From 44da037acbb6f11874d82c55afc46db072984c08 Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Oct 10 2023 00:23:28 +0000 Subject: update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix rhbz#2242727 --- diff --git a/ca-certificates.spec b/ca-certificates.spec index 3cf6006..97530b0 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -38,7 +38,7 @@ Name: ca-certificates Version: 2023.2.62_v7.0.401 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 3%{?dist} +Release: 4%{?dist} License: MIT AND GPL-2.0-or-later URL: https://fedoraproject.org/wiki/CA-Certificates @@ -319,7 +319,7 @@ fi #fi # if ln is available, go ahead and run the ca-legacy and update # scripts. If not, wait until %posttrans. -if [ -x %{_bindir}/ln ] && [ -x %{_bindir}/getopt ]; then +if [ -x %{_bindir}/ln ]; then %{_bindir}/ca-legacy install %{_bindir}/update-ca-trust fi @@ -404,6 +404,9 @@ fi %changelog +* Mon Oct 09 2023 Robert Relyea 2023.2.62_v7.0.401-4 +- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix + * Sat Oct 07 2023 Adam Williamson - 2023.2.62_v7.0.401-3 - Skip %post if getopt is missing (recent change made update-ca-trust use it) diff --git a/update-ca-trust b/update-ca-trust index 4c27e82..473fa8f 100644 --- a/update-ca-trust +++ b/update-ca-trust 
@@ -35,49 +35,39 @@ usage() { extract() { USER_DEST= - if ! TEMP=$(getopt -o "ho:" --long "help,output:" -n "$0" -- "$@"); then - echo >&2 "" - usage - exit 1 - fi - eval set -- "$TEMP" - unset TEMP - - while true; do - case "$1" in - "-o"|"--output") - USER_DEST=$2 - shift 2 - continue - ;; - "--") - shift - break - ;; - *) - usage - exit 1 - ;; - esac + # can't use getopt here. ca-certificates can't depend on a lot + # of other libraries since openssl depends on ca-certificates + # just fail when we hand parse + + while [ $# -ne 0 ]; do + case "$1" in + "-o"|"--output") + USER_DEST=$2 + shift 2 + continue + ;; + "--") + shift + break + ;; + *) + usage + exit 1 + ;; + esac done - if [ $# -ne 0 ]; then - echo >&2 "Error: Unexpected positional arguments:" "$@" - echo >&2 - usage - exit - fi if [ -n "$USER_DEST" ]; then DEST=$USER_DEST + # Attempt to create the directories if they do not exist + # yet (rhbz#2241240) + /usr/bin/mkdir -p \ + "$DEST"/openssl \ + "$DEST"/pem \ + "$DEST"/java \ + "$DEST"/edk2 fi - # Attempt to create the directories if they do not exist yet (rhbz#2241240) - mkdir -p \ - "$DEST"/openssl \ - "$DEST"/pem \ - "$DEST"/java \ - "$DEST"/edk2 - # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" @@ -93,7 +83,9 @@ extract() { # p11-kit extract will have made this directory unwritable; when run with # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may # not be the case. See rhbz#2241240. - chmod u+w "$DEST/pem/directory-hash" + if [ -n "$USER_DEST" ]; then + /usr/bin/chmod u+w "$DEST/pem/directory-hash" + fi # Debian compatibility: their /etc/ssl/certs has this bundle /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt" 
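Review bot: In the hand-written option loop, the `"-o"|"--output")` arm reads `$2` and runs `shift 2` without checking that a value was supplied, so a trailing `-o` leaves `USER_DEST` empty and, depending on the shell, either aborts on the failed shift or keeps looping because nothing was shifted before `continue`. A guard as the first line of that arm, `[ $# -ge 2 ] || { usage; exit 1; }`, restores the rejection that getopt used to provide. The check for leftover positional arguments is gone as well, so anything after `--` is silently ignored, and `-h`/`--help` and `--output=DIR` now fall into `*)` and exit 1; a short comment listing the accepted forms would make that narrowing explicit. Because this script regenerates the trust bundles and is run from the package scriptlets, a malformed invocation should fail loudly rather than quietly fall back to the default `DEST`. extract() begins in this hunk but its body continues past the hunk's end.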
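Review bot: The new `if [ -n "$USER_DEST" ]` guard around `/usr/bin/chmod u+w "$DEST/pem/directory-hash"` ties the permission fix to the `-o` option, while the comment directly above it describes a different condition, namely running without CAP_DAC_OVERRIDE. For a default-destination run in such an environment the directory presumably stays unwritable and the following `ln -s` calls fail; nothing in the hunk checks their exit status, so the compatibility links could go missing without an error. Either keep the chmod unconditional, or extend the comment with the reason it is limited to `-o`, which the hunk does not state. The same guard is added around `chmod u-w` in the next hunk and should be handled the same way. This code sits inside extract(), which starts and ends outside the hunk.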
@@ -102,20 +94,22 @@ extract() { /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt" # Remove write permissions again - chmod u-w "$DEST/pem/directory-hash" + if [ -n "$USER_DEST" ]; then + /usr/bin/chmod u-w "$DEST/pem/directory-hash" + fi } - -if [ "$#" -lt 1 ]; then - set -- extract +if [ $# -lt 1 ]; then + set -- extract fi + case "$1" in "extract") shift - extract "$@" + extract $@ ;; "--"*|"-"*) # First parameter seems to be an option, assume the command is 'extract' - extract "$@" + extract $@ ;; *) echo >&2 "Error: Unknown command: $1"
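Review bot: Both dispatch arms now call `extract $@` without quotes, so every argument is word-split and glob-expanded before extract() parses it. A destination containing a space is split into several words and rejected by the `*)` arm, and one containing glob characters can resolve to a different existing path than the caller named, which matters for a script that writes trust bundles into that path. The removed `extract "$@"` was correct and needs no extra dependency, so keep the quoted form in both the `"extract")` and `"--"*|"-"*)` arms: `extract "$@"`. The `case` statement continues past the end of the hunk.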