From: Tomasz Swierczek Date: Fri, 18 Sep 2020 09:12:55 +0000 (+0200) Subject: Add updarte script - 500.ca-certificates_upgrade.sh X-Git-Tag: submit/tizen/20200922.113527^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fa3fcb29f7e047922c9d4659ae11aade4edabacb;p=platform%2Fcore%2Fsecurity%2Fca-certificates.git Add updarte script - 500.ca-certificates_upgrade.sh Update script will re-create the concatenated CA bundle and re-make links to certs on RW partition. The update script uses openssl binary to parse certificates, so the line: Requires: openssl1.1 was added to spec file. CA bundle could be created during ca-certificate package build, but it looks like the scripts to manage certificates were already installed together with the package, so current logic (of creating the bundle on actual image) was preserved with this "Requires", at the expense of some additional disk usage for openssl binary. Change-Id: I4bc44e945ca6592ead02a94c363d984a9982fe05 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index f4d2ea2..0ffc748 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -15,5 +15,10 @@ INSTALL(FILES PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ ) +INSTALL(FILES + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/500.ca-certificates_upgrade.sh + DESTINATION "/usr/share/upgrade/scripts" + PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ +) CONFIGURE_FILE(packaging/ca-certificates.manifest.in ca-certificates.manifest @ONLY) diff --git a/packaging/ca-certificates.spec b/packaging/ca-certificates.spec index 0fbcb95..d812da6 100644 --- a/packaging/ca-certificates.spec +++ b/packaging/ca-certificates.spec @@ -13,6 +13,7 @@ BuildRequires: coreutils BuildRequires: findutils Requires: filesystem Requires: security-config +Requires: openssl1.1 %description Utilities for system wide CA certificate installation 
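Review bot: The mode requested in the new `INSTALL(FILES ...)` block of CMakeLists.txt, `PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ` (0700), disagrees with the `%attr(755,root,root)` that the spec's `%files` hunk sets for the same script, and with the 744 used there for the neighbouring management scripts. The `%attr` value should be what ends up in the package, so the CMake line is misleading rather than harmful. State one mode in both places, for example `%attr(744, root, root) /usr/share/upgrade/scripts/500.ca-certificates_upgrade.sh` if only root runs the upgrade scripts (an assumption to confirm against the upgrade framework). The destination `/usr/share/upgrade/scripts` is also written out literally in both files; a single variable or macro would keep the two from drifting apart.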
@@ -126,6 +127,8 @@ mkdir -p %{buildroot}%{ca_certs_dir} # scripts for managing certificates %dir %{ro_ca_certs_script_dir} %attr(744, root, root) %{ro_ca_certs_script_dir}/* +# update script for CA bundle re-creation +%attr(755,root,root) /usr/share/upgrade/scripts/500.ca-certificates_upgrade.sh %files devel %config %{macro_ca_certificates} diff --git a/scripts/500.ca-certificates_upgrade.sh b/scripts/500.ca-certificates_upgrade.sh new file mode 100755 index 0000000..224072a --- /dev/null +++ b/scripts/500.ca-certificates_upgrade.sh 
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+
+#
+# Copyright (c) 2020 Samsung Electronics Co., Ltd. All rights reserved.
+#
+# This file is licensed under the terms of MIT License or the Apache License
+# Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
+# See the LICENSE file or the notice below for Apache License Version 2.0
+# details.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+. /etc/tizen-platform.conf
+
+# create bundle
+exec $TZ_SYS_RO_SHARE/ca-certificates/scripts/concat-cacerts.sh $TZ_SYS_RO_SHARE/ca-certificates/certs/ $TZ_SYS_VAR/lib/ca-certificates/ca-bundle.pem
+
+# gen-symlinks.sh script also creates links on RO partition but these links
+# should be still valid after platfrom update; this script only fixes RW partition
+
+# clear old links
+rm -f $TZ_SYS_ETC/ssl/certs/*
+
+# link files : for certs RW area
+CERTS_LIST=`find $TZ_SYS_RO_SHARE/ca-certificates/certs/ -type f -printf "%f "`
+for cert in ${CERTS_LIST}
+do
+ ln -sf $TZ_SYS_RO_SHARE/ca-certificates/certs/${cert} $TZ_SYS_ETC/ssl/certs/
+done
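Review bot: The `exec` in front of the concat-cacerts.sh call replaces the shell with that script, so nothing after it runs: the `rm -f $TZ_SYS_ETC/ssl/certs/*` cleanup and the `ln -sf` loop are dead code, and the links on the RW partition are never rebuilt although the commit message says they are. Drop the `exec` and call the helper directly, `$TZ_SYS_RO_SHARE/ca-certificates/scripts/concat-cacerts.sh "$TZ_SYS_RO_SHARE/ca-certificates/certs/" "$TZ_SYS_VAR/lib/ca-certificates/ca-bundle.pem"`; the `-e` on the shebang still aborts the upgrade step if the helper fails. Once the rest of the script is live, the unquoted cleanup needs a guard such as `rm -f "${TZ_SYS_ETC:?}"/ssl/certs/*`, because `-e` does not catch an unset or empty variable and the glob would then expand under `/ssl/certs`. The cleanup also deletes every entry in that directory, not only links this package created; whether anything else places certificates there is not visible from the patch and should be confirmed before the trust store is wiped on upgrade.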