/share/man/man8" -m644 update-ca-trust.8
  install -Dt "$pkgdir/usr/share/libalpm/hooks" -m644 *.hook

+  local etcdir="$pkgdir/etc/$pkgbase"
+  local ssldir="$pkgdir/etc/ssl"
+  local usrdir="$pkgdir/usr/share/$pkgbase"
+
  # Trust source directories
-  install -Dm644 README.etc "$pkgdir/etc/$pkgbase/README"
-  install -Dm644 README.src "$pkgdir/etc/$pkgbase/trust-source/README"
-  install -Dm644 README.usr "$pkgdir/usr/share/$pkgbase/trust-source/README"
-  install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blocklist}
+  install -Dm644 README.etc "$etcdir/README"
+  install -Dm644 README.src "$etcdir/trust-source/README"
+  install -Dm644 README.usr "$usrdir/trust-source/README"
+  install -d {"$etcdir","$usrdir"}/trust-source/{anchors,blocklist}

  # Directories used by update-ca-trust (aka "trust extract-compat")
-  install -Dm644 README.etcssl "$pkgdir/etc/ssl/README"
-  install -Dm644 README.java   "$pkgdir/etc/ssl/certs/java/README"
-  install -Dm644 README.extr   "$pkgdir/etc/$pkgbase/extracted/README"
+  install -Dm644 README.etcssl "$ssldir/README"
+  install -Dm644 README.java   "$ssldir/certs/java/README"
+  install -Dm644 README.extr   "$etcdir/extracted/README"

  # Compatibility link for OpenSSL using /etc/ssl as CAdir
  # Used in preference to the individual links in /etc/ssl/certs
-  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/cert.pem"
+  ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/cert.pem"

  # Compatibility link for legacy bundle (Debian)
-  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-certificates.crt"
+  ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-certificates.crt"

  # Compatibility link for legacy bundle (RHEL/Fedora)
-  ln -sr "$pkgdir/etc/$pkgbase/extracted/tls-ca-bundle.pem" "$pkgdir/etc/ssl/certs/ca-bundle.crt"
+  ln -sr "$etcdir/extracted/tls-ca-bundle.pem" "$ssldir/certs/ca-bundle.crt"
+
+  # FIXME: Make "$ssldir/certs/java/cacerts" a packaged symlink, too
 }

 package_ca-certificates() {
-  pkgdesc+=" (default providers)"
-  depends=(ca-certificates-mozilla)
-  conflicts=('ca-certificates-cacert<=20140824-4')
+  pkgdesc+=" - default providers"
+  license=(CC0-1.0)
+  depends=(
+    ca-certificates-mozilla
+  )
+  conflicts=(
+    'ca-certificates-cacert<=20140824-4'
+  )
  replaces=("${conflicts[@]}")
 }

--- a/ca-certificates/README.extr
+++ b/ca-certificates/README.extr
@ -7,20 +7,42 @@ The files are as follows:

  - ca-bundle.trust.crt:

-    This file is in the BEGIN/END TRUSTED CERTIFICATE file format, 
-    as described in the x509(1) manual page.
+    Contains CA certificates in the BEGIN/END TRUSTED CERTIFICATE file format.
+
+    This is the only file in a format carrying distrust information.
+    Distrusted certificates are missing from the other files.
+
+  - email-ca-bundle.pem:
+
+    Contains CA certificates trusted for E-Mail protection in the
+    BEGIN/END CERTIFICATE file format.
+
+  - objsign-ca-bundle.pem:
+
+    Contains CA certificates trusted for code signing in the
+    BEGIN/END CERTIFICATE file format.
+
+  - tls-ca-bundle.pem:
+
+    Contains CA certificates trusted for TLS server authentication in the
+    BEGIN/END CERTIFICATE file format.
+
+  - cadir/:
+
+    Directory containing individual certificates trusted for TLS server
+    authentication in the BEGIN/END CERTIFICATE file format.
+
+    Also includes the necessary hash symlinks expected by OpenSSL.

  - edk2-cacerts.bin:

-    This file is in the EDK2 (EFI Development Kit II) file format.
+    Contains CA certificates trusted for TLS server authentication in the
+    EDK2 (EFI Development Kit II) file format.

