From 33192b3bb5eb408a0bf175eeb1f5b8864c3ef902 Mon Sep 17 00:00:00 2001 From: Christian Tosta Date: Wed, 16 Apr 2025 08:39:53 -0300 Subject: [PATCH] CA PKI update tool autodetection (legacy/p11kit) --- CMakeLists.txt | 57 ++++++++++++++++++++++++++++++++++++++------------ CPackLists.txt | 12 ++++++++--- 2 files changed, 53 insertions(+), 16 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ddb010c..bac51b4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,7 +1,19 @@ cmake_minimum_required(VERSION 3.16) project(ca-certificates-brazil) -string(TIMESTAMP PROJECT_VERSION "%Y%m%d") +set(HASH_FILE "hashsha512.txt") + +execute_process( + COMMAND bash -c + "date +%Y.%m.%d \ + -d \"$( \ + curl -ksI $(grep ${HASH_FILE} ${CMAKE_SOURCE_DIR}/sources) \ + | grep -iPo '^Last-Modified: \\K[\\S ]*' + )\" + " + OUTPUT_VARIABLE PROJECT_VERSION + OUTPUT_STRIP_TRAILING_WHITESPACE +) set(SourceFiles "${CMAKE_SOURCE_DIR}/cmake" @@ -15,9 +27,7 @@ include(CPackLists.txt) add_custom_target(clear-certs COMMAND rm -rf certs/ - isrg-root-x2.crt - lets-encrypt-ca-bundle.crt - icp-brasil-ca-bundle.crt + pki/ ) add_custom_target(certs @@ -26,14 +36,16 @@ add_custom_target(certs --create-dirs --output-dir certs -ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources - && unzip -d certs certs/ACcompactado.zip + && cd certs + && (sha512sum -c --quiet ${HASH_FILE} || exit -1) + && unzip ACcompactado.zip DEPENDS clear-certs ) add_custom_target(isrg-root-x2.crt COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh - buildroot/share/pki/ca-trust-source/anchors/isrg-root-x2.crt + pki/ca-trust-source/anchors/isrg-root-x2.crt certs/isrg-root-x2.pem DEPENDS certs 
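Review bot: The `execute_process` that derives `PROJECT_VERSION` in the first CMakeLists.txt hunk makes every configure run depend on a network fetch with certificate validation disabled (`curl -ksI`), and it never checks whether the pipeline worked. Add `RESULT_VARIABLE version_rc` and stop with `message(FATAL_ERROR ...)` when it is non-zero or `PROJECT_VERSION` is empty. The shell's status is that of the outer `date`, and GNU `date -d ""` may still print today's date, so validating the `Last-Modified` value before calling `date` is the more reliable guard. `grep ${HASH_FILE}` treats the `.` in the file name as a regex wildcard; `grep -F` matches it literally. The command also assumes bash, GNU date and a PCRE-enabled grep on the build host, which deserves a comment above the call.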
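Review bot: The `sha512sum -c --quiet ${HASH_FILE}` step added to the `certs` target does not authenticate the download, because the hash file appears to come from the same `sources` list and is fetched by the same `curl ... -ksO` call, where `-k` turns off TLS certificate validation. Anyone able to alter the transfer can replace `ACcompactado.zip` and `hashsha512.txt` together, and the result is later installed as system trust anchors. Compare against a digest committed to the repository (for example `sha512sum -c ${CMAKE_CURRENT_SOURCE_DIR}/<pinned-hash-file>`, the file name being a placeholder), or validate TLS against a pinned CA with curl's `--cacert` instead of `-k`. `exit -1` is not a portable exit status and is redundant inside the `&&` chain. The opening lines of the `certs` target lie outside this hunk.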
@@ -41,7 +53,7 @@ add_custom_target(isrg-root-x2.crt add_custom_target(lets-encrypt-ca-bundle.crt COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh - buildroot/share/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt + pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt certs/lets-encrypt-e1.pem certs/lets-encrypt-e2.pem certs/lets-encrypt-r3.pem 
@@ -52,26 +64,45 @@ add_custom_target(lets-encrypt-ca-bundle.crt add_custom_target(icp-brasil-ca-bundle.crt COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh - buildroot/share/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt + pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt certs/*.crt DEPENDS certs ) -add_custom_target(archors ALL +add_custom_target(anchors ALL DEPENDS isrg-root-x2.crt lets-encrypt-ca-bundle.crt icp-brasil-ca-bundle.crt ) +# Checks which tool is used to update certificate keyring +find_program(UPDATE_CACERTS_TOOL + NAMES + update-ca-certificates + update-ca-trust + REQUIRED +) +message("-- Check for CA certificates update tool: ${UPDATE_CACERTS_TOOL}") +string(REGEX MATCH "update-ca-trust" P11KIT UPDATE_CACERTS_TOOL) +string(REGEX MATCH "update-ca-certificates" LEGACY UPDATE_CACERTS_TOOL) + +# Set install destination directory according the used tool +if(DEFINED P11KIT) + set(CACERT_INSTALL_DIR "share/pki/ca-trust-source/anchors") +else() + set(CACERT_INSTALL_DIR "share/ca-certificates/extra") +endif() +message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}") + install( FILES - ${CMAKE_CURRENT_BINARY_DIR}/buildroot/share/pki/ca-trust-source/anchors/isrg-root-x2.crt - ${CMAKE_CURRENT_BINARY_DIR}/buildroot/share/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt - ${CMAKE_CURRENT_BINARY_DIR}/buildroot/share/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt + ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/isrg-root-x2.crt + ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt + ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt DESTINATION - ./share/pki/ca-trust-source/anchors + ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR} ) # vim: ts=2:sw=2:sts=2:et diff --git a/CPackLists.txt b/CPackLists.txt index f20006a..476a254 100644 --- a/CPackLists.txt +++ b/CPackLists.txt 
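Review bot: The tool detection after `find_program` never selects the legacy path. Both `string(REGEX MATCH ...)` calls pass the literal text `UPDATE_CACERTS_TOOL` as input rather than its value, and `if(DEFINED P11KIT)` is always true because `string(REGEX MATCH)` sets its output variable to an empty string when nothing matches. As written, hosts that only have `update-ca-certificates` still get `share/pki/ca-trust-source/anchors`, so the installed anchors would likely not be picked up there. Use `string(REGEX MATCH "update-ca-trust" P11KIT "${UPDATE_CACERTS_TOOL}")` and test `if(P11KIT)`. The `REQUIRED` keyword of `find_program` needs CMake 3.18, while the file declares `cmake_minimum_required(VERSION 3.16)`.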
@@ -30,10 +30,16 @@ set(SourceIgnoreFiles string(REPLACE "." "\\\." SourceIgnoreFiles "${SourceIgnoreFiles}") string(REPLACE "/" "\\\/" SourceIgnoreFiles "${SourceIgnoreFiles}") +# Override install prefix for package target +string(REGEX REPLACE "^/(.*)" "\\1" + CPACK_PACKAGING_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}" +) +set(CPACK_SET_DESTDIR ON) + set(CPACK_GENERATOR "TGZ") -set(CPACK_TOPLEVEL_TAG "") +set(CPACK_PACKAGE_TOPLEVEL_TAG "noarch") set(CPACK_INCLUDE_TOPLEVEL_DIRECTORY 0) -set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}") +set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}.${CPACK_PACKAGE_TOPLEVEL_TAG}") set(CPACK_IGNORE_FILES "${SourceIgnoreFiles}") set(CPACK_OUTPUT_CONFIG_FILE "${PROJECT_BINARY_DIR}/CPackConfig.cmake") configure_file( @@ -63,7 +69,7 @@ add_custom_target(sdist USES_TERMINAL ) -add_custom_target(dist +add_custom_target(bdist COMMAND "${CMAKE_COMMAND}" --build "${CMAKE_BINARY_DIR}" --target package
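Review bot: The comment `# Override install prefix for package target` in the first CPackLists.txt hunk does not explain why the leading `/` is stripped from `CMAKE_INSTALL_PREFIX` or why `CPACK_SET_DESTDIR` is switched on. Presumably both exist because the `install()` rule in CMakeLists.txt now uses an absolute `${CMAKE_INSTALL_PREFIX}/...` destination. The comment should say so, e.g. `# install() uses an absolute DESTINATION, so package through DESTDIR and keep archive paths relative`. It is also worth confirming that `CPACK_PACKAGING_INSTALL_PREFIX` is still consulted once `CPACK_SET_DESTDIR` is ON, since the two mechanisms may be alternatives.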