Added documentation

Runs at 1st and 15th day of each month at 4:30am

.copr/Makefile

@@ -0,0 +1,12 @@
+#!/usr/bin/make
+
+SHELL := bash
+
+source:
+	dnf -y install cmake gcc gcc-c++
+	cmake --fresh -DBUILD_RPMS=ON -B build -S .
+	cmake --build build --target srpm
+
+srpm: source
+	mkdir -p $(outdir)
+	cp dist/*.src.rpm $(outdir)

.github/workflows/ci.yml

@@ -2,14 +2,16 @@ name: Build and Release CI
 on:
   push:
   schedule:
-    - cron: '30 3 * * *'
+    - cron: '30 4 1,15 * *'
   workflow_dispatch:
 
 jobs:
   release-ci:
     runs-on: ubuntu-latest
     outputs:
-      VERSION: ${{ steps.get_metadata.outputs.VERSION }}
+      version: ${{ steps.get_metadata.outputs.version }}
+      tag: ${{ steps.get_metadata.outputs.tag }}
+      to_release: ${{ steps.newtag.outputs.to_release }}
 
     steps:
       - name: Local checkout
@@ -24,8 +26,8 @@ jobs:
         id: get_metadata
         run: |
           cmake --fresh -B build -S .
-          echo "TAG=v$(cat build/version)" >> $GITHUB_OUTPUT
+          echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
-          echo "VERSION=$(cat build/version)" >> $GITHUB_OUTPUT
+          echo "version=$(cat build/version)" >> $GITHUB_OUTPUT
 
       - name: Check if package version has corresponding git tag
         id: tagged
@@ -33,15 +35,17 @@ jobs:
         run: |
           git show-ref \
             --tags --verify --quiet -- \
-            "refs/tags/${{ steps.get_metadata.outputs.TAG }}" \
+            "refs/tags/${{ steps.get_metadata.outputs.tag }}" \
           && echo tagged=1 >> $GITHUB_OUTPUT \
           || echo tagged=0 >> $GITHUB_OUTPUT
 
-      - name: Create new tag
+      - name: Create new tag and set to_release
+        id: newtag
         if: steps.tagged.outputs.tagged == 0
         run: |
-          git tag ${{ steps.get_metadata.outputs.TAG }} \
+          git tag ${{ steps.get_metadata.outputs.tag }} \
-          && git push origin ${{ steps.get_metadata.outputs.TAG  }} \
+          && echo to_release=1 >> $GITHUB_OUTPUT \
+          && git push origin ${{ steps.get_metadata.outputs.tag  }} \
           || exit 0
 
   build-fedora:
@@ -49,4 +53,6 @@ jobs:
     uses: ./.github/workflows/fedora.yml
     with:
       containers: "['fedora:latest', 'fedora:41']"
-      version: ${{ needs.release-ci.outputs.VERSION }}
+      version: ${{ needs.release-ci.outputs.version }}
+      to_release: ${{ needs.release-ci.outputs.to_release }}
+      tag: ${{ needs.release-ci.outputs.tag }}

.github/workflows/fedora.yml

@@ -1,14 +1,24 @@
-#name: build-rpm
-
 on:
   workflow_call:
     inputs:
       containers:
-        required: true
+        default: "['fedora:latest']"
-        type: string
-      version:
         required: false
         type: string
+      tag:
+        required: true
+        type: string
+      to_release:
+        default: "0"
+        required: false
+        type: string
+      version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
 
 jobs:
   build:
@@ -20,60 +30,41 @@ jobs:
     container: ${{ matrix.image }}
 
     steps:
-      - name: Local checkout
+      - name: Prepare - local checkout
         uses: actions/checkout@v4
 
-      - name: install RPM build dependencies
+      - name: Prepare - install build dependencies
         run: |
           dnf -y install \
             cmake \
             gcc \
             gcc-c++ \
             git \
+            openssl \
             rpm-build \
             rpmdevtools \
             tar
 
-      - name: Setup RPM build tree
+      - name: Prepare - setup RPM build tree
         run: |
           rpmdev-setuptree
 
-      - name: Create source tarball
+      - name: Prepare - configure the source
         run: |
-          cmake --fresh -B build -S .
+          cmake -B $(pwd)/build -S $(pwd)
-          cmake --build build --target sdist
 
-      - name: Set environment variables
+      - name: Build - create source tarball and SRPM package
         run: |
-          echo "PKG_VERSION=$(cat build/version)" >> $GITHUB_ENV
+          cmake --build $(pwd)/build --target srpm
-          echo "PKG_NAME=$(grep -Po 'Name:\ *\K[\S ]*' \
-            packaging/pkg.spec.in)" >> $GITHUB_ENV
 
-      - name: Copy SOURCES and SPEC file
+      - name: Build - create RPM package
         run: |
-          cp packaging/pkg.spec.in ~/rpmbuild/SPECS/${PKG_NAME}.spec
+          cmake --build $(pwd)/build --target rpms
-          rpmdev-bumpspec -n ${PKG_VERSION} ~/rpmbuild/SPECS/${PKG_NAME}.spec
-          cp dist/*.src.tar.gz ~/rpmbuild/SOURCES/
 
-      - name: Build RPM packages
+      - name: Publish - create GitHub release
-        run: |
-          dnf -y builddep ~/rpmbuild/SPECS/${PKG_NAME}.spec
-          rpmbuild -ba ~/rpmbuild/SPECS/${PKG_NAME}.spec
-
-      - name: Check if package version has corresponding git tag
-        id: tagged
-        shell: bash
-        run: |
-          git show-ref \
-            --tags --verify --quiet -- \
-            "refs/tags/${NEW_TAG}" \
-          && echo tagged=1 >> $GITHUB_OUTPUT \
-          || echo tagged=0 >> $GITHUB_OUTPUT
-
-      - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
-        if: github.ref_type == 'tag' && steps.tagged.output.tagged == 1
+        if: inputs.to_release == 1
         with:
+          tag_name: ${{ inputs.tag }}
           files: |
-            ~/rpmbuild/RPMS/*/*.rpm
+            dist/*.rpm
-            ~/rpmbuild/SRPMS/*.rpm

CMakeLists.txt

@@ -32,9 +32,15 @@ include(CPackLists.txt)
 add_custom_target(clear-certs
   COMMAND rm -rf 
     certs/
+    docs/
     pki/
 )
 
+add_custom_target(clear-docs
+  COMMAND rm -rf 
+    docs/
+)
+
 add_custom_target(certs
   COMMAND xargs -n1 
     curl 
@@ -44,10 +50,19 @@ add_custom_target(certs
     && cd certs
     && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
     && unzip ACcompactado.zip
+    && rm -f ACcompactado.zip ${HASH_FILE}
   DEPENDS
     clear-certs
 )
 
+add_custom_target(docs ALL
+  COMMAND mkdir docs 
+    && mv certs/*.pdf docs/
+  DEPENDS
+    clear-docs
+    certs
+)
+
 add_custom_target(isrg-root-x2.crt
   COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh 
     pki/ca-trust-source/anchors/isrg-root-x2.crt
@@ -82,6 +97,13 @@ add_custom_target(anchors ALL
     icp-brasil-ca-bundle.crt
 )
 
+# Checks for OpeSSL utility
+find_program(OPENSSL
+  NAMES openssl openssl3
+  REQUIRED
+)
+message("-- Check for OpenSSL utility: ${OPENSSL}")
+
 # Checks which tool is used to update certificate keyring
 find_program(UPDATE_CACERTS_TOOL
   NAMES
@@ -110,4 +132,16 @@ install(
     ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
 )
 
+set(DOCS_INSTALL_DIR "share/doc/${PROJECT}")
+install(
+  FILES
+  ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
+    ${CMAKE_CURRENT_SOURCE_DIR}/README.md
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
+  DESTINATION
+    ${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
+)
+
 # vim: ts=2:sw=2:sts=2:et

CPackLists.txt

@@ -6,6 +6,7 @@ set(CPACK_VERBATIM_VARIABLES YES)
 
 set(SourceIgnoreFiles 
   ".cache"
+  ".copr"
   ".clang-format"
   ".clangd"
   ".git/"
@@ -59,12 +60,84 @@ configure_file(
   @ONLY
 )
 
+if(BUILD_RPMS)
+CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
+  "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
+  @ONLY 
+  IMMEDIATE
+)
+
+set(CPACK_GENERATOR "RPM")
+set(CPACK_SOURCE_GENERATOR "RPM")
+set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
+set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
+set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
+endif()
+
 include(CPack)
 
+add_custom_target(build-rpms)
+add_custom_target(no-build-rpms)
+
+add_custom_command(
+  TARGET build-rpms
+  POST_BUILD
+  COMMAND "${CMAKE_COMMAND}"
+    -DBUILD_RPMS=ON
+    -B "${CMAKE_BINARY_DIR}"
+    -S "${CMAKE_SOURCE_DIR}"
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_command(
+  TARGET no-build-rpms
+  POST_BUILD
+  COMMAND "${CMAKE_COMMAND}"
+    -DBUILD_RPMS=OFF
+    -B "${CMAKE_BINARY_DIR}"
+    -S "${CMAKE_SOURCE_DIR}"
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(srpm
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package_source
+  DEPENDS build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(rpms
+  COMMAND rpmbuild
+    --rebuild
+    --define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
+    "${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
+  DEPENDS build-rpms srpm
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_command(
+  TARGET rpms
+  POST_BUILD
+  COMMAND /bin/sh -c "find \
+    \"${CPACK_OUTPUT_FILE_PREFIX}/\" \
+    -mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
+    && find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
+    -type d -empty -delete \
+  "
+  VERBATIM
+  USES_TERMINAL
+)
+
 add_custom_target(sdist
   COMMAND "${CMAKE_COMMAND}"
     --build "${CMAKE_BINARY_DIR}"
     --target package_source
+  DEPENDS no-build-rpms
   VERBATIM
   USES_TERMINAL
 )
@@ -73,6 +146,7 @@ add_custom_target(bdist
   COMMAND "${CMAKE_COMMAND}"
     --build "${CMAKE_BINARY_DIR}"
     --target package
+  DEPENDS no-build-rpms
   VERBATIM
   USES_TERMINAL
 )

README.md

@@ -1,4 +1,5 @@
 # ca-certificates-brazil
+---
 The Brazilian Public Key Infrastructure:  ICP-Brasil
 
 ## Description
@@ -10,3 +11,18 @@ It is observed that the model adopted by Brazil was single-root certification,
 and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
 also has the role of accrediting and discrediting the other participants in the
 chain, supervise and audit the processes.
+
+## Documentation
+
+* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
+    https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
+  )
+* [Certification Practice Statement Root Certification Authority of Brazil](
+    https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
+  )
+* [Política de Segurança da AC-Raiz](
+    https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
+  )
+
+These files may also have been distributed within the installation package provided
+by your distribution.

packaging/pkg.spec.in

@@ -4,18 +4,21 @@
 %define __openssl   %{_bindir}/openssl
 
 Name:               ca-certificates-brazil
-Version:            __VERSION__
+Version:            @CPACK_PACKAGE_VERSION@
 Release:            %{autorelease}
 Summary:            The ICP-Brasil root certificate bundle
 
 License:            Public Domain
 URL:                https://www.gov.br/iti/pt-br/assuntos/certificado-digital
-Source0:            %{name}-%{version}.src.tar.gz
+Source0:            %{name}-%{version}.tar.gz
 
 BuildArch:          noarch
 BuildRequires:      %{__openssl}
+BuildRequires:      %{_bindir}/cmake
 BuildRequires:      %{_bindir}/mktemp
 BuildRequires:      %{_bindir}/unzip
+BuildRequires:      gcc
+BuildRequires:      gcc-c++
 
 %description
 The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain 
@@ -28,7 +31,7 @@ also has the role of accrediting and discrediting the other participants in the
 chain, supervise and audit the processes.
 
 %prep
-%autosetup -c
+%autosetup -n %{name}-%{version}.src
 %{cmake}
 
 %build
@@ -39,7 +42,10 @@ chain, supervise and audit the processes.
 %{cmake_install}
 
 
-%files
+%files 
+%doc %{_datadir}/doc/*.pdf
+%doc %{_datadir}/doc/README.md
+%license %{_datadir}/doc/LICENSE
 %{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
 %{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
 %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt

sources

@@ -5,3 +5,6 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
 https://letsencrypt.org/certs/lets-encrypt-e2.pem
 https://letsencrypt.org/certs/lets-encrypt-r3.pem
 https://letsencrypt.org/certs/lets-encrypt-r4.pem
+https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
+https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
+https://acraiz.icpbrasil.gov.br/PSacraiz.pdf