main/ca-certificates: ditch python dep, symlink ca-certificates.crt

replace the python script with a perl+shell script to extract the certs. This helps us to avoid pull in python when bootstrapping. rename ca-certificates-cacert to ca-certificates-bundle, which is a better name for the precompiled bundle. We also ship a pregenerated ca-certificates.crt file and a /etc/ssl/cert.pem symlink. (fixes #10678)

main/ca-certificates: ditch python dep, symlink ca-certificates.crt
replace the python script with a perl+shell script to extract the certs. This helps us to avoid pull in python when bootstrapping. rename ca-certificates-cacert to ca-certificates-bundle, which is a better name for the precompiled bundle. We also ship a pregenerated ca-certificates.crt file and a /etc/ssl/cert.pem symlink. (fixes #10678)
7363758e · Natanael Copa · f2104c8e · 7363758e · 7363758e · 7363758e
Commit 7363758e authored Feb 06, 2020 by Natanael Copa
3 changed files
--- a/main/ca-certificates/0001-update-ca-fix-compiler-warning.patch
+++ b/main/ca-certificates/0001-update-ca-fix-compiler-warning.patch
+From 3184fe80e403b9dc6d5fe3b7ebcd9d375363e2e4 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 5 Feb 2020 14:42:38 +0100
+Subject: [PATCH 1/3] update-ca: fix compiler warning
+
+---
+ update-ca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/update-ca.c b/update-ca.c
+index 7bb4f1b..2b3195b 100644
+--- a/update-ca.c
+++ b/update-ca.c
+@@ -330,7 +330,7 @@ int main(int a, char **v)
+ 	free(tmpfile);
+ 
+ 	/* Execute run-parts */
+-	static const char *run_parts_args[] = { "run-parts", RUNPARTSDIR, 0 };
+	static char *const run_parts_args[] = { "run-parts", RUNPARTSDIR, 0 };
+ 	execve("/usr/bin/run-parts", run_parts_args, NULL);
+ 	execve("/bin/run-parts", run_parts_args, NULL);
+ 	perror("run-parts");
+-- 
+2.25.0
+
--- a/main/ca-certificates/0002-replace-python-script-with-perl-script.patch
+++ b/main/ca-certificates/0002-replace-python-script-with-perl-script.patch
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -2,42 +2,46 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ca-certificates
 pkgver=20191127
-pkgrel=1
-pkgdesc="Common CA certificates PEM files"
+pkgrel=2
+pkgdesc="Common CA certificates PEM files from Mozilla"
 url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
 arch="all"
 license="MPL-2.0 GPL-2.0-or-later"
-depends=""
-makedepends_build="python3"
+makedepends_build="perl"
 makedepends_host="openssl-dev"
-subpackages="$pkgname-doc $pkgname-cacert"
+subpackages="$pkgname-doc $pkgname-bundle"
 # c_rehash is either in libcrypto1.0 or openssl depending on package, grr.  replace both of them
 replaces="libcrypto1.0 openssl openssl1.0"
 options="!fhs !check"
 triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
 install="$pkgname.post-deinstall"
 source="https://git.alpinelinux.org/ca-certificates/snapshot/ca-certificates-$pkgver.tar.xz
+	0001-update-ca-fix-compiler-warning.patch
+	0002-replace-python-script-with-perl-script.patch
 	0003-update-ca-insert-newline-between-certs.patch
 	"
-builddir="$srcdir/ca-certificates-$pkgver"

 build() {
-	cd "$builddir"
 	make
 }

 package() {
-	cd "$builddir"
 	make install DESTDIR="$pkgdir"

 	(
-		echo "# Automatically generated by ${pkgname}-${pkgver}-${pkgrel}"
+		echo "# Automatically generated by $pkgname-$pkgver-$pkgrel"
 		echo "# $(date -u)"
 		echo "# Do not edit."
 		cd "$pkgdir"/usr/share/ca-certificates
 		find . -name '*.crt' | sort | cut -b3-
 	) > "$pkgdir"/etc/ca-certificates.conf

+	# generate the bundle in similar way as update-ca-certificates would do
+	for i in $(ls *.crt | sort); do
+		cat "$i"
+		printf "\n"
+	done > "$pkgdir"/etc/ssl/certs/ca-certificates.crt
+
 	mkdir -p "$pkgdir"/etc/apk/protected_paths.d
 	cat > "$pkgdir"/etc/apk/protected_paths.d/ca-certificates.list <<-EOF
 		-etc/ssl/certs/ca-certificates.crt
@@ -52,13 +56,18 @@ package() {
 	chmod +x "$pkgdir"/etc/ca-certificates/update.d/certhash
 }

-cacert() {
-	pkgdesc="Mozilla bundled certificates"
+bundle() {
+	pkgdesc="Pre generated bundle of Mozilla certificates"
 	replaces="libressl2.7-libcrypto"
-	mkdir -p "$subpkgdir"/etc/ssl
-	cat "$pkgdir"/usr/share/ca-certificates/mozilla/*.crt > \
+	provides="$pkgname-cacert=$pkgver-r$pkgrel"
+	mkdir -p "$subpkgdir"/etc/ssl/certs
+	mv "$pkgdir"/etc/ssl/certs/ca-certificates.crt \
+		"$subpkgdir"/etc/ssl/certs/
+	ln -s certs/ca-certificates.crt \
 		"$subpkgdir"/etc/ssl/cert.pem
 }

 sha512sums="68a879680a5e20764b8a4ee3019e9a008193c578a687b0d29694355a679c04cbfa94d4049beb3c52a899d593f46254c94d67db833f39e91325a4476963b9ef18  ca-certificates-20191127.tar.xz
+aafe6d9047380fc403792fbf27146dc9c0532ef401e6eb9bd8b533c110f902cad0a66701cf3563ad625d07ae54619e9f2f3091ec14772b92e178dbed142ecd97  0001-update-ca-fix-compiler-warning.patch
+4d9c71b9ea0596f5efaa188f244b7ab587f96c218bb6fed01f11e34c553909f65bbe660156f8300be9511ae50614661c5dcd3b493ac146a8e888f62fc52bd9d4  0002-replace-python-script-with-perl-script.patch
 051b5d78916ee7389dfbd4e8871aab720415bd6e9ee0313dba770fc40ee7c68ac67d7918f2503458a3218e3bfc10691b5e379b65269106fde02c7e7a36eb7595  0003-update-ca-insert-newline-between-certs.patch"