Added documentation

Runs at 1st and 15th day of each month at 4:30am

.copr/Makefile

@@ -0,0 +1,12 @@
+#!/usr/bin/make
+
+SHELL := bash
+
+source:
+	dnf -y install cmake gcc gcc-c++
+	cmake --fresh -DBUILD_RPMS=ON -B build -S .
+	cmake --build build --target srpm
+
+srpm: source
+	mkdir -p $(outdir)
+	cp dist/*.src.rpm $(outdir)

.github/workflows/ci.yml

@@ -0,0 +1,58 @@
+name: Build and Release CI
+on:
+  push:
+  schedule:
+    - cron: '30 4 1,15 * *'
+  workflow_dispatch:
+
+jobs:
+  release-ci:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_metadata.outputs.version }}
+      tag: ${{ steps.get_metadata.outputs.tag }}
+      to_release: ${{ steps.newtag.outputs.to_release }}
+
+    steps:
+      - name: Local checkout
+        uses: actions/checkout@v4
+
+      - name: Install CI dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y -qq install cmake g++ gcc
+
+      - name: Get latest package metadata
+        id: get_metadata
+        run: |
+          cmake --fresh -B build -S .
+          echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
+          echo "version=$(cat build/version)" >> $GITHUB_OUTPUT
+
+      - name: Check if package version has corresponding git tag
+        id: tagged
+        shell: bash
+        run: |
+          git show-ref \
+            --tags --verify --quiet -- \
+            "refs/tags/${{ steps.get_metadata.outputs.tag }}" \
+          && echo tagged=1 >> $GITHUB_OUTPUT \
+          || echo tagged=0 >> $GITHUB_OUTPUT
+
+      - name: Create new tag and set to_release
+        id: newtag
+        if: steps.tagged.outputs.tagged == 0
+        run: |
+          git tag ${{ steps.get_metadata.outputs.tag }} \
+          && echo to_release=1 >> $GITHUB_OUTPUT \
+          && git push origin ${{ steps.get_metadata.outputs.tag  }} \
+          || exit 0
+
+  build-fedora:
+    needs: release-ci
+    uses: ./.github/workflows/fedora.yml
+    with:
+      containers: "['fedora:latest', 'fedora:41']"
+      version: ${{ needs.release-ci.outputs.version }}
+      to_release: ${{ needs.release-ci.outputs.to_release }}
+      tag: ${{ needs.release-ci.outputs.tag }}

.github/workflows/fedora.yml

@@ -0,0 +1,70 @@
+on:
+  workflow_call:
+    inputs:
+      containers:
+        default: "['fedora:latest']"
+        required: false
+        type: string
+      tag:
+        required: true
+        type: string
+      to_release:
+        default: "0"
+        required: false
+        type: string
+      version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    strategy:
+      max-parallel: 2
+      matrix:
+        image: ${{ fromJson(inputs.containers) }}
+    runs-on: ubuntu-latest
+    container: ${{ matrix.image }}
+
+    steps:
+      - name: Prepare - local checkout
+        uses: actions/checkout@v4
+
+      - name: Prepare - install build dependencies
+        run: |
+          dnf -y install \
+            cmake \
+            gcc \
+            gcc-c++ \
+            git \
+            openssl \
+            rpm-build \
+            rpmdevtools \
+            tar
+
+      - name: Prepare - setup RPM build tree
+        run: |
+          rpmdev-setuptree
+
+      - name: Prepare - configure the source
+        run: |
+          cmake -B $(pwd)/build -S $(pwd)
+
+      - name: Build - create source tarball and SRPM package
+        run: |
+          cmake --build $(pwd)/build --target srpm
+
+      - name: Build - create RPM package
+        run: |
+          cmake --build $(pwd)/build --target rpms
+
+      - name: Publish - create GitHub release
+        uses: softprops/action-gh-release@v2
+        if: inputs.to_release == 1
+        with:
+          tag_name: ${{ inputs.tag }}
+          files: |
+            dist/*.rpm

.gitignore

@@ -0,0 +1,17 @@
+.cache
+.clang-format
+.clangd
+.idea
+
+cmake-build*
+build/
+ _CPack_Packages/
+ CMakeFiles/
+ Makefile
+ cmake_install.cmake
+ CPackConfig.cmake
+ CPackSourceConfig.cmake
+ CTestTestfile.cmake
+ CMakeCache.txt
+
+dist/