-  - email-ca-bundle.pem, objsign-ca-bundle.pem, tls-ca-bundle.pem:
+  - java-cacerts.jks:

-    All files are in the BEGIN/END CERTIFICATE file format, 
-    as described in the x509(1) manual page.
-
-    Distrust information cannot be represented in this file format,
-    and distrusted certificates are missing from these files.
+    Contains CA certificates trusted for TLS server authentication in the
+    Java KeyStore file format.

 If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
 then you can use these files in your application to load a list of global
--- a/ca-certificates/update-ca-trust
+++ b/ca-certificates/update-ca-trust
@ -1,7 +1,8 @@
 #!/bin/bash

-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must
+set -eu
+
+# For backwards compatibility reasons, future versions of this script must
 # support the syntax "update-ca-trust extract" trigger the generation of output
 # files in $DEST.

@ -10,33 +11,114 @@ DEST=/etc/ca-certificates/extracted
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1

-extract() {
-  trust extract --overwrite "$@"
+usage() {
+  fold -s -w 79 >&2 <<EOF
+Usage: $0 [extract] [-o DIR|--output=DIR]
+
+Update the system trust store in $DEST.
+
+COMMANDS
+  (absent/empty command): Same as the extract command described below.
+
+  extract: Instruct update-ca-trust to scan the source configuration in
+  /usr/share/ca-certificates/trust-source and /etc/ca-certificates/trust-source
+  and produce updated versions of the consolidated configuration files stored
+  below the $DEST directory hierarchy.
+
+EXTRACT OPTIONS
+  -o DIR, --output=DIR: Write the extracted trust store into the given
+                        directory instead of updating
+                        $DEST.
+EOF
 }

-## Simple PEM bundles
-extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth  $DEST/tls-ca-bundle.pem
-extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email        $DEST/email-ca-bundle.pem
-extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem
+extract() {
+  local dest="$DEST" f=

-## OpenSSL PEM bundle that includes trust flags
-extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt
+  # can't use getopt here. ca-certificates can't depend on a lot
+  # of other libraries since openssl depends on ca-certificates
+  # just fail when we hand parse

-## TianoCore EDK II bundle
-extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin
+  while (( $# != 0 )); do
+    case "$1" in
+      "-o"|"--output")
+        dest="$2"
+        shift 2
+        continue
+        ;;
+      "--")
+        shift
+        break
+        ;;
+      *)
+        usage
+        exit 1
+        ;;
+    esac
+  done

-## Java bundle
-extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts
+  mkdir -p "$dest"

-## OpenSSL-style directory with individual PEM files and hash links
-# The directory-format extractors remove all files in the target directory, but not directories or files therein
-extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir
+  # Simple PEM bundles (BEGIN CERTIFICATE)
+  trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
+    --purpose=server-auth "$dest/tls-ca-bundle.pem"
+  trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
+    --purpose=email "$dest/email-ca-bundle.pem"
+  trust extract --overwrite --comment --format=pem-bundle --filter=ca-anchors \
+    --purpose=code-signing "$dest/objsign-ca-bundle.pem"

-# We don't want to have to remove everything from the certs directory but neither
-# do we want to leave stale certs around, so only place symlinks in the real cadir
-for f in $DEST/cadir/*; do
-  ln -fsr -t /etc/ssl/certs "$f"
-done
+  # OpenSSL PEM bundle that includes trust flags (BEGIN TRUSTED CERTIFICATE)
+  trust extract --overwrite --comment --format=openssl-bundle \
+    --filter=certificates "$dest/ca-bundle.trust.crt"

