diff --git a/bin/update-ca-trust b/bin/update-ca-trust new file mode 100755 index 000000000..34147ce58 --- /dev/null +++ b/bin/update-ca-trust @@ -0,0 +1,44 @@ +#!/bin/bash + +install -d /{etc,usr/share}/ca-certificates/trust-source/{anchors,blacklist} + +# Directories used by update-ca-trust (aka "trust extract-compat") +install -d /etc/{ssl/certs/java,ca-certificates/extracted} + +# Compatibility link for OpenSSL using /etc/ssl as CAdir +# Used in preference to the individual links in /etc/ssl/certs +ln -sr "/etc/ca-certificates/extracted/tls-ca-bundle.pem" "/etc/ssl/cert.pem" + +# Compatiblity link for legacy bundle +ln -sr "/etc/ca-certificates/extracted/tls-ca-bundle.pem" "/etc/ssl/certs/ca-certificates.crt" + + +# At this time, while this script is trivial, we ignore any parameters given. +# However, for backwards compatibility reasons, future versions of this script must +# support the syntax "update-ca-trust extract" trigger the generation of output +# files in $DEST. + +DEST=/etc/ca-certificates/extracted + +extract() { + trust extract --overwrite "$@" +} + +# The directory-format extractors remove all files in the target directory, but not directories or files therein +extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir +extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth $DEST/tls-ca-bundle.pem +extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email $DEST/email-ca-bundle.pem +extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem +extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt + +# We don't want to have to remove everything from the certs directory but neither +# do we want to leave stale certs around, so symlink it all from somewhere else +for f in $DEST/cadir/*; do + ln -fsr -t /etc/ssl/certs "$f" +done + +# Now find and remove all broken symlinks +find -L /etc/ssl/certs -maxdepth 1 -type l -delete + +# Java bundle +extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts