sigsolucoes/ca-certificates-brazil
3
0
Fork 0
mirror of https://github.com/ekaaty/ca-certificates-brazil.git synced 2025-12-06 01:22:38 -03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: sigsolucoes:c3e7f84ea474e3a7337d80cd52ea71f99d08d003
Branches Tags
sigsolucoes:main
sigsolucoes:v2025.11.25 sigsolucoes:v2025.10.07 sigsolucoes:v2025.08.22 sigsolucoes:v2025.08.01 sigsolucoes:v2025.07.04 sigsolucoes:v2025.05.28
..
compare: sigsolucoes:v2025.05.28
Branches Tags
sigsolucoes:main
sigsolucoes:v2025.11.25 sigsolucoes:v2025.10.07 sigsolucoes:v2025.08.22 sigsolucoes:v2025.08.01 sigsolucoes:v2025.07.04 sigsolucoes:v2025.05.28

6 Commits
c3e7f84ea4 ... v2025.05.2

Author SHA1 Message Date
Christian Tosta
37ed5325a6 Added documentation 2025-05-20 01:20:45 -03:00
Christian Tosta
98f868287c Changed GH schedule 
Runs at 1st and 15th day of each month at 4:30am
 2025-05-20 01:20:45 -03:00
Christian Tosta
784af0a893 [CI/CD] Added GH Workflows 
Signed-off-by: Leonardo Amaral <contato@leonardoamaral.com.br>
Co-authored-by: Leonardo Amaral <contato@leonardoamaral.com.br>
 2025-05-20 01:20:45 -03:00
Christian Tosta
c54459693c Save version on file 2025-05-20 01:20:45 -03:00
Christian Tosta
33192b3bb5 CA PKI update tool autodetection (legacy/p11kit) 2025-05-20 01:20:45 -03:00
Christian Tosta
f3835684cf Initial import 2025-05-20 01:20:34 -03:00
9 changed files with 282 additions and 75 deletions
Expand all files Collapse all files

12
.copr/Makefile Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/make
SHELL := bash
source:
dnf -y install cmake gcc gcc-c++
cmake --fresh -DBUILD_RPMS=ON -B build -S .
cmake --build build --target srpm
srpm: source
mkdir -p $(outdir)
cp dist/*.src.rpm $(outdir)

71
.github/workflows/build-rpm.yml vendored
View File

@@ -1,71 +0,0 @@
name: Build RPM Package
on:
push:
tags:
- v[0-9]+.[0-9]+.[0-9]+
jobs:
build-rpm:
name: Build and upload RPM packages
runs-on: ubuntu-latest
container:
image: fedora:latest
steps:
- uses: actions/checkout@v4
- name: install RPM build tools
run: |
dnf -y install \
cmake \
gcc \
gcc-c++ \
git \
rpm-build \
rpmdevtools \
tar
- name: Setup RPM build tree
run: |
rpmdev-setuptree
- name: Create source tarball
run: |
cmake -B build -S .
cmake --build build --target sdist
- name: Set environment variables
run: |
echo "PKG_NAME=ca-certificates-brazil" >> $GITHUB_ENV
echo "PKG_VERSION=$(grep \
-m1 -iPo '.*CPACK_PACKAGE_VERSION [\"]*\K[\S]*[^(\"\))]' \
build/CPackConfig.cmake) \
" >> $GITHUB_ENV
- name: Copy SOURCES and SPEC file
run: |
cp packaging/pkg.spec.in ~/rpmbuild/SPECS/${PKG_NAME}.spec
rpmdev-bumpspec -n ${PKG_VERSION} ~/rpmbuild/SPECS/${PKG_NAME}.spec
cp dist/*.src.tar.gz ~/rpmbuild/SOURCES/
- name: Build RPM
run: |
dnf -y builddep ~/rpmbuild/SPECS/ca-certificates-brazil.spec
rpmbuild -ba ~/rpmbuild/SPECS/ca-certificates-brazil.spec
- name: Upload built RPMs
uses: actions/upload-artifact@v4
with:
name: built-rpms
path: |
~/rpmbuild/RPMS/
~/rpmbuild/SRPMS/
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
if: github.ref_type == 'tag'
with:
generate_release_notes: true
files: |
~/rpmbuild/RPMS/**/*.rpm

