CA PKI update tool autodetection (legacy/p11kit)

2025-12-06 01:22:38 -03:00 · 2025-04-16 08:39:53 -03:00
parent f3835684cf
commit 33192b3bb5
2 changed files with 53 additions and 16 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,7 +1,19 @@
 cmake_minimum_required(VERSION 3.16)

 project(ca-certificates-brazil)
-string(TIMESTAMP PROJECT_VERSION "%Y%m%d")
+set(HASH_FILE "hashsha512.txt")
+
+execute_process(
+  COMMAND bash -c 
+    "date +%Y.%m.%d \
+      -d \"$( \
+      curl -ksI $(grep ${HASH_FILE} ${CMAKE_SOURCE_DIR}/sources) \
+        | grep -iPo '^Last-Modified: \\K[\\S ]*'
+      )\"
+    "
+  OUTPUT_VARIABLE PROJECT_VERSION
+  OUTPUT_STRIP_TRAILING_WHITESPACE
+)

 set(SourceFiles 
  "${CMAKE_SOURCE_DIR}/cmake"
@@ -15,9 +27,7 @@ include(CPackLists.txt)
 add_custom_target(clear-certs
  COMMAND rm -rf 
    certs/
-    isrg-root-x2.crt
-    lets-encrypt-ca-bundle.crt
-    icp-brasil-ca-bundle.crt
+    pki/
 )

 add_custom_target(certs
@@ -26,14 +36,16 @@ add_custom_target(certs
      --create-dirs 
      --output-dir certs 
      -ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
-    && unzip -d certs certs/ACcompactado.zip
+    && cd certs
+    && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
+    && unzip ACcompactado.zip
  DEPENDS
    clear-certs
 )

 add_custom_target(isrg-root-x2.crt
  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh 
-    buildroot/share/pki/ca-trust-source/anchors/isrg-root-x2.crt
+    pki/ca-trust-source/anchors/isrg-root-x2.crt
    certs/isrg-root-x2.pem
  DEPENDS
    certs
@@ -41,7 +53,7 @@ add_custom_target(isrg-root-x2.crt

 add_custom_target(lets-encrypt-ca-bundle.crt
  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
-    buildroot/share/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+    pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
    certs/lets-encrypt-e1.pem
    certs/lets-encrypt-e2.pem
    certs/lets-encrypt-r3.pem
@@ -52,26 +64,45 @@ add_custom_target(lets-encrypt-ca-bundle.crt

 add_custom_target(icp-brasil-ca-bundle.crt
  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
-    buildroot/share/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+    pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
    certs/*.crt
  DEPENDS
    certs
 )

-add_custom_target(archors ALL
+add_custom_target(anchors ALL
  DEPENDS
    isrg-root-x2.crt
    lets-encrypt-ca-bundle.crt
    icp-brasil-ca-bundle.crt
 )

+# Checks which tool is used to update certificate keyring
+find_program(UPDATE_CACERTS_TOOL
+  NAMES
+    update-ca-certificates
+    update-ca-trust
+  REQUIRED
+)
+message("-- Check for CA certificates update tool: ${UPDATE_CACERTS_TOOL}")
+string(REGEX MATCH "update-ca-trust" P11KIT UPDATE_CACERTS_TOOL)
+string(REGEX MATCH "update-ca-certificates" LEGACY UPDATE_CACERTS_TOOL)
+
+# Set install destination directory according the used tool
+if(DEFINED P11KIT)
+  set(CACERT_INSTALL_DIR "share/pki/ca-trust-source/anchors")
+else()
+  set(CACERT_INSTALL_DIR "share/ca-certificates/extra")
+endif()
+message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}")
+
 install(
  FILES
-    ${CMAKE_CURRENT_BINARY_DIR}/buildroot/share/pki/ca-trust-source/anchors/isrg-root-x2.crt
-    ${CMAKE_CURRENT_BINARY_DIR}/buildroot/share/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
-    ${CMAKE_CURRENT_BINARY_DIR}/buildroot/share/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/isrg-root-x2.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
  DESTINATION
-    ./share/pki/ca-trust-source/anchors
+    ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
 )

 # vim: ts=2:sw=2:sts=2:et
--- a/CPackLists.txt
+++ b/CPackLists.txt
@@ -30,10 +30,16 @@ set(SourceIgnoreFiles
 string(REPLACE "." "\\\." SourceIgnoreFiles "${SourceIgnoreFiles}")
 string(REPLACE "/" "\\\/" SourceIgnoreFiles "${SourceIgnoreFiles}")

+# Override install prefix for package target
+string(REGEX REPLACE "^/(.*)" "\\1" 
+  CPACK_PACKAGING_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}"
+)
+set(CPACK_SET_DESTDIR ON)
+
 set(CPACK_GENERATOR "TGZ")
-set(CPACK_TOPLEVEL_TAG "")
+set(CPACK_PACKAGE_TOPLEVEL_TAG "noarch")
 set(CPACK_INCLUDE_TOPLEVEL_DIRECTORY 0)
-set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}")
+set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}.${CPACK_PACKAGE_TOPLEVEL_TAG}")
 set(CPACK_IGNORE_FILES "${SourceIgnoreFiles}")
 set(CPACK_OUTPUT_CONFIG_FILE "${PROJECT_BINARY_DIR}/CPackConfig.cmake")
 configure_file(
@@ -63,7 +69,7 @@ add_custom_target(sdist
  USES_TERMINAL
 )

-add_custom_target(dist
+add_custom_target(bdist
  COMMAND "${CMAKE_COMMAND}"
    --build "${CMAKE_BINARY_DIR}"
    --target package