Commit febc87f0 authored by Natanael Copa's avatar Natanael Copa

main/ca-certificates: run c_rehash as a hook from update.d

Instead of running c_rehash directly, we run it as a hook from update.d.

We also:
- update the man-page to be more correct.
- remove obsolete lua script
parent f488459f
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ca-certificates
pkgver=20160104
pkgrel=0
pkgrel=1
pkgdesc="Common CA certificates PEM files"
url="http://packages.debian.org/sid/ca-certificates"
arch="all"
......@@ -11,12 +11,22 @@ depends="openssl"
makedepends="python"
subpackages="$pkgname-doc"
options="!fhs"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
source="http://ftp.no.debian.org/debian/pool/main/c/$pkgname/${pkgname}_${pkgver}.tar.xz
fix-manpage.patch
update-ca.c
"
_builddir="$srcdir"/$pkgname
prepare() {
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
}
build () {
cd "$_builddir"
make || return 1
......@@ -58,11 +68,20 @@ package() {
-etc/ssl/certs/ca-cert-*.pem
-etc/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[r0-9]*
EOF
cat > "$pkgdir"/etc/ca-certificates/update.d/c_rehash <<EOF
#!/bin/sh
exec /usr/bin/c_rehash /etc/ssl/certs
EOF
chmod +x "$pkgdir"/etc/ca-certificates/update.d/c_rehash || return 1
}
md5sums="d9665a83d0d3ef8176a38e6aa20458e9 ca-certificates_20160104.tar.xz
a4d6874d07ecee797b4c0f6a76f663bd update-ca.c"
0c3d9f5d795c7475b997e18498b7aec8 fix-manpage.patch
755477aff09e1b5909e4e6ef49671992 update-ca.c"
sha256sums="09eb770122e23260316120c0cbbddc8a1d33e7147210ce44e146084d5d5abcdd ca-certificates_20160104.tar.xz
ee01326ae155ae4f31fc6eb3e53ce667dce1eb4150d74e96f0d4f1eea3faf085 update-ca.c"
60b36c4881bb367891df038a0736456c2d170496de8c339026671008b1caa09b fix-manpage.patch
e6b4a05a363f131f3dab1d3c41c315b61be3de91a77aef8b98ea2ef8f28cadc4 update-ca.c"
sha512sums="4291ba58057b66d56853162b71862832135eab6f444a5e2cf3dd1089495d44624246dc0c540871851fe9aaceb42054516309402525c8f16a88911d3af9c3518a ca-certificates_20160104.tar.xz
97fc20703cca75418e38721b45020f9aec9e3e32ed2bc6e1c6632f5755a46602502291b5c780d8da371525f4ee2e74f94e8573f159cb8023591f23e6759d8afc update-ca.c"
690d6bb434fb3ccce931d7ee6a167124f9c2d2e7e7a016d85f7b72a5f7f7c34db8c6133f3575e962a91981a32a88f8961776fe5fd907e57f59c03a32f2fcced3 fix-manpage.patch
c8e14636b238fb5c2c50125530219425e23c7e78fca6e2de56a0057f8d86511ce2d95f6ced326d3395a574a2872ce09dea6d6b0651fd5b78e75e5f8aa404b378 update-ca.c"
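Review bot: The c_rehash hook written in package() drops the stdout redirection that both the removed Lua script (`> /dev/null`) and the old C code (dup2 to /dev/null before exec) applied, so every trigger run will now print c_rehash's per-certificate listing; if the quiet behaviour is still wanted the hook line should read `exec /usr/bin/c_rehash /etc/ssl/certs > /dev/null`. The heredoc `cat > "$pkgdir"/etc/ca-certificates/update.d/c_rehash <<EOF` is also unchecked while the chmod right after it carries `|| return 1`; putting `|| return 1` on the cat line keeps the two consistent. Whether update.d is created with mkdir -p earlier in package() cannot be seen here, since the rendering cut most of this hunk's context. package() starts before the hunk.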
--- ./sbin/update-ca-certificates.8.orig 2016-01-14 10:56:42.084504796 +0100
+++ ./sbin/update-ca-certificates.8 2016-01-14 10:57:21.685102125 +0100
@@ -40,9 +40,7 @@
/usr/local/share/ca-certificates are also included as implicitly trusted.
.PP
Before terminating, \fBupdate-ca-certificates\fP invokes
-\fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with
-a list of certificates: those added are prefixed with a +, those removed are
-prefixed with a -.
+\fBrun-parts\fP on /etc/ca-certificates/update.d.
.SH OPTIONS
A summary of options is included below.
.TP
#!/usr/bin/lua5.2
local CERTSDIR='/usr/share/ca-certificates/'
local LOCALCERTSDIR='/usr/local/share/ca-certificates/'
local ETCCERTSDIR='/etc/ssl/certs/'
local CERTBUNDLE='ca-certificates.crt'
local CERTSCONF='/etc/ca-certificates.conf'
local posix = require 'posix'
function string.begins(str, prefix) return str:sub(1,#prefix)==prefix end
local function add(fn, out, links)
-- Map fn to file in etc
local pem = "ca-cert-"..fn:gsub('.*/', ''):gsub('.crt$',''):gsub('[, ]','_'):gsub('[()]','=')..".pem"
links[pem] = fn
-- Read the certificate for the bundle
local f = io.open(fn, "rb")
if f ~= nil then
local content = f:read("*all")
f:close()
out:write(content)
if content:sub(-1) ~= '\n' then out:write('\n') end
end
end
local calinks = {}
local cacerts = {}
local fd, tmpfile = posix.mkstemp(ETCCERTSDIR..'bundleXXXXXX')
if not fd then
print("Failed to open temporary file for ca bundle")
return 1
end
posix.close(fd)
posix.chmod(tmpfile, "rw-r--r--")
local bundle = io.open(tmpfile, "wb")
-- Handle global CA certs from config file
for l in io.lines(CERTSCONF) do
local firstchar = l:sub(1,1)
if firstchar ~= "#" and firstchar ~= "!" then
add(CERTSDIR..l, bundle, calinks)
end
end
-- Handle local CA certificates
local certlist = posix.glob(LOCALCERTSDIR..'*.crt')
if certlist ~= nil then
table.sort(certlist)
for _, fn in ipairs(certlist) do
if posix.stat(fn, 'type') == 'regular' then
add(fn, bundle, calinks)
end
end
end
-- Update etc cert dir for additions and deletions
local f, target
for f in posix.files(ETCCERTSDIR) do
local fn = ETCCERTSDIR..f
if posix.stat(fn, 'type') == 'link' then
local curtgt = posix.readlink(fn)
local target = calinks[f]
if target == nil then
-- Symlink exists but is not wanted
-- Delete it if it points to 'our' directory
if curtgt:begins(CERTSDIR) or curtgt:begins(LOCALCERTSDIR) then
os.remove(fn)
end
elseif curtgt ~= target then
-- Symlink exists but points wrong
posix.link(target, ETCCERTSDIR..f, true)
else
-- Symlink exists and is ok
calinks[f] = nil
end
end
end
for f, target in pairs(calinks) do
posix.link(target, ETCCERTSDIR..f, true)
end
-- Update hashes and the bundle
bundle:close()
os.rename(tmpfile, ETCCERTSDIR..CERTBUNDLE)
os.execute("c_rehash "..ETCCERTSDIR.." > /dev/null")
......@@ -15,6 +15,7 @@
#define CERTSDIR "/usr/share/ca-certificates/"
#define LOCALCERTSDIR "/usr/local/share/ca-certificates/"
#define ETCCERTSDIR "/etc/ssl/certs/"
#define RUNPARTSDIR "/etc/ca-certificates/update.d/"
#define CERTBUNDLE "ca-certificates.crt"
#define CERTSCONF "/etc/ca-certificates.conf"
......@@ -316,13 +317,9 @@ int main(int a, char **v)
free(tmpfile);
/* Execute c_rehash */
int nullfd = open("/dev/null", O_WRONLY);
if (nullfd == -1)
return 1;
dup2(nullfd, STDOUT_FILENO);
char* c_rehash_args[] = { "/usr/bin/c_rehash", ETCCERTSDIR, 0 };
execve(c_rehash_args[0], c_rehash_args, NULL);
/* Execute run-parts */
char* run_parts_args[] = { "run-parts", RUNPARTSDIR, 0 };
execvpe(run_parts_args[0], run_parts_args, NULL);
return 0;
}
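Review bot: In the new tail of main(), execvpe() returns only on failure, so the `return 0;` that follows it reports success precisely when run-parts could not be started and no hook ran; the same fall-through existed with the old execve() call, and this rewrite is the place to fix it by replacing the final line with `perror("run-parts");` and `return 1;`. The bare "run-parts" name combined with a NULL envp also deserves a second look: the old code exec'd the absolute /usr/bin/c_rehash, whereas a PATH lookup for a helper that runs as root during package triggers depends on the caller's environment, and the hooks themselves are started with an empty environment, which is presumably fine for the c_rehash hook's absolute path but worth confirming for any other update.d script. main() starts before the hunk.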