sigsolucoes/ca-certificates-brazil
3
0
Fork 0
mirror of https://github.com/ekaaty/ca-certificates-brazil.git synced 2025-12-06 01:22:38 -03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: sigsolucoes:v2025.07.04
Branches Tags
sigsolucoes:main
sigsolucoes:v2025.11.25 sigsolucoes:v2025.10.07 sigsolucoes:v2025.08.22 sigsolucoes:v2025.08.01 sigsolucoes:v2025.07.04 sigsolucoes:v2025.05.28
..
compare: sigsolucoes:e82c47bd4964f308d2e48627dbc6e1fd69456eca
Branches Tags
sigsolucoes:main
sigsolucoes:v2025.11.25 sigsolucoes:v2025.10.07 sigsolucoes:v2025.08.22 sigsolucoes:v2025.08.01 sigsolucoes:v2025.07.04 sigsolucoes:v2025.05.28

25 Commits
v2025.07.0 ... e82c47bd49

Author SHA1 Message Date
Christian Tosta
e82c47bd49 Updated Fedora build CI
Some checks failed
Build and Release CI / release-ci (push) Has been cancelled
Details
Build and Release CI / build-fedora (push) Has been cancelled
Details
2025-04-18 14:49:45 -03:00
Christian Tosta
52b949232f Updated Fedora build CI 2025-04-18 14:44:33 -03:00
Christian Tosta
39ebc58474 Updated Fedora build CI 2025-04-18 14:36:56 -03:00
Christian Tosta
582cc027e8 Updated Fedora build CI 2025-04-18 14:34:38 -03:00
Christian Tosta
4eb3f5c61a Updated Fedora build CI 2025-04-18 14:23:42 -03:00
Christian Tosta
34d45a47d2 Updated Fedora build CI 2025-04-18 14:23:27 -03:00
Christian Tosta
94912593f0 Added Fedora build CI 2025-04-18 13:37:13 -03:00
Christian Tosta
bfe09d01e9 Added Fedora build CI 2025-04-18 13:31:40 -03:00
Christian Tosta
adca4dcde3 Added Fedora build CI 2025-04-18 13:29:47 -03:00
Christian Tosta
6fb0bf2ddc Replace workflows for CI workflow 2025-04-18 13:18:54 -03:00
Christian Tosta
003a05b17a Replace workflows for CI workflow 2025-04-18 13:17:24 -03:00
Christian Tosta
2a1c30ea74 Updated build RPM workflow 2025-04-18 11:57:12 -03:00
Christian Tosta
4bc89cd26b Updated build RPM workflow 2025-04-18 11:53:21 -03:00
Christian Tosta
f3c14cd2f6 Updated build RPM workflow 2025-04-18 11:47:34 -03:00
Christian Tosta
229fd03b51 Updated build RPM workflow 2025-04-18 11:43:12 -03:00
Christian Tosta
af6642198d Updated build RPM workflow 2025-04-18 11:40:07 -03:00
Christian Tosta
0604d891f1 Updated build RPM workflow 2025-04-18 11:34:12 -03:00
Christian Tosta
db7e33ce50 Added build RPM workflow 2025-04-18 11:32:00 -03:00
Christian Tosta
0e6cc7f9a4 Updated auto-tagging workflow 2025-04-18 11:01:33 -03:00
Christian Tosta
a008f27813 Added auto-tagging workflow 2025-04-18 10:51:42 -03:00
Christian Tosta
47529209d4 Add RPM packaging support 2025-04-18 10:22:15 -03:00
Christian Tosta
3df218f8e7 Save version on file 2025-04-18 10:18:48 -03:00
Christian Tosta
4b2bdb47bf CA PKI update tool autodetection (legacy/p11kit) 2025-04-16 08:39:53 -03:00
Christian Tosta
921cab191b Update README.md 2025-03-27 05:22:55 -03:00
Christian Tosta
bdc70acaaf Initial commit 2025-03-27 05:20:04 -03:00
8 changed files with 101 additions and 179 deletions
Expand all files Collapse all files

12
.copr/Makefile
View File

@@ -1,12 +0,0 @@
#!/usr/bin/make
SHELL := bash
source:
dnf -y install cmake gcc gcc-c++ openssl
cmake --fresh -DBUILD_RPMS=ON -B build -S .
cmake --build build --target srpm
srpm: source
mkdir -p $(outdir)
cp dist/*.src.rpm $(outdir)

37
.github/workflows/ci.yml vendored
View File

@@ -2,12 +2,14 @@ name: Build and Release CI
on: on:
push: push:
schedule: schedule:
- cron: '30 4 1,15 * *' - cron: '30 3 * * *'
workflow_dispatch: workflow_dispatch:
jobs: jobs:
release-ci: release-ci:
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs:
VERSION: ${{ steps.get_metadata.outputs.VERSION }}
steps: steps:
- name: Local checkout - name: Local checkout
@@ -16,40 +18,35 @@ jobs:
- name: Install CI dependencies - name: Install CI dependencies
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get -y -qq install cmake openssl g++ gcc sudo apt-get -y -qq install cmake g++ gcc
- name: Get latest package metadata - name: Get latest package metadata
id: get_metadata id: get_metadata
run: | run: |
cmake --fresh -B build -S . cmake --fresh -B build -S .
echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT echo "TAG=v$(cat build/version)" >> $GITHUB_OUTPUT
echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT echo "VERSION=$(cat build/version)" >> $GITHUB_OUTPUT
- name: Check if package version has corresponding git tag - name: Check if package version has corresponding git tag
id: tagged id: tagged
shell: bash shell: bash
run: | run: |
git show-ref \ git show-ref \
--tags --verify --quiet -- \ --tags --verify --quiet -- \
"refs/tags/${{ steps.get_metadata.outputs.tag }}" \ "refs/tags/${{ steps.get_metadata.outputs.TAG }}" \
&& echo tagged=1 >> $GITHUB_OUTPUT \ && echo tagged=1 >> $GITHUB_OUTPUT \
|| echo tagged=0 >> $GITHUB_OUTPUT || echo tagged=0 >> $GITHUB_OUTPUT
- name: Create new tag and set to_release - name: Create new tag
id: newtag
if: steps.tagged.outputs.tagged == 0 if: steps.tagged.outputs.tagged == 0
run: | run: |
git config --global user.name "github-actions[bot]" git tag ${{ steps.get_metadata.outputs.TAG }} \
git config --global user.email "github-actions[bot]@users.noreply.github.com" && git push origin ${{ steps.get_metadata.outputs.TAG }} \
git tag -a ${{ steps.get_metadata.outputs.tag }} \
-m "New cert chain was released" \
--trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
&& echo to_release=1 >> $GITHUB_OUTPUT \
&& git push origin ${{ steps.get_metadata.outputs.tag }} \
|| exit 0 || exit 0
- name: Create and publish GitHub release build-fedora:
if: steps.newtag.outputs.to_release == 1 needs: release-ci
uses: softprops/action-gh-release@v2 uses: ./.github/workflows/fedora.yml
with: with:
tag_name: ${{ steps.get_metadata.outputs.tag }} containers: "['fedora:latest', 'fedora:41']"
version: ${{ needs.release-ci.outputs.VERSION }}

79
.github/workflows/fedora.yml vendored Normal file
View File

@@ -0,0 +1,79 @@
#name: build-rpm
on:
workflow_call:
inputs:
containers:
required: true
type: string
version:
required: false
type: string
jobs:
build:
strategy:
max-parallel: 2
matrix:
image: ${{ fromJson(inputs.containers) }}
runs-on: ubuntu-latest
container: ${{ matrix.image }}
steps:
- name: Local checkout
uses: actions/checkout@v4
- name: install RPM build dependencies
run: |
dnf -y install \
cmake \
gcc \
gcc-c++ \
git \
rpm-build \
rpmdevtools \
tar
- name: Setup RPM build tree
run: |
rpmdev-setuptree
- name: Create source tarball
run: |
cmake --fresh -B build -S .
cmake --build build --target sdist
- name: Set environment variables
run: |
echo "PKG_VERSION=$(cat build/version)" >> $GITHUB_ENV
echo "PKG_NAME=$(grep -Po 'Name:\ *\K[\S ]*' \
packaging/pkg.spec.in)" >> $GITHUB_ENV
- name: Copy SOURCES and SPEC file
run: |
cp packaging/pkg.spec.in ~/rpmbuild/SPECS/${PKG_NAME}.spec
rpmdev-bumpspec -n ${PKG_VERSION} ~/rpmbuild/SPECS/${PKG_NAME}.spec
cp dist/*.src.tar.gz ~/rpmbuild/SOURCES/
- name: Build RPM packages
run: |
dnf -y builddep ~/rpmbuild/SPECS/${PKG_NAME}.spec
rpmbuild -ba ~/rpmbuild/SPECS/${PKG_NAME}.spec
- name: Check if package version has corresponding git tag
id: tagged
shell: bash
run: |
git show-ref \
--tags --verify --quiet -- \
"refs/tags/${NEW_TAG}" \
&& echo tagged=1 >> $GITHUB_OUTPUT \
|| echo tagged=0 >> $GITHUB_OUTPUT
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
if: github.ref_type == 'tag' && steps.tagged.output.tagged == 1
with:
files: |
~/rpmbuild/RPMS/*/*.rpm
~/rpmbuild/SRPMS/*.rpm

34
CMakeLists.txt
View File

@@ -32,15 +32,9 @@ include(CPackLists.txt)
add_custom_target(clear-certs add_custom_target(clear-certs
COMMAND rm -rf COMMAND rm -rf
certs/ certs/
docs/
pki/ pki/
) )
add_custom_target(clear-docs
COMMAND rm -rf
docs/
)
add_custom_target(certs add_custom_target(certs
COMMAND xargs -n1 COMMAND xargs -n1
curl curl
@@ -50,19 +44,10 @@ add_custom_target(certs
&& cd certs && cd certs
&& (sha512sum -c --quiet ${HASH_FILE} || exit -1) && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
&& unzip ACcompactado.zip && unzip ACcompactado.zip
&& rm -f ACcompactado.zip ${HASH_FILE}
DEPENDS DEPENDS
clear-certs clear-certs
) )
add_custom_target(docs ALL
COMMAND mkdir docs
&& mv certs/*.pdf docs/
DEPENDS
clear-docs
certs
)
add_custom_target(isrg-root-x2.crt add_custom_target(isrg-root-x2.crt
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
pki/ca-trust-source/anchors/isrg-root-x2.crt pki/ca-trust-source/anchors/isrg-root-x2.crt
@@ -97,13 +82,6 @@ add_custom_target(anchors ALL
icp-brasil-ca-bundle.crt icp-brasil-ca-bundle.crt
) )
# Checks for OpeSSL utility
find_program(OPENSSL
NAMES openssl openssl3
REQUIRED
)
message("-- Check for OpenSSL utility: ${OPENSSL}")
# Checks which tool is used to update certificate keyring # Checks which tool is used to update certificate keyring
find_program(UPDATE_CACERTS_TOOL find_program(UPDATE_CACERTS_TOOL
NAMES NAMES
@@ -132,16 +110,4 @@ install(
${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR} ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
) )
set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
install(
FILES
${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
${CMAKE_CURRENT_SOURCE_DIR}/README.md
${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
DESTINATION
${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
)
# vim: ts=2:sw=2:sts=2:et # vim: ts=2:sw=2:sts=2:et

82
CPackLists.txt
View File

@@ -6,7 +6,6 @@ set(CPACK_VERBATIM_VARIABLES YES)
set(SourceIgnoreFiles set(SourceIgnoreFiles
".cache" ".cache"
".copr"
".clang-format" ".clang-format"
".clangd" ".clangd"
".git/" ".git/"
@@ -60,92 +59,12 @@ configure_file(
@ONLY @ONLY
) )
if(BUILD_RPMS)
execute_process(
COMMAND bash -c
"LANG=C DATE=$(date +'%a %b %d %Y'); \
echo \"* $DATE %{packager} - ${PROJECT_VERSION}-1%{?dist}\"; \
echo \"- This is an automatically built package (See our Git URL for more info).\"; \
"
OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
)
CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
"${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
@ONLY
IMMEDIATE
)
set(CPACK_GENERATOR "RPM")
set(CPACK_SOURCE_GENERATOR "RPM")
set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
endif()
include(CPack) include(CPack)
add_custom_target(build-rpms)
add_custom_target(no-build-rpms)
add_custom_command(
TARGET build-rpms
POST_BUILD
COMMAND "${CMAKE_COMMAND}"
-DBUILD_RPMS=ON
-B "${CMAKE_BINARY_DIR}"
-S "${CMAKE_SOURCE_DIR}"
VERBATIM
USES_TERMINAL
)
add_custom_command(
TARGET no-build-rpms
POST_BUILD
COMMAND "${CMAKE_COMMAND}"
-DBUILD_RPMS=OFF
-B "${CMAKE_BINARY_DIR}"
-S "${CMAKE_SOURCE_DIR}"
VERBATIM
USES_TERMINAL
)
add_custom_target(srpm
COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}"
--target package_source
DEPENDS build-rpms
VERBATIM
USES_TERMINAL
)
add_custom_target(rpms
COMMAND rpmbuild
--rebuild
--define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
"${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
DEPENDS build-rpms srpm
VERBATIM
USES_TERMINAL
)
add_custom_command(
TARGET rpms
POST_BUILD
COMMAND /bin/sh -c "find \
\"${CPACK_OUTPUT_FILE_PREFIX}/\" \
-mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
&& find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
-type d -empty -delete \
"
VERBATIM
USES_TERMINAL
)
add_custom_target(sdist add_custom_target(sdist
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}" --build "${CMAKE_BINARY_DIR}"
--target package_source --target package_source
DEPENDS no-build-rpms
VERBATIM VERBATIM
USES_TERMINAL USES_TERMINAL
) )
@@ -154,7 +73,6 @@ add_custom_target(bdist
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}" --build "${CMAKE_BINARY_DIR}"
--target package --target package
DEPENDS no-build-rpms
VERBATIM VERBATIM
USES_TERMINAL USES_TERMINAL
) )

