RHEL: Hack: Run commands after update-ca-trust(8)
## OSSTech update-ca-trust-hook
## ======================================================================
## Expands the vendor_package macro when a wrapping build defines one
## (presumably where name_prefix comes from); otherwise a no-op.
%{?vendor_package}
## Packaging release counter.  NOTE(review): the changelog entry at the end of
## this file records release 1 while this says 152; rpmbuild may warn about it.
%global rel 152
#%%global rel_extra experimental
%global dist_name update-ca-trust-hook
%global dist_ver_base 1.0
#%%global dist_ver_rc rc3
## Full version string; not referenced elsewhere in this file.
%global dist_ver %{dist_ver_base}%{?dist_ver_rc}
## ======================================================================
## The ca-certificates script that the trigger below appends one hook line to.
%global updater /usr/bin/update-ca-trust
## Runner shipped by this package; executed from the end of the patched updater.
%global hook_updater %{_sbindir}/update-ca-trust-hook
## Executable regular files in here are run by the runner, in glob order.
%global hook_update_dir %{_sysconfdir}/ca-certificates/update.d
## Pristine copy of the updater, taken before patching and restored on erase.
%global backup_dir %{_localstatedir}/lib/%{dist_name}/backup
%global doc_dir %{_docdir}/%{name}-%{version}
## A vendor build may set name_prefix; the bare project name is dist_name.
Name: %{?name_prefix}%{dist_name}
## NOTE(review): duplicates dist_ver_base; the two must be bumped together.
Version: 1.0
Release: %{rel}%{?dist_ver_rc:.%dist_ver_rc}%{?rel_extra:.%rel_extra}%{?dist}
Summary: Run commands after %updater
License: GPLv3
URL: https://www.osstech.co.jp/
## Nothing is compiled; every shipped file is written by the install section.
BuildArch: noarch
## ----------------------------------------------------------------------
## The trigger appends to a file owned by ca-certificates, so it must be installed.
Requires: ca-certificates
%description
This package modifies the %{updater} script so that, after it has finished,
the commands under the %{hook_update_dir} directory are run as well.
## ======================================================================
%prep
## No source archive to unpack, so setup stays disabled.
#%%setup -c -T
## ======================================================================
%build
## ======================================================================
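%install
## Everything is generated here; the package carries no Source files.
install -d -m 0755 %{buildroot}%{hook_update_dir}
install -d -m 0755 %{buildroot}%{_sbindir}
install -d -m 0755 %{buildroot}%{backup_dir}
## Quoted delimiter: the shell leaves the body alone, but rpm still expands its
## macros before this section runs, so the hook directory path is baked in.
cat <<'EOF' >%{buildroot}%{hook_updater}
#!/bin/bash
## Run every executable regular file under the update.d directory, in glob
## order, after update-ca-trust(8) has refreshed the trust stores.
## Exits 0 only if every hook did; each failure is reported on stderr.
set -u

hook_dir=%{hook_update_dir}
status=0

for hook in "$hook_dir"/*; do
  ## Editor and rpm leftovers must never run as a second copy of a hook.
  [[ $hook == @(*.rpmsave|*.rpmorig|*.rpmnew|*.old|*.bak|*.dist|*.tmp|*~) ]] && continue
  ## Also covers the unmatched-glob case, where $hook is the literal pattern.
  [[ -f $hook && -x $hook ]] || continue
  rc=0
  "$hook" || rc=$?
  if (( rc != 0 )); then
    printf '%%s: hook %%s exited with status %%d\n' "${0##*/}" "$hook" "$rc" >&2
    status=1
  fi
done

exit "$status"
EOF
chmod 0755 %{buildroot}%{hook_updater}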
## ----------------------------------------------------------------------
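mkdir -p %{buildroot}%{doc_dir}/examples/update.d
## Example hook: copy it (mode 0755) into the update.d directory to have the
## anchors under the source directory imported into the extracted Java keystore.
cat <<'EOF' >%{buildroot}%{doc_dir}/examples/update.d/append-java-cacerts
#!/bin/bash
## Import every *.crt/*.cer/*.pem under cacerts_src_dir into the Java cacerts
## that update-ca-trust(8) has just extracted.  Failures are reported on stderr
## but never change the exit status: a Java keystore problem must not turn the
## whole CA trust update into a failure.
set -u
export LC_ALL=C

keytool_bin="/usr/bin/keytool"
cacerts_src_dir="/opt/osstech/etc/ca-certificates/source/anchors"
keystore_file="/etc/pki/ca-trust/extracted/java/cacerts"
## "changeit" is the JDK default for cacerts.  It is passed on the command line
## (visible in ps); keytool also accepts -storepass:env / -storepass:file should
## a real secret ever be used here.
keystore_pass="changeit"

## keytool with keystore and password preset; remaining options come from "$@".
keystore_tool() {
  "$keytool_bin" \
    -keystore "$keystore_file" \
    -storepass "$keystore_pass" \
    "$@"
}

for cacert_file in "$cacerts_src_dir"/*.{crt,cer,pem}; do
  ## An unmatched pattern stays literal, so this also covers "no such file".
  [[ -f $cacert_file && -s $cacert_file ]] || continue
  ## keytool reports success on stderr; drop only that line, keep real errors.
  if ! keystore_tool \
      -import \
      -noprompt \
      -trustcacerts \
      -file "$cacert_file" \
      -alias "$cacert_file" \
      2> >(sed '/^Certificate was added to keystore$/d' >&2); then
    printf '%%s: failed to import %%s\n' "${0##*/}" "$cacert_file" >&2
  fi
done

## Best effort by design (see header): always succeed.
exit 0
EOF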
## ======================================================================
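%preun
## Runs with /bin/sh.  $1 is the number of package instances left after this
## transaction: 0 is a real erase; on an upgrade (1) the patched updater stays.
if [ "$1" -eq 0 ]; then
  updater_backup=%{backup_dir}/$(basename %{updater})
  ## Only touch the updater while our hook line is in it; if ca-certificates was
  ## reinstalled in the meantime the file is already pristine.
  if grep -qxF %{hook_updater} %{updater}; then
    if [ -f "$updater_backup" ]; then
      cp -a "$updater_backup" %{updater}
    else
      ## No backup to restore: drop just the line the trigger appended so the
      ## updater keeps working once the hook runner file is gone.
      sed -i '\|^%{hook_updater}$|d' %{updater}
    fi
    ## Refresh the stores without hooks.  A failure must not abort the erase:
    ## the scriptlet's exit status is that of its last command.
    %{updater} || :
  fi
  ## The copy is not an owned file; remove it so the backup directory can go too.
  rm -f -- "$updater_backup"
fi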
## ======================================================================
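%triggerin -- ca-certificates
## Fires when ca-certificates is installed or upgraded (its fresh updater has no
## hook line) and when this package is installed while ca-certificates is present.
## Runs with /bin/sh.  Checking for the hook line directly avoids querying rpm
## from inside a scriptlet while the rpmdb is mid-transaction.
if ! grep -qxF %{hook_updater} %{updater}; then
  ## Keep the unpatched script so the erase scriptlet can put it back.
  ## Without a backup, do not patch at all.
  if cp -a %{updater} %{backup_dir}/; then
    ## Leading newline guards against an updater file lacking a trailing one.
    printf '\n%%s\n' %{hook_updater} >>%{updater}
    ## The updater has presumably already run for this transaction without the
    ## hooks, so run them once now.  Never let a hook failure fail the transaction.
    %{hook_updater} || :
  else
    printf 'warning: cannot back up %%s, hook not installed\n' %{updater} >&2
  fi
fi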
## ======================================================================
%files
## NOTE(review): this bare doc directive lists no files; the examples are
## packaged by the explicit path below instead.
%doc
## Shipped empty; hooks are added locally (see the examples).
%dir %{hook_update_dir}
## Holds the runtime copy of the pristine updater; that copy is not an owned file.
%dir %{backup_dir}
%{doc_dir}/examples
%{hook_updater}
## ======================================================================
%changelog
* Wed Sep 15 2021 SATOH Fumiyasu <fumiyas @ osstech.co.jp> 1.0-1.osstech
- Initial release