PORTNAME= ca-certificates PORTVERSION= 2025.2.80 DISTVERSIONSUFFIX= _v9.0.305-91.el9 CATEGORIES= security linux MAINTAINER= emulation@FreeBSD.org COMMENT= Mozilla CA root certificate bundle (Rocky Linux ${LINUX_DIST_VER}) LICENSE= PD USES= linux:rl9 USE_LINUX= p11-kit USE_LINUX_RPM= noarch OPTIONS_DEFINE= DOCS .include # Here we perform a dance to properly regenerate the trust store # 1. We need to run these tools as a non-root user, otherwise they don't pick # up our config: https://github.com/p11-glue/p11-kit/blob/1bbd6db36b68cae074b35845c212c7d9a8ba19fe/p11-kit/conf.c#L249-L251 .if ${UID} == 0 SU_NOBODY= /usr/bin/su -m nobody -c .else SU_NOBODY= ${SH} -c .endif post-stage: # 2. Create a hacked copy of update-ca-trust that is permitted to look into # user-supplied config. ${SED} '/export P11_KIT_NO_USER_CONFIG=1/d' \ ${STAGEDIR}/${PREFIX}/usr/bin/update-ca-trust > \ ${WRKDIR}/update-ca-trust-staging ${CHMOD} +x ${WRKDIR}/update-ca-trust-staging # 3. Prevent update-ca-trust-staging from operating on ${LINUXBASE}. We want # it take inputs from ${STAGEDIR} and output into ${STAGEDIR}. # To achieve that, an undocumented feature is employed that can be tracked # through the following place in the code: # a. https://github.com/p11-glue/p11-kit/blob/1bbd6db36b68cae074b35845c212c7d9a8ba19fe/p11-kit/modules.c#L641-L658 # b. https://github.com/p11-glue/p11-kit/blob/1bbd6db36b68cae074b35845c212c7d9a8ba19fe/trust/module.c#L409 # c. https://github.com/p11-glue/p11-kit/blob/1bbd6db36b68cae074b35845c212c7d9a8ba19fe/trust/module.c#L293-L296 # Without this hack the /bin/trust program always use hardcoded paths that # point to ${LINUXBASE} as evidenced by # d. https://github.com/p11-glue/p11-kit/blob/1bbd6db36b68cae074b35845c212c7d9a8ba19fe/trust/module.c#L416C77-L416C88 ${MKDIR} ${WRKDIR}/.config/pkcs11/modules ${SED} "s|x-init-reserved:|x-init-reserved: paths=${STAGEDIR}/${LINUXBASE}/etc/pki/ca-trust/source:${STAGEDIR}/${LINUXBASE}/usr/share/pki/ca-trust-source|" \ ${LINUXBASE}/usr/share/p11-kit/modules/p11-kit-trust.module > \ ${WRKDIR}/.config/pkcs11/modules/p11-kit-trust.module # 4. If we're building as root, the nobody user wouldn't be able to write into # ${STAGEDIR}. Change the owner to allow that. .if ${UID} == 0 ${CHOWN} -R nobody ${STAGEDIR} .endif # 5. Run the actual generation step. ${SU_NOBODY} 'cd ${STAGEDIR} && ${LINUXBASE}/bin/env XDG_CONFIG_HOME="${WRKDIR}/.config" \ ../update-ca-trust-staging extract \ -o ./${PREFIX}/etc/pki/ca-trust/extracted' # 6. Reforge symlinks into relative ones to prevent Linuxulator from resolving # them into /etc. We want symlink targets to point into /compat/linux/etc. ${FIND} ${STAGEDIR}${PREFIX} -type l -exec \ ${SH} -c "tgt=\$$(readlink {}) ; [ \$$tgt != \$${tgt#/} ] && ${RLN} ${STAGEDIR}${PREFIX}\$$tgt {}" \; || ${TRUE} # Verify that we actually generated something. To make sure that ${LINUXBASE} # does not affect the generation the testing should be performed this way: # 1. Get into jail: # poudriere testport -i # 2. Test with package installed: # make test # 3. Rebuild with package installed: # make clean stage # 4. Check that the result is the same: # make check-plist test # 5. Deinstall the package: # make deinstall # 6. Check that the result is the same: # make test do-test: ${SU_NOBODY} '${LINUXBASE}/bin/env XDG_CONFIG_HOME="${WRKDIR}/.config" \ /bin/trust list' | wc -l | ((read count ; [ $$count != 0 ]) && ${ECHO_CMD} ok) .include