Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
RHEL: Hack: Run commands after update-ca-trust(8)
## OSSTech update-ca-trust-hook
## ======================================================================
%{?vendor_package}
%global rel 152
#%%global rel_extra experimental
%global dist_name update-ca-trust-hook
%global dist_ver_base 1.0
#%%global dist_ver_rc rc3
%global dist_ver %{dist_ver_base}%{?dist_ver_rc}
## ======================================================================
%global updater /usr/bin/update-ca-trust
%global hook_updater %{_sbindir}/update-ca-trust-hook
%global hook_update_dir %{_sysconfdir}/ca-certificates/update.d
%global backup_dir %{_localstatedir}/lib/%{dist_name}/backup
%global doc_dir %{_docdir}/%{name}-%{version}
Name: %{?name_prefix}%{dist_name}
Version: 1.0
Release: %{rel}%{?dist_ver_rc:.%dist_ver_rc}%{?rel_extra:.%rel_extra}%{?dist}
Summary: Run commands after %updater
License: GPLv3
URL: https://www.osstech.co.jp/
BuildArch: noarch
## ----------------------------------------------------------------------
Requires: ca-certificates
%description
This package modifies %{updater} script to run commands under
%{hook_update_dir} directory after %{updater}.
## ======================================================================
%prep
#%%setup -c -T
## ======================================================================
%build
## ======================================================================
%install
mkdir -p %{buildroot}%{hook_update_dir}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{backup_dir}
touch %{buildroot}%{hook_updater}
chmod 0755 %{buildroot}%{hook_updater}
cat <<'EOF' >%{buildroot}%{hook_updater}
#!/bin/bash
set -u
for hook in %{hook_update_dir}/*; do
[[ $hook == @(*.rpmsave|*.rpmorig|*.rpmnew|*.old|*.bak|*.dist|*.tmp|*~) ]] && continue
[[ -f $hook ]] || continue
[[ -x $hook ]] || continue
"$hook"
done
EOF
## ----------------------------------------------------------------------
mkdir -p %{buildroot}%{doc_dir}/examples/update.d
cat <<'EOF' >%{buildroot}%{doc_dir}/examples/update.d/append-java-cacerts
#!/bin/bash
set -u
export LC_ALL=C
keytool="/usr/bin/keytool"
cacerts_src_dir="/opt/osstech/etc/ca-certificates/source/anchors"
keystore_file="/etc/pki/ca-trust/extracted/java/cacerts"
keystore_pass="changeit"
keytool() {
command "$keytool" \
-keystore "$keystore_file" \
-storepass "$keystore_pass" \
"$@" \
;
}
for cacert_file in "$cacerts_src_dir"/*.{crt,cer,pem}; do
[ -f "$cacert_file" ] || continue
[ -s "$cacert_file" ] || continue
keytool \
-import \
-noprompt \
-trustcacerts \
-file "$cacert_file" \
-alias "$cacert_file" \
2> >(sed '/^Certificate was added to keystore$/d' >&2) \
;
done
exit 0
EOF
## ======================================================================
%preun
if [[ $1 -eq 0 ]]; then ## Uninstall
if \
/bin/rpm \
--verify \
--nodeps \
--noscripts \
--nosignature \
ca-certificates \
|grep -q %{updater} \
;
then
cp -a %{backup_dir}/$(basename %{updater}) %{updater}
%{updater}
fi
fi
## ======================================================================
%triggerin -- ca-certificates
if ! \
/bin/rpm \
--verify \
--nodeps \
--noscripts \
--nosignature \
ca-certificates \
|grep -q %{updater} \
;
then
cp -a %{updater} %{backup_dir}/
echo %{hook_updater} >>%{updater}
%{hook_updater}
fi
## ======================================================================
%files
%doc
%dir %{hook_update_dir}
%dir %{backup_dir}
%{doc_dir}/examples
%{hook_updater}
## ======================================================================
%changelog
* Wed Sep 15 2021 SATOH Fumiyasu <fumiyas @ osstech.co.jp> 1.0-1.osstech
- Initial release
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment