mirror of
https://github.com/ekaaty/ca-certificates-brazil.git
synced 2025-12-06 01:22:38 -03:00
Compare commits
25 Commits
v2025.07.0
...
e82c47bd49
| Author | SHA1 | Date | |
|---|---|---|---|
|
e82c47bd49 | ||
|
|
52b949232f | ||
|
|
39ebc58474 | ||
|
|
582cc027e8 | ||
|
|
4eb3f5c61a | ||
|
|
34d45a47d2 | ||
|
|
94912593f0 | ||
|
|
bfe09d01e9 | ||
|
|
adca4dcde3 | ||
|
|
6fb0bf2ddc | ||
|
|
003a05b17a | ||
|
|
2a1c30ea74 | ||
|
|
4bc89cd26b | ||
|
|
f3c14cd2f6 | ||
|
|
229fd03b51 | ||
|
|
af6642198d | ||
|
|
0604d891f1 | ||
|
|
db7e33ce50 | ||
|
|
0e6cc7f9a4 | ||
|
|
a008f27813 | ||
|
|
47529209d4 | ||
|
|
3df218f8e7 | ||
|
|
4b2bdb47bf | ||
|
|
921cab191b | ||
|
|
bdc70acaaf |
@@ -1,12 +0,0 @@
|
||||
#!/usr/bin/make
|
||||
|
||||
SHELL := bash
|
||||
|
||||
source:
|
||||
dnf -y install cmake gcc gcc-c++ openssl
|
||||
cmake --fresh -DBUILD_RPMS=ON -B build -S .
|
||||
cmake --build build --target srpm
|
||||
|
||||
srpm: source
|
||||
mkdir -p $(outdir)
|
||||
cp dist/*.src.rpm $(outdir)
|
||||
37
.github/workflows/ci.yml
vendored
37
.github/workflows/ci.yml
vendored
@@ -2,12 +2,14 @@ name: Build and Release CI
|
||||
on:
|
||||
push:
|
||||
schedule:
|
||||
- cron: '30 4 1,15 * *'
|
||||
- cron: '30 3 * * *'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
release-ci:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
VERSION: ${{ steps.get_metadata.outputs.VERSION }}
|
||||
|
||||
steps:
|
||||
- name: Local checkout
|
||||
@@ -16,40 +18,35 @@ jobs:
|
||||
- name: Install CI dependencies
|
||||
run: |
|
||||
sudo apt-get update
|
||||
sudo apt-get -y -qq install cmake openssl g++ gcc
|
||||
sudo apt-get -y -qq install cmake g++ gcc
|
||||
|
||||
- name: Get latest package metadata
|
||||
id: get_metadata
|
||||
run: |
|
||||
cmake --fresh -B build -S .
|
||||
echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
|
||||
echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT
|
||||
|
||||
echo "TAG=v$(cat build/version)" >> $GITHUB_OUTPUT
|
||||
echo "VERSION=$(cat build/version)" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check if package version has corresponding git tag
|
||||
id: tagged
|
||||
shell: bash
|
||||
run: |
|
||||
git show-ref \
|
||||
--tags --verify --quiet -- \
|
||||
"refs/tags/${{ steps.get_metadata.outputs.tag }}" \
|
||||
"refs/tags/${{ steps.get_metadata.outputs.TAG }}" \
|
||||
&& echo tagged=1 >> $GITHUB_OUTPUT \
|
||||
|| echo tagged=0 >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Create new tag and set to_release
|
||||
id: newtag
|
||||
- name: Create new tag
|
||||
if: steps.tagged.outputs.tagged == 0
|
||||
run: |
|
||||
git config --global user.name "github-actions[bot]"
|
||||
git config --global user.email "github-actions[bot]@users.noreply.github.com"
|
||||
git tag -a ${{ steps.get_metadata.outputs.tag }} \
|
||||
-m "New cert chain was released" \
|
||||
--trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
|
||||
&& echo to_release=1 >> $GITHUB_OUTPUT \
|
||||
&& git push origin ${{ steps.get_metadata.outputs.tag }} \
|
||||
git tag ${{ steps.get_metadata.outputs.TAG }} \
|
||||
&& git push origin ${{ steps.get_metadata.outputs.TAG }} \
|
||||
|| exit 0
|
||||
|
||||
- name: Create and publish GitHub release
|
||||
if: steps.newtag.outputs.to_release == 1
|
||||
uses: softprops/action-gh-release@v2
|
||||
with:
|
||||
tag_name: ${{ steps.get_metadata.outputs.tag }}
|
||||
build-fedora:
|
||||
needs: release-ci
|
||||
uses: ./.github/workflows/fedora.yml
|
||||
with:
|
||||
containers: "['fedora:latest', 'fedora:41']"
|
||||
version: ${{ needs.release-ci.outputs.VERSION }}
|
||||
|
||||
79
.github/workflows/fedora.yml
vendored
Normal file
79
.github/workflows/fedora.yml
vendored
Normal file
@@ -0,0 +1,79 @@
|
||||
#name: build-rpm
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
containers:
|
||||
required: true
|
||||
type: string
|
||||
version:
|
||||
required: false
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
strategy:
|
||||
max-parallel: 2
|
||||
matrix:
|
||||
image: ${{ fromJson(inputs.containers) }}
|
||||
runs-on: ubuntu-latest
|
||||
container: ${{ matrix.image }}
|
||||
|
||||
steps:
|
||||
- name: Local checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: install RPM build dependencies
|
||||
run: |
|
||||
dnf -y install \
|
||||
cmake \
|
||||
gcc \
|
||||
gcc-c++ \
|
||||
git \
|
||||
rpm-build \
|
||||
rpmdevtools \
|
||||
tar
|
||||
|
||||
- name: Setup RPM build tree
|
||||
run: |
|
||||
rpmdev-setuptree
|
||||
|
||||
- name: Create source tarball
|
||||
run: |
|
||||
cmake --fresh -B build -S .
|
||||
cmake --build build --target sdist
|
||||
|
||||
- name: Set environment variables
|
||||
run: |
|
||||
echo "PKG_VERSION=$(cat build/version)" >> $GITHUB_ENV
|
||||
echo "PKG_NAME=$(grep -Po 'Name:\ *\K[\S ]*' \
|
||||
packaging/pkg.spec.in)" >> $GITHUB_ENV
|
||||
|
||||
- name: Copy SOURCES and SPEC file
|
||||
run: |
|
||||
cp packaging/pkg.spec.in ~/rpmbuild/SPECS/${PKG_NAME}.spec
|
||||
rpmdev-bumpspec -n ${PKG_VERSION} ~/rpmbuild/SPECS/${PKG_NAME}.spec
|
||||
cp dist/*.src.tar.gz ~/rpmbuild/SOURCES/
|
||||
|
||||
- name: Build RPM packages
|
||||
run: |
|
||||
dnf -y builddep ~/rpmbuild/SPECS/${PKG_NAME}.spec
|
||||
rpmbuild -ba ~/rpmbuild/SPECS/${PKG_NAME}.spec
|
||||
|
||||
- name: Check if package version has corresponding git tag
|
||||
id: tagged
|
||||
shell: bash
|
||||
run: |
|
||||
git show-ref \
|
||||
--tags --verify --quiet -- \
|
||||
"refs/tags/${NEW_TAG}" \
|
||||
&& echo tagged=1 >> $GITHUB_OUTPUT \
|
||||
|| echo tagged=0 >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Create GitHub Release
|
||||
uses: softprops/action-gh-release@v2
|
||||
if: github.ref_type == 'tag' && steps.tagged.output.tagged == 1
|
||||
with:
|
||||
files: |
|
||||
~/rpmbuild/RPMS/*/*.rpm
|
||||
~/rpmbuild/SRPMS/*.rpm
|
||||
@@ -32,15 +32,9 @@ include(CPackLists.txt)
|
||||
add_custom_target(clear-certs
|
||||
COMMAND rm -rf
|
||||
certs/
|
||||
docs/
|
||||
pki/
|
||||
)
|
||||
|
||||
add_custom_target(clear-docs
|
||||
COMMAND rm -rf
|
||||
docs/
|
||||
)
|
||||
|
||||
add_custom_target(certs
|
||||
COMMAND xargs -n1
|
||||
curl
|
||||
@@ -50,19 +44,10 @@ add_custom_target(certs
|
||||
&& cd certs
|
||||
&& (sha512sum -c --quiet ${HASH_FILE} || exit -1)
|
||||
&& unzip ACcompactado.zip
|
||||
&& rm -f ACcompactado.zip ${HASH_FILE}
|
||||
DEPENDS
|
||||
clear-certs
|
||||
)
|
||||
|
||||
add_custom_target(docs ALL
|
||||
COMMAND mkdir docs
|
||||
&& mv certs/*.pdf docs/
|
||||
DEPENDS
|
||||
clear-docs
|
||||
certs
|
||||
)
|
||||
|
||||
add_custom_target(isrg-root-x2.crt
|
||||
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
|
||||
pki/ca-trust-source/anchors/isrg-root-x2.crt
|
||||
@@ -97,13 +82,6 @@ add_custom_target(anchors ALL
|
||||
icp-brasil-ca-bundle.crt
|
||||
)
|
||||
|
||||
# Checks for OpeSSL utility
|
||||
find_program(OPENSSL
|
||||
NAMES openssl openssl3
|
||||
REQUIRED
|
||||
)
|
||||
message("-- Check for OpenSSL utility: ${OPENSSL}")
|
