rpms/ca-certificates
7
0
Fork 0
Code Issues Pull Requests Releases Activity
59744b459d
ca-certificates/fetch.sh
Robert Relyea 65515a4fba fix version pasting
2023-10-04 14:37:44 -07:00

186 lines
5.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# This script fetches the latest released certdata.txt and updates the
# ca-certificates.spec file
#
baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
force=0
skip_signed_obj=0
release_type="RTM"
release="3_65"
while [ -n "$1" ]; do
case $1 in
"-d")
baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
;;
-t*)
release_type=`echo $1 | sed -e 's;-t;;'`
if [ "${release_type}" = "" ]; then
shift
release_type=$1
fi
baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
;;
-n*)
release=`echo $1 | sed -e 's;-n;;'`
if [ "${release}" = "" ]; then
shift
release=$1
fi
release=`echo ${release} | sed -e 's;\\.;_;g'`
baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
;;
"-f")
force=1
;;
"-s")
skip_signed_obj=1
;;
*)
echo "usage: $0 [-r] [-n release] [-f]"
echo "-d use the development tip rather than the latest release"
echo "-n release fetch a specific nss release"
echo "-f skip the verify check"
echo "-s skip fetching signed objects"
exit 1
;;
esac
shift
done
# get the current certdata version number
# nss version number
# user making the change
# email of user
#
# versions from the latest nss code in mozilla
echo "Getting CKBI version number"
ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
if [ "${ckbi_version}" = "" ]; then
echo "Didn't find ckbi version from ${baseurl}"
exit 1;
fi
echo "Getting NSS version number"
nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
if [ "${nss_version}" = "" ]; then
echo "Didn't find nss version from ${baseurl}"
exit 1;
fi
# date from the current system date on this machine
echo "Creating change log"
export LANG=C
year=`date +%Y`
log_date=`date +"%a %b %d %Y"`
# user name from the environment, fallback to git, fallback to the current user
username=`whoami`
name=${NAME}
if [ "${name}" = "" ]; then
name=`git config user.name`
fi
if [ "${name}" = "" ]; then
name=`getent passwd $username`
fi
email=${EMAIL}
if [ "${email}" = "" ]; then
email=`git config user.email`
fi
if [ "${email}" = "" ]; then
email=$username@`hostname`
fi
# rawhide >=2, branches 1.x
cwd=$(pwd)
if [ `basename ${cwd}` = rawhide ]; then
release="2"
else
release="1.0"
fi
# fetch the codesigning certs now so we can get
# the code signing version number
if [ ${skip_signed_obj} -eq 0 ]; then
./fetch_objsign.sh
if [ -f codesign-release.txt ]; then
mcs_version=$(cat codesign-release.txt)
if [[ $ms_version != "unknown" ]]; then
ckbi_version="${ckbi_version}_${mcs_version}"
fi
signobjects="and Microsoft Signed Objects version $ms_version"
fi
fi
version=${year}.${ckbi_version}
#make sure the the current version is newer than what is already there
current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
echo "Can't downgrade current version: ${current_version} new version: ${version}"
exit 1;
fi
# now get our new certdata.txt
echo "Fetching new certdata.txt"
wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
if [ $? -ne 0 ]; then
echo fetching certdata.text from ${baseurl} failed!
echo " To restore the old certdata.txt use:"
echo " git checkout -- certdata.txt"
exit 1;
fi
# merge the signing certs into the normal certdata.txt file.
if [ ${skip_signed_obj} -eq 0 ]; then
cp certdata.txt certdata.txt.orig
python3 ./mergepem2certdata.py -c "certdata.txt.orig" -p "microsoft_sign_obj_ca.pem" -o "certdata.txt" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" -x "NEVER"
fi
# Verify everything is good with the user
echo -e "Upgrading ${current_version} -> ${version}:"
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}${sign_objects}"
./check_certs.sh
echo ""
yn=""
if [ ! ${force} ]; then
echo -n "Do you want to continue (Y/N default Y)? "
read yn
echo ""
fi
if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
echo "Skipping ca-certificate.spec upgrade."
echo " NOTE: certdata.txt has been upgraded."
echo " To restore the old certdata.txt use:"
echo " git checkout -- certdata.txt"
exit 1;
fi
echo "Updating .spec file"
cat ca-certificates.spec | while IFS= read -r line
do
echo $line | grep "^Version: " 1>&2
if [ $? -eq 0 ]; then
echo "Version: ${version}"
echo "New Version: ${version}" 1>&2
continue
fi
echo $line | grep "^Release: " 1>&2
if [ $? -eq 0 ]; then
echo "Release: ${release}%{?dist}"
echo "New Release: ${release}%{?dist}" 1>&2
continue
fi
echo $line | grep "^%changelog" 1>&2
if [ $? -eq 0 ]; then
echo "$line"
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}" 1>&2
./check_certs.sh
echo ""
continue
fi
echo "$line"
done > /tmp/ca-certificates.spec.$$
mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
git status
exit 0
Reference in New Issue View Git Blame Copy Permalink