Testing Workflow

.copr/Makefile

@@ -1,12 +0,0 @@
-#!/usr/bin/make
-
-SHELL := bash
-
-source:
-	dnf -y install cmake gcc gcc-c++ openssl
-	cmake --fresh -DBUILD_RPMS=ON -B build -S .
-	cmake --build build --target srpm
-
-srpm: source
-	mkdir -p $(outdir)
-	cp dist/*.src.rpm $(outdir)

.github/workflows/build-rpm.yml

@@ -0,0 +1,71 @@
+name: Build RPM Package
+
+on:
+  push:
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+
+
+jobs:
+  build-rpm:
+    name: Build and upload RPM packages
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: install RPM build tools
+      run: |
+        dnf -y install \
+          cmake \
+          gcc \
+          gcc-c++ \
+          git \
+          rpm-build \
+          rpmdevtools \
+          tar
+
+    - name: Setup RPM build tree
+      run: |
+        rpmdev-setuptree
+
+    - name: Create source tarball
+      run: |
+        cmake -B build -S .
+        cmake --build build --target sdist
+
+    - name: Set environment variables
+      run: |
+        echo "PKG_NAME=ca-certificates-brazil" >> $GITHUB_ENV
+        echo "PKG_VERSION=$(grep \
+            -m1 -iPo '.*CPACK_PACKAGE_VERSION [\"]*\K[\S]*[^(\"\))]' \
+            build/CPackConfig.cmake) \
+        " >> $GITHUB_ENV
+
+    - name: Copy SOURCES and SPEC file
+      run: |
+        cp packaging/pkg.spec.in ~/rpmbuild/SPECS/${PKG_NAME}.spec
+        rpmdev-bumpspec -n ${PKG_VERSION} ~/rpmbuild/SPECS/${PKG_NAME}.spec
+        cp dist/*.src.tar.gz ~/rpmbuild/SOURCES/
+
+    - name: Build RPM
+      run: |
+        dnf -y builddep ~/rpmbuild/SPECS/ca-certificates-brazil.spec
+        rpmbuild -ba ~/rpmbuild/SPECS/ca-certificates-brazil.spec
+
+    - name: Upload built RPMs
+      uses: actions/upload-artifact@v4
+      with:
+        name: built-rpms
+        path: |
+          ~/rpmbuild/RPMS/
+          ~/rpmbuild/SRPMS/
+
+    - name: Create GitHub Release
+      uses: softprops/action-gh-release@v2
+      if: github.ref_type == 'tag'
+      with:
+        generate_release_notes: true
+        files: |
+          ~/rpmbuild/RPMS/**/*.rpm

.github/workflows/ci.yml

@@ -1,55 +0,0 @@
-name: Build and Release CI
-on:
-  push:
-  schedule:
-    - cron: '30 4 1,15 * *'
-  workflow_dispatch:
-
-jobs:
-  release-ci:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Local checkout
-        uses: actions/checkout@v4
-
-      - name: Install CI dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get -y -qq install cmake openssl g++ gcc
-
-      - name: Get latest package metadata
-        id: get_metadata
-        run: |
-          cmake --fresh -B build -S .
-          echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
-          echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT
-          
-      - name: Check if package version has corresponding git tag
-        id: tagged
-        shell: bash
-        run: |
-          git show-ref \
-            --tags --verify --quiet -- \
-            "refs/tags/${{ steps.get_metadata.outputs.tag }}" \
-          && echo tagged=1 >> $GITHUB_OUTPUT \
-          || echo tagged=0 >> $GITHUB_OUTPUT
-
-      - name: Create new tag and set to_release
-        id: newtag
-        if: steps.tagged.outputs.tagged == 0
-        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a ${{ steps.get_metadata.outputs.tag }} \
-            -m "New cert chain was released" \
-            --trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
-          && echo to_release=1 >> $GITHUB_OUTPUT \
-          && git push origin ${{ steps.get_metadata.outputs.tag  }} \
-          || exit 0
-
-      - name: Create and publish GitHub release
-        if: steps.newtag.outputs.to_release == 1
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ steps.get_metadata.outputs.tag }}

CMakeLists.txt

@@ -15,11 +15,6 @@ execute_process(
   OUTPUT_STRIP_TRAILING_WHITESPACE
 )
 
-execute_process(
-  COMMAND echo ${PROJECT_VERSION}
-  OUTPUT_FILE ${CMAKE_BINARY_DIR}/version
-)
-
 set(SourceFiles 
   "${CMAKE_SOURCE_DIR}/cmake"
   "${CMAKE_SOURCE_DIR}/CMakeLists.txt"
@@ -32,15 +27,9 @@ include(CPackLists.txt)
 add_custom_target(clear-certs
   COMMAND rm -rf 
     certs/
-    docs/
     pki/
 )
 
-add_custom_target(clear-docs
-  COMMAND rm -rf 
-    docs/
-)
-
 add_custom_target(certs
   COMMAND xargs -n1 
     curl 
@@ -50,19 +39,10 @@ add_custom_target(certs
     && cd certs
     && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
     && unzip ACcompactado.zip
-    && rm -f ACcompactado.zip ${HASH_FILE}
   DEPENDS
     clear-certs
 )
 
-add_custom_target(docs ALL
-  COMMAND mkdir docs 
-    && mv certs/*.pdf docs/
-  DEPENDS
-    clear-docs
-    certs
-)
-
 add_custom_target(isrg-root-x2.crt
   COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh 
     pki/ca-trust-source/anchors/isrg-root-x2.crt
@@ -97,13 +77,6 @@ add_custom_target(anchors ALL
     icp-brasil-ca-bundle.crt
 )
 
-# Checks for OpeSSL utility
-find_program(OPENSSL
-  NAMES openssl openssl3
-  REQUIRED
-)
-message("-- Check for OpenSSL utility: ${OPENSSL}")
-
 # Checks which tool is used to update certificate keyring
 find_program(UPDATE_CACERTS_TOOL
   NAMES
@@ -132,16 +105,4 @@ install(
     ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
 )
 
-set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
-install(
-  FILES
-  ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
-    ${CMAKE_CURRENT_SOURCE_DIR}/README.md
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
-  DESTINATION
-    ${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
-)
-
 # vim: ts=2:sw=2:sts=2:et

CPackLists.txt

@@ -6,7 +6,6 @@ set(CPACK_VERBATIM_VARIABLES YES)
 
 set(SourceIgnoreFiles 
   ".cache"
-  ".copr"
   ".clang-format"
   ".clangd"
   ".git/"
@@ -60,92 +59,12 @@ configure_file(
   @ONLY
 )
 
-if(BUILD_RPMS)
-execute_process(
-  COMMAND bash -c
-    "LANG=C DATE=$(date +'%a %b %d %Y'); \
-      echo \"* $DATE %{packager} - ${PROJECT_VERSION}-1%{?dist}\"; \
-      echo \"- This is an automatically built package (See our Git URL for more info).\"; \
-    "
-  OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
-)
-CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
-  "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
-  @ONLY 
-  IMMEDIATE
-)
-
-set(CPACK_GENERATOR "RPM")
-set(CPACK_SOURCE_GENERATOR "RPM")
-set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
-set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
-set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
-endif()
-
 include(CPack)
 
-add_custom_target(build-rpms)
-add_custom_target(no-build-rpms)
-
-add_custom_command(
-  TARGET build-rpms
-  POST_BUILD
-  COMMAND "${CMAKE_COMMAND}"
-    -DBUILD_RPMS=ON
-    -B "${CMAKE_BINARY_DIR}"
-    -S "${CMAKE_SOURCE_DIR}"
-  VERBATIM
-  USES_TERMINAL
-)
-
-add_custom_command(
-  TARGET no-build-rpms
-  POST_BUILD
-  COMMAND "${CMAKE_COMMAND}"
-    -DBUILD_RPMS=OFF
-    -B "${CMAKE_BINARY_DIR}"
-    -S "${CMAKE_SOURCE_DIR}"
-  VERBATIM
-  USES_TERMINAL
-)
-
-add_custom_target(srpm
-  COMMAND "${CMAKE_COMMAND}"
-    --build "${CMAKE_BINARY_DIR}"
-    --target package_source
-  DEPENDS build-rpms
-  VERBATIM
-  USES_TERMINAL
-)
-
-add_custom_target(rpms
-  COMMAND rpmbuild
-    --rebuild
-    --define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
-    "${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
-  DEPENDS build-rpms srpm
-  VERBATIM
-  USES_TERMINAL
-)
-
-add_custom_command(
-  TARGET rpms
-  POST_BUILD
-  COMMAND /bin/sh -c "find \
-    \"${CPACK_OUTPUT_FILE_PREFIX}/\" \
-    -mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
-    && find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
-    -type d -empty -delete \
-  "
-  VERBATIM
-  USES_TERMINAL
-)
-
 add_custom_target(sdist
   COMMAND "${CMAKE_COMMAND}"
     --build "${CMAKE_BINARY_DIR}"
     --target package_source
-  DEPENDS no-build-rpms
   VERBATIM
   USES_TERMINAL
 )
@@ -154,7 +73,6 @@ add_custom_target(bdist
   COMMAND "${CMAKE_COMMAND}"
     --build "${CMAKE_BINARY_DIR}"
     --target package
-  DEPENDS no-build-rpms
   VERBATIM
   USES_TERMINAL
 )

README.md

@@ -1,5 +1,4 @@
 # ca-certificates-brazil
----
 The Brazilian Public Key Infrastructure:  ICP-Brasil
 
 ## Description
@@ -11,18 +10,3 @@ It is observed that the model adopted by Brazil was single-root certification,
 and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
 also has the role of accrediting and discrediting the other participants in the
 chain, supervise and audit the processes.
-
-## Documentation
-
-* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
-    https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
-  )
-* [Certification Practice Statement Root Certification Authority of Brazil](
-    https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
-  )
-* [Security Policy of Root-CA (in Portuguese)](
-    https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
-  )
-
-These files may also have been distributed within the installation package provided
-by your distribution.

packaging/pkg.spec.in

@@ -1,25 +1,21 @@
 %global debug_package %{nil}
 %global source_date_epoch_from_changelog 0
-%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>
 
 %define __openssl   %{_bindir}/openssl
 
 Name:               ca-certificates-brazil
-Version:            @CPACK_PACKAGE_VERSION@
+Version:            __VERSION__
 Release:            %{autorelease}
 Summary:            The ICP-Brasil root certificate bundle
 
 License:            Public Domain
 URL:                https://www.gov.br/iti/pt-br/assuntos/certificado-digital
-Source0:            %{name}-%{version}.tar.gz
+Source0:            %{name}-%{version}.src.tar.gz
 
 BuildArch:          noarch
 BuildRequires:      %{__openssl}
-BuildRequires:      %{_bindir}/cmake
 BuildRequires:      %{_bindir}/mktemp
 BuildRequires:      %{_bindir}/unzip
-BuildRequires:      gcc
-BuildRequires:      gcc-c++
 
 %description
 The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain 
@@ -32,7 +28,7 @@ also has the role of accrediting and discrediting the other participants in the
 chain, supervise and audit the processes.
 
 %prep
-%autosetup -n %{name}-%{version}.src
+%autosetup -c
 %{cmake}
 
 %build
@@ -43,10 +39,7 @@ chain, supervise and audit the processes.
 %{cmake_install}
 
 
-%files 
-%doc %{_datadir}/doc/%{name}/*.pdf
-%doc %{_datadir}/doc/%{name}/README.md
-%license %{_datadir}/doc/%{name}/LICENSE
+%files
 %{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
 %{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
 %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
@@ -56,4 +49,4 @@ chain, supervise and audit the processes.
 %postun -p %{_bindir}/update-ca-trust
 
 %changelog
-@CPACK_RPM_CHANGELOG@
+%autochangelog

sources

@@ -5,6 +5,3 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
 https://letsencrypt.org/certs/lets-encrypt-e2.pem
 https://letsencrypt.org/certs/lets-encrypt-r3.pem
 https://letsencrypt.org/certs/lets-encrypt-r4.pem
-https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
-https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
-https://acraiz.icpbrasil.gov.br/PSacraiz.pdf