16
README.md
View File

@@ -1,5 +1,4 @@
# ca-certificates-brazil # ca-certificates-brazil
---
The Brazilian Public Key Infrastructure: ICP-Brasil The Brazilian Public Key Infrastructure: ICP-Brasil
## Description ## Description
@@ -11,18 +10,3 @@ It is observed that the model adopted by Brazil was single-root certification,
and the ITI, in addition to playing the role of Root Certifying Authority - Root AC, and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
also has the role of accrediting and discrediting the other participants in the also has the role of accrediting and discrediting the other participants in the
chain, supervise and audit the processes. chain, supervise and audit the processes.
## Documentation
* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
)
* [Certification Practice Statement Root Certification Authority of Brazil](
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
)
* [Security Policy of Root-CA (in Portuguese)](
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
)
These files may also have been distributed within the installation package provided
by your distribution.

17
packaging/pkg.spec.in
View File

@@ -1,25 +1,21 @@
%global debug_package %{nil} %global debug_package %{nil}
%global source_date_epoch_from_changelog 0 %global source_date_epoch_from_changelog 0
%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>
%define __openssl %{_bindir}/openssl %define __openssl %{_bindir}/openssl
Name: ca-certificates-brazil Name: ca-certificates-brazil
Version: @CPACK_PACKAGE_VERSION@ Version: __VERSION__
Release: %{autorelease} Release: %{autorelease}
Summary: The ICP-Brasil root certificate bundle Summary: The ICP-Brasil root certificate bundle
License: Public Domain License: Public Domain
URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital
Source0: %{name}-%{version}.tar.gz Source0: %{name}-%{version}.src.tar.gz
BuildArch: noarch BuildArch: noarch
BuildRequires: %{__openssl} BuildRequires: %{__openssl}
BuildRequires: %{_bindir}/cmake
BuildRequires: %{_bindir}/mktemp BuildRequires: %{_bindir}/mktemp
BuildRequires: %{_bindir}/unzip BuildRequires: %{_bindir}/unzip
BuildRequires: gcc
BuildRequires: gcc-c++
%description %description
The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
@@ -32,7 +28,7 @@ also has the role of accrediting and discrediting the other participants in the
chain, supervise and audit the processes. chain, supervise and audit the processes.
%prep %prep
%autosetup -n %{name}-%{version}.src %autosetup -c
%{cmake} %{cmake}
%build %build
@@ -43,10 +39,7 @@ chain, supervise and audit the processes.
%{cmake_install} %{cmake_install}
%files %files
%doc %{_datadir}/doc/%{name}/*.pdf
%doc %{_datadir}/doc/%{name}/README.md
%license %{_datadir}/doc/%{name}/LICENSE
%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt %{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt %{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
@@ -56,4 +49,4 @@ chain, supervise and audit the processes.
%postun -p %{_bindir}/update-ca-trust %postun -p %{_bindir}/update-ca-trust
%changelog %changelog
@CPACK_RPM_CHANGELOG@ %autochangelog

3
sources
View File

@@ -5,6 +5,3 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
https://letsencrypt.org/certs/lets-encrypt-e2.pem https://letsencrypt.org/certs/lets-encrypt-e2.pem
https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-r4.pem https://letsencrypt.org/certs/lets-encrypt-r4.pem
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf