Changed schedule

Runs at 1st and 15th day of each month at 4:30am

.copr/Makefile

@@ -3,7 +3,7 @@
 SHELL := bash
 
 source:
-	dnf -y install cmake gcc gcc-c++ openssl
+	dnf -y install cmake gcc gcc-c++
 	cmake --fresh -DBUILD_RPMS=ON -B build -S .
 	cmake --build build --target srpm
 

.github/workflows/ci.yml

@@ -8,6 +8,10 @@ on:
 jobs:
   release-ci:
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_metadata.outputs.version }}
+      tag: ${{ steps.get_metadata.outputs.tag }}
+      to_release: ${{ steps.newtag.outputs.to_release }}
 
     steps:
       - name: Local checkout
@@ -16,15 +20,15 @@ jobs:
       - name: Install CI dependencies
         run: |
           sudo apt-get update
-          sudo apt-get -y -qq install cmake openssl g++ gcc
+          sudo apt-get -y -qq install cmake g++ gcc
 
       - name: Get latest package metadata
         id: get_metadata
         run: |
           cmake --fresh -B build -S .
           echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
-          echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT
+          echo "version=$(cat build/version)" >> $GITHUB_OUTPUT
-          
+
       - name: Check if package version has corresponding git tag
         id: tagged
         shell: bash
@@ -39,17 +43,16 @@ jobs:
         id: newtag
         if: steps.tagged.outputs.tagged == 0
         run: |
-          git config --global user.name "github-actions[bot]"
+          git tag ${{ steps.get_metadata.outputs.tag }} \
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a ${{ steps.get_metadata.outputs.tag }} \
-            -m "New cert chain was released" \
-            --trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
           && echo to_release=1 >> $GITHUB_OUTPUT \
           && git push origin ${{ steps.get_metadata.outputs.tag  }} \
           || exit 0
 
-      - name: Create and publish GitHub release
+  build-fedora:
-        if: steps.newtag.outputs.to_release == 1
+    needs: release-ci
-        uses: softprops/action-gh-release@v2
+    uses: ./.github/workflows/fedora.yml
-        with:
+    with:
-          tag_name: ${{ steps.get_metadata.outputs.tag }}
+      containers: "['fedora:latest', 'fedora:41']"
+      version: ${{ needs.release-ci.outputs.version }}
+      to_release: ${{ needs.release-ci.outputs.to_release }}
+      tag: ${{ needs.release-ci.outputs.tag }}

.github/workflows/fedora.yml

@@ -0,0 +1,70 @@
+on:
+  workflow_call:
+    inputs:
+      containers:
+        default: "['fedora:latest']"
+        required: false
+        type: string
+      tag:
+        required: true
+        type: string
+      to_release:
+        default: "0"
+        required: false
+        type: string
+      version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    strategy:
+      max-parallel: 2
+      matrix:
+        image: ${{ fromJson(inputs.containers) }}
+    runs-on: ubuntu-latest
+    container: ${{ matrix.image }}
+
+    steps:
+      - name: Prepare - local checkout
+        uses: actions/checkout@v4
+
+      - name: Prepare - install build dependencies
+        run: |
+          dnf -y install \
+            cmake \
+            gcc \
+            gcc-c++ \
+            git \
+            openssl \
+            rpm-build \
+            rpmdevtools \
+            tar
+
+      - name: Prepare - setup RPM build tree
+        run: |
+          rpmdev-setuptree
+
+      - name: Prepare - configure the source
+        run: |
+          cmake -B $(pwd)/build -S $(pwd)
+
+      - name: Build - create source tarball and SRPM package
+        run: |
+          cmake --build $(pwd)/build --target srpm
+
+      - name: Build - create RPM package
+        run: |
+          cmake --build $(pwd)/build --target rpms
+
+      - name: Publish - create GitHub release
+        uses: softprops/action-gh-release@v2
+        if: inputs.to_release == 1
+        with:
+          tag_name: ${{ inputs.tag }}
+          files: |
+            dist/*.rpm

