ca-certificates/SOURCES/update-ca-trust

#!/bin/sh

#set -vx
set -eu

# For backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.

DEST=/etc/pki/ca-trust/extracted

# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1

usage() {
	fold -s -w 76 >&2 <<-EOF
		Usage: $0 [extract] [-o DIR|--output=DIR]

		Update the system trust store in $DEST.

		COMMANDS
		(absent/empty command): Same as the extract command without arguments.

		extract: Instruct update-ca-trust to scan the source configuration in
		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
		updated versions of the consolidated configuration files stored below
		the $DEST directory hierarchy.

		EXTRACT OPTIONS
		-o DIR, --output=DIR: Write the extracted trust store into the given
		directory instead of updating $DEST.
	EOF
}

extract() {
	USER_DEST=

        # can't use getopt here. ca-certificates can't depend on a lot
        # of other libraries since openssl depends on ca-certificates
        # just fail when we hand parse

        while [ $# -ne 0 ]; do
	    case "$1" in
	      "-o"|"--output")
		  if [ $# -lt 2 ]; then
			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
			  echo >&2
			  exit 1
		  fi
	          USER_DEST=$2
		  shift 2
		  continue
		  ;;
		"--")
		  shift
		  break
		  ;;
		*)
		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
		  exit 1
		  ;;
	    esac
	done

	if [ -n "$USER_DEST" ]; then
		DEST=$USER_DEST
	        # Attempt to create the directories if they do not exist
                # yet (rhbz#2241240)
	        /usr/bin/mkdir -p \
		    "$DEST"/openssl \
		    "$DEST"/pem \
		    "$DEST"/java \
		    "$DEST"/edk2
	fi

	# OpenSSL PEM bundle that includes trust flags
	# (BEGIN TRUSTED CERTIFICATE)
	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
	# by GnuTLS)
	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"

	# p11-kit extract will have made this directory unwritable; when run with
	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
	# not be the case. See rhbz#2241240.
	if [ -n "$USER_DEST" ]; then
	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
        fi

	# Debian compatibility: their /etc/ssl/certs has this bundle
	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"

	# Remove write permissions again
	if [ -n "$USER_DEST" ]; then
	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
        fi
}

if [ $# -lt 1 ]; then
    set -- extract
fi

case "$1" in
	"extract")
		shift
		extract "$@"
	;;
	"--help")
		usage
		exit 0
	;;
	"-o"|"--output")
		echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
		echo >&2
		exit 1
	;;
	"enable")
		echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
		echo >&2
		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
		extract
	;;
	*)
		echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
		echo >&2
		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
		extract
	;;
esac
import ca-certificates-2022.2.54-90.2.el9_0 2 years ago			`#!/bin/sh`

			`#set -vx`
import ca-certificates-2024.2.69_v8.0.303-91.4.el9_4 4 weeks ago			`set -eu`
import ca-certificates-2022.2.54-90.2.el9_0 2 years ago
import ca-certificates-2024.2.69_v8.0.303-91.4.el9_4 4 weeks ago			`# For backwards compatibility reasons, future versions of this script must`
			`# support the syntax "update-ca-trust extract" trigger the generation of output`
import ca-certificates-2022.2.54-90.2.el9_0 2 years ago			`# files in $DEST.`

			`DEST=/etc/pki/ca-trust/extracted`

			`# Prevent p11-kit from reading user configuration files.`
			`export P11_KIT_NO_USER_CONFIG=1`

import ca-certificates-2024.2.69_v8.0.303-91.4.el9_4 4 weeks ago			`usage() {`
			`fold -s -w 76 >&2 <<-EOF`
			`Usage: $0 [extract] [-o DIR\|--output=DIR]`

			`Update the system trust store in $DEST.`

			`COMMANDS`
			`(absent/empty command): Same as the extract command without arguments.`

			`extract: Instruct update-ca-trust to scan the source configuration in`
			`/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce`
			`updated versions of the consolidated configuration files stored below`
			`the $DEST directory hierarchy.`

			`EXTRACT OPTIONS`
			`-o DIR, --output=DIR: Write the extracted trust store into the given`
			`directory instead of updating $DEST.`
			`EOF`
			`}`

			`extract() {`
			`USER_DEST=`

			`# can't use getopt here. ca-certificates can't depend on a lot`
			`# of other libraries since openssl depends on ca-certificates`
			`# just fail when we hand parse`

			`while [ $# -ne 0 ]; do`
			`case "$1" in`
			`"-o"\|"--output")`
			`if [ $# -lt 2 ]; then`
			`echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."`
			`echo >&2`
			`exit 1`
			`fi`
			`USER_DEST=$2`
			`shift 2`
			`continue`
			`;;`
			`"--")`
			`shift`
			`break`
			`;;`
			`*)`
			`echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."`
			`exit 1`
			`;;`
			`esac`
			`done`

			`if [ -n "$USER_DEST" ]; then`
			`DEST=$USER_DEST`
			`# Attempt to create the directories if they do not exist`
			`# yet (rhbz#2241240)`
			`/usr/bin/mkdir -p \`
			`"$DEST"/openssl \`
			`"$DEST"/pem \`
			`"$DEST"/java \`
			`"$DEST"/edk2`
			`fi`

			`# OpenSSL PEM bundle that includes trust flags`
			`# (BEGIN TRUSTED CERTIFICATE)`
			`/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"`
			`/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"`
			`/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"`
			`/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"`
			`/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"`
			`/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"`
			`# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and`
			`# by GnuTLS)`
			`/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"`

			`# p11-kit extract will have made this directory unwritable; when run with`
			`# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may`
			`# not be the case. See rhbz#2241240.`
			`if [ -n "$USER_DEST" ]; then`
			`/usr/bin/chmod u+w "$DEST/pem/directory-hash"`
			`fi`

			`# Debian compatibility: their /etc/ssl/certs has this bundle`
			`/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"`
			`# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt`
			`# since https://bugzilla.redhat.com/show_bug.cgi?id=572725`
			`/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"`

			`# Remove write permissions again`
			`if [ -n "$USER_DEST" ]; then`
			`/usr/bin/chmod u-w "$DEST/pem/directory-hash"`
			`fi`
			`}`

			`if [ $# -lt 1 ]; then`
			`set -- extract`
			`fi`

			`case "$1" in`
			`"extract")`
			`shift`
			`extract "$@"`
			`;;`
			`"--help")`
			`usage`
			`exit 0`
			`;;`
			`"-o"\|"--output")`
			`echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."`
			`echo >&2`
			`exit 1`
			`;;`
			`"enable")`
			`echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."`
			`echo >&2`
			`echo >&2 "Proceeding with extraction anyway for backwards compatibility."`
			`extract`
			`;;`
			`*)`
			`echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."`
			`echo >&2`
			`echo >&2 "Proceeding with extraction anyway for backwards compatibility."`
			`extract`
			`;;`
			`esac`