CMakeLists.txt

@@ -0,0 +1,147 @@
+cmake_minimum_required(VERSION 3.16)
+
+project(ca-certificates-brazil)
+set(HASH_FILE "hashsha512.txt")
+
+execute_process(
+  COMMAND bash -c 
+    "date +%Y.%m.%d \
+      -d \"$( \
+      curl -ksI $(grep ${HASH_FILE} ${CMAKE_SOURCE_DIR}/sources) \
+        | grep -iPo '^Last-Modified: \\K[\\S ]*'
+      )\"
+    "
+  OUTPUT_VARIABLE PROJECT_VERSION
+  OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+
+execute_process(
+  COMMAND echo ${PROJECT_VERSION}
+  OUTPUT_FILE ${CMAKE_BINARY_DIR}/version
+)
+
+set(SourceFiles 
+  "${CMAKE_SOURCE_DIR}/cmake"
+  "${CMAKE_SOURCE_DIR}/CMakeLists.txt"
+  "${CMAKE_SOURCE_DIR}/CPackLists.txt"
+  "${CMAKE_SOURCE_DIR}/sources"
+)
+
+include(CPackLists.txt)
+
+add_custom_target(clear-certs
+  COMMAND rm -rf 
+    certs/
+    docs/
+    pki/
+)
+
+add_custom_target(clear-docs
+  COMMAND rm -rf 
+    docs/
+)
+
+add_custom_target(certs
+  COMMAND xargs -n1 
+    curl 
+      --create-dirs 
+      --output-dir certs 
+      -ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
+    && cd certs
+    && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
+    && unzip ACcompactado.zip
+    && rm -f ACcompactado.zip ${HASH_FILE}
+  DEPENDS
+    clear-certs
+)
+
+add_custom_target(docs ALL
+  COMMAND mkdir docs 
+    && mv certs/*.pdf docs/
+  DEPENDS
+    clear-docs
+    certs
+)
+
+add_custom_target(isrg-root-x2.crt
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh 
+    pki/ca-trust-source/anchors/isrg-root-x2.crt
+    certs/isrg-root-x2.pem
+  DEPENDS
+    certs
+)
+
+add_custom_target(lets-encrypt-ca-bundle.crt
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
+    pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+    certs/lets-encrypt-e1.pem
+    certs/lets-encrypt-e2.pem
+    certs/lets-encrypt-r3.pem
+    certs/lets-encrypt-r4.pem
+  DEPENDS
+    certs
+)
+
+add_custom_target(icp-brasil-ca-bundle.crt
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
+    pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+    certs/*.crt
+  DEPENDS
+    certs
+)
+
+add_custom_target(anchors ALL
+  DEPENDS
+    isrg-root-x2.crt
+    lets-encrypt-ca-bundle.crt
+    icp-brasil-ca-bundle.crt
+)
+
+# Checks for OpeSSL utility
+find_program(OPENSSL
+  NAMES openssl openssl3
+  REQUIRED
+)
+message("-- Check for OpenSSL utility: ${OPENSSL}")
+
+# Checks which tool is used to update certificate keyring
+find_program(UPDATE_CACERTS_TOOL
+  NAMES
+    update-ca-certificates
+    update-ca-trust
+  REQUIRED
+)
+message("-- Check for CA certificates update tool: ${UPDATE_CACERTS_TOOL}")
+string(REGEX MATCH "update-ca-trust" P11KIT UPDATE_CACERTS_TOOL)
+string(REGEX MATCH "update-ca-certificates" LEGACY UPDATE_CACERTS_TOOL)
+
+# Set install destination directory according the used tool
+if(DEFINED P11KIT)
+  set(CACERT_INSTALL_DIR "share/pki/ca-trust-source/anchors")
+else()
+  set(CACERT_INSTALL_DIR "share/ca-certificates/extra")
+endif()
+message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}")
+
+install(
+  FILES
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/isrg-root-x2.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+  DESTINATION
+    ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
+)
+
+set(DOCS_INSTALL_DIR "share/doc/${PROJECT}")
+install(
+  FILES
+  ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
+    ${CMAKE_CURRENT_SOURCE_DIR}/README.md
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
+  DESTINATION
+    ${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
+)
+
+# vim: ts=2:sw=2:sts=2:et