||||
|
||||
# Checks which tool is used to update certificate keyring
|
||||
find_program(UPDATE_CACERTS_TOOL
|
||||
NAMES
|
||||
@@ -132,16 +110,4 @@ install(
|
||||
${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
|
||||
)
|
||||
|
||||
set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
|
||||
install(
|
||||
FILES
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/README.md
|
||||
${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
|
||||
${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
|
||||
${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
|
||||
DESTINATION
|
||||
${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
|
||||
)
|
||||
|
||||
# vim: ts=2:sw=2:sts=2:et
|
||||
|
||||
@@ -6,7 +6,6 @@ set(CPACK_VERBATIM_VARIABLES YES)
|
||||
|
||||
set(SourceIgnoreFiles
|
||||
".cache"
|
||||
".copr"
|
||||
".clang-format"
|
||||
".clangd"
|
||||
".git/"
|
||||
@@ -60,92 +59,12 @@ configure_file(
|
||||
@ONLY
|
||||
)
|
||||
|
||||
if(BUILD_RPMS)
|
||||
execute_process(
|
||||
COMMAND bash -c
|
||||
"LANG=C DATE=$(date +'%a %b %d %Y'); \
|
||||
echo \"* $DATE %{packager} - ${PROJECT_VERSION}-1%{?dist}\"; \
|
||||
echo \"- This is an automatically built package (See our Git URL for more info).\"; \
|
||||
"
|
||||
OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
|
||||
)
|
||||
CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
|
||||
"${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
|
||||
@ONLY
|
||||
IMMEDIATE
|
||||
)
|
||||
|
||||
set(CPACK_GENERATOR "RPM")
|
||||
set(CPACK_SOURCE_GENERATOR "RPM")
|
||||
set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
|
||||
set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
|
||||
set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
|
||||
endif()
|
||||
|
||||
include(CPack)
|
||||
|
||||
add_custom_target(build-rpms)
|
||||
add_custom_target(no-build-rpms)
|
||||
|
||||
add_custom_command(
|
||||
TARGET build-rpms
|
||||
POST_BUILD
|
||||
COMMAND "${CMAKE_COMMAND}"
|
||||
-DBUILD_RPMS=ON
|
||||
-B "${CMAKE_BINARY_DIR}"
|
||||
-S "${CMAKE_SOURCE_DIR}"
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
TARGET no-build-rpms
|
||||
POST_BUILD
|
||||
COMMAND "${CMAKE_COMMAND}"
|
||||
-DBUILD_RPMS=OFF
|
||||
-B "${CMAKE_BINARY_DIR}"
|
||||
-S "${CMAKE_SOURCE_DIR}"
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
|
||||
add_custom_target(srpm
|
||||
COMMAND "${CMAKE_COMMAND}"
|
||||
--build "${CMAKE_BINARY_DIR}"
|
||||
--target package_source
|
||||
DEPENDS build-rpms
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
|
||||
add_custom_target(rpms
|
||||
COMMAND rpmbuild
|
||||
--rebuild
|
||||
--define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
|
||||
"${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
|
||||
DEPENDS build-rpms srpm
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
TARGET rpms
|
||||
POST_BUILD
|
||||
COMMAND /bin/sh -c "find \
|
||||
\"${CPACK_OUTPUT_FILE_PREFIX}/\" \
|
||||
-mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
|
||||
&& find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
|
||||
-type d -empty -delete \
|
||||
"
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
|
||||
add_custom_target(sdist
|
||||
COMMAND "${CMAKE_COMMAND}"
|
||||
--build "${CMAKE_BINARY_DIR}"
|
||||
--target package_source
|
||||
DEPENDS no-build-rpms
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
@@ -154,7 +73,6 @@ add_custom_target(bdist
|
||||
COMMAND "${CMAKE_COMMAND}"
|
||||