.gitignore

@@ -15,4 +15,3 @@ build/
  CMakeCache.txt
 
 dist/
-temp/

CMakeLists.txt

@@ -29,69 +29,58 @@ set(SourceFiles
 
 include(CPackLists.txt)
 
-add_custom_target(clear-cache
-  COMMAND rm -rf cache/
-)
-
 add_custom_target(clear-certs
-  COMMAND rm -rf certs/
+  COMMAND rm -rf 
-)
+    certs/
-
+    pki/
-add_custom_target(clear-anchors
-  COMMAND rm -rf pki/
-)
-
-add_custom_target(clear-docs
-  COMMAND rm -rf docs/
-)
-
-add_custom_target(clear-all
-  DEPENDS
-    clear-anchors
-    clear-cache
-    clear-certs
-    clear-docs
-)
-
-add_custom_target(sources
-  COMMAND xargs -n1
-    curl
-      --create-dirs
-      --output-dir cache
-      -ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
-  DEPENDS
-    clear-cache
 )
 
 add_custom_target(certs
-  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool extract
+  COMMAND xargs -n1 
-    && ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool classify
+    curl 
+      --create-dirs 
+      --output-dir certs 
+      -ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
+    && cd certs
+    && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
+    && unzip ACcompactado.zip
   DEPENDS
     clear-certs
-    sources
 )
 
-add_custom_target(anchors ALL
+add_custom_target(isrg-root-x2.crt
-  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool anchors
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh 
+    pki/ca-trust-source/anchors/isrg-root-x2.crt
+    certs/isrg-root-x2.pem
   DEPENDS
-    clear-anchors
     certs
 )
 
-add_custom_target(docs ALL
+add_custom_target(lets-encrypt-ca-bundle.crt
-  COMMAND mkdir docs
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
-    && cp cache/*.pdf docs/
+    pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+    certs/lets-encrypt-e1.pem
+    certs/lets-encrypt-e2.pem
+    certs/lets-encrypt-r3.pem
+    certs/lets-encrypt-r4.pem
   DEPENDS
-    clear-docs
+    certs
-    sources
 )
 
-# Checks for OpeSSL utility
+add_custom_target(icp-brasil-ca-bundle.crt
-find_program(OPENSSL
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
-  NAMES openssl openssl3
+    pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
-  REQUIRED
+    certs/*.crt
+  DEPENDS
+    certs
+)
+
+add_custom_target(anchors ALL
+  DEPENDS
+    isrg-root-x2.crt
+    lets-encrypt-ca-bundle.crt
+    icp-brasil-ca-bundle.crt
 )
-message("-- Check for OpenSSL utility: ${OPENSSL}")
 
 # Checks which tool is used to update certificate keyring
 find_program(UPDATE_CACERTS_TOOL
@@ -113,24 +102,12 @@ endif()
 message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}")
 
 install(
-  DIRECTORY 
+  FILES
-    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/.
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/isrg-root-x2.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
   DESTINATION
     ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
-  FILES_MATCHING
-    PATTERN "*.crt"
-)
-
-set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
-install(
-  FILES
-  ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
-    ${CMAKE_CURRENT_SOURCE_DIR}/README.md
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
-  DESTINATION
-    ${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
 )
 
 # vim: ts=2:sw=2:sts=2:et

CPackLists.txt

@@ -25,7 +25,6 @@ set(SourceIgnoreFiles
   "cmake-build*"
   "cmake_install.cmake"
   "dist/"
-  "temp/"
 )
 
