diff --git a/.copr/Makefile b/.copr/Makefile
new file mode 100644
index 0000000..3e9b524
--- /dev/null
+++ b/.copr/Makefile
@@ -0,0 +1,12 @@
+#!/usr/bin/make
+
+SHELL := bash
+
+source:
+ dnf -y install cmake gcc gcc-c++
+ cmake --fresh -DBUILD_RPMS=ON -B build -S .
+ cmake --build build --target srpm
+
+srpm: source
+ mkdir -p $(outdir)
+ cp dist/*.src.rpm $(outdir)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..f7a3440
--- /dev/null
+++ b/.github/workflows/ci.yml
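Review bot: In `.copr/Makefile`, `source` and `srpm` are ordinary file targets, so a file or directory named `source` in the tree makes make treat the build recipe as up to date and skip it; add `.PHONY: source srpm`. `$(outdir)` is supplied by the caller and is expanded unquoted in `mkdir -p $(outdir)` and `cp dist/*.src.rpm $(outdir)`, so a value with spaces or an empty value changes what those commands operate on. I would quote it as `"$(outdir)"` and fail early when it is unset, for example with `$(if $(outdir),,$(error outdir is not set))` at the top of the `srpm` recipe.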
@@ -0,0 +1,58 @@
+name: Build and Release CI
+on:
+ push:
+ schedule:
+ - cron: '30 3 * * *'
+ workflow_dispatch:
+
+jobs:
+ release-ci:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.get_metadata.outputs.version }}
+ tag: ${{ steps.get_metadata.outputs.tag }}
+ to_release: ${{ steps.newtag.outputs.to_release }}
+
+ steps:
+ - name: Local checkout
+ uses: actions/checkout@v4
+
+ - name: Install CI dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get -y -qq install cmake g++ gcc
+
+ - name: Get latest package metadata
+ id: get_metadata
+ run: |
+ cmake --fresh -B build -S .
+ echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
+ echo "version=$(cat build/version)" >> $GITHUB_OUTPUT
+
+ - name: Check if package version has corresponding git tag
+ id: tagged
+ shell: bash
+ run: |
+ git show-ref \
+ --tags --verify --quiet -- \
+ "refs/tags/${{ steps.get_metadata.outputs.tag }}" \
+ && echo tagged=1 >> $GITHUB_OUTPUT \
+ || echo tagged=0 >> $GITHUB_OUTPUT
+
+ - name: Create new tag and set to_release
+ id: newtag
+ if: steps.tagged.outputs.tagged == 0
+ run: |
+ git tag ${{ steps.get_metadata.outputs.tag }} \
+ && echo to_release=1 >> $GITHUB_OUTPUT \
+ && git push origin ${{ steps.get_metadata.outputs.tag }} \
+ || exit 0
+
+ build-fedora:
+ needs: release-ci
+ uses: ./.github/workflows/fedora.yml
+ with:
+ containers: "['fedora:latest', 'fedora:41']"
+ version: ${{ needs.release-ci.outputs.version }}
+ to_release: ${{ needs.release-ci.outputs.to_release }}
+ tag: ${{ needs.release-ci.outputs.tag }}
diff --git a/.github/workflows/fedora.yml b/.github/workflows/fedora.yml
new file mode 100644
index 0000000..acb7316
--- /dev/null
+++ b/.github/workflows/fedora.yml
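Review bot: In `.github/workflows/ci.yml`, the `newtag` step writes `to_release=1` before `git push origin …` has run and then masks any failure with `|| exit 0`, so a rejected push still lets `build-fedora` attempt a release. The trigger is a bare `push:`, so this path runs for every branch, and no `permissions:` block is declared, which leaves the token scope to the repository default; I would restrict tagging to the release branch and grant `contents: write` only on the jobs that tag or publish. The tag is also expanded with `${{ … }}` inside the script text; it comes from `build/version`, which the checked-out tree generates, so passing it through `env:` keeps it out of the shell source. A rewritten step is sketched below.

```yaml
      - name: Create new tag and set to_release
        # … unchanged: id and if …
        env:
          TAG: ${{ steps.get_metadata.outputs.tag }}
        run: |
          git tag "$TAG"
          git push origin "$TAG"
          # Only announce a release once the tag exists on the remote.
          echo "to_release=1" >> "$GITHUB_OUTPUT"
```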
@@ -0,0 +1,70 @@
+on:
+ workflow_call:
+ inputs:
+ containers:
+ default: "['fedora:latest']"
+ required: false
+ type: string
+ tag:
+ required: true
+ type: string
+ to_release:
+ default: "0"
+ required: false
+ type: string
+ version:
+ required: true
+ type: string
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build:
+ strategy:
+ max-parallel: 2
+ matrix:
+ image: ${{ fromJson(inputs.containers) }}
+ runs-on: ubuntu-latest
+ container: ${{ matrix.image }}
+
+ steps:
+ - name: Prepare - local checkout
+ uses: actions/checkout@v4
+
+ - name: Prepare - install build dependencies
+ run: |
+ dnf -y install \
+ cmake \
+ gcc \
+ gcc-c++ \
+ git \
+ openssl \
+ rpm-build \
+ rpmdevtools \
+ tar
+
+ - name: Prepare - setup RPM build tree
+ run: |
+ rpmdev-setuptree
+
+ - name: Prepare - configure the source
+ run: |
+ cmake -B $(pwd)/build -S $(pwd)
+
+ - name: Build - create source tarball and SRPM package
+ run: |
+ cmake --build $(pwd)/build --target srpm
+
+ - name: Build - create RPM package
+ run: |
+ cmake --build $(pwd)/build --target rpms
+
+ - name: Publish - create GitHub release
+ uses: softprops/action-gh-release@v2
+ if: inputs.to_release == 1
+ with:
+ tag_name: ${{ inputs.tag }}
+ files: |
+ dist/*.rpm
diff --git a/CPackLists.txt b/CPackLists.txt
index 476a254..f86a7db 100644
--- a/CPackLists.txt
+++ b/CPackLists.txt
@@ -6,6 +6,7 @@ set(CPACK_VERBATIM_VARIABLES YES) set(SourceIgnoreFiles ".cache" + ".copr" ".clang-format" ".clangd" ".git/"
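Review bot: In `.github/workflows/fedora.yml`, the publish step runs the third-party action `softprops/action-gh-release@v2` from a mutable tag while it holds a token that can create releases. The uploaded `dist/*.rpm` packages install CA trust anchors, so a changed action revision would sit directly in the path of what users end up trusting; I would pin it to a reviewed commit, `uses: softprops/action-gh-release@<full-commit-sha> # v2`, and treat `actions/checkout@v4` the same way. The publish step also runs once per matrix image, so every leg uploads into the same release; if that is intended, a comment on the step saying so would help the next reader.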
@@ -59,12 +60,84 @@ configure_file( @ONLY ) +if(BUILD_RPMS) +CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in" + "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec" + @ONLY + IMMEDIATE +) + +set(CPACK_GENERATOR "RPM") +set(CPACK_SOURCE_GENERATOR "RPM") +set(CPACK_RPM_USER_PACKAGE_SOURCES ON) +set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}") +set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec") +endif() + include(CPack) +add_custom_target(build-rpms) +add_custom_target(no-build-rpms) + +add_custom_command( + TARGET build-rpms + POST_BUILD + COMMAND "${CMAKE_COMMAND}" + -DBUILD_RPMS=ON + -B "${CMAKE_BINARY_DIR}" + -S "${CMAKE_SOURCE_DIR}" + VERBATIM + USES_TERMINAL +) + +add_custom_command( + TARGET no-build-rpms + POST_BUILD + COMMAND "${CMAKE_COMMAND}" + -DBUILD_RPMS=OFF + -B "${CMAKE_BINARY_DIR}" + -S "${CMAKE_SOURCE_DIR}" + VERBATIM + USES_TERMINAL +) + +add_custom_target(srpm + COMMAND "${CMAKE_COMMAND}" + --build "${CMAKE_BINARY_DIR}" + --target package_source + DEPENDS build-rpms + VERBATIM + USES_TERMINAL +) + +add_custom_target(rpms + COMMAND rpmbuild + --rebuild + --define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}" + "${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm" + DEPENDS build-rpms srpm + VERBATIM + USES_TERMINAL +) + +add_custom_command( + TARGET rpms + POST_BUILD + COMMAND /bin/sh -c "find \ + \"${CPACK_OUTPUT_FILE_PREFIX}/\" \ + -mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \ + && find \"${CPACK_OUTPUT_FILE_PREFIX}\" \ + -type d -empty -delete \ + " + VERBATIM + USES_TERMINAL +) + add_custom_target(sdist COMMAND "${CMAKE_COMMAND}" --build "${CMAKE_BINARY_DIR}" --target package_source + DEPENDS no-build-rpms VERBATIM USES_TERMINAL ) @@ -73,6 +146,7 @@ add_custom_target(bdist COMMAND "${CMAKE_COMMAND}" --build "${CMAKE_BINARY_DIR}" --target package + DEPENDS no-build-rpms VERBATIM USES_TERMINAL ) 
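Review bot: In `CPackLists.txt`, the POST_BUILD cleanup on `rpms` splices `${CPACK_OUTPUT_FILE_PREFIX}` into a `/bin/sh -c` script that runs `find … -exec mv` and `find … -type d -empty -delete`; if that variable is ever empty the script operates on `/`, and the Fedora CI containers presumably run it as root. The variable is set outside this hunk, so I cannot confirm it is always non-empty. I would fail at configure time when it is empty and pass the directory to the script as a positional argument instead of interpolating it, as sketched below. Separately, `build-rpms` and `no-build-rpms` re-run the configure step on the same build tree with opposite `-DBUILD_RPMS` values, so building `srpm` and `sdist` in one parallel invocation would race on the cache; a comment above those targets saying they must not be combined would help.

```cmake
if("${CPACK_OUTPUT_FILE_PREFIX}" STREQUAL "")
  message(FATAL_ERROR "CPACK_OUTPUT_FILE_PREFIX must be set before the rpms target is defined")
endif()

# … unchanged: add_custom_target(rpms …) …

add_custom_command(
  TARGET rpms
  POST_BUILD
  # The output directory arrives as $1, so it is never parsed as shell text.
  COMMAND /bin/sh -c
    "find \"$1/\" -mindepth 2 -type f -exec mv -- {} \"$1/\" \; && find \"$1\" -type d -empty -delete"
    flatten-rpms
    "${CPACK_OUTPUT_FILE_PREFIX}"
  VERBATIM
  USES_TERMINAL
)
```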
diff --git a/packaging/pkg.spec.in b/packaging/pkg.spec.in
new file mode 100644
index 0000000..a7840e0
--- /dev/null
+++ b/packaging/pkg.spec.in
@@ -0,0 +1,55 @@
+%global debug_package %{nil}
+%global source_date_epoch_from_changelog 0
+
+%define __openssl %{_bindir}/openssl
+
+Name: ca-certificates-brazil
+Version: @CPACK_PACKAGE_VERSION@
+Release: %{autorelease}
+Summary: The ICP-Brasil root certificate bundle
+
+License: Public Domain
+URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital
+Source0: %{name}-%{version}.tar.gz
+
+BuildArch: noarch
+BuildRequires: %{__openssl}
+BuildRequires: %{_bindir}/cmake
+BuildRequires: %{_bindir}/mktemp
+BuildRequires: %{_bindir}/unzip
+BuildRequires: gcc
+BuildRequires: gcc-c++
+
+%description
+The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
+of trust that enables the issuance of digital certificates for the virtual
+identification of citizens.
+
+It is observed that the model adopted by Brazil was single-root certification,
+and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
+also has the role of accrediting and discrediting the other participants in the
+chain, supervise and audit the processes.
+
+%prep
+%autosetup -n %{name}-%{version}.src
+%{cmake}
+
+%build
+%{cmake_build}
+
+%install
+%{__rm} -rf %{buildroot}
+%{cmake_install}
+
+
+%files
+%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
+%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+
+
+%post -p %{_bindir}/update-ca-trust
+%postun -p %{_bindir}/update-ca-trust
+
+%changelog
+%autochangelog
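Review bot: In `packaging/pkg.spec.in`, `%files` installs `isrg-root-x2.crt` and `lets-encrypt-ca-bundle.crt` into `ca-trust-source/anchors` next to `icp-brasil-ca-bundle.crt`, but `Name`, `Summary` and `%description` mention only ICP-Brasil. Files in that directory are picked up as system trust anchors when `update-ca-trust` runs in `%post`, so the package metadata should tell an administrator exactly which roots they are accepting. I would add a sentence to `%description` such as `Installing this package adds the ICP-Brasil roots, ISRG Root X2 and the Let's Encrypt CA bundle to the system trust store.`, or move the Let's Encrypt files into a subpackage. Where the `.crt` files come from and how they are verified at build time is outside this hunk.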