update-ca-trust: make a copy of directory-hash symlinks in ../tls/certs

Resolves: RHEL-50293 - update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs - Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
2024-08-28 15:32:17 +02:00 · 2024-08-28 15:32:17 +02:00 · 9bf988861b
commit 9bf988861b
parent 59744b459d
3 changed files with 60 additions and 65 deletions
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -1,7 +1,6 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
 %define classic_tls_bundle ca-bundle.crt
-%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@ -38,7 +37,7 @@ Name: ca-certificates
 Version: 2024.2.69_v8.0.303
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 101.1%{?dist}
+Release: 101.2%{?dist}
 License: MIT AND GPL-2.0-or-later

 URL: https://fedoraproject.org/wiki/CA-Certificates
@ -235,33 +234,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
-chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin

-# /etc/ssl is provided in a Debian compatible form for (bad) code that
-# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
-ln -s %{catrustdir}/extracted/pem/directory-hash \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
-ln -s /etc/pki/tls/openssl.cnf \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
-ln -s /etc/pki/tls/ct_log_list.cnf \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
-# legacy filenames
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
-ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
-ln -s %{catrustdir}/extracted/%{java_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
-
 # Populate %%{catrustdir}/extracted/pem/directory-hash.
 #
 # First direct p11-kit-trust.so to the generated bundle (not the one
@ -291,16 +268,39 @@ trust-policy: yes
 x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
 EOF

+# Extract the trust anchors to the directory-hash format.
 trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
-      --purpose server-auth \
-      $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+              --purpose server-auth \
+              $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash

-# Create a temporary file with the list of (%ghost )files in the directory-hash.
-find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
-sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
 # Clean up the temporary module config.
 rm -f "$trust_module_config"

+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
+     -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
+     -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
+# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
+     -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
+
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+
+# /etc/ssl is provided in a Debian compatible form for (bad) code that
+# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
+ln -s %{pkidir}/tls/certs \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
+ln -s /etc/pki/tls/openssl.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
+ln -s /etc/pki/tls/ct_log_list.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
+# legacy filenames
+ln -s %{catrustdir}/extracted/%{java_bundle} \
+    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}

 %clean
 /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
@ -308,6 +308,10 @@ rm -rf $RPM_BUILD_ROOT

 %pre
 if [ $1 -gt 1 ] ; then
+  # Remove the old symlinks
+  rm -f %{pkidir}/tls/cert.pem
+  rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
+
  # Upgrade or Downgrade.
  # If the classic filename is a regular file, then we are upgrading
  # from an old package and we will move it to an .rpmsave backup file.
@ -339,17 +343,6 @@ if [ $1 -gt 1 ] ; then
      fi
    fi
  fi
-
-  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
-      fi
-    fi
-  fi
 fi


@ -413,9 +406,7 @@ fi
 %{catrustdir}/source/README

 # symlinks for old locations
-%{pkidir}/tls/cert.pem
 %{pkidir}/tls/certs/%{classic_tls_bundle}
-%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
 # Hybrid hash directory with bundle file for Debian compatibility
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
@ -438,13 +429,14 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
-%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt

 %changelog
+*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
+- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
+- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
+
 *Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
 - update-ca-trust: return warnings on a unsupported argument instead of error

--- a/37
+++ b/37
@ -8,6 +8,7 @@ set -eu
 # files in $DEST.

 DEST=/etc/pki/ca-trust/extracted
+DEST_CERTS=/etc/pki/tls/certs

 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
@ -28,7 +29,8 @@ usage() {

 		EXTRACT OPTIONS
 		-o DIR, --output=DIR: Write the extracted trust store into the given
-		directory instead of updating $DEST.
+		directory instead of updating $DEST. (Note: This option will not
+		populate the ../pki/tls/certs with the directory-hash symbolic links.)
 	EOF
 }

@ -73,9 +75,15 @@ extract() {
 		    "$DEST"/edk2
 	fi

+
+	# Delete all directory hash symlinks from the cert directory
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST_CERTS" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
+	fi
+
 	# OpenSSL PEM bundle that includes trust flags
 	# (BEGIN TRUSTED CERTIFICATE)
-	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
@ -85,25 +93,16 @@ extract() {
 	# by GnuTLS)
 	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"

-	# p11-kit extract will have made this directory unwritable; when run with
-	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
-	# not be the case. See rhbz#2241240.
-	if [ -n "$USER_DEST" ]; then
-	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
-        fi

-	# Debian compatibility: their /etc/ssl/certs has this bundle
-	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
-	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
-	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
-	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
-
-	# Remove write permissions again
-	if [ -n "$USER_DEST" ]; then
-	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
-        fi
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
+			target=$(readlink -f "$link")
+			new_link="$DEST_CERTS/$(basename "$link")"
+			ln -s "$target" "$new_link"
+		done
+	fi
 }
-
 if [ $# -lt 1 ]; then
    set -- extract
 fi
--- a/update-ca-trust.8.txt
+++ b/update-ca-trust.8.txt
@ -230,7 +230,8 @@ EXTRACT OPTIONS
 ^^^^^^^^^^^^^^^
 *-o DIR*, *--output=DIR*::
 	Write the extracted trust store into the given directory instead of
-	updating /etc/pki/ca-trust/extracted.
+	updating /etc/pki/ca-trust/extracted. (Note: This option will not
+	populate the ../pki/tls/certs with the directory-hash symbolic links.)

 FILES
 -----
@ -257,6 +258,9 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.

+/etc/pki/tls/certs::
+	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
+
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.