 # Escape any '.' and '/' characters
@@ -62,20 +61,6 @@ configure_file(
 )
 
 if(BUILD_RPMS)
-execute_process(
-  COMMAND cat "${CMAKE_CURRENT_SOURCE_DIR}/changelog.txt"
-  OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
-)
-
-execute_process(
-  COMMAND bash -c
-    "head -1 \"${CMAKE_CURRENT_SOURCE_DIR}/changelog.txt\" \
-      | grep -iPo '.*${CPACK_PACKAGE_VERSION}-\\K[\\d]' \
-      | tr -d '\\n' \
-    "
-  OUTPUT_VARIABLE CPACK_RPM_PACKAGE_RELEASE
-)
-
 CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
   "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
   @ONLY 

README.md

@@ -1,5 +1,4 @@
 # ca-certificates-brazil
----
 The Brazilian Public Key Infrastructure:  ICP-Brasil
 
 ## Description
@@ -11,18 +10,3 @@ It is observed that the model adopted by Brazil was single-root certification,
 and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
 also has the role of accrediting and discrediting the other participants in the
 chain, supervise and audit the processes.
-
-## Documentation
-
-* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
-    https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
-  )
-* [Certification Practice Statement Root Certification Authority of Brazil](
-    https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
-  )
-* [Security Policy of Root-CA (in Portuguese)](
-    https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
-  )
-
-These files may also have been distributed within the installation package provided
-by your distribution.

changelog.txt

@@ -1,2 +0,0 @@
-* Fri Jul 04 2025 Christian Tosta <7252968+christiantosta@users.noreply.github.com> 2025.07.04-1
-- This is an automatically built package (See our Git URL for more info).

crt2bundle.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+out=${1}
+mkdir -p $(dirname ${out})
+shift
+
+in=''
+for c in ${*}; do
+  echo "+ Loading CA certificate: ${c}";
+  in="${in} -certfile ${c}";
+done;
+
+openssl crl2pkcs7 -nocrl ${in} \
+  | openssl pkcs7 -print_certs -out ${out}

packaging/pkg.spec.in

@@ -1,15 +1,14 @@
 %global debug_package %{nil}
 %global source_date_epoch_from_changelog 0
-%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>
 
 %define __openssl   %{_bindir}/openssl
 
 Name:               ca-certificates-brazil
 Version:            @CPACK_PACKAGE_VERSION@
-Release:            @CPACK_RPM_PACKAGE_RELEASE@%{?dist}
+Release:            %{autorelease}
 Summary:            The ICP-Brasil root certificate bundle
 
-License:            MIT AND Public Domain
+License:            Public Domain
 URL:                https://www.gov.br/iti/pt-br/assuntos/certificado-digital
 Source0:            %{name}-%{version}.tar.gz
 
@@ -20,9 +19,6 @@ BuildRequires:      %{_bindir}/mktemp
 BuildRequires:      %{_bindir}/unzip
 BuildRequires:      gcc
 BuildRequires:      gcc-c++
-Provides:           ca-certificates(ICP-Brasil) = %{version}-%{release}
-Provides:           config(ICP-Brasil) = %{version}-%{release}
-Requires:           %{name}-extras
 
 %description
 The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain 
@@ -39,42 +35,21 @@ chain, supervise and audit the processes.
 %{cmake}
 
 %build
-BUILD_SHARED_LIBS= \
-CMAKE_CXX_FLAGS_RELEASE= \
-CMAKE_C_FLAGS_RELEASE= \
-CMAKE_Fortran_FLAGS_RELEASE= \
-CMAKE_INSTALL_DO_STRIP= \
-CMAKE_INSTALL_FULL_SBINDIR= \
-CMAKE_INSTALL_SBINDIR= \
-INCLUDE_INSTALL_DIR= \
-LIB_INSTALL_DIR= \
-SHARE_INSTALL_PREFIX= \
-SYSCONF_INSTALL_DIR= \
 %{cmake_build}
 
 %install
 %{__rm} -rf %{buildroot}
 %{cmake_install}
 
-%files 
+
-%doc %{_datadir}/doc/%{name}/*.pdf
+%files
-%doc %{_datadir}/doc/%{name}/README.md
+%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
-%license %{_datadir}/doc/%{name}/LICENSE
+%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
 %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+
+
 %post -p %{_bindir}/update-ca-trust
 %postun -p %{_bindir}/update-ca-trust
 
-%package extras
-Summary: Extra Root and Intermediate certificates used by ICP-Brasil
-%description extras
-%{summary}
-
-%files extras
-%license %{_datadir}/doc/%{name}/LICENSE
-%{_datadir}/pki/ca-trust-source/anchors/*.crt
-%exclude %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
-%post extras -p %{_bindir}/update-ca-trust
-%postun extras -p %{_bindir}/update-ca-trust
-
 %changelog
-@CPACK_RPM_CHANGELOG@
+%autochangelog

sources

@@ -5,6 +5,3 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
 https://letsencrypt.org/certs/lets-encrypt-e2.pem
 https://letsencrypt.org/certs/lets-encrypt-r3.pem
 https://letsencrypt.org/certs/lets-encrypt-r4.pem
-https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
-https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
-https://acraiz.icpbrasil.gov.br/PSacraiz.pdf

utils/cert-tool

@@ -1,176 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-check_cert_validity() {
-  local cert=("${@}")
-
-  # Get validity dates of certificate
-  local expire=$(printf "%s\\n" "${cert[@]:1}" \
-    | openssl x509 \
-      -noout \
-      -dates \
-    | sed '/notAfter/!d;s/notAfter=//g;s/ /\\ /g' \
-    | xargs date +%s -d
-  )
-
-  # Checks if certificate is valid at this date
-  if [[ ${expire} -gt $(date +%s -d now) ]]; then
-    return 0
-  else
-    printf "%s: %s [%s %s]\\n" \
-      $"-- WARNING" \
-      $"Certificate was expired" \
-      $"Fingerprint=(SHA256)" \
-      ${cert[0]}
-    return 1
-  fi
-}
-
-unzip_fingerprint() {
-  local zip_source=${1:-}
-  local fp_algo=sha256
-
-  local files=$(
-      [[ -f "${zip_source}" ]] && \
-        (unzip -qql ${zip_source} | awk '{print $4}')
-    )
-
-  # Unzip cert into array and compute their fingerprint
-  printf "%s: %s\\n" $"Archive" "${zip_source}"
-  local file; for file in ${files}; do
-    readarray -t cert < <(
-      unzip -p ${zip_source} ${file} \
-      | openssl x509 \
-        -fingerprint \
-	      -${fp_algo} \
-      | sed 's/.*Fingerprint=//g;s/://g'
-    )
-
-    # Check validity dates of certificate then writes it to disk
-    if check_cert_validity "${cert[@]}"; then
-      local cert_file="certs/${cert[0]}.crt"
-      printf "  %s %s\\n" $"Inflating" "certs/${file}"
-      #printf "  %s %s\\n" $"Inflating" "certs/${cert[0]}.crt"
-      #printf "  - %s=(%s) %s\\n" "Fingerprint" "${fp_algo^^}" "${cert[0]}"
-      printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
-    fi
-  done
-}
-
-copy_fingerprint() {
-  local cert_source=${1:-}
-  local fp_algo=sha256
-
-  readarray -t cert < <(
-    cat ${cert_source} \
-      | openssl x509 \
-        -fingerprint \
-        -${fp_algo} \
-      | sed 's/.*Fingerprint=//g;s/://g'
-  )
-
-  # Check validity dates of certificate then writes it to disk
-  if check_cert_validity "${cert[@]}"; then
-    local cert_file="certs/${cert[0]}.crt"
-    printf "%s %s\\n" $"Copying" "certs/${cert_source}"
-    printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
-  fi
-}
-
-#split() {
-#  local certs=("${@}")
-#
-#  printf "%s\\n" "${certs[@]}" \
-#  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
-#  | csplit \
-#    --quiet \
-#    --elide-empty-files \
-#    --prefix ${random_prefix:-}-cert \
-#    --suffix-format=-%02d.crt \
-#    - '/-END CERTIFICATE-/1' \
-#   '{*}'
-#}
-
-function extract() {
-  local file
-  mkdir -p certs
-  find cache -type f | while read file; do
-    case "$(file -b --mime-type ${file})" in
-      application/zip) unzip_fingerprint "${file}" ;;
-      application/x-pem-file) copy_fingerprint ${file} ;;
-    esac
-  done
-}
-
-
-function classify() {
-  # Create classified output directories
-  mkdir -p certs/{ca-root,ca-trust,servers}
-
-  # Process and classify generated files
-  echo -e "\n-- CLASSIFYING CACHED CERTIFICATES\n"
-  count=0
-  cert_files=$(find certs/ -maxdepth 1 -type f)
-  for cert_file in ${cert_files}; do
-    fingerprint="(SHA256) ${cert_file}"
-    echo "+ Processing certificate [Fingerprint: ${fingerprint}]"
-    issuer=$(openssl x509 -in "${cert_file}" -noout -issuer | sed 's/^issuer=//g')
-    issuer_o=$(echo "${issuer}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
-    subject=$(openssl x509 -in "${cert_file}" -noout -subject | sed 's/^subject=//g')
-    subject_o=$(echo "${subject}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
-    subject_cn=$(echo "${subject}" | grep -iPo 'CN\s*=\s*\K[^,]+' || :)
-    cert_o=$(echo "${subject_o^^}" | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g")
-    cert_cn=$(echo "${subject_cn}" | sed -E "s/\s/_/g;s/\/.*//g;s/^\*\./wildcard-/g")
-
-    # save temporary pem file to .CRT file
-    if [[  "${subject_cn}" =~ "gov.br" ]]; then # it's a server certificate
-      cert_crt_file="${issuer_o^^}-${cert_cn}.crt"
-      openssl x509 -in "${cert_file}" -out "certs/servers/${cert_crt_file}"
-      let count=count+1
-    elif [[ "${subject}" == "${issuer}" ]]; then # it's a root certificate (self-signed)
-      cert_crt_file="${cert_o}-${cert_cn}.crt"
-      openssl x509 -in "${cert_file}" -out "certs/ca-root/${cert_crt_file}"
-      let count=count+1
-    else # it's an intermediate certificate
-      cert_crt_file="${cert_o}-${cert_cn}.crt"
-      openssl x509 -in "${cert_file}" -out "certs/ca-trust/${cert_crt_file}"
-      let count=count+1
-    fi
-  done
-  echo "-- Processed certificates: ${count}"
-}
-
-function anchors() {
-  echo -e "\n-- GENERATING P11-KIT SOURCE ANCHORS"
-  
-  local ca_list=$(
-    (for cert in certs/{ca-root,ca-trust}/*.crt; do
-      openssl x509 -in ${cert} -noout -subject \
-        | grep -iPo 'O\s*=\s*\K[^,]+' \
-        | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
-     done;
-    for cert in certs/servers/*.crt; do
-      openssl x509 -in ${cert} -noout -issuer \
-        | grep -iPo 'O\s*=\s*\K[^,]+' \
-        | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
-    done;) | sort -u)
-
-  for ca in ${ca_list}; do
-    echo -e "\n-> Generating p11-kit source anchors for CA \"${ca}\""
-    local out=pki/ca-trust-source/anchors/${ca,,}-ca-bundle.crt
-    mkdir -p $(dirname ${out}); in=
-    for c in $(find certs/{ca-root,ca-trust,servers}/ -name ${ca}*); do
-      echo "+ Loading CA certificate: ${c}"
-      in="${in} -certfile ${c}"
-    done \
-      && openssl crl2pkcs7 -nocrl ${in} \
-        | openssl pkcs7 -print_certs -out ${out}
-  done
-}
-
-cmd=${@:1}; shift
-${cmd} ${@}
-
-exit 0
-
-# vim: ts=2:sw=2:sts=2:et