58
.github/workflows/ci.yml vendored Normal file
View File

@@ -0,0 +1,58 @@
name: Build and Release CI
on:
push:
schedule:
- cron: '30 4 1,15 * *'
workflow_dispatch:
jobs:
release-ci:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.get_metadata.outputs.version }}
tag: ${{ steps.get_metadata.outputs.tag }}
to_release: ${{ steps.newtag.outputs.to_release }}
steps:
- name: Local checkout
uses: actions/checkout@v4
- name: Install CI dependencies
run: |
sudo apt-get update
sudo apt-get -y -qq install cmake g++ gcc
- name: Get latest package metadata
id: get_metadata
run: |
cmake --fresh -B build -S .
echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
echo "version=$(cat build/version)" >> $GITHUB_OUTPUT
- name: Check if package version has corresponding git tag
id: tagged
shell: bash
run: |
git show-ref \
--tags --verify --quiet -- \
"refs/tags/${{ steps.get_metadata.outputs.tag }}" \
&& echo tagged=1 >> $GITHUB_OUTPUT \
|| echo tagged=0 >> $GITHUB_OUTPUT
- name: Create new tag and set to_release
id: newtag
if: steps.tagged.outputs.tagged == 0
run: |
git tag ${{ steps.get_metadata.outputs.tag }} \
&& echo to_release=1 >> $GITHUB_OUTPUT \
&& git push origin ${{ steps.get_metadata.outputs.tag }} \
|| exit 0
build-fedora:
needs: release-ci
uses: ./.github/workflows/fedora.yml
with:
containers: "['fedora:latest', 'fedora:41']"
version: ${{ needs.release-ci.outputs.version }}
to_release: ${{ needs.release-ci.outputs.to_release }}
tag: ${{ needs.release-ci.outputs.tag }}

70
.github/workflows/fedora.yml vendored Normal file
View File

@@ -0,0 +1,70 @@
on:
workflow_call:
inputs:
containers:
default: "['fedora:latest']"
required: false
type: string
tag:
required: true
type: string
to_release:
default: "0"
required: false
type: string
version:
required: true
type: string
defaults:
run:
shell: bash
jobs:
build:
strategy:
max-parallel: 2
matrix:
image: ${{ fromJson(inputs.containers) }}
runs-on: ubuntu-latest
container: ${{ matrix.image }}
steps:
- name: Prepare - local checkout
uses: actions/checkout@v4
- name: Prepare - install build dependencies
run: |
dnf -y install \
cmake \
gcc \
gcc-c++ \
git \
openssl \
rpm-build \
rpmdevtools \
tar
- name: Prepare - setup RPM build tree
run: |
rpmdev-setuptree
- name: Prepare - configure the source
run: |
cmake -B $(pwd)/build -S $(pwd)
- name: Build - create source tarball and SRPM package
run: |
cmake --build $(pwd)/build --target srpm
- name: Build - create RPM package
run: |
cmake --build $(pwd)/build --target rpms
- name: Publish - create GitHub release
uses: softprops/action-gh-release@v2
if: inputs.to_release == 1
with:
tag_name: ${{ inputs.tag }}
files: |
dist/*.rpm

