update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix

rhbz#2242727

ca-certificates.spec

@@ -38,7 +38,7 @@ Name: ca-certificates
 Version: 2023.2.62_v7.0.401
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT AND GPL-2.0-or-later
 
 URL: https://fedoraproject.org/wiki/CA-Certificates
@@ -319,7 +319,7 @@ fi
 #fi
 # if ln is available, go ahead and run the ca-legacy and update
 # scripts. If not, wait until %posttrans.
-if [ -x %{_bindir}/ln ] && [ -x %{_bindir}/getopt ]; then
+if [ -x %{_bindir}/ln ]; then
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 fi
@@ -404,6 +404,9 @@ fi
 
 
 %changelog
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
+- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
+
 * Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
 - Skip %post if getopt is missing (recent change made update-ca-trust use it)
 

update-ca-trust

@@ -35,49 +35,39 @@ usage() {
 extract() {
 	USER_DEST=
 
-	if ! TEMP=$(getopt -o "ho:" --long "help,output:" -n "$0" -- "$@"); then
+        # can't use getopt here. ca-certificates can't depend on a lot
-		echo >&2 ""
+        # of other libraries since openssl depends on ca-certificates
-		usage
+        # just fail when we hand parse
-		exit 1
-	fi
-	eval set -- "$TEMP"
-	unset TEMP
 
-	while true; do
+        while [ $# -ne 0 ]; do
-		case "$1" in
+	    case "$1" in
-			"-o"|"--output")
+	      "-o"|"--output")
-				USER_DEST=$2
+	          USER_DEST=$2
-				shift 2
+		  shift 2
-				continue
+		  continue
-			;;
+		  ;;
-			"--")
+		"--")
-				shift
+		  shift
-				break
+		  break
-			;;
+		  ;;
-			*)
+		*)
-				usage
+		  usage
-				exit 1
+		  exit 1
-			;;
+		  ;;
-		esac
+	    esac
 	done
-	if [ $# -ne 0 ]; then
-		echo >&2 "Error: Unexpected positional arguments:" "$@"
-		echo >&2
-		usage
-		exit
-	fi
 
 	if [ -n "$USER_DEST" ]; then
 		DEST=$USER_DEST
+	        # Attempt to create the directories if they do not exist
+                # yet (rhbz#2241240)
+	        /usr/bin/mkdir -p \
+		    "$DEST"/openssl \
+		    "$DEST"/pem \
+		    "$DEST"/java \
+		    "$DEST"/edk2
 	fi
 
-	# Attempt to create the directories if they do not exist yet (rhbz#2241240)
-	mkdir -p \
-		"$DEST"/openssl \
-		"$DEST"/pem \
-		"$DEST"/java \
-		"$DEST"/edk2
-
 	# OpenSSL PEM bundle that includes trust flags
 	# (BEGIN TRUSTED CERTIFICATE)
 	/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
@@ -93,7 +83,9 @@ extract() {
 	# p11-kit extract will have made this directory unwritable; when run with
 	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
 	# not be the case. See rhbz#2241240.
-	chmod u+w "$DEST/pem/directory-hash"
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
+        fi
 
 	# Debian compatibility: their /etc/ssl/certs has this bundle
 	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
@@ -102,20 +94,22 @@ extract() {
 	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
 
 	# Remove write permissions again
-	chmod u-w "$DEST/pem/directory-hash"
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
+        fi
 }
-
+if [ $# -lt 1 ]; then
-if [ "$#" -lt 1 ]; then
+    set -- extract
-	set -- extract
 fi
+
 case "$1" in
 	"extract")
 		shift
-		extract "$@"
+		extract $@
 	;;
 	"--"*|"-"*)
 		# First parameter seems to be an option, assume the command is 'extract'
-		extract "$@"
+		extract $@
 	;;
 	*)
 		echo >&2 "Error: Unknown command: $1"