CPackLists.txt

@@ -0,0 +1,154 @@
+cmake_minimum_required(VERSION 3.16)
+
+set(CPACK_PACKAGE_VERSION "${PROJECT_VERSION}")
+set(CPACK_OUTPUT_FILE_PREFIX "${PROJECT_SOURCE_DIR}/dist")
+set(CPACK_VERBATIM_VARIABLES YES)
+
+set(SourceIgnoreFiles 
+  ".cache"
+  ".copr"
+  ".clang-format"
+  ".clangd"
+  ".git/"
+  ".gitea/"
+  ".github/"
+  ".gitignore"
+  ".idea"
+  "CMakeCache.txt"
+  "CMakeFiles/"
+  "CPackConfig.cmake$"
+  "CPackSourceConfig.cmake"
+  "CTestTestfile.cmake"
+  "Makefile"
+  "_CPack_Packages/"
+  "build/"
+  "cmake-build*"
+  "cmake_install.cmake"
+  "dist/"
+)
+
+# Escape any '.' and '/' characters
+string(REPLACE "." "\\\." SourceIgnoreFiles "${SourceIgnoreFiles}")
+string(REPLACE "/" "\\\/" SourceIgnoreFiles "${SourceIgnoreFiles}")
+
+# Override install prefix for package target
+string(REGEX REPLACE "^/(.*)" "\\1" 
+  CPACK_PACKAGING_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}"
+)
+set(CPACK_SET_DESTDIR ON)
+
+set(CPACK_GENERATOR "TGZ")
+set(CPACK_PACKAGE_TOPLEVEL_TAG "noarch")
+set(CPACK_INCLUDE_TOPLEVEL_DIRECTORY 0)
+set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}.${CPACK_PACKAGE_TOPLEVEL_TAG}")
+set(CPACK_IGNORE_FILES "${SourceIgnoreFiles}")
+set(CPACK_OUTPUT_CONFIG_FILE "${PROJECT_BINARY_DIR}/CPackConfig.cmake")
+configure_file(
+  "${PROJECT_SOURCE_DIR}/cmake/CPackConfig.cmake.in"
+  "${PROJECT_BINARY_DIR}/CPackConfig.cmake"
+  @ONLY
+)
+
+set(CPACK_SOURCE_GENERATOR "TGZ")
+set(CPACK_SOURCE_TOPLEVEL_TAG "src")
+set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}.${CPACK_SOURCE_TOPLEVEL_TAG}")
+set(CPACK_SOURCE_IGNORE_FILES "${SourceIgnoreFiles}")
+set(CPACK_SOURCE_OUTPUT_CONFIG_FILE "${PROJECT_BINARY_DIR}/CPackSourceConfig.cmake")
+configure_file(
+  "${PROJECT_SOURCE_DIR}/cmake/CPackConfig.cmake.in"
+  "${PROJECT_BINARY_DIR}/CPackSourceConfig.cmake"
+  @ONLY
+)
+
+if(BUILD_RPMS)
+CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
+  "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
+  @ONLY 
+  IMMEDIATE
+)
+
+set(CPACK_GENERATOR "RPM")
+set(CPACK_SOURCE_GENERATOR "RPM")
+set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
+set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
+set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
+endif()
+
+include(CPack)
+
+add_custom_target(build-rpms)
+add_custom_target(no-build-rpms)
+
+add_custom_command(
+  TARGET build-rpms
+  POST_BUILD
+  COMMAND "${CMAKE_COMMAND}"
+    -DBUILD_RPMS=ON
+    -B "${CMAKE_BINARY_DIR}"
+    -S "${CMAKE_SOURCE_DIR}"
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_command(
+  TARGET no-build-rpms
+  POST_BUILD
+  COMMAND "${CMAKE_COMMAND}"
+    -DBUILD_RPMS=OFF
+    -B "${CMAKE_BINARY_DIR}"
+    -S "${CMAKE_SOURCE_DIR}"
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(srpm
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package_source
+  DEPENDS build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(rpms
+  COMMAND rpmbuild
+    --rebuild
+    --define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
+    "${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
+  DEPENDS build-rpms srpm
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_command(
+  TARGET rpms
+  POST_BUILD
+  COMMAND /bin/sh -c "find \
+    \"${CPACK_OUTPUT_FILE_PREFIX}/\" \
+    -mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
+    && find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
+    -type d -empty -delete \
+  "
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(sdist
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package_source
+  DEPENDS no-build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(bdist
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package
+  DEPENDS no-build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+# vim: ts=2:sw=2:sts=2:et:syntax=cmake

README.md

@@ -1,2 +1,28 @@
 # ca-certificates-brazil
+---
 The Brazilian Public Key Infrastructure:  ICP-Brasil
+
+## Description
+The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
+of trust that enables the issuance of digital certificates for the virtual
+identification of citizens.
+
+It is observed that the model adopted by Brazil was single-root certification,
+and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
+also has the role of accrediting and discrediting the other participants in the
+chain, supervise and audit the processes.
+
+## Documentation
+
+* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
+    https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
+  )
+* [Certification Practice Statement Root Certification Authority of Brazil](
+    https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
+  )
+* [Política de Segurança da AC-Raiz](
+    https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
+  )
+
+These files may also have been distributed within the installation package provided
+by your distribution.

cmake/CPackConfig.cmake.in

@@ -0,0 +1,29 @@
+# This file will be configured to contain variables for CPack. These variables
+# should be set in the CMake list file of the project before CPack module is
+# included. Example variables are:
+#   CPACK_GENERATOR                     - Generator used to create package
+#   CPACK_INSTALL_CMAKE_PROJECTS        - For each project (path, name, component)
+#   CPACK_CMAKE_GENERATOR               - CMake Generator used for the projects
+#   CPACK_INSTALL_COMMANDS              - Extra commands to install components
+#   CPACK_INSTALL_DIRECTORIES           - Extra directories to install
+#   CPACK_PACKAGE_DESCRIPTION_FILE      - Description file for the package
+#   CPACK_PACKAGE_DESCRIPTION_SUMMARY   - Summary of the package
+#   CPACK_PACKAGE_EXECUTABLES           - List of pairs of executables and labels
+#   CPACK_PACKAGE_FILE_NAME             - Name of the package generated
+#   CPACK_PACKAGE_ICON                  - Icon used for the package
+#   CPACK_PACKAGE_INSTALL_DIRECTORY     - Name of directory for the installer
+#   CPACK_PACKAGE_NAME                  - Package project name
+#   CPACK_PACKAGE_VENDOR                - Package project vendor
+#   CPACK_PACKAGE_VERSION               - Package project version
+#   CPACK_PACKAGE_VERSION_MAJOR         - Package project version (major)
+#   CPACK_PACKAGE_VERSION_MINOR         - Package project version (minor)
+#   CPACK_PACKAGE_VERSION_PATCH         - Package project version (patch)
+
+# There are certain generator specific ones
+
+# NSIS Generator:
+#   CPACK_PACKAGE_INSTALL_REGISTRY_KEY  - Name of the registry key for the installer
+#   CPACK_NSIS_EXTRA_UNINSTALL_COMMANDS - Extra commands used during uninstall
+#   CPACK_NSIS_EXTRA_INSTALL_COMMANDS   - Extra commands used during install
+
+@_CPACK_OTHER_VARIABLES_@

crt2bundle.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+out=${1}
+mkdir -p $(dirname ${out})
+shift
+
+in=''
+for c in ${*}; do
+  echo "+ Loading CA certificate: ${c}";
+  in="${in} -certfile ${c}";
+done;
+
+openssl crl2pkcs7 -nocrl ${in} \
+  | openssl pkcs7 -print_certs -out ${out}

packaging/pkg.spec.in

@@ -0,0 +1,58 @@
+%global debug_package %{nil}
+%global source_date_epoch_from_changelog 0
+
+%define __openssl   %{_bindir}/openssl
+
+Name:               ca-certificates-brazil
+Version:            @CPACK_PACKAGE_VERSION@
+Release:            %{autorelease}
+Summary:            The ICP-Brasil root certificate bundle
+
+License:            Public Domain
+URL:                https://www.gov.br/iti/pt-br/assuntos/certificado-digital
+Source0:            %{name}-%{version}.tar.gz
+
+BuildArch:          noarch
+BuildRequires:      %{__openssl}
+BuildRequires:      %{_bindir}/cmake
+BuildRequires:      %{_bindir}/mktemp
+BuildRequires:      %{_bindir}/unzip
+BuildRequires:      gcc
+BuildRequires:      gcc-c++
+
+%description
+The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain 
+of trust that enables the issuance of digital certificates for the virtual 
+identification of citizens.
+
+It is observed that the model adopted by Brazil was single-root certification,
+and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
+also has the role of accrediting and discrediting the other participants in the 
+chain, supervise and audit the processes.
+
+%prep
+%autosetup -n %{name}-%{version}.src
+%{cmake}
+
+%build
+%{cmake_build}
+
+%install
+%{__rm} -rf %{buildroot}
+%{cmake_install}
+
+
+%files 
+%doc %{_datadir}/doc/*.pdf
+%doc %{_datadir}/doc/README.md
+%license %{_datadir}/doc/LICENSE
+%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
+%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+
+
+%post -p %{_bindir}/update-ca-trust
+%postun -p %{_bindir}/update-ca-trust
+
+%changelog
+%autochangelog

sources

@@ -0,0 +1,10 @@
+https://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil/ACcompactado.zip
+https://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil/hashsha512.txt
+https://letsencrypt.org/certs/isrg-root-x2.pem
+https://letsencrypt.org/certs/lets-encrypt-e1.pem
+https://letsencrypt.org/certs/lets-encrypt-e2.pem
+https://letsencrypt.org/certs/lets-encrypt-r3.pem
+https://letsencrypt.org/certs/lets-encrypt-r4.pem
+https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
+https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
+https://acraiz.icpbrasil.gov.br/PSacraiz.pdf