39
CMakeLists.txt
View File

@@ -15,6 +15,11 @@ execute_process(
OUTPUT_STRIP_TRAILING_WHITESPACE OUTPUT_STRIP_TRAILING_WHITESPACE
) )
execute_process(
COMMAND echo ${PROJECT_VERSION}
OUTPUT_FILE ${CMAKE_BINARY_DIR}/version
)
set(SourceFiles set(SourceFiles
"${CMAKE_SOURCE_DIR}/cmake" "${CMAKE_SOURCE_DIR}/cmake"
"${CMAKE_SOURCE_DIR}/CMakeLists.txt" "${CMAKE_SOURCE_DIR}/CMakeLists.txt"
@@ -27,9 +32,15 @@ include(CPackLists.txt)
add_custom_target(clear-certs add_custom_target(clear-certs
COMMAND rm -rf COMMAND rm -rf
certs/ certs/
docs/
pki/ pki/
) )
add_custom_target(clear-docs
COMMAND rm -rf
docs/
)
add_custom_target(certs add_custom_target(certs
COMMAND xargs -n1 COMMAND xargs -n1
curl curl
@@ -39,10 +50,19 @@ add_custom_target(certs
&& cd certs && cd certs
&& (sha512sum -c --quiet ${HASH_FILE} || exit -1) && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
&& unzip ACcompactado.zip && unzip ACcompactado.zip
&& rm -f ACcompactado.zip ${HASH_FILE}
DEPENDS DEPENDS
clear-certs clear-certs
) )
add_custom_target(docs ALL
COMMAND mkdir docs
&& mv certs/*.pdf docs/
DEPENDS
clear-docs
certs
)
add_custom_target(isrg-root-x2.crt add_custom_target(isrg-root-x2.crt
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
pki/ca-trust-source/anchors/isrg-root-x2.crt pki/ca-trust-source/anchors/isrg-root-x2.crt
@@ -77,6 +97,13 @@ add_custom_target(anchors ALL
icp-brasil-ca-bundle.crt icp-brasil-ca-bundle.crt
) )
# Checks for OpeSSL utility
find_program(OPENSSL
NAMES openssl openssl3
REQUIRED
)
message("-- Check for OpenSSL utility: ${OPENSSL}")
# Checks which tool is used to update certificate keyring # Checks which tool is used to update certificate keyring
find_program(UPDATE_CACERTS_TOOL find_program(UPDATE_CACERTS_TOOL
NAMES NAMES
@@ -105,4 +132,16 @@ install(
${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR} ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
) )
set(DOCS_INSTALL_DIR "share/doc/${PROJECT}")
install(
FILES
${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
${CMAKE_CURRENT_SOURCE_DIR}/README.md
${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
DESTINATION
${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
)
# vim: ts=2:sw=2:sts=2:et # vim: ts=2:sw=2:sts=2:et

74
CPackLists.txt
View File

@@ -6,6 +6,7 @@ set(CPACK_VERBATIM_VARIABLES YES)
set(SourceIgnoreFiles set(SourceIgnoreFiles
".cache" ".cache"
".copr"
".clang-format" ".clang-format"
".clangd" ".clangd"
".git/" ".git/"
@@ -59,12 +60,84 @@ configure_file(
@ONLY @ONLY
) )
if(BUILD_RPMS)
CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
"${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
@ONLY
IMMEDIATE
)
set(CPACK_GENERATOR "RPM")
set(CPACK_SOURCE_GENERATOR "RPM")
set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
endif()
include(CPack) include(CPack)
add_custom_target(build-rpms)
add_custom_target(no-build-rpms)
add_custom_command(
TARGET build-rpms
POST_BUILD
COMMAND "${CMAKE_COMMAND}"
-DBUILD_RPMS=ON
-B "${CMAKE_BINARY_DIR}"
-S "${CMAKE_SOURCE_DIR}"
VERBATIM
USES_TERMINAL
)
add_custom_command(
TARGET no-build-rpms
POST_BUILD
COMMAND "${CMAKE_COMMAND}"
-DBUILD_RPMS=OFF
-B "${CMAKE_BINARY_DIR}"
-S "${CMAKE_SOURCE_DIR}"
VERBATIM
USES_TERMINAL
)
add_custom_target(srpm
COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}"
--target package_source
DEPENDS build-rpms
VERBATIM
USES_TERMINAL
)
add_custom_target(rpms
COMMAND rpmbuild
--rebuild
--define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
"${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
DEPENDS build-rpms srpm
VERBATIM
USES_TERMINAL
)
add_custom_command(
TARGET rpms
POST_BUILD
COMMAND /bin/sh -c "find \
\"${CPACK_OUTPUT_FILE_PREFIX}/\" \
-mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
&& find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
-type d -empty -delete \
"
VERBATIM
USES_TERMINAL
)
add_custom_target(sdist add_custom_target(sdist
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}" --build "${CMAKE_BINARY_DIR}"
--target package_source --target package_source
DEPENDS no-build-rpms
VERBATIM VERBATIM
USES_TERMINAL USES_TERMINAL
) )
@@ -73,6 +146,7 @@ add_custom_target(bdist
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}" --build "${CMAKE_BINARY_DIR}"
--target package --target package
DEPENDS no-build-rpms
VERBATIM VERBATIM
USES_TERMINAL USES_TERMINAL
) )

16
README.md
View File

@@ -1,4 +1,5 @@
# ca-certificates-brazil # ca-certificates-brazil
---
The Brazilian Public Key Infrastructure: ICP-Brasil The Brazilian Public Key Infrastructure: ICP-Brasil
## Description ## Description
@@ -10,3 +11,18 @@ It is observed that the model adopted by Brazil was single-root certification,
and the ITI, in addition to playing the role of Root Certifying Authority - Root AC, and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
also has the role of accrediting and discrediting the other participants in the also has the role of accrediting and discrediting the other participants in the
chain, supervise and audit the processes. chain, supervise and audit the processes.
## Documentation
* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
)
* [Certification Practice Statement Root Certification Authority of Brazil](
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
)
* [Política de Segurança da AC-Raiz](
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
)
These files may also have been distributed within the installation package provided
by your distribution.

12
packaging/pkg.spec.in
View File

@@ -4,18 +4,21 @@
%define __openssl %{_bindir}/openssl %define __openssl %{_bindir}/openssl
Name: ca-certificates-brazil Name: ca-certificates-brazil
Version: __VERSION__ Version: @CPACK_PACKAGE_VERSION@
Release: %{autorelease} Release: %{autorelease}
Summary: The ICP-Brasil root certificate bundle Summary: The ICP-Brasil root certificate bundle
License: Public Domain License: Public Domain
URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital
Source0: %{name}-%{version}.src.tar.gz Source0: %{name}-%{version}.tar.gz
BuildArch: noarch BuildArch: noarch
BuildRequires: %{__openssl} BuildRequires: %{__openssl}
BuildRequires: %{_bindir}/cmake
BuildRequires: %{_bindir}/mktemp BuildRequires: %{_bindir}/mktemp
BuildRequires: %{_bindir}/unzip BuildRequires: %{_bindir}/unzip
BuildRequires: gcc
BuildRequires: gcc-c++
%description %description
The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
@@ -28,7 +31,7 @@ also has the role of accrediting and discrediting the other participants in the
chain, supervise and audit the processes. chain, supervise and audit the processes.
%prep %prep
%autosetup -c %autosetup -n %{name}-%{version}.src
%{cmake} %{cmake}
%build %build
@@ -40,6 +43,9 @@ chain, supervise and audit the processes.
%files %files
%doc %{_datadir}/doc/*.pdf
%doc %{_datadir}/doc/README.md
%license %{_datadir}/doc/LICENSE
%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt %{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt %{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt

3
sources
View File

@@ -5,3 +5,6 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
https://letsencrypt.org/certs/lets-encrypt-e2.pem https://letsencrypt.org/certs/lets-encrypt-e2.pem
https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-r4.pem https://letsencrypt.org/certs/lets-encrypt-r4.pem
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf