Add updarte script - 500.ca-certificates_upgrade.sh 28/244428/4 accepted/tizen_6.0_unified_hotfix tizen_6.0_hotfix accepted/tizen/6.0/unified/20201030.114753 accepted/tizen/6.0/unified/hotfix/20201103.003746 accepted/tizen/unified/20200923.093649 submit/tizen/20200922.113527 submit/tizen_6.0/20201029.205104 submit/tizen_6.0_hotfix/20201102.192504 submit/tizen_6.0_hotfix/20201103.114804 tizen_6.0.m2_release
authorTomasz Swierczek <t.swierczek@samsung.com>
Fri, 18 Sep 2020 09:12:55 +0000 (11:12 +0200)
committerTomasz Swierczek <t.swierczek@samsung.com>
Mon, 21 Sep 2020 08:16:14 +0000 (10:16 +0200)
Update script will re-create the concatenated CA bundle
and re-make links to certs on RW partition.

The update script uses openssl binary to parse certificates,
so the line:

Requires: openssl1.1

was added to spec file. CA bundle could be created during
ca-certificate package build, but it looks like the scripts
to manage certificates were already installed together with
the package, so current logic (of creating the bundle
on actual image) was preserved with this "Requires",
at the expense of some additional disk usage for openssl binary.

Change-Id: I4bc44e945ca6592ead02a94c363d984a9982fe05

CMakeLists.txt
packaging/ca-certificates.spec
scripts/500.ca-certificates_upgrade.sh [new file with mode: 0755]

index f4d2ea2dcdf99cc3c1e5f6142eae86d221e2bd3d..0ffc748906133584246954902b798533cbf20d20 100644 (file)
@@ -15,5 +15,10 @@ INSTALL(FILES
        PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
 )
 
+INSTALL(FILES
+       ${CMAKE_CURRENT_SOURCE_DIR}/scripts/500.ca-certificates_upgrade.sh
+       DESTINATION "/usr/share/upgrade/scripts"
+       PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
+)
 
 CONFIGURE_FILE(packaging/ca-certificates.manifest.in ca-certificates.manifest @ONLY)
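Review bot: The mode requested by this `INSTALL(FILES ...)` is owner-only rwx (0700), but the `%files` hunk in packaging/ca-certificates.spec lists the same path with `%attr(755,root,root)`, and the neighbouring management scripts there use 744. The spec attribute is what the built package carries, so the script ends up world-readable and world-executable regardless of what this file says. If the script is only run by the upgrade framework as root (not visible in this commit), keep the tighter mode and change the spec line to `%attr(700,root,root) /usr/share/upgrade/scripts/500.ca-certificates_upgrade.sh`. Either way the two files should state the same mode.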
index 0fbcb9572dfa6d5be492ee4501bac612687980a9..d812da6b5789d94f392b13e960fbb5aa913c3573 100644 (file)
@@ -13,6 +13,7 @@ BuildRequires:  coreutils
 BuildRequires:  findutils
 Requires: filesystem
 Requires: security-config
+Requires: openssl1.1
 
 %description
 Utilities for system wide CA certificate installation
@@ -126,6 +127,8 @@ mkdir -p %{buildroot}%{ca_certs_dir}
 # scripts for managing certificates
 %dir %{ro_ca_certs_script_dir}
 %attr(744, root, root) %{ro_ca_certs_script_dir}/*
+# update script for CA bundle re-creation
+%attr(755,root,root) /usr/share/upgrade/scripts/500.ca-certificates_upgrade.sh
 
 %files devel
 %config %{macro_ca_certificates}
diff --git a/scripts/500.ca-certificates_upgrade.sh b/scripts/500.ca-certificates_upgrade.sh
new file mode 100755 (executable)
index 0000000..224072a
--- /dev/null
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+
+#
+# Copyright (c) 2020 Samsung Electronics Co., Ltd. All rights reserved.
+#
+# This file is licensed under the terms of MIT License or the Apache License
+# Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
+# See the LICENSE file or the notice below for Apache License Version 2.0
+# details.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+. /etc/tizen-platform.conf
+
+# create bundle
+exec $TZ_SYS_RO_SHARE/ca-certificates/scripts/concat-cacerts.sh $TZ_SYS_RO_SHARE/ca-certificates/certs/ $TZ_SYS_VAR/lib/ca-certificates/ca-bundle.pem
+
+# gen-symlinks.sh script also creates links on RO partition but these links
+# should be still valid after platfrom update; this script only fixes RW partition
+
+# clear old links
+rm -f $TZ_SYS_ETC/ssl/certs/*
+
+# link files : for certs RW area
+CERTS_LIST=`find $TZ_SYS_RO_SHARE/ca-certificates/certs/ -type f -printf "%f "`
+for cert in ${CERTS_LIST}
+do
+    ln -sf $TZ_SYS_RO_SHARE/ca-certificates/certs/${cert} $TZ_SYS_ETC/ssl/certs/
+done
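Review bot: The `exec` in front of `concat-cacerts.sh` replaces the shell with that script, so nothing after it runs: the `rm -f` of the old links and the `ln -sf` loop are dead code, and the links on the RW partition are never re-made on upgrade although the commit message says they are. Drop the `exec` so the bundle step is an ordinary command whose failure still aborts the script under `-e`. The `$TZ_SYS_*` expansions are also unquoted and unchecked in a script that runs `rm -f` on a glob, so an unset variable would silently point the cleanup at a different directory; fail early with `${VAR:?}` and quote every path. The `find -printf "%f "` loop splits on whitespace in file names and can be replaced by `find ... -exec`, as in the sketch below.

```shell
# … unchanged: license header, PATH, sourcing /etc/tizen-platform.conf …

# stop here if the platform config did not define the paths used below
: "${TZ_SYS_RO_SHARE:?}" "${TZ_SYS_VAR:?}" "${TZ_SYS_ETC:?}"

# create bundle (no exec: the link refresh below must still run)
"$TZ_SYS_RO_SHARE/ca-certificates/scripts/concat-cacerts.sh" \
    "$TZ_SYS_RO_SHARE/ca-certificates/certs/" \
    "$TZ_SYS_VAR/lib/ca-certificates/ca-bundle.pem"

# … unchanged: comment about gen-symlinks.sh and the RO partition …

# clear old links
rm -f "$TZ_SYS_ETC"/ssl/certs/*

# link files : for certs RW area
find "$TZ_SYS_RO_SHARE/ca-certificates/certs/" -type f \
    -exec ln -sf {} "$TZ_SYS_ETC/ssl/certs/" \;
```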