--build "${CMAKE_BINARY_DIR}"
|
||||
--target package
|
||||
DEPENDS no-build-rpms
|
||||
VERBATIM
|
||||
USES_TERMINAL
|
||||
)
|
||||
|
||||
16
README.md
16
README.md
@@ -1,5 +1,4 @@
|
||||
# ca-certificates-brazil
|
||||
---
|
||||
The Brazilian Public Key Infrastructure: ICP-Brasil
|
||||
|
||||
## Description
|
||||
@@ -11,18 +10,3 @@ It is observed that the model adopted by Brazil was single-root certification,
|
||||
and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
|
||||
also has the role of accrediting and discrediting the other participants in the
|
||||
chain, supervise and audit the processes.
|
||||
|
||||
## Documentation
|
||||
|
||||
* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
|
||||
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
|
||||
)
|
||||
* [Certification Practice Statement Root Certification Authority of Brazil](
|
||||
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
|
||||
)
|
||||
* [Security Policy of Root-CA (in Portuguese)](
|
||||
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
|
||||
)
|
||||
|
||||
These files may also have been distributed within the installation package provided
|
||||
by your distribution.
|
||||
|
||||
@@ -1,25 +1,21 @@
|
||||
%global debug_package %{nil}
|
||||
%global source_date_epoch_from_changelog 0
|
||||
%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>
|
||||
|
||||
%define __openssl %{_bindir}/openssl
|
||||
|
||||
Name: ca-certificates-brazil
|
||||
Version: @CPACK_PACKAGE_VERSION@
|
||||
Version: __VERSION__
|
||||
Release: %{autorelease}
|
||||
Summary: The ICP-Brasil root certificate bundle
|
||||
|
||||
License: Public Domain
|
||||
URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Source0: %{name}-%{version}.src.tar.gz
|
||||
|
||||
BuildArch: noarch
|
||||
BuildRequires: %{__openssl}
|
||||
BuildRequires: %{_bindir}/cmake
|
||||
BuildRequires: %{_bindir}/mktemp
|
||||
BuildRequires: %{_bindir}/unzip
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
|
||||
%description
|
||||
The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
|
||||
@@ -32,7 +28,7 @@ also has the role of accrediting and discrediting the other participants in the
|
||||
chain, supervise and audit the processes.
|
||||
|
||||
%prep
|
||||
%autosetup -n %{name}-%{version}.src
|
||||
%autosetup -c
|
||||
%{cmake}
|
||||
|
||||
%build
|
||||
@@ -43,10 +39,7 @@ chain, supervise and audit the processes.
|
||||
%{cmake_install}
|
||||
|
||||
|
||||
%files
|
||||
%doc %{_datadir}/doc/%{name}/*.pdf
|
||||
%doc %{_datadir}/doc/%{name}/README.md
|
||||
%license %{_datadir}/doc/%{name}/LICENSE
|
||||
%files
|
||||
%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
|
||||
%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
|
||||
%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
|
||||
@@ -56,4 +49,4 @@ chain, supervise and audit the processes.
|
||||
%postun -p %{_bindir}/update-ca-trust
|
||||
|
||||
%changelog
|
||||
@CPACK_RPM_CHANGELOG@
|
||||
%autochangelog
|
||||
|
||||
3
sources
3
sources
@@ -5,6 +5,3 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
|
||||
https://letsencrypt.org/certs/lets-encrypt-e2.pem
|
||||
https://letsencrypt.org/certs/lets-encrypt-r3.pem
|
||||
https://letsencrypt.org/certs/lets-encrypt-r4.pem
|
||||
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
|
||||
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
|
||||
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
|
||||
|
||||
Reference in New Issue
Block a user