Populate directory-hash at %install

Related: RHEL-50293

This generates the contents of
/etc/pki/ca-trust/extracted/pem/directory-hash at %install, only
taking into account of the generated bundle, not the one already
present on the build system.  This is done by creating a temporary
module configuration file for p11-kit-trust.so.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno 2024-08-07 14:40:09 +09:00 committed by Frantisek Krenzelok
parent 1736dc56a7
commit c875a80bab

View File

@ -186,7 +186,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
@ -262,6 +262,33 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \ ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle} $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash.
#
# First direct p11-kit-trust.so to the generated bundle (not the one
# already present on the build system) with an overriding module
# config. Note that we have to use a different config path based on
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Clean up the temporary module config.
rm -f "$trust_module_config"
%pre %pre
if [ $1 -gt 1 ] ; then if [ $1 -gt 1 ] ; then