-# Now find and remove all broken symlinks
-find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+  # TianoCore EDK II bundle
+  trust extract --overwrite --format=edk2-cacerts --filter=ca-anchors \
+    --purpose=server-auth "$dest/edk2-cacerts.bin"
+
+  # Java KeyStore bundle
+  trust extract --overwrite --format=java-cacerts --filter=ca-anchors \
+    --purpose=server-auth "$dest/java-cacerts.jks"
+
+  # Hashed directory of simple PEM certs
+  # (BEGIN CERTIFICATE, usable as OpenSSL CApath and by GnuTLS)
+  trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors \
+    --purpose=server-auth "$dest/cadir"
+
+  if [[ $dest == $DEST ]]; then
+    # We can't extract directly to /etc/ssl/certs as this would indiscriminately
+    # empty the directory, but it contains packaged symlinks and directories.
+
+    # Symlink all files from the extracted cadir
+    for f in "$dest"/cadir/*; do
+      ln -fsr -t /etc/ssl/certs "$f"
+    done
+
+    # Now find and remove all broken symlinks
+    find -L /etc/ssl/certs -maxdepth 1 -type l -delete
+
+    ln -fsr "$dest/java-cacerts.jks" /etc/ssl/certs/java/cacerts
+  fi
+}
+
+if (( $# < 1 )); then
+    set -- extract
+fi
+
+case "$1" in
+  "extract")
+    shift
+    extract $@
+  ;;
+  "--"*|"-"*)
+    # First parameter seems to be an option, assume the command is 'extract'
+    extract $@
+  ;;
+  *)
+    echo >&2 "Error: Unknown command: $1"
+    echo >&2
+    usage
+    exit 1
+  ;;
+esac
+
+# vim:set sw=2 sts=-1 et:
--- a/ca-certificates/update-ca-trust.8.txt
+++ b/ca-certificates/update-ca-trust.8.txt
@ -27,7 +27,7 @@ certificates and associated trust

 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']


 DESCRIPTION
@ -36,7 +36,7 @@ update-ca-trust(8) is used to manage a consolidated and dynamic configuration
 feature of Certificate Authority (CA) certificates and associated trust.

 The feature is available for new applications that read the
-consolidated configuration files found in the /etc/ssl/certs or /etc/ca-certificates/extracted directories
+consolidated configuration files found in the /etc/ca-certificates/extracted directory
 or that load the PKCS#11 module p11-kit-trust.so

 Parts of the new feature are also provided in a way to make it useful
@ -52,7 +52,7 @@ for classic configuration files and for the classic NSS trust module named libns

 In order to enable legacy applications, that read the classic files or 
 access the classic module, to make use of the new consolidated and dynamic configuration 
-feature, some classic filenames have been changed to symbolic links.
+feature, the classic filenames have been changed to symbolic links.
 The symbolic links refer to dynamically created and consolidated 
 output stored below the /etc/ca-certificates/extracted directory hierarchy.

@ -143,12 +143,12 @@ Please refer to the x509(1) manual page for the documentation of the
 BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.

 Applications that rely on a static file for a list of trusted CAs
-may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
-directories. After modifying any file in the
+may load one of the files found in the /etc/ca-certificates/extracted
+directory. After modifying any file in the
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories or in any of their subdirectories, or after adding a file, 
 it is necessary to run the 'update-ca-trust extract' command,
-in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
+in order to update the consolidated files in /etc/ca-certificates/extracted/ .

 Applications that load the classic PKCS#11 module using filename libnssckbi.so 
 (which has been converted into a symbolic link pointing to the new module)
@ -161,7 +161,7 @@ the dynamically merged set of certificates and trust information stored in the
 [[extractconf]]
 EXTRACTED CONFIGURATION
 -----------------------
-The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate 
+The directory /etc/ca-certificates/extracted/ contains generated CA certificate 
 bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> 
 by running the 'update-ca-trust extract' command.

@ -169,7 +169,7 @@ If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
 then you can use these files in your application to load a list of global
 root CA certificates.

-Please never manually edit the files stored in these directories,
+Please never manually edit the files stored in this directory,
 because your changes will be lost and the files automatically overwritten,
 each time the 'update-ca-trust extract' command gets executed.

@ -178,22 +178,19 @@ please rather install them in the respective subdirectory below the
 /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
 directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.

-The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
-Distrust information cannot be represented in this format,
-and distrusted certificates are missing from these files.
-
-The directory /etc/ssl/certs/java contains 
+The directory /etc/ca-certificates/extracted/ contains 
 a CA certificate bundle in the java keystore file format.
 Distrust information cannot be represented in this file format,
 and distrusted certificates are missing from these files.
-File cacerts contains CA certificates trusted for TLS server authentication.
+File java-cacerts.jks contains CA certificates trusted for TLS server authentication.

-The directory /etc/ca-certificates/extracted contains 
-a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
+It also contains 
+CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format, 
 as described in the x509(1) manual page.
 File ca-bundle.trust.crt contains the full set of all trusted
 or distrusted certificates, including the associated trust flags.
-It also contains
+
+It also contains 
 CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, 
 as described in the x509(1) manual page.
 Distrust information cannot be represented in this file format,
@ -204,6 +201,7 @@ File email-ca-bundle.pem contains CA certificates
 trusted for E-Mail protection.
 File objsign-ca-bundle.pem contains CA certificates 
 trusted for code signing.
+
 It also contains a CA
 certificate bundle ("edk2-cacerts.bin") in the "sequence of
 EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
@ -216,34 +214,46 @@ server authentication.

 COMMANDS
 --------
-(absent/empty command)::
-    Same as the *extract* command described below. (However, the command may
-    print fewer warnings, as this command is being run during package 
-    installation, where non-fatal status output is undesired.)
+(absent/empty command)
+~~~~~~~~~~~~~~~~~~~~~~
+Same as the *extract* command described below. (However, the command may print
+fewer warnings, as this command is being run during rpm package installation,
+where non-fatal status output is undesired.)

-*extract*::
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
-    updated versions of the consolidated configuration files stored below
-    the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies.
+extract
+~~~~~~~
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
+produce updated versions of the consolidated configuration files stored below
+the /etc/ca-certificates/extracted directory hierarchy.
+
+EXTRACT OPTIONS
+^^^^^^^^^^^^^^^
+*-o DIR*, *--output=DIR*::
+	Write the extracted trust store into the given directory instead of
+	updating /etc/ca-certificates/extracted.

 FILES
 -----
-/etc/ssl/certs::
-	Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	Also includes the necessary hash symlinks expected by OpenSSL.
-	These files are symbolic links that are maintained by the update-ca-trust command.
-
-/etc/ssl/certs/ca-certificates.crt::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
-
 /etc/ssl/cert.pem::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

-/etc/ssl/java/cacerts::
+/etc/ssl/certs/::
+	Classic directory, contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	Also includes the necessary hash symlinks expected by OpenSSL.
+	The files are symbolic links that refer to the output created by the update-ca-trust command.
+
+/etc/ssl/certs/ca-bundle.crt::
+	Classic filename for compatibility with RHEL/Fedora, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+	Classic filename for compatibility with Debian, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/certs/java/cacerts::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
-	This file is consolidated output created by the update-ca-trust command.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

 /usr/share/ca-certificates/trust-source::
 	Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
@ -256,8 +266,8 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.

-/etc/ca-certificates/extracted/tls-ca-bundle.pem::
-	File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+/etc/ca-certificates/extracted/ca-bundle.trust.crt::
+	File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
 	This file is consolidated output created by the update-ca-trust command.

 /etc/ca-certificates/extracted/email-ca-bundle.pem::
@ -268,11 +278,11 @@ FILES
 	File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.

-/etc/ca-certificates/extracted/ca-bundle.trust.crt::
-	File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+/etc/ca-certificates/extracted/tls-ca-bundle.pem::
+	File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.

-/etc/ca-certificates/extracted/cadir::
+/etc/ca-certificates/extracted/cadir/::
 	Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
 	Also includes the necessary hash symlinks expected by OpenSSL.
 	These files are maintained by the update-ca-trust command.
@ -281,6 +291,10 @@ FILES
 	File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
 	This file is consolidated output created by the update-ca-trust command.

+/etc/ca-certificates/extracted/java-cacerts.jks::
+	File contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+	This file is consolidated output created by the update-ca-trust command.
+
 AUTHOR
 ------
-Written by Kai Engert and Stef Walter.
+Written by Kai Engert and Stef Walter for Fedora. Modified for Arch Linux by Jan Alexander Steffens (heftig).